Python 100 project #34: Sophos XG API

I’m using the Sophos Firewall virtual appliance at home. The reason is quite simple: it’s free of charge. There are a number of open-source firewalls, but most of them lack essential features (e.g. antivirus, SSL inspection). Sophos provides the XG Firewall VM for home use, and you can claim a home license, which technically has the same functionality as the business version, just with less performance. In this project, I use Python to access the Sophos XG firewall so that it can be monitored and configured to secure the home network.

 

Output Example:

$ python sophos_base.py 
OrderedDict([('Response',
              OrderedDict([('@APIVersion', '1700.1'),
                           ('Login',
                            OrderedDict([('status',
                                          'Authentication Successful')])),
                           ('SecurityPolicy',
                            [OrderedDict([('@transactionid', ''),
                                          ('Name',
                                           'Auto added firewall policy for '
                                           'MTA'),
                                          ('Description',
                                           'This rule was added automatically '
                                           'by SFOS MTA. However you could '
                                           'edit this policy based on network '
                                           'requirement.'),
                                          ('IPFamily', 'IPv4'),
                                          ('Status', 'Enable'),
                                          ('Position', 'Top'),
                                          ('PolicyType', 'PublicNonHTTPPolicy'),
                                          ('MatchIdentity', 'Disable'),
                                          ('PublicNonHTTPBasedPolicy',
                                           OrderedDict([('ScanSMTP', 'Enable'),
                                                        ('ScanIMAP', 'Disable'),
                                                        ('ScanIMAPS',
                                                         'Disable'),
                                                        ('ScanPOP3', 'Disable'),
                                                        ('ScanSMTPS', 'Enable'),
                                                        ('ScanPOP3S',
                                                         'Disable')])),
                                          ('IntrusionPrevention', 'None'),
                                          ('TrafficShappingPolicy', 'None'),
                                          ('LogTraffic', 'Disable'),
                                          ('ApplyNAT', 'CustomNatPolicy'),
                                          ('OverrideGatewayDefaultNATPolicy',
                                           'Disable'),
                                          ('SourceSecurityHeartbeat',
                                           'Disable'),
                                          ('MinimumSourceHBPermitted',
                                           'No Restriction'),
                                          ('DestSecurityHeartbeat', 'Disable'),
                                          ('MinimumDestinationHBPermitted',
                                           'No Restriction'),
                                          ('OutboundAddress', 'MASQ')]),
                             OrderedDict([('@transactionid', ''),
                                          ('Name', '#Default_Network_Policy'),
                                          ('Description', None),
                                          ('IPFamily', 'IPv4'),
                                          ('Status', 'Enable'),
                                          ('Position', 'After'),
                                          ('PolicyType', 'Network'),
                                          ('After',
                                           OrderedDict([('Name',
                                                         'Auto added firewall '
                                                         'policy for MTA')])),
                                          ('SourceZones',
                                           OrderedDict([('Zone', 'LAN')])),
                                          ('DestinationZones',
                                           OrderedDict([('Zone', 'WAN')])),
                                          ('Schedule', 'All The Time'),
                                          ('Action', 'Accept'),
                                          ('LogTraffic', 'Disable'),
                                          ('MatchIdentity', 'Disable'),
                                          ('DSCPMarking', '-1'),
                                          ('ApplicationControl', 'None'),
                                          ('ApplicationBaseQoSPolicy',
                                           'Revoke'),
                                          ('WebFilter', 'Default Policy'),
                                          ('WebCategoryBaseQoSPolicy',
                                           'Revoke'),
                                          ('IntrusionPrevention',
                                           'lantowan_general'),
                                          ('TrafficShappingPolicy', 'None'),
                                          ('ApplyNAT', 'CustomNatPolicy'),
                                          ('OverrideGatewayDefaultNATPolicy',
                                           'Disable'),
                                          ('PrimaryGateway', None),
                                          ('OutboundAddress', 'MASQ'),
                                          ('BackupGateway', None),
                                          ('ScanHTTP', 'Enable'),
                                          ('ScanHTTPS', 'Disable'),
                                          ('Sandstorm', 'Disable'),
                                          ('ScanFTP', 'Disable'),
                                          ('SourceSecurityHeartbeat',
                                           'Disable'),
                                          ('MinimumSourceHBPermitted',
                                           'No Restriction'),
                                          ('DestSecurityHeartbeat', 'Disable'),
                                          ('MinimumDestinationHBPermitted',
                                           'No Restriction')])])]))])

 

Here is the code:

from dicttoxml import dicttoxml
import xmltodict
import requests

from data_source import sophos_credentials

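def get_config(scope, *, host="firewall-ip", verify=True, timeout=10):
    """Fetch one configuration entity from the Sophos XG XML API.

    Builds a ``<Request>`` document from ``sophos_credentials.SEGFW_INT``
    plus a ``GET`` section for *scope*, sends it to the firewall's
    APIController endpoint on port 4444 and parses the XML reply.

    Args:
        scope: Name of the entity to read, e.g. ``"SecurityPolicy"``.
        host: Address of the firewall. The default ``"firewall-ip"`` is the
            placeholder used in the write-up; pass the real address.
        verify: Forwarded to ``requests`` as ``verify``. Leave it enabled, or
            pass the path to the appliance's exported certificate/CA file
            when the firewall uses a self-signed certificate.
        timeout: Seconds to wait for the firewall before giving up.

    Returns:
        A ``(status_code, parsed_response)`` tuple, where ``parsed_response``
        is the dict produced by ``xmltodict.parse``.
    """
    # Work on a copy: assigning 'GET' on the module-level dict would leave the
    # previous scope behind for every later caller of sophos_credentials.
    param_dict = dict(sophos_credentials.SEGFW_INT)
    param_dict['GET'] = {scope: ""}

    xml = str(dicttoxml(param_dict, custom_root="Request", attr_type=False), 'utf-8')

    url = f"https://{host}:4444/webconsole/APIController"

    # Let requests encode the XML as a query parameter; pasting raw XML into
    # the URL breaks as soon as a value contains '&', '#', '+' or a space.
    # NOTE(review): SEGFW_INT presumably carries the API login, so it travels
    # in the query string and can end up in proxy or access logs -- use a
    # dedicated least-privilege API account and confirm whether the appliance
    # accepts the same request as a POST body.
    # Certificate verification stays on because this request carries the
    # credentials; with verification off, anyone on the network path can
    # impersonate the firewall and read them.
    resp = requests.get(
        url,
        params={"reqxml": xml},
        verify=verify,
        timeout=timeout,
    )

    return resp.status_code, xmltodict.parse(resp.text)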


from pprint import pprint

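# Read the firewall rule set and dump it in a readable form.
ret_code, ret_dict = get_config("SecurityPolicy")

if ret_code == 200:
    # The sample response on this page carries a Response/Login/status field;
    # HTTP 200 on its own does not show that the login was accepted.
    # NOTE(review): confirm how the appliance reports a rejected login.
    pprint(ret_dict)
else:
    # Report the failure instead of exiting silently with no output.
    print(f"Request failed with HTTP status {ret_code}")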