topic Re: Azure VMSS - Gaia Certificates in Cloud Firewall

Azure VMSS - Gaia Certificates

Soeren_Rothe — Mon, 06 Apr 2020 11:42:30 GMT

In Azure we use a VMSS with several FW Instances and we would like to configure the scale up and scale down process completely automatically.

For this we use the autoprov-cfg script (-cg) and add a configuration file with all necessary routes etc. for the FW Instances:

It looks more or less like this:

#!/bin/bash # . /tmp/.CPprofile.sh # # clish clish -c 'add host name host.test.org ipv4-address 10.30.10.58' clish -c 'add host name hist2.tes.org ipv4-address 10.30.10.59' clish -c 'set static-route 4.4.0.0/16 nexthop gateway address 10.26.0.241 on' clish -c 'set ntp active on' clish -c 'set ntp server primary 10.30.0.248 version 1' clish -c 'set ntp server secondary 10.30.0.249 version 1' clish -c 'add syslog log-remote-address 10.30.0.205 level all' clish -c 'set expert-password-hash $1234567890' clish -c 'save config' # # # SecureXL Fast Access echo "SAP" | fw ctl fast_accel add 1.1.1.1/32 10.10.10.10/32 50000 6 fw ctl fast_accel enable # # # fw ctl set fw ctl set int fw_reuse_established_conn 3299 # # # fwkern.conf echo "fw_reuse_established_conn=3299" >> $FWDIR/boot/modules/fwkern.conf # # # change sshd sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config service sshd restart # # # change Gaia WebUI SSLCipher cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.ORIGINAL chmod -v u+w /web/templates/httpd-ssl.conf.templ sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1:!3DES/g' /web/templates/httpd-ssl.conf.templ sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.1 +TLSv1.2/g' /web/templates/httpd-ssl.conf.templ chmod -v u-w /web/templates/httpd-ssl.conf.templ #

Problem:

The Gaia Web Certificate contains all VMSS DNS Names and IP Addresses as Subject Alternate Name and we would like to roll it out using the same script which is shown above.

But the Multi Portal is active and the sk95064 doesn't work (change certificate files in /web/conf). The only option would be to change the Portal Port to 4434 for example.

Can we somehow change the WebUI Gaia Port using CLI? "set web ssl-port 4434" is not an option, because it will be overwritten by a policy push.

Therefore we need a command like "mgmt_cli" or something else which is able to change the Portal Port from 443 to 4434.

Re: Azure VMSS - Gaia Certificates

PhoneBoy — Tue, 07 Apr 2020 04:55:04 GMT

There's no official API to change the gateway object platform portal port.
However, it can probably be done with the generic-object API.
That said, it does not appear to be simple.
Hoping @Omer_Kleinstern has an idea how to accomplish this.

Re: Azure VMSS - Gaia Certificates

Omer_Kleinstern — Tue, 07 Apr 2020 09:25:33 GMT

An official API to change the gateway object platform portal port is in development and planned for the next release.

Unfortunately, it cannot be done with the generic-object API.

Re: Azure VMSS - Gaia Certificates

Martin_Valenta — Tue, 07 Apr 2020 11:30:59 GMT

why don't you simply drop all https traffic to gateway and allow just certain source ip's?

Re: Azure VMSS - Gaia Certificates

Soeren_Rothe — Tue, 07 Apr 2020 13:26:02 GMT

Thanks. Do you think there is something available using dbebit?

Re: Azure VMSS - Gaia Certificates

Soeren_Rothe — Tue, 07 Apr 2020 13:27:00 GMT

This is because of PCI regulation. This option is not allowed. 😉

Re: Azure VMSS - Gaia Certificates

PhoneBoy — Tue, 07 Apr 2020 19:57:37 GMT

Looks like something like the following might work:

modify network_objects gw_object portals:0:main_url https://your-ip:4434

You will need to verify in objects_5_0.C that the platform portal is listed first in the portals stanza.
It was in my case, but I'm not sure that's universally true or not.

Re: Azure VMSS - Gaia Certificates

Christian_Riede — Wed, 08 Apr 2020 09:30:03 GMT

Hello Omer,

same challenge here, see https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Generic-API-List-Index/m-p/81217/highlight/false#M4688

when will that new release come out that implements that imho very basic feature in the API?

Regards, Christian Riede

Re: Azure VMSS - Gaia Certificates

Soeren_Rothe — Wed, 08 Apr 2020 11:13:46 GMT

Looks good, my colleague @Matthias_Haas tried it and it seems to work fine 🙂

dbedit> modify network_objects gwr8030v2 portals:0:main_url https://10.0.0.1:4455 dbedit> quit -update_all network_objects::gwr8030v2 Updated Successfully [Expert@mngr8030:0]#