Link Load Balacing per User

Thiago_Mourao — Fri, 24 Apr 2020 13:45:06 GMT

Link Load Balacing per User

Security Engineering Brazil

March, 2020

Version 01

Author:

Thiago Mourao, SE

Contents

Creating BPR per User - PoC

Objective

Know Limitation and Requirements

Topology

Scripts

Step by Step

Objective

Change the default route from selected users.

Know Limitation and Requirements

ISP Redundancy cannot be used together with PBR
Need to manually change the object name of each user to match the SCRIPT configuration
To use more than 2 internet Links, the script need to be adapted.
For this PoC we assume that you already have IA integrated with AD using WMI
For this PoC we are using API Key to authenticate instead of User/Pass
IA Configuration "Assume that only one user is connected per computer" need to turned on

Topology

On our lab we are using GloudGuard VE (Virtual Edition) on R80.40 on both Security Gateway and Manager on VMware Workstation 12.

Virtual Environment:

1 x Check Point Gateway R80.40
1 x Check Point Manager R80.40
1 x Microsoft Windows Server 2012 R2
3 x Windows 7 Ultimate

Host Environment:

1 x Notebook (Windows Professional) with VMWare Workstation 12

Scripts

FirstTimeSetup.sh

This script will prepare the environment for the first time run.

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

echo "First time setup"

echo "Creating all files and Gaia configuration"

echo "Creating Exec Directory"

mkdir $EXECDIR

echo "Creating Files"

touch $EXECDIR/PBRPerUser.log

touch $EXECDIR/PBRPerUserLink1.sh

touch $EXECDIR/PBRPerUserLink1_IPs.txt

touch $EXECDIR/PBRPerUserLink1_Table.txt

touch $EXECDIR/PBRPerUserLink1_Table_To_Compare.txt

touch $EXECDIR/PBRPerUserLink1_ToRemove.txt

touch $EXECDIR/PBRPerUserLink1_Users.txt

touch $EXECDIR/PBRPerUserLink1_Watch.sh

touch $EXECDIR/sid_c.txt

echo "Copying Scripts to $EXECDIR"

cp ./PBRPerUserLink1.sh $EXECDIR/PBRPerUserLink1.sh

cp ./PBRPerUserLink1_Watch.sh $EXECDIR/PBRPerUserLink1_Watch.sh

cp ./PBRPerUserLink1_CronJob.sh $EXECDIR/PBRPerUserLink1_CronJob.sh

echo "Change Permission"

chmod 760 $EXECDIR/PBRPerUserLink1.sh

chmod 760 $EXECDIR/PBRPerUserLink1_Watch.sh

chmod 760 $EXECDIR/PBRPerUserLink1_CronJob.sh

echo "Adding System-Startup Recurrence for PBRPerUserLink1_Watch.sh at Cron Job"

clish -c "add cron job PBRPerUserLink1_CronJob command '$EXECDIR/PBRPerUserLink1_CronJob.sh >> $EXECDIR/PBRPerUser.log 2>&1' recurrence system-startup"

if grep -q PBRPerUserLink1_Watch.sh /var/spool/cron/admin; then

echo "Job already in Cron"

else

echo "Creating Cron Job"

echo "##PBRPerUser" >> /var/spool/cron/$EXECUSER

echo "* * * * * $EXECDIR/PBRPerUserLink1_Watch.sh >> $EXECDIR/PBRPerUser.log 2>&1" >> /var/spool/cron/$EXECUSER

echo "Lock Database Override"

clish -c "lock database override"

### Creating IP Reachability Detection ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating IP Reachability Detection"

clish -c "set ip-reachability-detection ping address 200.150.0.100 enable-ping on"

clish -c "set ip-reachability-detection ping address 200.200.0.100 enable-ping on"

### Creating Default Route HA without ISP Redundancy With ICMP Health Checking ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating Default Route HA without ISP Redundancy With ICMP Health Checking"

clish -c "set static-route default nexthop gateway address 200.150.0.100 priority 1 on"

clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip 200.150.0.100 on"

clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip-option fail-any"

clish -c "set static-route default nexthop gateway address 200.200.0.100 priority 2 on"

clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip 200.200.0.100 on"

clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip-option fail-any"

### Creating PBR Table ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating PBR Table"

clish -c "set pbr table PBRPerUserLink1 static-route default nexthop gateway address 200.200.0.100 on"

echo "Saving Config"

clish -c "save config"

PBRPerUserLink1_Watch.sh

This script will check if there is change between the last time the script run and if yes, execute the script to change the PBR

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

APIKEY="4JjIKMtzRCLx8MEs4rcRTg=="

MGMTIP="10.0.50.10"

cd $EXECDIR

echo "#### Executing PBRPerUserScript_Watch.sh at $(date -u) ####"

echo "MGMT Login"

mgmt_cli login --management $MGMTIP api-key $APIKEY > sid_c.txt

echo "Erasing PBRPerUserLink1_Users.txt file"

> PBRPerUserLink1_Users.txt

echo "Getting information from AR_PBRPerUserLink1 Object and saving on file PBRPerUserLink1_Users.txt"

mgmt_cli --management $MGMTIP -s sid_c.txt show access-role name "AR_PBRPerUserLink1" --format json | jq '.users[].name' | awk -F'_' '{gsub(/"/, "", $2); print $2}' > PBRPerUserLink1_Users.txt

echo "MGMT Logout"

mgmt_cli --management $MGMTIP -s sid_c.txt logout

echo "Erasing PBRPerUserLink1_Table.txt file"

> PBRPerUserLink1_Table.txt

echo "Creating Matrix with User and IP Information"

sort PBRPerUserLink1_Users.txt | while read a; do NAME=$a; IP=$(pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}'); echo "$NAME;$IP" >> PBRPerUserLink1_Table.txt; done

echo "Comparing PBRPerUserLink1_Table.txt file with previous version"

diff -q PBRPerUserLink1_Table_To_Compare.txt PBRPerUserLink1_Table.txt 1>/dev/null

if [[ $? == "0" ]]

then

echo "No changes on PBRPerUserLink1_Table.txt file"

else

echo "Running script $EXECDIR/PBRPerUserLink1.sh"

sh PBRPerUserLink1.sh

echo "#### End of Execution of PBRPerUserScript_Watch.sh at $(date -u) ####"

PBRPerUserLink1.sh

This script will change the PBR configuration on Gaia.

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

cd $EXECDIR

echo "#### Executing PBRPerUserScript.sh at $(date -u) ####"

echo "Lock Database Override"

clish -c "lock database override"

echo "Erasing current PBR per User"

cat PBRPerUserLink1_ToRemove.txt | while read a; do clish -c "$a"; done

echo "Erasing old PBRPerUserLink1_IPs.txt file"

> PBRPerUserLink1_IPs.txt

echo "Creating new PBRPerUserLink1_IPs.txt file"

sort PBRPerUserLink1_Users.txt | while read a; do pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}' >> PBRPerUserLink1_IPs.txt; done

echo "Creating PBR Match condition Based on Extracted IP Information form User"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do clish -c "set pbr rule priority $pn match from $a/32"; clish -c "set pbr rule priority $pn action table PBRPerUserLink1"; pn=$((pn+1)); done

echo "Erasing PBRPerUserLink1_ToRemove.txt file"

> PBRPerUserLink1_ToRemove.txt

echo "Create file to remove PBR"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt; pn=$((pn+1)); done

echo "Creating copy of PBRPerUserLink1_Table.txt"

cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt

echo "#### End of Execution of PBRPerUserScript.sh at $(date -u) ####"

PBRPerUserLink1_CronJob.sh

This script will be called by the Cron Job PBRPerUserLink1_CronJob to create a customized Cron Job that will run every minute to check changes on the PDP MONITOR and/or on AR_PBRPerUserLink1 object .

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

cd $EXECDIR

echo "#### Executing PBRPerUserScript.sh at $(date -u) ####"

echo "Lock Database Override"

clish -c "lock database override"

echo "Erasing current PBR per User"

cat PBRPerUserLink1_ToRemove.txt | while read a; do clish -c "$a"; done

echo "Erasing old PBRPerUserLink1_IPs.txt file"

> PBRPerUserLink1_IPs.txt

echo "Creating new PBRPerUserLink1_IPs.txt file"

sort PBRPerUserLink1_Users.txt | while read a; do pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}' >> PBRPerUserLink1_IPs.txt; done

echo "Creating PBR Match condition Based on Extracted IP Information form User"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do clish -c "set pbr rule priority $pn match from $a/32"; clish -c "set pbr rule priority $pn action table PBRPerUserLink1"; pn=$((pn+1)); done

echo "Erasing PBRPerUserLink1_ToRemove.txt file"

> PBRPerUserLink1_ToRemove.txt

echo "Create file to remove PBR"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt; pn=$((pn+1)); done

echo "Creating copy of PBRPerUserLink1_Table.txt"

cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt

echo "#### End of Execution of PBRPerUserScript.sh at $(date -u) ####"

Step by Step

Copy the 3 (three) scripts to the Gateway

Change permission of “FirstTimeSetup.sh”

Execute the “FirstTimeSetup.sh”

Check if CRON JOB was created

PS: Customized Cron Job do not survive to reboot, because of that, we create a Job to bring back the customized Job on Startup.

PPS: If you use Gaia to edit Cron Job, customized Jobs will be erased

Create user for the API authentication

Create the Access Role Object with the name “AR_PBRPerUserLink1” and add all the users that you want to route to the first non-default internet Link

Click on each member of the group and change the object name to match the following structure PBR_[AD_Login]

PS: On this example, the original name of the object was ad_user_Anna_Smith and we changed to PBR_asmith.

Check PBRPerUser.log file to see if the scripts are running well

Check PBRPerUserLink1_Table.txt file to see the Logged Users from the Access Role Object AR_PBRPerUserLink1 and their respective IPs

Check if the respective PBR RULES were created

topic Re: Creating BPR per User - PoC in API / CLI Discussion

Link Load Balacing per User

Re: Creating BPR per User - PoC

Re: Creating BPR per User - PoC

Re: Link Load Balacing per User