First, we have to authenticate with our authentication key:
curl -v -b cookie -H "Content-Type: application/json" -d '{"authenticationkey":"5gxuXESVCAGYAPho587taXeC"}' http://127.0.0.1:8082/6.4/login
* Trying 127.0.0.1...
* Connected to 127.0.0.1 (127.0.0.1) port 8082 (#0)
> POST /6.4/login HTTP/1.1
> Host: 127.0.0.1:8082
> User-Agent: curl/7.47.0
> Accept: */*
> Cookie: JSESSIONID=5DA43E32F08E101BCC681C96CE79A0AD
> Content-Type: application/json
> Content-Length: 48
>
* upload completely sent off: 48 out of 48 bytes
< HTTP/1.1 200
* Replaced cookie JSESSIONID="D4CF72DA884CCD5A9F30202C6F484540" for domain 127.0.0.1, path /, expire 0
< Set-Cookie: JSESSIONID=D4CF72DA884CCD5A9F30202C6F484540; Path=/; HttpOnly
< Content-Type: application/json
< Content-Length: 0
< Date: Thu, 10 Oct 2019 08:45:59 GMT
<
* Connection #0 to host 127.0.0.1 left intact
Now, to find the policy names, we can do a GET against /elements/fw_policy for our layer-3 FW policy.
curl -b cookie http://127.0.0.1:8082/6.5/elements/fw_policy/
{"result":[{"href":"http://127.0.0.1:8082/6.5/elements/fw_policy/17","name":"demo-lab","type":"fw_policy"},{"href":"http://127.0.0.1:8082/6.5/elements/fw_policy/19","name":"demo","type":"fw_policy"}]}
If you have quite a few policies, use a filter string,
e.g. /elements/fw_policy?filter=myname
Now you can call up that policy and look at the history
curl -b cookie http://127.0.0.1:8082/6.5/elements/fw_policy/19/history
{"creation_time":1570657861418,"creator":"http://127.0.0.1:8082/6.5/elements/admin_user/2","is_locked":true,"is_obsolete":false,"is_trashed":false,"last_modification_time":1570657861418,"modifier":"http://127.0.0.1:8082/6.5/elements/admin_user/2"}
So we can see that the policy was last modified by user #2 at 1570657861418. You can call up user 2 to see the "reference username":
curl -b cookie http://127.0.0.1:8082/6.5/elements/admin_user/2
{"allow_sudo":false,"allowed_to_login_in_shared":true,"can_use_api":true,"console_superuser":false,"enabled":true,"engine_target":[],"key":2,"link":[{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2","rel":"self","type":"admin_user"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/history","rel":"history"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/change_password","rel":"change_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/generate_password","rel":"generate_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/change_engine_password","rel":"change_engine_password"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/enable_disable","rel":"enable_disable"},{"href":"http://127.0.0.1:8082/6.5/elements/admin_user/2/unlock","rel":"unlock"}],"local_admin":false,"name":"kfelix","read_only":false,"superuser":true,"system":false}
This lets you record data and details for auditing, and confirm a modification or whether the policy is locked, and possibly by whom.
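
The same walk (policy list, then /history, then the modifier's admin_user element) as an added Python example, not code from the original post. It runs offline against the responses shown above; the history entry for policy 17 is constructed, and `fetch` is an assumed stand-in for a wrapper around an authenticated session.

```python
from datetime import datetime, timezone

BASE = "http://127.0.0.1:8082/6.5"

# Responses from the session above, trimmed to the fields used here.
# The history entry for policy 17 is constructed for illustration.
SAMPLE = {
    BASE + "/elements/fw_policy": {"result": [
        {"href": BASE + "/elements/fw_policy/17", "name": "demo-lab", "type": "fw_policy"},
        {"href": BASE + "/elements/fw_policy/19", "name": "demo", "type": "fw_policy"}]},
    BASE + "/elements/fw_policy/19/history": {
        "creation_time": 1570657861418, "is_locked": True,
        "last_modification_time": 1570657861418,
        "modifier": BASE + "/elements/admin_user/2"},
    BASE + "/elements/fw_policy/17/history": {  # constructed
        "creation_time": 1570000000000, "is_locked": False,
        "last_modification_time": 1570003600000,
        "modifier": BASE + "/elements/admin_user/2"},
    BASE + "/elements/admin_user/2": {"name": "kfelix", "superuser": True, "enabled": True},
}

def to_utc(ms):
    """The 13-digit values in the history output are epoch milliseconds."""
    return datetime.fromtimestamp(ms / 1000, tz=timezone.utc).isoformat(timespec="seconds")

def audit_policies(fetch, base=BASE):
    """fetch(url) returns decoded JSON (hypothetical helper around the API session)."""
    admins, rows = {}, []  # cache admin lookups: many policies, few admins
    for pol in fetch(base + "/elements/fw_policy")["result"]:
        hist = fetch(pol["href"] + "/history")
        ref = hist.get("modifier")
        if ref and ref not in admins:
            admins[ref] = fetch(ref)
        who = admins.get(ref, {})
        rows.append({
            "policy": pol["name"],
            "locked": hist.get("is_locked", False),
            "last_modified_utc": to_utc(hist["last_modification_time"]),
            # equal timestamps mean the policy was never edited after creation
            "changed_since_creation": hist["last_modification_time"] != hist["creation_time"],
            "modifier": who.get("name", "unknown"),
            "modifier_is_superuser": who.get("superuser", False),
        })
    return rows

if __name__ == "__main__":
    for row in audit_policies(SAMPLE.__getitem__):
        print(row)
```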
NSE ( network security expert) and Route/Switching Engineer
kfelix -----a----t---- socpuppets ---dot---com
^ ^
=( @ @ )=
o
/ \