Link Load Balancing per User

 

Security Engineering Brazil

March, 2020

Version 01

 

Author:

Thiago Mourao, SE

 

Contents

  • Creating PBR per User - PoC
  • Objective
  • Known Limitations and Requirements
  • Topology
  • Scripts
  • Step by Step

Objective

Change the default route for selected users.

 

Known Limitations and Requirements

  • ISP Redundancy cannot be used together with PBR
  • The object name of each user needs to be changed manually to match the SCRIPT configuration
  • To use more than 2 internet links, the script needs to be adapted
  • For this PoC we assume that you already have Identity Awareness (IA) integrated with AD using WMI
  • For this PoC we use an API key to authenticate instead of User/Pass
  • The IA configuration "Assume that only one user is connected per computer" needs to be turned on

 

Topology

[Image: Thiago_Mourao_1-1585618933112.png]

In our lab we are using CloudGuard VE (Virtual Edition) R80.40 for both the Security Gateway and the Security Management Server, running on VMware Workstation 12.

 

Virtual Environment:

  • 1 x Check Point Gateway R80.40
  • 1 x Check Point Manager R80.40
  • 1 x Microsoft Windows Server 2012 R2
  • 3 x Windows 7 Ultimate

 

Host Environment:

  • 1 x Notebook (Windows Professional) with VMware Workstation 12

 

 

Scripts

FirstTimeSetup.sh

This script prepares the environment for the first run: it creates the working directory and state files, installs the scripts, registers the cron jobs and applies the Gaia routing configuration.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

# Script directory
EXECDIR="/home/admin/PBRPerUser"
# User that will execute the scripts and the cron job
EXECUSER="admin"

echo "First time setup"
echo "Creating all files and Gaia configuration"

echo "Creating Exec Directory"
mkdir -p "$EXECDIR"

echo "Creating Files"
touch "$EXECDIR/PBRPerUser.log"
touch "$EXECDIR/PBRPerUserLink1.sh"
touch "$EXECDIR/PBRPerUserLink1_IPs.txt"
touch "$EXECDIR/PBRPerUserLink1_Table.txt"
touch "$EXECDIR/PBRPerUserLink1_Table_To_Compare.txt"
touch "$EXECDIR/PBRPerUserLink1_ToRemove.txt"
touch "$EXECDIR/PBRPerUserLink1_Users.txt"
touch "$EXECDIR/PBRPerUserLink1_Watch.sh"
touch "$EXECDIR/sid_c.txt"

echo "Copying Scripts to $EXECDIR"
cp ./PBRPerUserLink1.sh "$EXECDIR/PBRPerUserLink1.sh"
cp ./PBRPerUserLink1_Watch.sh "$EXECDIR/PBRPerUserLink1_Watch.sh"
cp ./PBRPerUserLink1_CronJob.sh "$EXECDIR/PBRPerUserLink1_CronJob.sh"

echo "Change Permission"
# Owner read/write/execute, group read/write, nothing for others: the Watch script holds the API key
chmod 760 "$EXECDIR/PBRPerUserLink1.sh"
chmod 760 "$EXECDIR/PBRPerUserLink1_Watch.sh"
chmod 760 "$EXECDIR/PBRPerUserLink1_CronJob.sh"

echo "Adding System-Startup Recurrence for PBRPerUserLink1_Watch.sh at Cron Job"
clish -c "add cron job PBRPerUserLink1_CronJob command '$EXECDIR/PBRPerUserLink1_CronJob.sh >> $EXECDIR/PBRPerUser.log 2>&1' recurrence system-startup"

# The every-minute job is a custom crontab line; check before appending so a re-run does not add a duplicate
if grep -q PBRPerUserLink1_Watch.sh "/var/spool/cron/$EXECUSER"; then
    echo "Job already in Cron"
else
    echo "Creating Cron Job"
    echo "##PBRPerUser" >> "/var/spool/cron/$EXECUSER"
    echo "*       *       *       *       * $EXECDIR/PBRPerUserLink1_Watch.sh >> $EXECDIR/PBRPerUser.log 2>&1" >> "/var/spool/cron/$EXECUSER"
fi

echo "Lock Database Override"
clish -c "lock database override"

### Creating IP Reachability Detection ###
### CHANGE THE IPs TO REFLECT YOUR OWN ENVIRONMENT ###
echo "Creating IP Reachability Detection"
clish -c "set ip-reachability-detection ping address 200.150.0.100 enable-ping on"
clish -c "set ip-reachability-detection ping address 200.200.0.100 enable-ping on"

### Creating Default Route HA without ISP Redundancy, with ICMP health checking ###
### CHANGE THE IPs TO REFLECT YOUR OWN ENVIRONMENT ###
echo "Creating Default Route HA without ISP Redundancy With ICMP Health Checking"
clish -c "set static-route default nexthop gateway address 200.150.0.100 priority 1 on"
clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip 200.150.0.100 on"
clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip-option fail-any"
clish -c "set static-route default nexthop gateway address 200.200.0.100 priority 2 on"
clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip 200.200.0.100 on"
clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip-option fail-any"

### Creating PBR Table ###
### CHANGE THE IP TO REFLECT YOUR OWN ENVIRONMENT ###
echo "Creating PBR Table"
clish -c "set pbr table PBRPerUserLink1 static-route default nexthop gateway address 200.200.0.100 on"

echo "Saving Config"
clish -c "save config"

 

 

 

PBRPerUserLink1_Watch.sh

This script checks whether the user/IP table has changed since the last run and, if it has, executes the script that changes the PBR configuration.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

# Script directory
EXECDIR="/home/admin/PBRPerUser"
# User that will execute the scripts and the cron job
EXECUSER="admin"
# API key of the management user created for this PoC (stored in clear text in this file, hence the 760 permissions)
APIKEY="4JjIKMtzRCLx8MEs4rcRTg=="
MGMTIP="10.0.50.10"

cd "$EXECDIR" || exit 1

echo "#### Executing PBRPerUserLink1_Watch.sh at $(date -u) ####"
echo "MGMT Login"
mgmt_cli login --management "$MGMTIP" api-key "$APIKEY" > sid_c.txt
echo "Erasing PBRPerUserLink1_Users.txt file"
> PBRPerUserLink1_Users.txt
echo "Getting information from AR_PBRPerUserLink1 Object and saving on file PBRPerUserLink1_Users.txt"
# Member names follow the PBR_[AD_Login] convention; keep only the login part after the underscore
mgmt_cli --management "$MGMTIP" -s sid_c.txt show access-role name "AR_PBRPerUserLink1" --format json | jq '.users[].name' | awk -F'_' '{gsub(/"/, "", $2); print $2}' > PBRPerUserLink1_Users.txt
echo "MGMT Logout"
mgmt_cli --management "$MGMTIP" -s sid_c.txt logout
echo "Erasing PBRPerUserLink1_Table.txt file"
> PBRPerUserLink1_Table.txt
echo "Creating Matrix with User and IP Information"
# One "login;ip" line per user, taken from the PDP (Identity Awareness) session table
sort PBRPerUserLink1_Users.txt | while read -r a; do
    NAME=$a
    IP=$(pdp monitor user "$a" | grep "Ip: " | awk '{print $2}')
    echo "$NAME;$IP" >> PBRPerUserLink1_Table.txt
done
echo "Comparing PBRPerUserLink1_Table.txt file with previous version"
if diff -q PBRPerUserLink1_Table_To_Compare.txt PBRPerUserLink1_Table.txt >/dev/null; then
    echo "No changes on PBRPerUserLink1_Table.txt file"
else
    echo "Running script $EXECDIR/PBRPerUserLink1.sh"
    sh PBRPerUserLink1.sh
fi
echo "#### End of Execution of PBRPerUserLink1_Watch.sh at $(date -u) ####"

 

PBRPerUserLink1.sh

This script changes the PBR configuration on Gaia: it removes the rules created by the previous run, creates one rule per currently logged-in user IP, and records the commands needed to remove them next time.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

# Script directory
EXECDIR="/home/admin/PBRPerUser"
# User that will execute the scripts and the cron job
EXECUSER="admin"

cd "$EXECDIR" || exit 1

echo "#### Executing PBRPerUserLink1.sh at $(date -u) ####"
echo "Lock Database Override"
clish -c "lock database override"
echo "Erasing current PBR per User"
# Each line of the ToRemove file is a "set pbr rule priority N off" command written by the previous run
while read -r a; do clish -c "$a"; done < PBRPerUserLink1_ToRemove.txt
echo "Erasing old PBRPerUserLink1_IPs.txt file"
> PBRPerUserLink1_IPs.txt
echo "Creating new PBRPerUserLink1_IPs.txt file"
sort PBRPerUserLink1_Users.txt | while read -r a; do
    pdp monitor user "$a" | grep "Ip: " | awk '{print $2}' >> PBRPerUserLink1_IPs.txt
done
echo "Creating PBR Match condition Based on Extracted IP Information from User"
# One PBR rule per IP, priorities counted up from 100; reading from a redirect (not a pipe) keeps $pn in this shell
pn=100
while read -r a; do
    clish -c "set pbr rule priority $pn match from $a/32"
    clish -c "set pbr rule priority $pn action table PBRPerUserLink1"
    pn=$((pn+1))
done < PBRPerUserLink1_IPs.txt
echo "Erasing PBRPerUserLink1_ToRemove.txt file"
> PBRPerUserLink1_ToRemove.txt
echo "Create file to remove PBR"
pn=100
while read -r a; do
    echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt
    pn=$((pn+1))
done < PBRPerUserLink1_IPs.txt
echo "Creating copy of PBRPerUserLink1_Table.txt"
cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt
echo "#### End of Execution of PBRPerUserLink1.sh at $(date -u) ####"
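The rule-creation loop in PBRPerUserLink1.sh interpolates whatever `pdp monitor user` and `awk` returned straight into a clish command. As an added example (not part of the original post or its scripts), the functions below generate the same `set pbr rule` commands and the matching `off` list from a file of IPs, but accept only well-formed IPv4 addresses, so an empty line (a user with no current IP) or an unexpected token (a changed `pdp` output format) is reported and skipped instead of becoming a rule. The table name `PBRPerUserLink1` and the starting priority 100 are taken from the scripts; the input file is constructed here, and the commands are printed rather than passed to clish.

```bash
#!/bin/bash
# Added example, not from the original post: generate the clish commands the
# PBRPerUserLink1.sh loop issues, but only for well-formed IPv4 addresses.

# is_ipv4 ADDR: succeed only for a dotted quad with four octets in 0..255.
is_ipv4() {
    ip=$1
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $ip
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
    return 0
}

# build_pbr_rules IPFILE [TABLE]: print two "set pbr rule" commands per valid
# IP, with priorities counted up from 100 as in the original script. Invalid
# lines are reported on stderr and skipped, so priorities stay contiguous.
build_pbr_rules() {
    file=$1
    table=${2:-PBRPerUserLink1}
    pn=100
    while IFS= read -r ip; do
        if ! is_ipv4 "$ip"; then
            echo "skipping line that is not an IPv4 address: '$ip'" >&2
            continue
        fi
        echo "set pbr rule priority $pn match from $ip/32"
        echo "set pbr rule priority $pn action table $table"
        pn=$((pn+1))
    done < "$file"
}

# build_pbr_removals IPFILE: print the matching "off" command for each rule
# that build_pbr_rules would create, i.e. the content of the ToRemove file.
build_pbr_removals() {
    file=$1
    pn=100
    while IFS= read -r ip; do
        is_ipv4 "$ip" || continue
        echo "set pbr rule priority $pn off"
        pn=$((pn+1))
    done < "$file"
}

# Constructed sample standing in for PBRPerUserLink1_IPs.txt: two good
# addresses, an out-of-range octet, an empty line (user with no IP) and junk.
SAMPLE_IPS=$(mktemp)
printf '%s\n' "10.0.1.21" "10.0.1.300" "" "10.0.1.22" "not-an-ip" > "$SAMPLE_IPS"
build_pbr_rules "$SAMPLE_IPS"       # prints 4 commands, priorities 100 and 101
build_pbr_removals "$SAMPLE_IPS"    # prints 2 "off" commands
rm -f "$SAMPLE_IPS"
```

Because invalid lines are skipped in both functions, the removal list always lines up with the rules that were actually created, which is what the next run relies on when it tears the old rules down.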

 

 

 

PBRPerUserLink1_CronJob.sh

This script is called by the Gaia cron job PBRPerUserLink1_CronJob to create a customized cron job that runs every minute to check for changes on the PDP MONITOR and/or on the AR_PBRPerUserLink1 object.

#!/bin/bash -f
source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

# Script directory
EXECDIR="/home/admin/PBRPerUser"
# User that will execute the scripts and the cron job
EXECUSER="admin"

cd "$EXECDIR" || exit 1

echo "#### Executing PBRPerUserScript.sh at $(date -u) ####"
echo "Lock Database Override"
clish -c "lock database override"
echo "Erasing current PBR per User"
while read -r a; do clish -c "$a"; done < PBRPerUserLink1_ToRemove.txt
echo "Erasing old PBRPerUserLink1_IPs.txt file"
> PBRPerUserLink1_IPs.txt
echo "Creating new PBRPerUserLink1_IPs.txt file"
sort PBRPerUserLink1_Users.txt | while read -r a; do
    pdp monitor user "$a" | grep "Ip: " | awk '{print $2}' >> PBRPerUserLink1_IPs.txt
done
echo "Creating PBR Match condition Based on Extracted IP Information from User"
pn=100
while read -r a; do
    clish -c "set pbr rule priority $pn match from $a/32"
    clish -c "set pbr rule priority $pn action table PBRPerUserLink1"
    pn=$((pn+1))
done < PBRPerUserLink1_IPs.txt
echo "Erasing PBRPerUserLink1_ToRemove.txt file"
> PBRPerUserLink1_ToRemove.txt
echo "Create file to remove PBR"
pn=100
while read -r a; do
    echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt
    pn=$((pn+1))
done < PBRPerUserLink1_IPs.txt
echo "Creating copy of PBRPerUserLink1_Table.txt"
cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt
echo "#### End of Execution of PBRPerUserScript.sh at $(date -u) ####"

 

Step by Step

  • Copy the 3 (three) scripts to the Gateway

[Image: Thiago_Mourao_2-1585618933115.png]

  • Change the permissions of "FirstTimeSetup.sh"

[Image: Thiago_Mourao_3-1585618933118.png]

  • Execute "FirstTimeSetup.sh"

[Image: Thiago_Mourao_4-1585618933120.png]

  • Check that the CRON JOB was created

[Image: Thiago_Mourao_5-1585618933123.png]

PS: Customized cron jobs do not survive a reboot; because of that, we create a Gaia job that brings the customized job back on startup.

PPS: If you use Gaia to edit cron jobs, customized jobs will be erased.
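The startup job described above has to put the custom crontab line back without ever creating a second copy, since the same logic runs both at every boot and whenever FirstTimeSetup.sh is re-executed. As an added example (not the post's own PBRPerUserLink1_CronJob.sh), the function below performs that idempotent re-add against whatever crontab path it is given, using the same `##PBRPerUser` marker and every-minute line as FirstTimeSetup.sh; the scratch file at the end is constructed so the function can be exercised without touching /var/spool/cron.

```bash
#!/bin/bash
# Added example, not from the original post: idempotently restore the custom
# every-minute crontab line so a system-startup job can re-create it after a
# reboot (or after Gaia's cron editor wiped it) without adding a duplicate.

# ensure_watch_cron CRONTAB_FILE SCRIPT LOGFILE
# Appends the marker comment and the cron line for SCRIPT unless CRONTAB_FILE
# already references SCRIPT. Prints "added" or "present".
ensure_watch_cron() {
    crontab_file=$1
    script=$2
    log=$3
    if grep -qF -- "$script" "$crontab_file" 2>/dev/null; then
        echo present
        return 0
    fi
    {
        echo "##PBRPerUser"
        echo "* * * * * $script >> $log 2>&1"
    } >> "$crontab_file"
    echo added
}

# cron_entries CRONTAB_FILE SCRIPT: number of lines referencing SCRIPT (0 if
# the file is missing), a quick check that no duplicates were introduced.
cron_entries() {
    n=$(grep -cF -- "$2" "$1" 2>/dev/null || true)
    echo "${n:-0}"
}

# Constructed scratch crontab standing in for /var/spool/cron/admin; the
# script and log paths match the ones FirstTimeSetup.sh uses.
SCRATCH=$(mktemp)
WATCH=/home/admin/PBRPerUser/PBRPerUserLink1_Watch.sh
LOG=/home/admin/PBRPerUser/PBRPerUser.log
ensure_watch_cron "$SCRATCH" "$WATCH" "$LOG"        # added
ensure_watch_cron "$SCRATCH" "$WATCH" "$LOG"        # present
cron_entries "$SCRATCH" PBRPerUserLink1_Watch.sh    # 1
cat "$SCRATCH"
rm -f "$SCRATCH"
```

Matching on the script path rather than the whole line means the entry still counts as present if the log path or schedule was edited by hand, which is the behaviour FirstTimeSetup.sh's `grep -q PBRPerUserLink1_Watch.sh` check already has.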

  • Create a user for the API authentication

[Image: Thiago_Mourao_6-1585618933133.png]

  • Create the Access Role object with the name "AR_PBRPerUserLink1" and add all the users that you want to route through the first non-default internet link

[Image: Thiago_Mourao_7-1585618933138.png]

  • Click on each member of the group and change the object name to match the structure PBR_[AD_Login]

[Image: Thiago_Mourao_8-1585618933142.png]

PS: In this example, the original name of the object was ad_user_Anna_Smith and we changed it to PBR_asmith.

  • Check the PBRPerUser.log file to see whether the scripts are running well

[Image: Thiago_Mourao_9-1585618933149.png]

  • Check the PBRPerUserLink1_Table.txt file to see the logged-in users from the Access Role object AR_PBRPerUserLink1 and their respective IPs

[Image: Thiago_Mourao_10-1585618933150.png]

  • Check that the respective PBR RULES were created

[Image: pbr_rules.png]

 

 

3 Replies

Employee+

Superb work!

This opens so many possibilities, like routing per application, routing per user, balancing link per application or per user.

Very useful indeed.

Employee+

Awesome!! 😀

Admin

Pretty sure this is leveraging a "hidden" feature in R80.40.
Clever application of it, though.