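"""Firewall object inventory: hosts, networks, address groups, services,
service groups and the rule table.

Everything is a plain dict/list so a consumer can serialise it as-is.  The
small ``_host`` / ``_net`` / ``_group`` / ``_svc`` / ``_sgroup`` / ``_span`` /
``_rule`` builders only remove repetition: each produced dict carries exactly
the keys (and the same value types) the hand-written entries had.
"""

_DOMAIN = "avndr.ru"
# Affinity shared by every host and network object.
_OBJECT_AFFINITY = ("fw_cr", "fw_cr_ca")


def _host(hostname, ip, gw, description, prefix="24"):
    """Build one host object.

    ``prefix`` is kept as a *string* ("24") because the original host entries
    used strings here (network objects use an int; see ``_net``).
    """
    return {
        "hostname": hostname,
        "ip": ip,
        "prefix": prefix,
        "gw": gw,
        "domain": _DOMAIN,
        "description": description,
        "type": "host",
        "affinity": list(_OBJECT_AFFINITY),  # fresh list per object, never shared
    }


def _net(hostname, description, ip, prefix=24):
    """Build one network object (``prefix`` is an int, as in the original entries)."""
    return {
        "hostname": hostname,
        "description": description,
        "domain": _DOMAIN,
        "ip": ip,
        "prefix": prefix,
        "type": "network",
        "affinity": list(_OBJECT_AFFINITY),
    }


def _group(name, *hostnames):
    """Build an address group; each member is ``{"hostname": <str>}``."""
    return {"name": name, "items": [{"hostname": h} for h in hostnames]}


def _svc(name, dport, proto, sport="any"):
    """Build one service entry (ports are strings; ranges/lists like "5106,5107" stay as given)."""
    return {"name": name, "sport": sport, "dport": dport, "proto": proto}


# hosts (keyed by hostname; every key equals the object's "hostname")
servers = {
    h["hostname"]: h
    for h in [
        _host("cr", "172.19.20.2", "172.19.20.1", "ЦР ПУЦ + TLS"),
        _host("cs", "172.19.20.3", "172.19.20.1", "ЦС ПУЦ + TLS"),
        _host("rk-uc", "172.19.40.3", "172.19.40.1", "Сервер РК"),
        _host("ntp", "172.19.40.4", "172.19.40.1", "Сервер точного времени-1"),
        _host("pki", "172.19.100.4", "172.19.100.1", "PKI-кластер"),
        _host("mps", "172.19.100.5", "172.19.100.1", "МПС"),
        _host("esia", "172.19.150.4", "172.19.150.1", "ТР-ЕСИА"),
        _host("ko-app", "172.19.110.4", "172.19.110.1", "Сервер КО"),
        _host("ko-db", "172.19.110.5", "172.19.110.1", "Сервер КО СУБД"),
        _host("ko-csp", "172.19.110.6", "172.19.110.1", "Сервер КО СКЗИ"),
        _host("kk-app", "172.19.120.4", "172.19.120.1", "Сервер КК"),
        _host("kk-db", "172.19.120.5", "172.19.120.1", "Сервер КК СУБД"),
        _host("kk-csp", "172.19.120.6", "172.19.120.1", "Сервер КК СКЗИ"),
        _host("core", "172.19.130.4", "172.19.130.1", "Ядро ВВС"),
        _host("core-db", "172.19.130.5", "172.19.130.1", "СУБД Ядро ВВС"),
        _host("arch", "172.19.130.6", "172.19.130.1", "Модуль архивирования"),
        _host("arch-db", "172.19.130.7", "172.19.130.1", "СУБД Модуль архивирования"),
        _host("web-apps", "172.19.130.8", "172.19.130.1", "Сервер веб-приложений СС"),
        _host("aldp", "172.19.140.4", "172.19.140.1", "Сервер ИБ-1 (ALD Pro)"),
        _host("alds", "172.19.140.5", "172.19.140.1", "Сервер ИБ-2 (ALD Pro)"),
        _host("rk", "172.19.140.6", "172.19.140.1", "Сервер РК"),
        _host("ksc", "172.19.140.7", "172.19.140.1", "ВМ Kaspersky Security Center"),
        _host("log", "172.19.140.8", "172.19.140.1", "ВМ Сервер журналирования"),
        _host("repo", "172.19.140.9", "172.19.140.1", "ВМ Сервер репозиторий ПО"),
        _host("zbx", "172.19.140.10", "172.19.140.1", "ВМ Сервер мониторинга (ZbxProxy)"),
        _host("arm-cont4", "172.19.210.2", "172.19.210.1", "АРМ ЦУС Континент 4"),
        _host("arm-web-oper", "172.19.220.2", "172.19.220.1", "ВВС АРМ WEB (1)"),
        _host("arm-web-adm", "172.19.230.2", "172.19.230.1", "ВВС АРМ WEB (2)"),
        # NOTE(review): same ip/gw as "arm-web-adm" — two host objects on one
        # address; kept as given, confirm which one is correct.
        _host("arm-web-pki", "172.19.230.2", "172.19.230.1", "АРМ адм САВС"),
    ]
}

# networks (keyed by hostname, like ``servers``)
nets = {
    n["hostname"]: n
    for n in [
        _net("net_any", "Any", "0.0.0.0", prefix=0),
        _net("net_uc_srv", "Сегмент УЦ ПУЦ+TLS", "172.19.20.0"),
        _net("net_uc_adm_srv", "Административный сегмент УЦ", "172.19.40.0"),
        _net("net_dr_pki", "Сегмент САВС", "172.19.100.0"),
        _net("net_dr_ko", "Сегмент КО", "172.19.110.0"),
        _net("net_dr_kk", "Сегмент КК", "172.19.120.0"),
        _net("net_dr_core_srv", "Сегмент интеграции", "172.19.130.0"),
        _net("net_dr_adm_srv", "Административный сегмент", "172.19.140.0"),
        _net("net_dr_gis_esia", "Сегмент ГИС ЕСИА", "172.19.150.0"),
        _net("net_dr_adm_arm_cont4", "Сегмент администраторов ЦР", "172.19.210.0"),
        _net("net_dr_adm_arm_web1", "Сегмент администраторов ЦР", "172.19.220.0"),
        _net("net_dr_adm_arm_web2", "Сегмент администраторов ЦР", "172.19.230.0"),
        # NOTE(review): same subnet as "net_dr_adm_arm_web2"; kept as given.
        _net("net_dr_adm_arm_pki", "Сегмент администраторов ЦР", "172.19.230.0"),
        _net("net_dr_adm_arm_ngate", "Сегмент администраторов ЦР", "172.19.250.0"),
    ]
}

# address groups (keyed by group name; every key equals the group's "name")
groups = {
    g["name"]: g
    for g in [
        _group("net_any", "0.0.0.0/0"),
        _group("prot_set_uc_adm", "arm-cont3", "arm-cr"),
        _group("prot_set_uc_arm_reg_dr", "arm-cr"),
        _group("prot_set_uc_arm_reg_tls", "arm-cr"),
        _group("prot_set_uc_reg_dr", "cr"),
        _group("prot_set_uc_reg_tls", "cr"),
        # Empty groups: rules that reference them match nothing until filled.
        _group("set_abs"),
        _group("set_cdp"),
        _group("set_dbo"),
        _group("set_dns"),
        _group(
            "set_dr",
            "net_dr_pki",
            "net_dr_gis_esia",
            "net_dr_ko",
            "net_dr_kk",
            "net_dr_core_srv",
            "net_dr_adm_arm_cont4",
            "net_dr_adm_arm_web1",
            "net_dr_adm_arm_web2",
            "net_dr_adm_arm_pki",
            "net_dr_adm_arm_ngate",
        ),
        _group("set_dr_adm_pki_cl", "pki.avndr.ru"),
        _group("set_dr_adm_web_adm", "arm-web-adm.avndr.ru"),
        _group("set_dr_adm_web_oper", "arm-web-oper.avndr.ru"),
        _group("set_dr_arm_ngate", "arm-ngate.avndr.ru"),
        _group("set_dr_esia_tr", "esia.avndr.ru"),
        _group("set_dr_gateout", "core.avndr.ru"),
        _group("set_dr_kk_be", "kk-app.avndr.ru"),
        # Fixed: was "kk-csp.avnd.ru" (domain typo; every other FQDN uses avndr.ru).
        _group("set_dr_kk_crypto", "kk-csp.avndr.ru"),
        _group("set_dr_kk_db", "kk-db.avndr.ru"),
        _group("set_dr_ko_be", "ko-app.avndr.ru"),
        _group("set_dr_ko_crypto", "ko-csp.avndr.ru"),
        _group("set_dr_ko_db", "ko-db.avndr.ru"),
        _group("set_dr_ngate", "ngate-mgmt", "ngate-node01", "ngate-node02"),
        _group("set_dr_ngate_mgmt", "ngate-mgmt"),
        _group("set_dr_ngate_nodes", "ngate-node01", "ngate-node02"),
        _group("set_dr_pki_cluster", "pki.avndr.ru"),
        _group("set_dr_plcr", "cbr_cd-tuz01", "cbr_cd-tuz02", "cbr_cd-tuz03", "cbr_cd-tuz04"),
        _group("set_dr_savs_mps", "mps.avndr.ru"),
        _group("set_dr_savs_mps_be", "mps.avndr.ru"),
        _group("set_dr_savs_mps_crypto", "mps.avndr.ru"),
        _group("set_dr_savs_mps_db", "mps.avndr.ru"),
        _group("set_dr_ss_arch_be", "core.avndr.ru"),
        _group("set_dr_ss_arch_db", "arch-db.avndr.ru"),
        _group("set_dr_ss_core_bbs", "core.avndr.ru"),
        _group("set_dr_ss_core_bbs_db", "core-db.avndr.ru"),
        _group("set_dr_ss_integr_be", "core.avndr.ru"),
        _group("set_dr_ss_keycloak", "core.avndr.ru"),
        _group("set_dr_ss_nginx", "core.avndr.ru"),
        # "-" is a placeholder member, not a resolvable host.
        _group("set_dr_tech_server", "-"),
        _group("set_hsm", "-"),
        _group("set_ksc", "ksc.avndr.ru"),
        _group("set_ntp"),
        _group("set_rubackup_servers", "rk.avndr.ru"),
        _group("set_siem"),
        _group("set_uc", "net_uc_srv", "net_uc_adm_srv", "net_uc_cus_adm", "net_uc_arm_ra"),
        _group("set_uc_adm_arm_reg", "arm-cr"),
        _group("set_uc_arm_hsm", "arm-hsm"),
        _group("set_uc_cgw_ncc3", "gw-uc", "ncc-uc"),
        # NOTE(review): "gw.avndr.ru" is listed twice here and in set_uc_cgw4;
        # kept as given — probably one of them was meant to be another host.
        _group("set_uc_cgw_ncc4", "ncc.avndr.ru", "gw.avndr.ru", "gw02.avndr.ru", "gw.avndr.ru"),
        _group("set_uc_cgw3", "gw-uc"),
        _group("set_uc_cgw4", "gw.avndr.ru", "gw02.avndr.ru", "gw.avndr.ru"),
        _group("set_uc_ncc3", "ncc-uc"),
        _group("set_uc_ncc4", "ncc.avndr.ru"),
        _group("set_uc_ntp", "ntp"),
        _group("set_uc_ntp_prot", "ntp"),
        _group("set_uc_reg_dr", "cs"),
        _group("set_uc_reg_tls", "cr"),
        _group("set_uc_rubackup_servers", "rk-uc"),
        _group("set_zabbix"),
        _group("set_uc_cert_tls", "cs"),
        _group("set_uc_dr", "cs"),
        _group("grp_web_servers", "web01", "web02", "net_dmz"),
    ]
}

# services (keys are short aliases; "name" is the label the firewall shows)
services = {
    "cyberbackup-7780": _svc("cyberbackup-7780-tcp", "7780", "tcp"),
    "cyberbackup-9862": _svc("cyberbackup-9862-tcp", "9862", "tcp"),
    "cyberbackup-9877": _svc("cyberbackup-9877-tcp", "9877", "tcp"),
    "cyberbackup-data-9852": _svc("cyberbackup-data-9852-tcp", "9852", "tcp"),
    "cyberbackup-data-9876": _svc("cyberbackup-data-9876-tcp", "9876", "tcp"),
    "dc-locator": _svc("dc-locator-389-udp", "389", "udp"),
    "dns-tcp": _svc("dns-53-tcp", "53", "tcp"),
    "dns-udp": _svc("dns-53-udp", "53", "udp"),
    "globalcatalog-tcp": _svc("globalcatalog-3268-tcp", "3268", "tcp"),
    "globalcatalog-udp": _svc("globalcatalog-3268-udp", "3268", "udp"),
    "ngate-webcon": _svc("ngate-webcon-8000-tcp", "8000", "tcp"),
    "icmp": _svc("icmp-echo", "-", "icmp-request", sport="-"),
    "syslog-tcp": _svc("syslog-514-tcp", "514", "tcp"),
    "syslog-udp": _svc("syslog-514-udp", "514", "udp"),
    "syslog-10514-udp": _svc("syslog-10514-udp", "10514", "udp"),
    "ssh": _svc("ssh-22-tcp", "22", "tcp"),
    "smtp": _svc("smtp-25-tcp", "25", "tcp"),
    "smtp-tls": _svc("smtp-tls-587-tcp", "587", "tcp"),
    "smtp-ssl": _svc("smtp-ssl-465-tcp", "465", "tcp"),
    "smb": _svc("smb-445-tcp", "445", "tcp"),
    "sn-tls": _svc("sn-tls-443-tcp", "443", "tcp"),
    "sn-pwd-change-tcp": _svc("sn-pwd-change-42464-tcp", "42464", "tcp"),
    "sn-pwd-change-udp": _svc("sn-pwd-change-42464-udp", "42464", "udp"),
    # NOTE(review): the four sn-*lds* labels say 5000x but dport is 3000x —
    # one side is wrong; values kept as given until confirmed.
    "sn-lds-tls": _svc("sn-lds-tls-50001-tcp", "30001", "tcp"),
    "sn-lds": _svc("sn-lds-50000-tcp", "30000", "tcp"),
    "sn-kerberos-tcp": _svc("sn-kerberos-42088-tcp", "42088", "tcp"),
    "sn-kerberos-udp": _svc("sn-kerberos-42088-udp", "42088", "udp"),
    "sn-gc-lds-tls": _svc("sn-gc-lds-tls-50003-tcp", "30003", "tcp"),
    "sn-gc-lds": _svc("sn-gc-lds-50002-tcp", "30002", "tcp"),
    "snmp-trap-162-udp": _svc("snmp-trap-162-udp", "162", "udp"),
    "snmp-161-udp": _svc("snmp-161-udp", "161", "udp"),
    "tls-pcr-processing-ul": _svc("tls-pcr-processing-ul-443-tcp (change)", "443", "tcp"),
    # Fixed: label read "-443-tcl"; proto is tcp like its siblings.
    "tls-pcr-processing-fl": _svc("tls-pcr-processing-fl-443-tcp (change)", "443", "tcp"),
    "tls-pcr-processing-fp": _svc("tls-pcr-processing-fp-443-tcp (change)", "443", "tcp"),
    "rdp-tcp": _svc("rdp-3389-tcp", "3389", "tcp"),
    "rdp-udp": _svc("rdp-3389-udp", "3389", "udp"),
    "psql-tcp": _svc("psql-5432-tcp", "5432", "tcp"),
    "ntp": _svc("ntp-123-udp", "123", "udp"),
    "netbios-137-udp": _svc("netbios-137-udp", "137", "udp"),
    "netbios-138-udp": _svc("netbios-138-udp", "138", "udp"),
    "netbios-139-tcp": _svc("netbios-139-tcp", "139", "tcp"),
    "ldaps": _svc("ldaps-636-tcp", "636", "tcp"),
    "ldap": _svc("ldap-389-tcp", "389", "tcp"),
    "ksc-klserver-13000-udp": _svc("ksc-klserver-13000-udp", "13000", "udp"),
    "ksc-klserver-13000-tcp": _svc("ksc-klserver-13000-tcp", "13000", "tcp"),
    "ksc-klnagent-14000-tcp": _svc("ksc-klnagent-14000-tcp", "14000", "tcp"),
    "ksc-distribution-tls": _svc("ksc-distribution-tls-8061-tcp", "8061", "tcp"),
    "ksc-distribution": _svc("ksc-distribution-8060-tcp", "8060", "tcp"),
    "ksc-webcon": _svc("ksc-webcon-8080-tcp", "8080", "tcp"),
    "klnagent": _svc("klnagent-15000-udp", "15000", "udp"),
    "krb-password-tcp": _svc("krb-password-464-tcp", "464", "tcp"),
    "krb-password-udp": _svc("krb-password-464-udp", "464", "udp"),
    "krb-88-udp": _svc("krb-88-udp", "88", "udp"),
    "krb-88-tcp": _svc("krb-88-tcp", "88", "tcp"),
    "k3-vpn": _svc("k3-vpn-10000-10031-udp", "10000-10031", "udp", sport="10000-10031"),
    "k3-sd-to-ap": _svc("k3-sd-to-ap-7500-udp", "7500", "udp"),
    "k3-filetransfer-5103": _svc("k3-filetransfer-5103-tcp", "5103", "tcp"),
    "k3-messages-5100": _svc("k3-messages-5100-udp", "5100", "udp"),
    "k3-messages-5106-5107": _svc("k3-messages-5106-5107-udp", "5106,5107", "udp"),
    "k3-messages-5109": _svc("k3-messages-5109-udp", "5109", "udp", sport="5100"),
    "k3-messages-5109-tcp": _svc("k3-messages-5109-tcp", "5109", "tcp", sport="5100"),
    "zabbix-agent-active": _svc("zabbix-agent(active)-10051-tcp", "10051", "tcp"),
    "zabbix-agent": _svc("zabbix-agent-10050-tcp", "10050", "tcp"),
    "http": _svc("http-80-tcp", "80", "tcp"),
    "TLS": _svc("TLS", "443", "tcp"),
    "nats-tech-4223": _svc("nats-tech-4223-tcp", "4223", "tcp"),
    "nats-digrub-4222": _svc("nats-digrub-4222-tcp", "4222", "tcp"),
    "nats-tls-4224": _svc("nats-tls-4224-tcp", "4224", "tcp"),
    # NOTE(review): labels "ra-tech-442"/"ra-tls-444" do not match dports
    # 1443/2443; kept as given until confirmed.
    "ra-tech-1443": _svc("ra-tech-442-tcp", "1443", "tcp"),
    "ra-digrub-443": _svc("ra-digrub-443-tcp", "443", "tcp"),
    "ra-tls-2443": _svc("ra-tls-444-tcp", "2443", "tcp"),
    "drweb-ess-2193-tcp": _svc("drweb-ess-2193-tcp", "2193", "tcp"),
}


def _sgroup(name, *keys):
    """Build a service group whose items are the ``services`` dicts for ``keys`` (same objects, not copies)."""
    return {"name": name, "items": [services[k] for k in keys]}


# service groups
service_groups = {
    "sg_dns": _sgroup("sg_dns", "dns-tcp", "dns-udp"),
    "sn-in": _sgroup(
        "SecretNet-In",
        "sn-pwd-change-tcp",
        "sn-pwd-change-udp",
        "sn-lds-tls",
        "sn-lds",
        "sn-kerberos-tcp",
        "sn-kerberos-udp",
        "sn-gc-lds-tls",
        "sn-gc-lds",
    ),
    "ad-ds-in": _sgroup(
        "ADDS-In",
        "dns-tcp",
        "dns-udp",
        "globalcatalog-tcp",
        "globalcatalog-udp",
        "ntp",
        "netbios-137-udp",
        "netbios-138-udp",
        "netbios-139-tcp",
        "ldaps",
        "ldap",
        "krb-password-tcp",
        "krb-password-udp",
        "krb-88-udp",
        "krb-88-tcp",
        "dc-locator",
        "smb",
    ),
    "ksc-in": _sgroup(
        "KasperskySecurityCenter-In",
        "ksc-klserver-13000-udp",
        "ksc-klserver-13000-tcp",
        "ksc-klnagent-14000-tcp",
        "ksc-distribution-tls",
        "ksc-distribution",
    ),
    "klnagent-in": _sgroup("KasperskyLabsNetworkAgent-In", "klnagent"),
    "cyberbackup-in": _sgroup(
        "Cyberbackup-In",
        "cyberbackup-7780",
        # "cyberbackup-9862",
        "cyberbackup-9877",
        # "cyberbackup-data-9852",
        # "cyberbackup-data-9876",
        "smb",
    ),
}


def _span(name, order, affinity=("fw_cr",)):
    """Section header in the rule table; carries no src/dst/service fields."""
    return {"name": name, "order": order, "type": "span", "affinity": list(affinity)}


def _rule(name, order, description, src_list, dst_list, service_list, affinity):
    """Build an allow rule.

    ``src_list`` / ``dst_list`` / ``service_list`` are lists of the object dicts
    defined above (same objects, not copies).  action/log/idp are the constant
    values every original rule used.
    """
    return {
        "name": name,
        "order": order,
        "description": description,
        "src_list": src_list,
        "dst_list": dst_list,
        "service_list": service_list,
        "service_group_list": None,
        "action": "allow",
        # NOTE: these are the *strings* "false" (truthy in Python), kept as-is
        # because the consumer's expected representation is not visible here.
        "log": "false",
        "idp": "false",
        "affinity": list(affinity),
        "type": "rule",
    }


# rules
#
# NOTE(review): apart from the two ICMP rules and to_syslog, every rule below
# carries services["ssh"] as its service (to_dns, to_ksc, to_zabbix, the
# pki_cluster_* and crl_request_* rules, rubackup-*, repo).  As written they
# permit SSH, not the service their description names; the two
# crl_request_*_external rules would admit SSH from net_any to the UC
# registration hosts.  Replace with the intended service per rule before
# these are applied.
_INFRA_AFFINITY = ("fw_ca_cgw", "fw_core")
_UC_AFFINITY = ("fw_ca_cgw",)

rules = [
    _span("Инфраструктурные правила", 1000),
    _rule(
        "ICMP Echo", 1010, "Разрешить ICMP",
        [groups["set_dr"]], [groups["net_any"]], [services["icmp"]], _INFRA_AFFINITY,
    ),
    _rule(
        "ICMP Echo-ext", 1020, "Разрешить ICMP",
        [groups["net_any"]], [groups["set_dr"]], [services["icmp"]], _INFRA_AFFINITY,
    ),
    _rule(
        "to_dns", 1030, "Разрешить доступ к DNS",
        [groups["set_dr"]], [groups["set_dns"]], [services["ssh"]], _INFRA_AFFINITY,
    ),
    _rule(
        "to_syslog", 1040, "Разрешить доступ к Syslog",
        [groups["set_dr"]], [groups["set_siem"]], [services["syslog-tcp"]], _INFRA_AFFINITY,
    ),
    _rule(
        "to_ksc", 1050, "Разрешить доступ к Kaspersky Security Center",
        [groups["set_dr"]], [groups["set_ksc"]], [services["ssh"]], _INFRA_AFFINITY,
    ),
    _rule(
        "to_kaspersky_updates", 1060, "Разрешить доступ к папке обновлений Kaspersky",
        [groups["set_dr"]], [groups["set_ksc"]], [services["ssh"]], _INFRA_AFFINITY,
    ),
    _rule(
        "to_zabbix", 1070, "Разрешить доступ к серверам Zabbix",
        [groups["set_dr"]], [groups["set_zabbix"]], [services["ssh"]], _INFRA_AFFINITY,
    ),
    _span("Взаимодействие в УЦ", 1080),
    _rule(
        "pki_cluster_tls", 1090, "Разрешить обращения PKI-кластер к Центру регистрации УЦ TLS",
        # NOTE(review): mixes a host object with a group object in one src_list;
        # confirm the consumer accepts both shapes here.
        [servers["pki"], groups["set_dr_pki_cluster"]],
        [groups["set_uc_reg_tls"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "pki_cluster_dr", 1100, "Разрешить обращения PKI-кластер к Центру регистрации УЦ УНЭП",
        [groups["set_dr_pki_cluster"]], [groups["set_uc_reg_dr"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "crl_request_tls_external", 1110, "Разрешить доступ к CRL из сети предприятия",
        [groups["net_any"]], [groups["set_uc_reg_tls"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "crl_request_dr_external", 1120, "Разрешить доступ к CRL из сети предприятия",
        [groups["net_any"]], [groups["set_uc_reg_dr"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "rubackup-cmd", 1130, "Управление операциями на клиенте резервного копирования",
        [groups["set_dr"]], [groups["set_rubackup_servers"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "rubackup-media", 1140, "Передача данных между медиасервером и клиентом",
        [groups["set_dr"]], [groups["set_rubackup_servers"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "rubackup-api", 1150, "Управление операциями RuBackup через REST API",
        [groups["set_dr"]], [groups["set_rubackup_servers"]], [services["ssh"]], _UC_AFFINITY,
    ),
    _rule(
        "repo", 1160, "Внутренний репозиторий",
        [groups["set_dr"]], [groups["set_dr_tech_server"]], [services["ssh"]], ("fw_cr",),
    ),
    _span("CC", 1170),
    _span("ngate", 1190),
]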