Mark_Colatosti
Contributor

How to automate changes to Checkpoint firewall settings not managed by the Management server?

Hello everyone,

My ultimate goal is to allow for the initial and ongoing configuration of core security and networking components, including Check Point systems, via Terraform. Elements of particular interest to be managed would include network and routing components like vpnt interfaces, BGP routing setup, BGP route-maps, inbound and outbound BGP ACL groups, as well as items managed by the Check Point policy server, like VPN communities, network topologies, foreign VPN devices, etc.

Usage would include the initial setup (this is less critical, as this can be done less elegantly with initial dynamic scripts), but also, more importantly, the ongoing maintenance using standard CRUD operations on these types of objects, which I suspect will be much harder to accomplish this way. Ideally this can be accomplished in a more declarative fashion versus imperative, which would require all kinds of code to be introduced to check current state, what changes are really necessary, etc.

I'm aware of and have reviewed the existing CloudFormation templates, including the Check Point WAN/VPC Transport automation. I've also gone through the bash and Python scripts. I'm aware of the management APIs, but many of the objects I want to manipulate are not manageable from the central policy server.

Now for all the questions to Check Point and any users who may have made progress in this area on their own:

Is there a roadmap to create a Terraform provider for the management server? One or more significant competitors have.

Is there a roadmap for filling the management gap for all the items still configured directly on the firewalls and not maintained by the management server (i.e. all the clish-type stuff; I'm immediately interested in the networking/routing stack)? Is there a reason this cannot be retained and managed by a structure in the central management database?

Has anyone made any headway in this area and would care to share successes and failures?

2 Replies
PhoneBoy
Admin

There have been various efforts to develop support for Terraform.
At least one such effort was posted on CheckMates recently: https://community.checkpoint.com/t5/Developers-API-CLI/First-Step-with-Automation-for-newbies-Ansibl...

The Gaia OS just recently got a direct API, which you can add to R80.x gateways: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
This should be part of R80.30.
You've always been able to use the "run-script" API to manage specific settings on gateways as well.

As for unifying the OS/security policy management, I believe it's on the roadmap, but don't believe the timelines have been finalized.
On Terraform in particular, engaging with your local office would be helpful.
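
The "run-script" route mentioned above, as an added example (not code from the thread or from Check Point): a small client that logs in to the Management API, reads a gateway's running Gaia configuration with `clish -c 'show configuration'`, computes which desired `set` lines are absent, and pushes only those, so a second run changes nothing. That pre-check is what the original poster's "declarative versus imperative" concern boils down to. Assumptions not stated in the thread: the `https://<mgmt>/web_api/<command>` endpoint layout, the `X-chkp-sid` session header, and that run-script output is returned base64-encoded in `task-details[].responseMessage` of the show-task response. The BGP lines and the fake management server at the bottom are constructed so the flow can be exercised offline; swap `fake_transport()` for `http_transport(...)` against a real server.

```python
"""Idempotent push of clish-managed Gaia settings via the Management API 'run-script' command.
Assumed (not from the thread): /web_api/<command> endpoints, X-chkp-sid header, and base64
script output in task-details[].responseMessage."""
import base64
import json
import shlex
import ssl
import time
import urllib.request
from typing import Callable, Dict, List

Transport = Callable[[str, Dict, str], Dict]  # (command, payload, sid) -> parsed JSON body


def http_transport(mgmt_host: str, cafile: str) -> Transport:
    """Real transport: POST JSON to https://<mgmt_host>/web_api/<command> with a pinned CA."""
    ctx = ssl.create_default_context(cafile=cafile)  # run-script executes as root; never skip TLS checks

    def post(command: str, payload: Dict, sid: str = "") -> Dict:
        req = urllib.request.Request(f"https://{mgmt_host}/web_api/{command}",
                                     data=json.dumps(payload).encode(),
                                     headers={"Content-Type": "application/json", "X-chkp-sid": sid})
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.load(resp)
    return post


def normalize(line: str) -> str:
    return " ".join(line.split())


def missing_lines(running_config: str, desired: List[str]) -> List[str]:
    """Desired clish 'set' lines not already present in 'show configuration' output.
    Diffing first is what turns a one-shot script into a converge step."""
    present = {normalize(l) for l in running_config.splitlines() if l.strip()}
    return [l for l in desired if normalize(l) not in present]


def clish_script(lines: List[str], save: bool = True) -> str:
    """Bash body that runs each clish command non-interactively and stops on the first error."""
    cmds = ["set -e"] + [f"clish -c {shlex.quote(l)}" for l in lines]
    if save:
        cmds.append("clish -c 'save config'")
    return "\n".join(cmds) + "\n"


def decode_task_output(show_task_resp: Dict) -> str:
    """Concatenate script output from each task's responseMessage (assumed base64)."""
    chunks = []
    for task in show_task_resp.get("tasks", []):
        for detail in task.get("task-details", []):
            if detail.get("responseMessage"):
                chunks.append(base64.b64decode(detail["responseMessage"]).decode())
    return "".join(chunks)


def wait_task(post: Transport, sid: str, task_id: str, timeout_s: float = 120.0) -> Dict:
    """Poll show-task until every task is in a terminal state."""
    deadline = time.monotonic() + timeout_s
    while time.monotonic() < deadline:
        resp = post("show-task", {"task-id": task_id, "details-level": "full"}, sid)
        if all(t.get("status") in ("succeeded", "failed") for t in resp["tasks"]):
            return resp
        time.sleep(2)
    raise TimeoutError(f"task {task_id} did not finish within {timeout_s}s")


def run_on_gateway(post: Transport, sid: str, gateway: str, name: str, script: str) -> str:
    """Submit one script to one gateway and return its output; raise if the task failed."""
    body = {"script-name": name, "script": script, "targets": [gateway]}
    task_id = post("run-script", body, sid)["tasks"][0]["task-id"]
    resp = wait_task(post, sid, task_id)
    output = decode_task_output(resp)
    if any(t.get("status") != "succeeded" for t in resp["tasks"]):
        raise RuntimeError(f"{name} failed on {gateway}: {output}")
    return output


def apply_gateway_settings(post: Transport, user: str, password: str,
                           gateway: str, desired: List[str]) -> List[str]:
    """Login, read running config, push only the missing lines, logout.
    Returns the pushed lines; an empty list means the gateway was already converged."""
    sid = post("login", {"user": user, "password": password})["sid"]
    try:
        running = run_on_gateway(post, sid, gateway, "read-config",
                                 clish_script(["show configuration"], save=False))
        todo = missing_lines(running, desired)
        if todo:
            run_on_gateway(post, sid, gateway, "push-config", clish_script(todo))
        return todo
    finally:
        post("logout", {}, sid)


# Constructed stand-in for a management server so the flow runs offline (sample data, not real).
CONSTRUCTED_RUNNING_CONFIG = "set hostname gw1\nset bgp external remote-as 65001 on\n"
DESIRED_BGP = ["set bgp external remote-as 65001 on",
               "set bgp external remote-as 65001 peer 10.0.0.2 on"]  # only this one is absent


def fake_transport() -> Transport:
    state = {"last_script": ""}

    def post(command: str, payload: Dict, sid: str = "") -> Dict:
        if command == "login":
            return {"sid": "constructed-sid"}
        if command == "run-script":
            state["last_script"] = payload["script"]
            return {"tasks": [{"task-id": "task-1"}]}
        if command == "show-task":
            out = CONSTRUCTED_RUNNING_CONFIG if "show configuration" in state["last_script"] else "ok\n"
            msg = base64.b64encode(out.encode()).decode()
            return {"tasks": [{"status": "succeeded", "task-details": [{"responseMessage": msg}]}]}
        return {}
    return post


def demo() -> List[str]:
    return apply_gateway_settings(fake_transport(), "api-user", "secret", "gw1", DESIRED_BGP)
```

Calling `demo()` pushes only the peer line, because the `remote-as ... on` line is already in the constructed running config. Note that the comparison is textual: a setting Gaia prints in a different form than you wrote it (reordered keywords, defaults omitted) will be re-pushed every run, so normalise desired lines to match `show configuration` output, and run this through a read-only API user first to confirm the diff is empty on an already-configured gateway before granting it the right to run scripts.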

Mark_Colatosti
Contributor

First off, thanks for the reply. I'll likely hit my account manager up for availability of any Terraform pre-release versions that could be reviewed. I was also completely unaware of the ability to add an API to a Gaia firewall gateway system; this is potentially awesome if it is pretty full featured. I'll have to check it out.

It also looks promising that, if there are APIs for both Gaia and the management server, creating a Terraform provider around these APIs would seem very possible, even by a third party like myself (not that I have the time to take something like that on, but it would be a good excuse to look at Golang). So hopefully the release of such things is not too far off.

The Ansible script appears to be just that, though: some initial Ansible setup script, and it appears to be testing the ability to call Check Point Management APIs (but maybe with the install mentioned above it's used for gateways?), so nothing really usable or new for Terraform implementations. I understand how I can deploy initial environments, pass startup commands and config via userdata, etc., and I could also just call the existing Check Point CloudFormation templates, but I was also looking into ongoing (change) management.

Thanks again for your assistance.
