# File 'lib/paloalto.rb', line 7
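# Runs one Nexpose -> Palo Alto NGFW synchronisation pass.
#
# Logs in to Nexpose, collects the sites and dynamic asset groups (DAGs) the
# user can see (optionally narrowed to the configured IDs), makes sure a
# matching tag and DAG exist on the firewall's vsys, commits the change, and
# then (re)registers the assets of every selected site and DAG against the
# firewall.
#
# @param nexpose_settings [Hash] keys read: :nexpose_url, :nexpose_username,
#   :nexpose_password, :nexpose_port, :timeout (report timeout forwarded to
#   the Nexpose helpers), :sites (Array of site IDs to keep; nil keeps all)
#   and :dag (Array of DAG IDs to keep; nil keeps all).
# @param pan_settings [Hash] keys read: :pan_url, :pan_username, :pan_password.
# @return the value of the final log call; callers should not rely on it.
def self.start_integration(nexpose_settings, pan_settings)
  # Fixed report query. The only per-call input (the site ID) is handed to
  # generate_report as a separate option, never interpolated into this SQL.
  asset_query = <<~SQL.chomp
    select asset_id, da.ip_address, string_agg(DISTINCT '<' || dt.tag_name, '>') || '>' as tags
    from dim_site_asset
    LEFT OUTER JOIN dim_asset da USING (asset_id)
    LEFT OUTER JOIN dim_tag_asset dta using (asset_id)
    LEFT OUTER JOIN dim_tag dt using (tag_id)
    GROUP BY asset_id, da.ip_address
  SQL

  pan_url = pan_settings[:pan_url]
  report_timeout = nexpose_settings[:timeout]
  sites = nexpose_settings[:sites]
  dags = nexpose_settings[:dag]
  @log.log_message("Running with user configured site IDs <#{sites}> and dynamic asset group IDs #{dags}.")

  # Credentials only travel into the login helpers; neither they nor the
  # returned API key are interpolated into any log line in this method.
  nsc = Paloalto::NexposeHelper.login(nexpose_settings[:nexpose_url],
                                      nexpose_settings[:nexpose_username],
                                      nexpose_settings[:nexpose_password],
                                      nexpose_settings[:nexpose_port])

  all_sites = nsc.sites
  # nil means "no site filter"; an explicit list (even an empty one) is honoured.
  all_sites.keep_if { |site| sites.include?(site.id) } unless sites.nil?
  site_names = all_sites.map { |site| site.name.to_s }

  dag_query_results = Paloalto::NexposeHelper.generate_dag_asset_groups({ timeout: report_timeout }, nsc)
  dag_details_list = Paloalto::NexposeHelper.parse_dag_details(dag_query_results)
  # Each entry is indexed as [dag_id, dag_name, ...] below; the id is compared as an Integer.
  dag_details_list.keep_if { |dag_details| dags.include?(dag_details[0].to_i) } unless dags.nil?
  # `map` here: the previous `each` logged the whole site / DAG objects instead of their IDs.
  @log.log_message("User has access to the following site IDs <#{all_sites.map(&:id)}> and dynamic asset group IDs #{dag_details_list.map { |dag| dag[0] }}.")

  pan_key = Paloalto::Ngfw.login(pan_url, pan_settings[:pan_username], pan_settings[:pan_password])
  device_config_xml = Paloalto::Ngfw.retrieve_device_config(pan_url, pan_key)
  device_name = Paloalto::Ngfw.parse_device_name(device_config_xml)
  vsys_name = Paloalto::Ngfw.parse_vsys_name(device_config_xml)
  @log.log_message("Found device configuration. Name <#{device_name}> and vsys <#{vsys_name}>.")
  vsys_config = Paloalto::Ngfw.retrieve_device_config(pan_url, pan_key, device_name, vsys_name)

  # The same name list drives both the tag set and the DAG set, so build it once.
  # Parentheses are stripped from site names; DAG names additionally lose single
  # quotes because they are embedded in a quoted DAG filter expression below.
  # NOTE(review): site names are not stripped of quotes, as in the original — a
  # site name containing "'" would break that filter as well; confirm whether
  # parse_asset_query_details applies the same normalisation before aligning them.
  wanted_names = site_names.map { |name| name.gsub(/[()]/, '') }
  wanted_names << 'Nexpose'
  wanted_names.concat(dag_details_list.map { |details| details[1].gsub(/[()']/, '') })

  existing_tags = Paloalto::Ngfw.parse_existing_tags(vsys_config)
  tags_to_create = wanted_names - existing_tags
  @log.log_message("New tags to be created <#{tags_to_create}>.")
  existing_dags = Paloalto::Ngfw.parse_existing_dags(vsys_config)
  dags_to_create = wanted_names - existing_dags
  @log.log_message("New DAGs to be created <#{dags_to_create}>.")

  @log.log_message("Creating tags...")
  tags_xml = tags_to_create.map do |tag|
    Paloalto::Ngfw.generate_tag_xml(tag, 'color3', "Nexpose tag for asset grouping: #{tag}")
  end.join
  unless tags_xml.empty?
    # Logged like the commit response so a rejected tag push is visible.
    tags_response = Paloalto::Ngfw.create_tags(pan_url, pan_key, device_name, vsys_name, tags_xml)
    @log.log_message("Create tags response <#{tags_response}>")
  end

  @log.log_message("Creating DAGs...")
  dags_xml = dags_to_create.map do |dag|
    # Membership filter: carries the shared 'Nexpose' tag AND the group's own tag.
    Paloalto::Ngfw.generate_dag_xml(dag, "'Nexpose' AND '#{dag}'", dag)
  end.join
  unless dags_xml.empty?
    dags_response = Paloalto::Ngfw.create_dags(pan_url, pan_key, device_name, vsys_name, dags_xml)
    @log.log_message("Create DAGs response <#{dags_response}>")
  end

  @log.log_message('Committing the changes...')
  commit_response = Paloalto::Ngfw.commit(pan_url, pan_key)
  @log.log_message("Commit response <#{commit_response}>")

  # Per site: pull the asset/tag report, drop stale registrations, then register afresh.
  all_sites.each do |site|
    @log.log_message("Getting asset details for site <#{site.id}>.")
    report_output = Paloalto::NexposeHelper.generate_report({ timeout: report_timeout, site: site.id.to_s, query: asset_query }, nsc)
    asset_details = Paloalto::NexposeHelper.parse_asset_query_details(report_output, site.name)
    @log.log_message("Unregistering assets for site <#{site.id}>.")
    Paloalto::Ngfw.unregister_devices(pan_url, pan_key, asset_details, site.id)
    @log.log_message("Registering asset details for site <#{site.id}>.")
    Paloalto::Ngfw.register_devices(pan_url, pan_key, asset_details, site.id)
  end

  # Per DAG: only registration is done here (no unregister step, as in the original).
  dag_details_list.each do |dag_details|
    @log.log_message("Getting DAG details for DAG <#{dag_details[0]}>.")
    report_output = Paloalto::NexposeHelper.generate_report({ timeout: report_timeout, query: Paloalto::NexposeHelper.generate_dag_assets_query(dag_details[0]) }, nsc)
    dag_parsed_details = Paloalto::NexposeHelper.parse_dag_query_details(report_output, dag_details[1].gsub(/[()']/, ''))
    @log.log_message("Registering asset details for DAG <#{dag_details[0]}>.")
    Paloalto::Ngfw.register_devices(pan_url, pan_key, dag_parsed_details, "dag_#{dag_details[0]}")
  end

  @log.log_message('Exiting..')
end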