Hi Darren,
Your input has been a great help! I later thought that it would be better to
isolate suspicious nodes instead of unregistering any node belonging to the
user and therefor simply pulled the source IP out of the CheckPoint logs. I’m
able to successfully query the node’s MAC address that is associated with the
relevant IP and thereafter wanted to update the node to change the role but I’m
stuck there…
# Change node role to Isolation
MAC='00:04:f2:29:35:23';
DATA=`echo -e '{\n "role": "isolation"\n}'`;
# echo "$DATA";
# {
# "role": "isolation"
# }
curl -X PATCH "https://packetfence.redacted.com:1443/api/v1/node/$MAC"; -H
"accept: application/json" -H "Authorization: $TOKEN" -d "$DATA";
# error output:
# {"errors":[],"message":"Cannot update '00:04:f2:29:35:23'","status":404}
curl -X GET "https://packetfence.redacted.com:1443/api/v1/node/$MAC"; -H
"accept: application/json" -H "Authorization: $TOKEN";
{"item":{"autoreg":"no","bandwidth_balance":null,"bypass_role":null,"bypass_role_id":null,"bypass_vlan":null,"category":"computers","category_id":19,"computername":"","detect_date":"2022-09-08
21:45:13","device_class":"VoIP
Device","device_manufacturer":"Polycom","device_score":15,"device_type":"VoIP
Device","device_version":"","dhcp6_enterprise":"","dhcp6_fingerprint":"","dhcp_fingerprint":"","dhcp_vendor":"","last_arp":"0000-00-00
00:00:00","last_connection_sub_type":"","last_connection_type":"Ethernet-NoEAP","last_dhcp":"2022-12-06
17:47:08","last_dot1x_username":"00:04:F2:29:35:23","last_end_time":"0000-00-00
00:00:00","last_ifDesc":"ether18","last_port":"","last_role":"computers","last_seen":"2022-12-23
14:46:26","last_ssid":"","last_start_time":"2022-12-06
17:46:16","last_start_timestamp":1670341576,"last_switch":"192.168.1.14","last_switch_mac":"dc:2c:6e:d2:af:69","last_vlan":"50","lastskip":"0000-00-00
00:00:00","mac":"00:04:f2:29:35:23","machine_account":null,"not_deletable":true,"notes":null,"pid":"default","realm":"null","regdate":"0000-00-00
00:00:00","sessionid":null,"status":"reg","stripped_user_name":"00:04:F2:29:35:23","tenant_id":1,"time_balance":null,"unregdate":"2027-09-08
00:00:00","user_agent":"","voip":"no"},"status":200}
Documentation here doesn’t show ‘role’ as a valid field, am I looking in the
wrong place?
https://www.packetfence.org/doc/api/#/default/api.v1.Nodes.update
Also, an associated question please:
Is it safe to limit the query to 1 for a search of the offending IP address?
Should that locate the last ipv4 log for it or must I structure the query to
sort by that field?
# echo "$DATA";
# {
# "fields": ["mac"],
# "query":{
# "op": "and",
# "values":[
# {
# "op": "or",
# "values":[
# {
# "field": "ip",
# "op": "equals",
# "value": "192.168.5.17"
# }
# ]
# }
# ]
# },
# "limit": 1
# }
MAC=`curl -X POST "https://packetfence.redacted.com:1443/api/v1/ip4logs/search";
-H "accept: application/json" -H "Authorization: $TOKEN" -d "$DATA" | jq -r
'.items[].mac'`;
# Sample output:
# {"items":[{"mac":"00:04:f2:29:35:23"}],"prevCursor":0,"status":200}
PS: The ‘/nodes/bulk_deregister’ API command does not appear in the
documentation either, do you recall where you read up about it?
Regards
David Herselman
From: Satkunas, Darren <dsatk...@akamai.com>
Sent: Thursday, 22 December 2022 15:55
To: packetfence-users@lists.sourceforge.net
Cc: David Herselman <d...@syrex.co>
Subject: Re: [PacketFence-users] Unregistering user's devices via API call?
Hi David,
The API can be used to manage nodes externally.
To get the list of nodes for a user:
curl 'https://localhost:1443/api/v1/nodes/search' \
-H 'Authorization: Bearer
ebb51aad4da62ab87dae7154f8ce5062d8654362f712a4f52d85116c206e6569' \
--data-raw
'{"fields":["mac"],"query":{"op":"and","values":[{"op":"or","values":[{"field":"pid","op":"equals","value":"default"}]}]},"sort":["mac
DESC"],"limit":25}'
To deregister a list of nodes:
curl 'https://localhost:1443/api/v1/nodes/bulk_deregister' \
-X 'PUT' \
-H 'Authorization: Bearer
ebb51aad4da62ab87dae7154f8ce5062d8654362f712a4f52d85116c206e6569' \
--data-raw '{"items":["d3:4d:b4:c0:ff:ee"]}'
More information about the API is available at
https://www.packetfence.org/doc/api/
To obtain an Authorization token refer to /login and /token_info.
Darren Satkunas
Sr. Software Engineer
[signature_3069383668]
Office: +1.617.444.1234
Cell: +1.617.444.1234
Akamai Technologies
145 Broadway
Cambridge, MA 02142
Connect with Us:
[signature_3826658678]<https://community.akamai.com/> [signature_1375463681]
<http://blogs.akamai.com/> [signature_3603380552] <https://twitter.com/akamai>
[signature_4144200882] <http://www.facebook.com/AkamaiTechnologies>
[signature_2223931078] <http://www.linkedin.com/company/akamai-technologies>
[signature_2312383179]
<http://www.youtube.com/user/akamaitechnologies?feature=results_main>
From: David Herselman via PacketFence-users
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
Reply-To:
"packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>"
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
Date: Thursday, December 22, 2022 at 8:35 AM
To:
"packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>"
<packetfence-users@lists.sourceforge.net<mailto:packetfence-users@lists.sourceforge.net>>
Cc: David Herselman <d...@syrex.co<mailto:d...@syrex.co>>
Subject: [PacketFence-users] Unregistering user's devices via API call?
Hi,
We have a CheckPoint firewall which has been configured to replace DNS queries
to known malicious destinations with a bogus DNS trap IP, when devices then
subsequently attempt to connect to that DNS trap IP a reaction script can be
triggered. We are essentially looking for guidance on a web GET/POST/whatever
that we could then initiate to unregister all devices associated with a given
username.
NB: The CheckPoint wouldn’t know the MAC address of the node involved in the
abuse.
To debug the event information from CheckPoint I temporarily simply made the
script log all data it receives:
[Expert@checkpoint-management:0]# cat $RTDIR/bin/ext_commands/block_on_clearpass
#!/bin/bash
EVENT=$(cat)
echo $EVENT >> /tmp/block_on_clearpass
Herewith a sanitised sample:
[Expert@checkpoint-management:0]# tail -n 1 /tmp/block_on_clearpass
(StartTime: 20Dec2022 11:10:26; Uuid: deadbeef-dead-beef-dead-beef00000000;
rowid: ENdeadbeef-dead-beef-dead-beef00000000; id_generated_by_indexer: false;
first: true; sequencenum: 1; log_id: 2000; DisplayName: IP_Block_from_DNS_Trap;
Category: User Defined Events; cu_rule_id:
DEADBEEF-DEAD-BEEF-DEAD-BEEFDEADBEEF; is_correlated: 1; num_of_updates: 0;
is_last: 0; event_start_time: 1671534625; detection_time: 2022-12-20T09:10:26Z;
time_interval: 60; max_num_count_detected: 2; cu_log_count: 2;
cu_detected_by_hostname: checkpoint-management; cu_detected_by: 172.254.254.23;
users_repetitions: 2; aba_customer: SMC User; source_repetitions: 2;
origin_repetitions: 2; destination_repetitions: 2; service_repetitions: 2;
Severity: High; type: Correlated; ProductName: VPN-1 & FireWall-1;
product_family: Access; Destination: (hostname: laptop-joed; countryname:
Israel; IP: 62.0.58.94; repetitions: 1) ; Origin: (IP: 0; hostname:
redacted-fw01; repetitions: 1) ; Service: (port: 443; protocol: 6; servicename:
https; repetitions: 1) ; Source: (user_name: joed; IP: 172.254.254.23;
machine_name: laptop-joed; repetitions: 1) ; logid: 392281947) ;
I’m essentially hoping for a way that I can unregister all nodes belonging to
‘joed’ in the above example…
[cid:image018.gif@01D916DE.BD516840]<https://urldefense.com/v3/__https:/www.syrex.com/__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4EZvTyJw$>
David Herselman | Managing Director
e:
d...@syrex.co<mailto:d...@syrex.co> | o: 086 11 79739<tel:+27117211900> | c:
082 784 7222<tel:082%20784%207222>
a:
turnberry office park, 48 grosvenor road, bryanston,
2021<https://urldefense.com/v3/__https:/maps.google.com/?q=Syrex__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4eLyHauo$>
www.syrex.com<https://urldefense.com/v3/__https:/www.syrex.com/__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4EZvTyJw$>
/
accreditations<https://urldefense.com/v3/__https:/www.syrex.com/accreditations__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4Y4vFTdc$>
This message contains confidential information and is intended only for the
individual named. If you are not the named addressee you should not
disseminate, distribute or copy this email. Please notify the sender
immediately by email if you have received this email by mistake and delete it
from your system. If you are not the intended recipient you are notified that
disclosing, copying, distributing or taking any action in reliance on the
contents of this information is strictly prohibited. Think before you print.
[cid:image019.png@01D916DE.BD516840]<https://urldefense.com/v3/__https:/www.facebook.com/syrexsa__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4EPu1IPw$>
[cid:image020.png@01D916DE.BD516840]<https://urldefense.com/v3/__https:/twitter.com/syrexsa__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4f4GeApk$>
[cid:image021.png@01D916DE.BD516840]<https://urldefense.com/v3/__https:/www.linkedin.com/company/1723334__;!!GjvTz_vk!WOijWqEVW-lP4yvlHEocYGrjS_y0IV_5c-dgj3PDo9CcYCU1kUbAue4oi2J-GL3ypY8kRoJ84Jy1AEew2jtjtYI8PLq4KgBqxqM$>
CHANGE OF BANKING DETAILS
We have not changed our banking details recently. We will not just send an
email to inform you of a change, should we ever do so.
_______________________________________________
PacketFence-users mailing list
PacketFence-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/packetfence-users
