Template properties type check-point-autoscale--byol.py AutoProvTemplate my-configuration-template allowUploadDownload 'true' autoscaler_dependencies - check-point-autoscaling-igm autoscalingVersion R80.30 Autoscaling bootDiskSizeGb 100.0 computed_sic_key tagada cpuUsage 60.0 deployment check-point-autoscaling diskType pd-ssd enableEsp true enableIcmp true enableMonitoring false enableSctp true enableTcp true enableUdp true espSourceRanges '' externalNetwork external-vpc externalSubnet security-northbound externalZone us-east1-b gatewayExternalIP true gw_dependencies [] hasInternet 'true' icmpSourceRanges '' igm_dependencies - check-point-autoscaling-tmplt installationType AutoScale instanceSSHKey XXXXXXXX internalNetwork internal-vpc internalSubnet app-subnet internalZone us-east1-b machineType n1-standard-2 managementName my-management maxInstances 3.0 mgmtNIC Ephemeral Public IP (eth0) minInstances 2.0 networkDefinedByRoutes true outputs - name: deployment value: check-point-autoscaling - name: project value: tagadada - name: instanceTemplateName value: check-point-autoscaling-tmplt - name: InstanceTemplateLink value: $(ref.check-point-autoscaling-tmplt.selfLink) - name: IGMname value: check-point-autoscaling-igm - name: IGMLink value: $(ref.check-point-autoscaling-igm.instanceGroup) - name: cpuUsagePercentage value: 60% - name: minInstancesInt value: '2' - name: maxInstancesInt value: '3' project tagadada resources - name: check-point-autoscaling-external-vpc-icmp properties: allowed: - IPProtocol: icmp network: global/networks/external-vpc sourceRanges: - 0.0.0.0/0 targetTags: - checkpoint-gateway type: compute.v1.firewall - name: check-point-autoscaling-external-vpc-udp properties: allowed: - IPProtocol: udp network: global/networks/external-vpc sourceRanges: - 0.0.0.0/0 targetTags: - checkpoint-gateway type: compute.v1.firewall - name: check-point-autoscaling-external-vpc-tcp properties: allowed: - IPProtocol: tcp network: global/networks/external-vpc 
sourceRanges:
# Continuation of the external-vpc-tcp firewall resource begun above. The
# "allowed" entry names only the protocol, so this admits every TCP port from
# any source to instances tagged checkpoint-gateway; presumably the expansion
# of the empty tcpSourceRanges property listed on this page — verify.
- 0.0.0.0/0
targetTags:
- checkpoint-gateway
type: compute.v1.firewall
# Same shape for SCTP and ESP: protocol-wide, 0.0.0.0/0, scoped only by tag.
- name: check-point-autoscaling-external-vpc-sctp
  properties:
    allowed:
    - IPProtocol: sctp
    network: global/networks/external-vpc
    sourceRanges:
    - 0.0.0.0/0
    targetTags:
    - checkpoint-gateway
  type: compute.v1.firewall
- name: check-point-autoscaling-external-vpc-esp
  properties:
    allowed:
    - IPProtocol: esp
    network: global/networks/external-vpc
    sourceRanges:
    - 0.0.0.0/0
    targetTags:
    - checkpoint-gateway
  type: compute.v1.firewall
# Instance template used by the regional IGM that follows it in this config.
- metadata:
    dependsOn: []
  name: check-point-autoscaling-tmplt
  properties:
    project: tagadada
    properties:
      # Required for a gateway that forwards traffic between the two NICs.
      canIpForward: true
      disks:
      - autoDelete: true
        boot: true
        deviceName: check-point-autoscaling-check-point-autoscaling-boot
        # Numeric values are rendered as floats here (0.0, 100.0), presumably
        # from the template's number-typed inputs — confirm against the schema.
        index: 0.0
        initializeParams:
          diskSizeGb: 100.0
          diskType: pd-ssd
          sourceImage: projects/checkpoint-public/global/images/check-point-r8030-gw-byol-273-601-v20200305
        kind: compute#attachedDisk
        mode: READ_WRITE
        type: PERSISTENT
      machineType: n1-standard-2
      metadata:
        items:
        # The startup script below is stored in instance-template metadata and
        # is therefore readable by anyone who can read the template or, on the
        # instance, the metadata server. The template's constant choices
        # (deployment type, SIC key, flags) are already substituted into it.
        - key: startup-script
          value: |2+
            #!/bin/bash
            # Template constants substituted at deployment time.
            # NOTE(review): `echo | tr 'TF' 'tf'` yields an empty string, so every
            # `if "$generatePassword"` below takes its else branch — confirm intended.
            generatePassword="$(echo | tr 'TF' 'tf')"
            allowUploadDownload="true"
            echo "template_name: autoscale" >> /etc/cloud-version
            echo "template_version: 20200312" >> /etc/cloud-version
            # Print the gateway address of NIC $1 as served by the metadata server
            # (get-cloud-data.sh is a Check Point helper, not shown here).
            function get_router() {
            local interface="$1"
            local subnet_router_meta_path="computeMetadata/v1/instance/network-interfaces/$interface/gateway"
            local router="$(get-cloud-data.sh ${subnet_router_meta_path})"
            echo "${router}"
            }
            # Select the Gaia management interface from the mgmtNIC template choice;
            # with the value substituted here this always resolves to eth0.
            function set_mgmt_if() {
            mgmtNIC="Ephemeral Public IP (eth0)"
            local mgmt_int="eth0"
            if [ "X$mgmtNIC" == "XEphemeral Public IP (eth0)" ]; then
            mgmt_int="eth0"
            elif [ "X$mgmtNIC" == "XPrivate IP (eth1)" ]; then
            mgmt_int="eth1"
            fi
            local set_mgmt_if_out="$(clish -s -c "set management interface ${mgmt_int}")"
            echo "${set_mgmt_if_out}"
            }
            # Route the RFC 1918 ranges via the internal NIC's gateway so that
            # internal traffic leaves through eth1 (internalInterfaceNumber=1).
            function set_internal_static_routes() {
            local private_cidrs='10.0.0.0/8 172.16.0.0/12 192.168.0.0/16'
            #Define interface for internal networks and configure
            local interface="$internalInterfaceNumber"
            local router=$(get_router $interface)
            clish -c 'lock database override'
            #Configure static routes destined to internal networks, defined in the RFC 1918, through the internal interface
            for cidr in ${private_cidrs}; do
            echo "setting route to $cidr via gateway $router"
            echo "running clish -c 'set static-route $cidr nexthop gateway address $router on' -s"
            clish -c "set static-route $cidr nexthop gateway address $router on" -s
            done
            }
            # Create the LocalGateway* dynamic objects. On a gateway each object is
            # bound to the NIC's own address; on a management host the objects are
            # created empty. The management branch never reads $interface, so it
            # executes once per entry in $interfaces (i.e. twice).
            function create_dynamic_objects() {
            local is_managment="$1"
            local interfaces='eth0 eth1'
            for interface in ${interfaces}; do
            if ${is_managment}; then
            dynamic_objects -n "LocalGateway"
            dynamic_objects -n "LocalGatewayExternal"
            dynamic_objects -n "LocalGatewayInternal"
            else
            local addr="$(ip addr show dev $interface | awk "/inet/{print \$2; exit}" | cut -d / -f 1)"
            if [ "${interface}" == "eth0" ]; then
            dynamic_objects -n "LocalGateway" -r "$addr" "$addr" -a
            dynamic_objects -n "LocalGatewayExternal" -r "$addr" "$addr" -a
            else
            dynamic_objects -n "LocalGatewayInternal" -r "$addr" "$addr" -a
            fi
            fi
            done
            }
            # Report the provisioning result ($1 = success flag), finish gateway
            # setup, then either reboot ($2 = true) or restart gcpd.
            function post_status() {
            local is_success="$1"
            local need_boot="$2"
            local status
            local value
            local instance_id
            # `if "true"` is a substituted template constant: this branch always runs.
            if "true" ; then
            if "$is_success" ; then
            status="success"
            value="Success"
            else
            status="failure"
            value="Failure"
            fi
            instance_id="$(get-cloud-data.sh computeMetadata/v1/instance/id)"
            # NOTE(review): the next five lines look like a heredoc whose `<<EOF >`
            # was lost in this rendering; as printed, the gcp.py call would run
            # directly and `EOF` would be a command — compare with the template source.
            # $FWDIR is expected from the environment; it is not set in this script.
            cat </etc/software-status
            $FWDIR/scripts/gcp.py POST "/variables" --body '{
            "name": "/variables/status/$status/$instance_id",
            "value": "$(echo $value | base64)"
            }'
            EOF
            fi
            create_dynamic_objects $installSecurityManagement
            if "$installSecurityGateway" ; then
            set_internal_static_routes
            set_mgmt_if
            ##########
            # DA Self update
            # Wait up to ~120 s for DAService to restart (its pid to change) if a
            # Deployment Agent self-update is flagged; on timeout clear the flag
            # (dbset with no value presumably unsets it — verify).
            DAselfUpdateHappening=$(dbget installer:self_update_in_progress)
            if [ "X$DAselfUpdateHappening" == "X1" ]; then
            oldDApid=$(pidof DAService)
            countdown=121
            while [ $((--countdown)) -gt 0 ]
            do
            sleep 1
            DApid=$(pidof DAService)
            if [ "${DApid:-$oldDApid}" -ne "$oldDApid" ]; then
            break
            fi
            done
            if [ $countdown -eq 0 ]; then
            dbset installer:self_update_in_progress
            fi
            fi
            ##########
            fi
            # "False" = "True" is a substituted constant: gcp-statd is never enabled here.
            if "$need_boot" ; then
            if [ "False" = "True" ] ; then
            chkconfig --add gcp-statd
            fi
            shutdown -r now
            else
            service gcpd restart
            if [ "False" = "True" ] ; then
            chkconfig --add gcp-statd
            service gcp-statd start
            fi
            fi
            }
            clish -c 'set user admin shell /etc/cli.sh' -s
            # The case subject is the substituted installationType, so only the
            # "AutoScale" arm is ever taken; the other arms are template leftovers.
            # NOTE(review): the SIC key (computed_sic_key) is embedded in clear text in
            # this metadata value; the SSH key on this page was redacted, this was not.
            case "AutoScale" in
            "Gateway only")
            installSecurityGateway=true
            gatewayClusterMember=false
            installSecurityManagement=false
            sicKey="tagada"
            internalInterfaceNumber=1
            ;;
            "Management only")
            installSecurityGateway=false
            installSecurityManagement=true
            sicKey=notused
            ;;
            "Manual Configuration")
            post_status true false
            exit 0
            ;;
            "Gateway and Management (Standalone)")
            installSecurityGateway=true
            installSecurityManagement=true
            gatewayClusterMember=false
            sicKey=notused
            internalInterfaceNumber=1
            ;;
            "Cluster")
            installSecurityGateway=true
            gatewayClusterMember=true
            installSecurityManagement=false
            sicKey=""
            internalInterfaceNumber=2
            ;;
            "AutoScale")
            installSecurityGateway=true
            gatewayClusterMember=false
            installSecurityManagement=false
            sicKey="tagada"
            internalInterfaceNumber=1
            ;;
            esac
            # Build the '&'-joined first-time-wizard answer strings: $conf for
            # config_system, $blink_conf for blink_config.
            conf="install_security_gw=$installSecurityGateway"
            if ${installSecurityGateway} ; then
            conf="$conf&install_ppak=true"
            blink_conf="gateway_cluster_member=$gatewayClusterMember"
            fi
            conf="$conf&install_security_managment=$installSecurityManagement"
            # Management-only settings; not reached for AutoScale (installSecurityManagement=false).
            if ${installSecurityManagement} ; then
            if "$generatePassword" ; then
            managementAdminPassword="$(get-cloud-data.sh computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)"
            conf="$conf&mgmt_admin_name=admin"
            conf="$conf&mgmt_admin_passwd=$managementAdminPassword"
            else
            conf="$conf&mgmt_admin_radio=gaia_admin"
            fi
            managementGUIClientNetwork=""
            conf="$conf&install_mgmt_primary=true"
            if [ "0.0.0.0/0" = "$managementGUIClientNetwork" ]; then
            conf="$conf&mgmt_gui_clients_radio=any"
            else
            conf="$conf&mgmt_gui_clients_radio=network"
            ManagementGUIClientBase="$(echo ${managementGUIClientNetwork} | cut -d / -f 1)"
            ManagementGUIClientMaskLength="$(echo ${managementGUIClientNetwork} | cut -d / -f 2)"
            conf="$conf&mgmt_gui_clients_ip_field=$ManagementGUIClientBase"
            conf="$conf&mgmt_gui_clients_subnet_field=$ManagementGUIClientMaskLength"
            fi
            fi
            blink_conf="$blink_conf&ftw_sic_key=$sicKey"
            blink_conf="$blink_conf&download_info=$allowUploadDownload"
            blink_conf="$blink_conf&upload_info=$allowUploadDownload"
            conf="$conf&$blink_conf"
            # With generatePassword empty, the admin password is 28 hex chars of
            # SHA-1 over 512 random bytes; nothing in this script records it anywhere.
            if "$generatePassword" ; then
            blink_password="$(get-cloud-data.sh computeMetadata/v1/instance/attributes/adminPasswordSourceMetadata)"
            else
            blink_password="$(dd if=/dev/urandom count=1 2>/dev/null | sha1sum | cut -c -28)"
            fi
            blink_conf="$blink_conf&admin_password_regular=$blink_password"
            # AutoScale always takes the blink_config path. The SIC key and admin
            # password are passed on the command line (and $config_cmd relies on
            # the values containing no whitespace), so they are briefly visible in
            # the process list of the booting instance.
            if [ "Gateway only" = "AutoScale" ] || [ "Cluster" = "AutoScale" ] || [ "AutoScale" = "AutoScale" ]; then
            config_cmd="blink_config -s $blink_conf"
            else
            config_cmd="config_system -s $conf"
            fi
            # The Cluster branch is dead for this deployment; AutoScale ends in
            # post_status true false (no reboot).
            if ${config_cmd} ; then
            if "$installSecurityManagement" ; then
            post_status true "$installSecurityGateway"
            elif [ "Cluster" = "AutoScale" ] ; then
            mgmt_subnet_gw="$(get-cloud-data.sh computeMetadata/v1/instance/network-interfaces/1/gateway)"
            sed -i 's/__CLUSTER_PUBLIC_IP_NAME__/'""'/g' /etc/fw/conf/gcp-ha.json
            sed -i 's/__SECONDARY_PUBLIC_IP_NAME__/'""'/g' /etc/fw/conf/gcp-ha.json
            clish -c 'set static-route '""' nexthop gateway address '"$mgmt_subnet_gw"' on' -s
            post_status true true
            else
            post_status true false
            fi
            else
            post_status false false
            fi

        # Enables the interactive serial console on every instance from this
        # template; review whether that access path is needed for the fleet.
        - key: serial-port-enable
          value: 'true'
        # Redacted on this page.
        - key: instanceSSHKey
          value: ssh-rsa XXXXXX
        kind: compute#metadata
      networkInterfaces:
      # eth0: external VPC with a one-to-one NAT public address (the management
      # interface chosen by mgmtNIC above).
      - accessConfigs:
        - kind: compute#accessConfig
          name: external-nat
          type: ONE_TO_ONE_NAT
        kind: compute#networkInterface
        network: https://www.googleapis.com/compute/v1/projects/tagadada/global/networks/external-vpc
        subnetwork: https://www.googleapis.com/compute/v1/projects/tagadada/regions/us-east1/subnetworks/security-northbound
      # eth1: internal VPC, no public address; subnetwork continues below.
      - kind: compute#networkInterface
        network: https://www.googleapis.com/compute/v1/projects/tagadada/global/networks/internal-vpc
subnetwork: https://www.googleapis.com/compute/v1/projects/tagadada/regions/us-east1/subnetworks/app-subnet scheduling: automaticRestart: true onHostMaintenance: MIGRATE preemptible: false serviceAccounts: - email: default scopes: - https://www.googleapis.com/auth/devstorage.read_only - https://www.googleapis.com/auth/logging.write - https://www.googleapis.com/auth/monitoring.write - https://www.googleapis.com/auth/pubsub - https://www.googleapis.com/auth/service.management.readonly - https://www.googleapis.com/auth/servicecontrol - https://www.googleapis.com/auth/trace.append tags: items: - x-chkp-management--my-management - x-chkp-template--my-configuration-template - checkpoint-gateway - x-chkp-ip-address--public - x-chkp-management-interface--eth0 - x-chkp-topology-eth1--internal - x-chkp-topology-settings-eth1--network-defined-by-routes type: compute.v1.instanceTemplate - metadata: dependsOn: - check-point-autoscaling-tmplt name: check-point-autoscaling-igm properties: baseInstanceName: check-point-autoscaling instanceTemplate: $(ref.check-point-autoscaling-tmplt.selfLink) region: us-east1 targetSize: 2.0 type: compute.v1.regionInstanceGroupManager - metadata: dependsOn: - check-point-autoscaling-igm name: check-point-autoscaling-as properties: autoscalingPolicy: coolDownPeriodSec: 90.0 cpuUtilization: utilizationTarget: 0.6 maxNumReplicas: 3.0 minNumReplicas: 2.0 region: us-east1 target: $(ref.check-point-autoscaling-igm.selfLink) type: compute.v1.regionAutoscaler sctpSourceRanges '' shell /etc/cli.sh tcpSourceRanges '' templateName autoscale templateVersion '20200312' udpSourceRanges ''