<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible in Ansible</title>
    <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141130#M640</link>
    <description>&lt;P&gt;The github repos are maintained by checkpoint, so they are official.&lt;/P&gt;&lt;P&gt;As of your initial question.&amp;nbsp;I don't think so. It is definitely not possible atm with checkpoints ansible modules. Maybe you can script something on your own with the API but I would not recommend it. But as I wrote already, maybe this will be available later.&lt;/P&gt;</description>
    <pubDate>Thu, 10 Feb 2022 10:21:35 GMT</pubDate>
    <dc:creator>User1234</dc:creator>
    <dc:date>2022-02-10T10:21:35Z</dc:date>
    <item>
      <title>Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/140911#M632</link>
      <description>&lt;P&gt;Hi everyone,&lt;BR /&gt;It is the first time that I write on the forum and I thank you in advance to those who will reply.&lt;/P&gt;
&lt;P&gt;I wanted to know if officially Check Point supports a wipe and rebuild procedure via Ansible for two physical devices (HA clusters).&lt;/P&gt;
&lt;P&gt;I state that I do not know Ansible very well but what was requested of me talking about physical devices is not feasible or conceptually correct for me by whoever made the request. I think instead that it is possible to implement parts of configurations automatically through ansible, for example: creation of interfaces, objects on the FW or routes, even simple repetitive operations during the day, for example installation of Policy.&lt;/P&gt;
&lt;P&gt;I hope someone can confirm or contradict what I think about the customer's request.&lt;BR /&gt;&lt;BR /&gt;Thanks&lt;/P&gt;
</description>
      <pubDate>Tue, 08 Feb 2022 18:38:29 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/140911#M632</guid>
      <dc:creator>Mando_92</dc:creator>
      <dc:date>2022-02-08T18:38:29Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/140938#M633</link>
      <description>&lt;P&gt;Depends on what exactly you mean by "wipe" and what exactly you mean by "rebuild".&lt;/P&gt;
&lt;P&gt;Ansible would have a really hard time reinstalling the OS, for example. Would also have a hard time selecting a snapshot from the boot menu. Those are what I would typically consider a "wipe".&lt;/P&gt;
&lt;P&gt;As for the "rebuild" part, the first-time wizard can be handled with a command called config_system. I don't think that would interact especially well with a declarative desired state system.&lt;/P&gt;</description>
      <pubDate>Tue, 08 Feb 2022 21:45:03 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/140938#M633</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2022-02-08T21:45:03Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141050#M634</link>
      <description>&lt;P&gt;I don't exactly know what you mean by wipe and rebuild, but let me try to summarise my CP ansible experience.&lt;/P&gt;&lt;P&gt;CP offers two ansible plugins: mgmt and gaia.&lt;/P&gt;&lt;P&gt;The &lt;A href="https://galaxy.ansible.com/check_point/mgmt" target="_self"&gt;mgmt plugin&lt;/A&gt; is simply said for managing the rulebase on the Checkpoint Management Server. The modules there are fine for doing "daily tasks" like adding/modifying/deleting objects (hosts, groups, networks, etc.) and rules but do not support any modification of general settings.&lt;BR /&gt;The &lt;A href="https://galaxy.ansible.com/check_point/gaia" target="_self"&gt;gaia plugin&lt;/A&gt; only supports changing hostnames, dns server and physical interfaces at the gaia system. There is not even any documentation for this on ansible (so the only docs are the code on github).&lt;/P&gt;&lt;P&gt;So I would recommend the mgmt plugin only for regular tasks, and the gaia plugin not at all at the moment. This really means at the moment. There are updates getting regularly published, so there is really a progress going on, but there is still a lot to do to really support managing the mgmt and gws with ansible.&lt;/P&gt;&lt;P&gt;If you don't want to wait, there is also the &lt;A href="https://sc1.checkpoint.com/documents/latest/api_reference/index.html" target="_self"&gt;API documentation&lt;/A&gt;, so you could build modules yourself. The CP ansible modules only address the APIs, so if a new API appears, chances are that they will appear as an ansible module as well.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Feb 2022 16:06:55 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141050#M634</guid>
      <dc:creator>User1234</dc:creator>
      <dc:date>2022-02-09T16:06:55Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141077#M637</link>
      <description>&lt;P&gt;Thanks for the reply Bob!&lt;/P&gt;&lt;P&gt;Yes, by wipe and rebuild I meant in case of criticality, the device would be restored to factory settings (lack of a better word) and restore it to the last secure configuration prior to an attack within the infrastructure.&lt;/P&gt;</description>
      <pubDate>Wed, 09 Feb 2022 20:30:44 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141077#M637</guid>
      <dc:creator>Mando_92</dc:creator>
      <dc:date>2022-02-09T20:30:44Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141080#M638</link>
      <description>&lt;P&gt;Thanks for the reply User1234!&lt;BR /&gt;&lt;BR /&gt;Your answer is very complete and detailed and largely confirms what I thought about the customer's request.&lt;/P&gt;&lt;P&gt;When you talk about the code on GitHub, has it been officially verified and approved by Check Point? In case of problems do you think the support would assist us?&lt;BR /&gt;Since the R80.X was released, I have always found the page made available by Check Point about the API very convenient.&lt;/P&gt;&lt;P&gt;Can you then confirm to me that as of today with possible maximum I could do those things reported in my first post?&lt;/P&gt;&lt;P&gt;Thanks for taking the time&lt;/P&gt;</description>
      <pubDate>Wed, 09 Feb 2022 20:44:11 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141080#M638</guid>
      <dc:creator>Mando_92</dc:creator>
      <dc:date>2022-02-09T20:44:11Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141103#M639</link>
      <description>&lt;P&gt;In that case, the answer also depends on what you mean by "device".&lt;/P&gt;
&lt;P&gt;If the cluster members are VMs, and Ansible can interact with the VM platform, it should be possible. You make a "clean" snapshot and clone it or whatever.&lt;/P&gt;
&lt;P&gt;If the cluster members are open servers, a script may be able to interact with the LOM card to present an installation ISO and step through the installation by simulating keystrokes. I don't think Ansible is likely to be able to do this, but something more imperative on the same server might be able to. A PowerShell script or whatever. You&amp;nbsp;&lt;EM&gt;might&lt;/EM&gt; be able to use IPMI for remote installation from an ISO, but I've run across lots of older servers with really iffy IPMI implementations. I like Redfish a lot more, but it's only a few years old, so only newer LOM cards offer it.&lt;/P&gt;
&lt;P&gt;If the cluster members are Check Point branded servers, you're probably out of luck. No official IPMI support, no Redfish support.&lt;/P&gt;
&lt;P&gt;Of course, if you want to rebuild your firewalls because you suspect they may have been compromised, you have big enough problems that you can't really trust the Ansible server either.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Feb 2022 03:36:57 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141103#M639</guid>
      <dc:creator>Bob_Zimmerman</dc:creator>
      <dc:date>2022-02-10T03:36:57Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141130#M640</link>
      <description>&lt;P&gt;The github repos are maintained by checkpoint, so they are official.&lt;/P&gt;&lt;P&gt;As of your initial question.&amp;nbsp;I don't think so. It is definitely not possible atm with checkpoints ansible modules. Maybe you can script something on your own with the API but I would not recommend it. But as I wrote already, maybe this will be available later.&lt;/P&gt;</description>
      <pubDate>Thu, 10 Feb 2022 10:21:35 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/141130#M640</guid>
      <dc:creator>User1234</dc:creator>
      <dc:date>2022-02-10T10:21:35Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/148802#M668</link>
      <description>&lt;P&gt;Doing a rebuild will require some minimal actions. But some of the things you ask for could be done with snapshots on the appliance and if you can run it by hand then you can script it in Ansible.&lt;/P&gt;
&lt;P&gt;Rebuilding a firewall on brand new hardware requires some basic steps. But if you really want to and do the right backups you can automate part of it.&lt;/P&gt;
</description>
      <pubDate>Tue, 17 May 2022 12:40:34 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/148802#M668</guid>
      <dc:creator>Hugo_vd_Kooij</dc:creator>
      <dc:date>2022-05-17T12:40:34Z</dc:date>
    </item>
    <item>
      <title>Re: Cluster FW Check Point - Wipe &amp; Rebuild with Ansible</title>
      <link>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/149271#M669</link>
      <description>&lt;P&gt;Hi Hugo!&lt;BR /&gt;&lt;BR /&gt;Thanks for the response, but an official playbook on Ansible documentation for Check Point that does what you say is not present, only some operations and in part.&lt;/P&gt;&lt;P&gt;To do what you say (custom script) you would need a DevOps net that is very familiar with Check Point firewalls and how they work.&lt;/P&gt;&lt;P&gt;Thanks&lt;/P&gt;</description>
      <pubDate>Mon, 23 May 2022 15:24:31 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Ansible/Cluster-FW-Check-Point-Wipe-amp-Rebuild-with-Ansible/m-p/149271#M669</guid>
      <dc:creator>Mando_92</dc:creator>
      <dc:date>2022-05-23T15:24:31Z</dc:date>
    </item>
  </channel>
</rss>

