Device Control features a more powerful way to interact with devices using the Lua programming language. Instead of sending a single command to a device, Lua offers control structures such as loops and conditionals, match functions, etc. Using Lua, you can perform more complex tasks, including making decisions based on the device output.
To create a Lua action, navigate to the Device Control page (Devices > Device Control) and click New Action. Then select Type > Lua from the drop-down menu.
The syntax is straightforward, and it does not require any specific programming experience or knowledge of markup languages like XML. For more information about Lua, see https://www.lua.org/docs.html.
Restorepoint Built-in Functions
The following functions can be used in a Lua applet:
- timeout(seconds) - set the maximum timeout when waiting for device output
- sleep(seconds) - do nothing for the given number of seconds.
- send(command) - send command to the device
- wait(string) - wait for timeout seconds for string from the device
- sendget(command,output) - combined send/wait
- before() - used after wait() or sendget(); it contains the output from the device up to the expected string.
- print(string) - displays the value of string
- splitlines(string) - split a multi-line string (for example, the output of a command) into an array of lines.
Other standard Lua commands that may be useful include string.match, string.gsub, and string.trim.
You do not need to write any code to connect and authenticate to the device. Restorepoint will automatically connect and authenticate the device for you.
Users are not permitted to run any “os” or “system” functions when making Lua scripts. This restriction is in place to maintain the security of your Restorepoint appliance.
Examples
Show Version (Cisco)
A basic example is to display the output of the show version command on a Cisco switch:
timeout(20)
send('show version')
wait('#')
out=before()
print(out)
The send() and wait() commands can also be combined into a sendget():
timeout(20)
sendget("show version","#")
out=before()
print(out)
Show Interface (Cisco)
The following is a more complex example using control structures. It runs show interfaces on a Cisco switch and checks that all interfaces that are not connected (line protocol is down) are also administratively down. Note that everything after -- is a comment, and is not executed:
timeout(20)                        -- set the timeout to 20 seconds
sendget("terminal length 0","#")   -- send command to the device, and
                                   -- wait for the prompt
sendget('show interfaces', '#')
out = before()                     -- set "out" to the output
lines = splitlines(out)            -- split the output lines into array
for k,v in pairs(lines) do         -- loop over each line, and
                                   -- set k=number and v=text
  int,st1,st2 = v:match(
    "^(%S+Ethernet[0-9/]+) is ([a-z ]+), line protocol is ([a-z]+)"
  )                                -- extract the interface name,
                                   -- interface status, and the
                                   -- line protocol status
  if int ~= nil and
     ( st1 ~= 'administratively down' and st2 == 'down' ) then
    print("Interface "..int.." is disconnected but not shutdown")
  end
end                                -- end loop
IP Spoofing (ScreenOS)
For ScreenOS, use the following script to check for ip-spoofing:
timeout(5)
sendget("set console page 0",">")
sendget("get zone | inc L3",">")
ret = before()
sendget("get config | inc ip-spoofing",">")
conf = before()
for zone in ret:gmatch(" [0-9]+ (.-)%s+Sec") do
  -- plain-text find (4th argument true): zone names can contain Lua
  -- pattern characters such as "-", which match() would not treat literally
  if conf:find('zone "'..zone..'" screen ip-spoofing', 1, true) then
    print('Zone '..zone..': antispoofing enabled')
  else
    print('Zone '..zone..': antispoofing disabled')
  end
end
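When a zone name taken from device output is spliced into a Lua pattern, magic characters in the name, such as the hyphen, change what the pattern matches, and a zone can fail to match its own configuration line. The following is an added example, not Restorepoint's own code: it runs in plain Lua against constructed sample output (the zone Branch-DMZ and the helper function names are assumptions) and compares a pattern match with a plain-text string.find.

```lua
-- Added example: plain Lua, no device needed. In a Restorepoint action the
-- two strings would come from before(). All sample text is constructed.
local zones_out = table.concat({
  "   1 Untrust      Sec(L3) Shared trust-vr",
  "   2 Trust        Sec(L3) Shared trust-vr",
  " 100 Branch-DMZ   Sec(L3) Shared trust-vr",
}, "\n")
local conf_out = table.concat({
  'set zone "Trust" screen ip-spoofing',
  'set zone "Branch-DMZ" screen ip-spoofing',
}, "\n")

-- Pattern-based check: the zone name becomes part of a Lua pattern, so the
-- "-" in "Branch-DMZ" acts as a quantifier on "h" instead of a literal hyphen.
local function enabled_pattern(conf, zone)
  return conf:match('zone "' .. zone .. '" screen ip%-spoofing') ~= nil
end

-- Plain-text check: string.find with plain=true treats every character of
-- the search string literally, whatever the zone is called.
local function enabled_plain(conf, zone)
  return conf:find('zone "' .. zone .. '" screen ip-spoofing', 1, true) ~= nil
end

-- Hypothetical helper: build one report line per L3 zone using the given check.
local function audit(zones, conf, check)
  local report = {}
  for zone in zones:gmatch(" [0-9]+ (.-)%s+Sec") do
    local state = check(conf, zone) and "enabled" or "disabled"
    report[#report + 1] = "Zone " .. zone .. ": antispoofing " .. state
  end
  return report
end

print("-- zone name used as a pattern")
for _, line in ipairs(audit(zones_out, conf_out, enabled_pattern)) do
  print(line)
end
print("-- zone name compared as plain text")
for _, line in ipairs(audit(zones_out, conf_out, enabled_plain)) do
  print(line)
end
```

The two reports differ only for Branch-DMZ, which the pattern-based check reports as disabled even though its configuration line is present.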
IP Spoofing (Palo Alto)
For Palo Alto devices, use the following script to check for ip-spoofing:
timeout(5)
sendget("set cli pager off",">")
sendget("set cli config-output-format set",">")
waitprompt()
sendget("configure","#")
send("show zone")
sleep(1)
waitlast("#")
ret = before()
sendget("exit",">")
tbl = {}
for key in ret:gmatch("set zone (.-) ") do
  tbl[key] = true
end
for k, _ in pairs(tbl) do
  send('show zone-protection zone '..k)
  sleep(1)
  waitlast('>')
  ret = before()
  if ret:match('discard%-ip%-spoof:%s+enabled: yes') then
    print('Zone '..k..': antispoofing enabled')
  else
    print('Zone '..k..': antispoofing disabled')
  end
end