topic Re: Automatic Configuration on boot in Firewall and Security Management

Automatic Configuration of Appliance on boot

Nicholas_Sherid — Mon, 24 Sep 2018 06:34:30 GMT

Hi forum,

Linux has a 'cloud-init' script that allows a server to be created and run scripts at time of creation, which something that I've used before with ansible.

The net effect of this is it creates a infrastructure that is completely defined as code, and allows the management of the device through version control, and modified through redeployment. It also allows a 'complete package' to be deployed, effectly allowing infrastructure definition and configuration management to be managed more as a single unit.

Is anyone aware of any such configuraton option available in gaia? Just to emphasise this is automatic configuration at the point of instantiation, and not at reboot.

I ask as there is all this cool ansible stuff avialable now for checkpoint, ideally I just want to be able to deploy a firewall with minimum manual involvement, and be less 'precious' about the VM, so I can be more 'precious' abut the policy.

Thanks!

Re: Automatic Configuration on boot

_Val_ — Mon, 24 Sep 2018 10:14:56 GMT

Did you consider Blink as an option? Blink - Gaia Fast Deployment

Re: Automatic Configuration on boot

Nicholas_Sherid — Mon, 24 Sep 2018 13:10:15 GMT

Hi Valeri,

Looks just the ticket! thanks

Re: Automatic Configuration on boot

Ofir_Shikolski — Tue, 25 Sep 2018 18:32:20 GMT

Are you referring to the physical machine or virtual machine?

AFAIK cloud-init - is been used for the CloudGaurd IaaS - you can see Check Point CloudGaurd IaaS solution for KVM/Azure/AWS/Google that leverage it : vSEC for OpenStack R80.10 Administration Guide "

To launch a Gateway instance with an automated script:

Create a USER-SCRIPT that runs at the time the computer boots up for the first time. Use these commands in the script to configure the password for the OS admin user and to set the gateway as a standalone Security Management Server and Security Gateway. "

Azure: Using Custom Data to execute an initialization script when you launch your Check Point Security Gateway in Microsoft Azu…

AWS: Using User Data to execute an initialization script when you launch your Check Point Security Gateway in AWS

Google Cloud : Check Point CloudGuard IaaS reference architecture for Google Cloud Platform

under "Advanced deployment options:"

For the physical machine:

You can use kickstart or Blink as Valeri Loukine‌ mention or any other automation as Ansible and etc..

I'm personally using Blink , I created install_content.sh file with content :

#!/bin/bash -f
source /etc/profile.d/CP.sh
clish -ic "lock database override"
clish -ic "set user admin shell /bin/bash"
clish -ic "set password-controls complexity 1"
clish -ic "set password-controls history-checking false"
clish -ic "set message banner off"
clish -ic "set message caption on"
clish -ic "set timezone Asia / Jerusalem"
clish -ic "save config"
clish -ic "unlock database"

I use Blink as follow: I first copy to the machine the Blink files

--blink_genrate_answers.sh is a scrip that I made for genrate the Blink answer file

The flow that I use with my Blink , you can use Ansible simple paybook that will run it

tar -tvf /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz
tar -zxvf blink.tgz
chmod -v +x blink
mkdir -p /var/log/bli
./blink -i /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz -x -d /var/log/bli/
chmod 777 blink_genrate_answers.sh
chmod 777 install_content.sh
dos2unix install_content.sh
cp /var/log/MyDIR/install_content.sh /var/log/bli/user_updates/
dos2unix blink_genrate_answers.sh
cd /var/log/bli/installation_logic/
/var/log/MyDIR/blink_genrate_answers.sh
cd /var/log/bli
cat /var/log/bli/installation_logic/answers.xml
cat /var/log/bli/user_updates/install_content.sh
cd /var/log/bli/
nohup ./BlinkInstaller --reimage --delete-old-partition --force &

Re: Automatic Configuration on boot

_Val_ — Wed, 26 Sep 2018 07:51:16 GMT

Perfect explanation, Ofir Sh‌

Re: Automatic Configuration on boot

Nicholas_Sherid — Thu, 27 Sep 2018 06:17:22 GMT

Awesome posts guys!

Last time I used cloud-init I used git to clone a repo that contained my playbooks onto the VM which then ran them on itself, obviously you'd need git and ansible on the firewall mind you just to run as a client.

With this approach jenkins can detect a change when you push to the repo at the next poll, run the infrastructure pipeline, deploy a fresh VM, and apply the configuration. You can always intoduce an interactive step in the pipeline if you are worried about outages caused by unscheduled changes - but being able to effective version control infratructure and configuration was very appealing - namely precision you get with it.

I'll check out this more in my free time but looks very interesting - I guess you can get it to create a SIC and request the latest policy too right? Ideally, I'd like to see " and end to upgrades" and do a fresh install everytime.

Anyone done anything similar? I ask as from what I can gather gaia is 'just' linux right? (not meant to be detrimental) - maybe I am being too ambitious deploying firewalls as a pipeline... (not for my current use case that's for sure!!)

Re: Automatic Configuration on boot

Ofir_Shikolski — Fri, 28 Sep 2018 14:20:24 GMT

Kfir Bachar‌ + Tsahi Etziony‌

Are you using the ISO for installation or the ovf format?

I'm using the ISO format on ESX + PXE server, I fully automate end to end Check Point :

1. Install CKP

2. Pull the OS settings

3. Configure the OS

4. Connect to the MGMT to establish the SIC and GW object

5. Push policy to the GW

For physical appliance I use Blink

I do not have experience with Jenkins I was not able to understand what I can do with that.

HTH,

Ofir S

Re: Automatic Configuration on boot

Nicholas_Sherid — Sat, 29 Sep 2018 10:27:18 GMT

Ah right - I am only really interested in azure - so I guess its a case of creating a custom image with packer or something?

You got any pointers?

Jenkins just keeps track of a repo and manages worker nodes (it executes groovy pipelines) when it sees changes, in it's simplest form. CI/CD stuff.

Because we are all one 'agile' devops happy family right?

Re: Automatic Configuration of Appliance on boot

Ofir_Shikolski — Sat, 29 Sep 2018 17:21:07 GMT

Using Custom Data to execute an initialization script when you launch your Check Point Security Gateway in Microsoft Azu…

Using Custom Data to execute an initialization script when you launch your Check Point Security Gateway in Microsoft Azure

Solution

Introduction

It is now possible to create an initialization script that would be executed the first time you launch your Check Point Security Gateway instance in Microsoft Azure.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.

Prerequisites

It is assumed that the reader is familiar with general Microsoft Azure concepts and services.

Overview

When you launch an instance in Microsoft Azure, you can optionally pass your own custom data to it. The Check Point Security Gateway treats this data as an initialization script. This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.

Note: If no custom data is supplied at boot time, the machine will boot normally and you would need to complete its configuration manually.

Known Limitations

This feature is available starting from R77.30.

Configuration Flow

When the Check Point Security Gateway launches for the first time, it fetches the custom data from Microsoft Azure.

The Security Gateway saves the custom data to a temporary script file and then executes it. The output of the script is redirected to /var/log/cloud-user-data file.

Note: The script would only be executed when the instance boots for the first time.

Setup

Create your own initialization script to be executed when the instance first launches.

You can use the following script as an example:

#!/bin/bash  clish -c 'set hostname HOSTNAME' -s  config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'  shutdown -r now

Where:

Variable	Usage
`HOSTNAME`	The host name.
`SIC_KEY`	Secure Internal communication key - a one-time key used to set up trust with Security Management Server.

This script:

Sets the host name
Uses the config_system utility to automate the First Time Configuration Wizard process
Reboots the instance to complete the installation

Pass the script to Microsoft Azure, when you launch the instance, as explained in Custom Data and Cloud-Init on Microsoft Azure article.

Additional Information and Resources

Custom Data in Microsoft Azure: http://azure.microsoft.com/blog/2014/04/21/custom-data-and-cloud-init-on-windows-azure
sk69701 - How to run the First Time Configuration Wizard through CLI in Gaia
Examples on how to use this in PowerShell and in ARM templates: (Check Point templates are now available as marketplace solution templates.)

Troubleshooting:

The output of the script is saved to the /var/log/cloud-user-data file.

Re: Automatic Configuration of Appliance on boot

Nicholas_Sherid — Sun, 30 Sep 2018 09:04:54 GMT

Awesome - just came acros this, this morning - you beat me to it - thanks!

Custom initialisation script

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk105242

Cloud-init on Azure

https://azure.microsoft.com/en-gb/blog/custom-data-and-cloud-init-on-windows-azure/

Re: Automatic Configuration of Appliance on boot

Nicholas_Sherid — Sun, 30 Sep 2018 13:10:17 GMT

Wrote up a python script to help generate the file

#!/usr/bin/env python

import jinja2

import argparse

def request_template_parameters():

parser = argparse.ArgumentParser(

description='Gather parameters for generating custom data file'

)

parser.add_argument(

'--hostname' ,

action="store" ,

type=str ,

help='The hostname of the firewall'

)

parser.add_argument(

'--install_security_gw' ,

action="store" ,

type=str ,

help='Defining a secure gateway or management function - values are true or false'

)

parser.add_argument(

'--install_ppak' ,

action="store" ,

type=str ,

help='values are true or false'

)

parser.add_argument(

'--install_security_managment' ,

action="store" ,

type=str ,

help='values are true or false'

)

parser.add_argument(

'--ipstat_v6' ,

action="store" ,

type=str ,

help='values are true or false for ipv6'

)

parser.add_argument(

'--sic_key' ,

action="store" ,

type=str ,

help='The one time Secure Internal Communication key'

)

args = parser.parse_args()

hostname = args.hostname

install_security_gw = args.install_security_gw

install_ppak = args.install_ppak

install_security_managment = args.install_security_managment

ipstat_v6 = args.ipstat_v6

sic_key = args.sic_key

return hostname, install_security_gw, install_ppak, install_security_managment, ipstat_v6, sic_key

def load_template(template_filename😞

templateLoader = jinja2.FileSystemLoader(searchpath="./")

templateEnv = jinja2.Environment(loader=templateLoader)

template_object = template_filename

template = templateEnv.get_template(template_object)

return template

def write_to_file(filename, contents😞

file = open(filename,"w")

file.write(contents)

file.close()

def main():

script_input = request_template_parameters()

hostname_input = script_input[0]

install_security_gw_input = script_input[1]

install_ppak_input = script_input[2]

install_security_managment_input = script_input[3]

ipstat_v6_input = script_input[4]

sic_key_input = script_input[5]

template = load_template("cloudguard_init.j2")

# Place arguments here to build up a configuration file to pass to --cloud

outputText = template.render(

hostname = hostname_input ,

install_security_gw = install_security_gw_input ,

install_ppak = install_ppak_input ,

install_security_managment = install_security_managment_input ,

ipstat_v6 = ipstat_v6_input ,

sic_key = sic_key_input

)

print('cloudguard-init.txt file generated in present working directory')

write_to_file("cloudguard-init.txt",outputText)

if __name__ == '__main__':

main()

And the template file

#!/bin/bash

clish -c 'set hostname {{ hostname }} ' -s

config_system -s 'install_security_gw={{ install_security_gw }}&install_ppak={{ install_ppak }}&install_security_managment={{ install_security_managment }}&ipstat_v6={{ ipstat_v6 }}&ftw_sic_key={{ sic_key }}'

shutdown -r now

and usage:

./template_engine.py \

--hostname some_firewall_hostnme \

--install_security_gw true \

--install_ppak true \

--install_security_managment false \

--ipstat_v6 false \

--sic_key some_complex_key

cheers

Re: Automatic Configuration of Appliance on boot

Ofir_Shikolski — Sun, 30 Sep 2018 13:13:20 GMT

Wow amazing

Do you think that you can share it with all under Developer Network ? it will be more awesome

https://community.checkpoint.com/news?streamSource=publication&streamID=87802