Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

If you are playing with the APIs, you will realise there is no API call yet available for cluster deployment. In the meantime, with a little help from R&D, we've created this automation script: "vsecClusterObject.sh"

The script runs from the management server and has many functions available. We leverage DBEDIT code and API calls to help automate the cluster deployment and auto-scaling.

Here are the functions available:

# createClusterObject (4 variables needed):
This will create the cluster object: createClusterObject Cluster_Name Cluster_IP SYNC_Network SYNC_Netmask

EX:

./vsecClusterObject.sh createClusterObject vSECCluster 192.168.1.14 1.1.1.0 255.255.255.0

# Adding Member 1:

# createMemberObject (8 Variables):
This will add member 1 into the cluster object

createMemberObject Cluster_Name Member_Name Management_IP Management_Netmask Sync_IP Sync_Mask External_IP External_Netmask

EX:

./vsecClusterObject.sh createMemberObject vSECCluster member1 192.168.1.15 255.255.255.0 1.1.1.2 255.255.255.0 192.168.2.40 255.255.255.0

./vsecClusterObject.sh createSICWithObject vSECCluster member1 MXEydzNlNHI=

# Adding Member 2:
This will add member 2 into the cluster object
./vsecClusterObject.sh createMemberObject vSECCluster member2 192.168.1.16 255.255.255.0 1.1.1.3 255.255.255.0 192.168.2.41 255.255.255.0
./vsecClusterObject.sh createSICWithObject vSECCluster member2 MXEydzNlNHI=

# createSICWithObject

This function creates the SIC with a previously defined cluster member. IMPORTANT NOTE: the SIC password needs to be encoded in base64.

Once the members are added into the cluster object, we need to define the virtual IP (VIP). This second script does the job:

vip.sh Cluster_Name VIP Interface_Name

EX: for a Cluster with 3 interfaces, we call the script 3 times:

./vip.sh vSECCluster 192.168.1.14 eth0
./vip.sh vSECCluster 1.1.1.1 eth1 # NEED VIP ON SYNC INTERFACE FOR AUTOSCALEUP AND DOWN option
./vip.sh vSECCluster 192.168.2.39 eth2

Now it's time to push the policy:

# pushing Policy:
installPolicyOnObject Cluster_Name Policy_Package_Name
./vsecClusterObject.sh installPolicyOnObject vSECCluster AutomationTest

Now we have a cluster with two members auto-deployed. This opens up the door for auto-scaling. Since we have an HA cluster deployed, we can add a cluster member and switch the cluster mode to LoadSharing. This part of the script does this:

#!/bin/bash

#
# First, we need to add cluster member 3:
echo "=========================="
echo "Adding member3 to cluster "
echo "=========================="
./vsecClusterObject.sh createMemberObject vSECCluster member3 192.168.1.17 255.255.255.0 1.1.1.4 255.255.255.0 192.168.2.42 255.255.255.0
./vsecClusterObject.sh createSICWithObject vSECCluster member3 MXEydzNlNHI=
./vsecClusterObject.sh installPolicyOnObject vSECCluster AutomationTest
echo "=========================="


echo "=========================="
echo "set cluster in LoadSharingMode"
./vsecClusterObject.sh setHAMode vSECCluster LoadSharing
echo "=========================="

# 5
# pushing Policy:
echo "=========================="
echo "Installing policy..."
echo "=========================="
./vsecClusterObject.sh installPolicyOnObject vSECCluster AutomationTest

We now have a cluster of 3 members in loadsharing mode. 

To Scale-Down we just need to delete member3 and switch back to HA mode:

#!/bin/bash

echo "=========================="
echo "Scaling down..."
echo "=========================="
./vsecClusterObject.sh setHAMode vSECCluster HighAvailability
./vsecClusterObject.sh deleteMemberObject member3 vSECCluster
echo "=========================="
echo "Installing policy..."
echo "=========================="
./vsecClusterObject.sh installPolicyOnObject vSECCluster AutomationTest

One way to orchestrate is by using Ansible and calling those scripts with an SSH command on the management server. See the attached Ansible document for a how-to. For a quick test, here is a bash script example that calls all those functions:

create.sh

#!/bin/bash
# 1
# Creating cluster Object:
echo "=========================="
echo "Creating cluster object..."
echo "=========================="
./vsecClusterObject.sh createClusterObject vSECCluster 192.168.1.14 1.1.1.0 255.255.255.0
echo "=========================="

# 2
# Adding Member 1:
echo "=========================="
echo "Adding member1 to cluster "
echo "=========================="
./vsecClusterObject.sh createMemberObject vSECCluster member1 192.168.1.15 255.255.255.0 1.1.1.2 255.255.255.0 192.168.2.40 255.255.255.0
./vsecClusterObject.sh createSICWithObject vSECCluster member1 MXEydzNlNHI=
echo "=========================="


# 3
# Adding Member 2:
echo "=========================="
echo "Adding member2 to cluster "
echo "=========================="
./vsecClusterObject.sh createMemberObject vSECCluster member2 192.168.1.16 255.255.255.0 1.1.1.3 255.255.255.0 192.168.2.41 255.255.255.0
./vsecClusterObject.sh createSICWithObject vSECCluster member2 MXEydzNlNHI=
echo "=========================="

# 4
# Creating Cluster Virtual IP:
echo "==========================="
echo "Creating cluster virtual IP"
echo "==========================="
mgmt_cli login --root true > login.txt
./vip.sh vSECCluster 192.168.1.14 eth0
./vip.sh vSECCluster 1.1.1.1 eth1 # NEED VIP ON SYNC INTERFACE FOR AUTOSCALEUP AND DOWN
./vip.sh vSECCluster 192.168.2.39 eth2
mgmt_cli publish -s login.txt
mgmt_cli logout -s login.txt
rm login.txt
echo "=========================="

# 5
# pushing Policy:
echo "=========================="
echo "Installing policy..."
echo "=========================="
./vsecClusterObject.sh installPolicyOnObject vSECCluster AutomationTest

I hope you enjoy and happy Scripting! 

🙂
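As an added example (my own wrapper, not the poster's script and not Check Point code), the following shell script ties the posted function calls together with the checks the post leaves to the operator: it derives member N's three addresses from the bases used above, validates them, base64-encodes the one-time SIC password taken from an environment variable, uses a single cluster name so a vSECCLuster/vSECCluster mismatch cannot happen, refuses to scale below two members, and wraps the VIP step in an API session that is discarded and logged out on failure instead of leaving login.txt behind. It assumes vsecClusterObject.sh and vip.sh are in the current directory with the argument orders shown in the post, that vip.sh uses the login.txt session the way create.sh does, and that member N is base+N on each network as in the posted addresses. base64 is an encoding, not protection: the value still shows up on the command line and in shell history.

```shell
#!/bin/sh
# Added example, not the original poster's script: a small wrapper around the
# vsecClusterObject.sh and vip.sh functions exactly as the post describes them.
# ASSUMPTIONS: both scripts sit in the current directory on the management
# server, take their arguments in the order shown in the post, and vip.sh uses
# the login.txt session created here (as create.sh in the post does).
set -eu

CLUSTER="vSECCluster"      # one name everywhere: "vSECCLuster" would be a different object
POLICY="AutomationTest"
MASK="255.255.255.0"
# Bases from the post: cluster/management IP, sync VIP, external VIP.
# Member N is base+N on every network (member1 = .15 / 1.1.1.2 / .40, as posted).
MGMT_BASE="192.168.1.14"; SYNC_BASE="1.1.1.1"; EXT_BASE="192.168.2.39"

# Return 0 only for a dotted quad whose four octets are all in 0..255.
valid_ipv4() {
    case "$1" in ""|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    [ "$#" -eq 4 ] || return 1
    for _oct; do [ "$_oct" -le 255 ] || return 1; done
}

# Print dotted IPv4 $1 plus integer offset $2 (carries across octets).
ipv4_add() {
    _off=$2
    _ifs=$IFS; IFS=.; set -- $1; IFS=$_ifs
    _n=$(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 + _off ))
    printf '%d.%d.%d.%d\n' $(( _n / 16777216 % 256 )) $(( _n / 65536 % 256 )) \
                           $(( _n / 256 % 256 )) $(( _n % 256 ))
}

# Print "mgmt sync external" addresses for member N, derived from the bases above.
member_ips() {
    printf '%s %s %s\n' "$(ipv4_add "$MGMT_BASE" "$1")" \
                        "$(ipv4_add "$SYNC_BASE" "$1")" "$(ipv4_add "$EXT_BASE" "$1")"
}

# createSICWithObject wants the one-time SIC password base64-encoded.
# base64 is only an encoding: the value is still readable on the command line.
sic_b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# Reject anything but a positive integer as a member number.
member_no() {
    case "$1" in ""|*[!0-9]*|0) echo "member number must be a positive integer" >&2; return 1 ;; esac
}

# Cluster VIPs in one API session that is always closed: on any failure the
# pending changes are discarded and login.txt is removed instead of left behind.
create_vips() {
    mgmt_cli login --root true > login.txt
    trap 'mgmt_cli discard -s login.txt >/dev/null 2>&1; mgmt_cli logout -s login.txt >/dev/null 2>&1; rm -f login.txt' EXIT
    ./vip.sh "$CLUSTER" "$MGMT_BASE" eth0
    ./vip.sh "$CLUSTER" "$SYNC_BASE" eth1    # VIP on the sync interface is required for scale up/down
    ./vip.sh "$CLUSTER" "$EXT_BASE" eth2
    mgmt_cli publish -s login.txt
    mgmt_cli logout -s login.txt
    rm -f login.txt; trap - EXIT
}

# Scale up: add member N in the same order the post uses; a third member turns
# the cluster into LoadSharing. The SIC password comes from the environment, not argv.
scale_up() {
    member_no "$1"
    : "${SIC_PASSWORD:?export SIC_PASSWORD (the one-time SIC key) before scaling up}"
    set -- "$1" $(member_ips "$1")          # $1=N $2=mgmt $3=sync $4=external
    for _ip in "$2" "$3" "$4"; do valid_ipv4 "$_ip" || { echo "bad address $_ip" >&2; return 1; }; done
    ./vsecClusterObject.sh createMemberObject "$CLUSTER" "member$1" "$2" "$MASK" "$3" "$MASK" "$4" "$MASK"
    ./vsecClusterObject.sh createSICWithObject "$CLUSTER" "member$1" "$(sic_b64 "$SIC_PASSWORD")"
    if [ "$1" -gt 2 ]; then
        ./vsecClusterObject.sh installPolicyOnObject "$CLUSTER" "$POLICY"
        ./vsecClusterObject.sh setHAMode "$CLUSTER" LoadSharing
    fi
    ./vsecClusterObject.sh installPolicyOnObject "$CLUSTER" "$POLICY"
}

# Scale down: never below two members; dropping member3 returns to HighAvailability.
# deleteMemberObject takes member then cluster, as in the posted scale-down script.
scale_down() {
    member_no "$1"
    [ "$1" -gt 2 ] || { echo "refusing to remove member$1: keep at least two members" >&2; return 1; }
    [ "$1" -ne 3 ] || ./vsecClusterObject.sh setHAMode "$CLUSTER" HighAvailability
    ./vsecClusterObject.sh deleteMemberObject "member$1" "$CLUSTER"
    ./vsecClusterObject.sh installPolicyOnObject "$CLUSTER" "$POLICY"
}

case "${1:-}" in
    vips) create_vips ;;
    up)   scale_up "${2:?member number required}" ;;
    down) scale_down "${2:?member number required}" ;;
    "")   ;;                        # no arguments: only define the functions (file can be sourced)
    *)    echo "usage: $0 vips | up N | down N" >&2; exit 2 ;;
esac
```

Usage on the management server: `./scale.sh vips` after the two initial members exist, then `SIC_PASSWORD=... ./scale.sh up 3` and `./scale.sh down 3`. The member-number and address checks run before anything touches the management database, so a typo fails fast instead of creating a half-configured object.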

9 Replies
Admin

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Nice 🙂

Employee++

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Excellent work! You master the API and jq really well.

Please be careful using the "generic-objects" API: it is not supported and it will be dismissed in the future, once the new gateway/cluster schema changes.

Take a look at our Ansible development kit on GitHub:

GitHub - CheckPoint-APIs-Team/cpAnsible: Ansible module provides control over a Check Point Manageme... 

You can try and further leverage it for your future uses.

Robert.

Employee+

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Thanks Robert


Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

nice, THX

Employee+

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Great material, thanks Nicolas!

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

As R80.20 is in the EA stage, I would expect that the API will support cluster handling.

In fact this is not true, and the R80.20 API (version 1.2) cannot do anything with cluster deployment.

Any plans on that? For example, creating new VLANs using the API?

Kind regards,
Jozko Mrkvicka
Employee++

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Hi Jozko,

The development of new gateway/cluster/vsx objects is still in progress.

This is a major shift from R77.x into R80.x and it takes time.

Once the development of these objects is completed, it will also include full API support.

Robert.

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Hi Robert,

Thank you for letting us know that this topic is still ongoing 🙂

Hope it will be included in R80.30.

Kind regards,
Jozko Mrkvicka
Employee

Re: Cloud Guard: Automated firewall Cluster Deployment with auto-scaling option

Great stuff. New API commands need a lot of time and this seems to be a great option.
