Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Thiago_Mourao
Employee
Employee

Link Load Balacing per User

Link Load Balacing per User

 

Security Engineering Brazil

March, 2020

Version 01

 

Author:

Thiago Mourao, SE

 

Contents

Creating BPR per User - PoC

Objective

Know Limitation and Requirements

Topology

Scripts

Step by Step

 

 

Objective

Change the default route from selected users.

 

Know Limitation and Requirements

  • ISP Redundancy cannot be used together with PBR
  • Need to manually change the object name of each user to match the SCRIPT configuration
  • To use more than 2 internet Links, the script need to be adapted.
  • For this PoC we assume that you already have IA integrated with AD using WMI
  • For this PoC we are using API Key to authenticate instead of User/Pass
  • IA Configuration "Assume that only one user is connected per computer" need to turned on

 

Topology

Thiago_Mourao_1-1585618933112.png

On our lab we are using GloudGuard VE (Virtual Edition) on R80.40 on both Security Gateway and Manager on VMware Workstation 12.

 

Virtual Environment:

  • 1 x Check Point Gateway R80.40
  • 1 x Check Point Manager R80.40
  • 1 x Microsoft Windows Server 2012 R2
  • 3 x Windows 7 Ultimate

 

Host Environment:

  • 1 x Notebook (Windows Professional) with VMWare Workstation 12

 

 

Scripts

FirstTimeSetup.sh

This script will prepare the environment for the first time run.

 

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

 

echo "First time setup"

echo "Creating all files and Gaia configuration"

 

echo "Creating Exec Directory"

mkdir $EXECDIR

 

echo "Creating Files"

touch $EXECDIR/PBRPerUser.log

touch $EXECDIR/PBRPerUserLink1.sh

touch $EXECDIR/PBRPerUserLink1_IPs.txt

touch $EXECDIR/PBRPerUserLink1_Table.txt

touch $EXECDIR/PBRPerUserLink1_Table_To_Compare.txt

touch $EXECDIR/PBRPerUserLink1_ToRemove.txt

touch $EXECDIR/PBRPerUserLink1_Users.txt

touch $EXECDIR/PBRPerUserLink1_Watch.sh

touch $EXECDIR/sid_c.txt

 

echo "Copying Scripts to $EXECDIR"

cp ./PBRPerUserLink1.sh $EXECDIR/PBRPerUserLink1.sh

cp ./PBRPerUserLink1_Watch.sh $EXECDIR/PBRPerUserLink1_Watch.sh

cp ./PBRPerUserLink1_CronJob.sh $EXECDIR/PBRPerUserLink1_CronJob.sh

 

echo "Change Permission"

chmod 760 $EXECDIR/PBRPerUserLink1.sh

chmod 760 $EXECDIR/PBRPerUserLink1_Watch.sh

chmod 760 $EXECDIR/PBRPerUserLink1_CronJob.sh

 

echo "Adding System-Startup Recurrence for PBRPerUserLink1_Watch.sh at Cron Job"

clish -c "add cron job PBRPerUserLink1_CronJob command '$EXECDIR/PBRPerUserLink1_CronJob.sh >> $EXECDIR/PBRPerUser.log 2>&1' recurrence system-startup"

 

if grep -q PBRPerUserLink1_Watch.sh /var/spool/cron/admin; then

    echo "Job already in Cron"

else

    echo "Creating Cron Job"

    echo "##PBRPerUser" >> /var/spool/cron/$EXECUSER

    echo "*       *       *       *       * $EXECDIR/PBRPerUserLink1_Watch.sh >> $EXECDIR/PBRPerUser.log 2>&1" >> /var/spool/cron/$EXECUSER

fi

 

echo "Lock Database Override"

clish -c "lock database override"

 

### Creating IP Reachability Detection ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating IP Reachability Detection"

clish -c "set ip-reachability-detection ping address 200.150.0.100 enable-ping on"

clish -c "set ip-reachability-detection ping address 200.200.0.100 enable-ping on"

 

### Creating Default Route HA without ISP Redundancy With ICMP Health Checking ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating Default Route HA without ISP Redundancy With ICMP Health Checking"

clish -c "set static-route default nexthop gateway address 200.150.0.100 priority 1 on"

clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip 200.150.0.100 on"

clish -c "set static-route default nexthop gateway address 200.150.0.100 monitored-ip-option fail-any"

clish -c "set static-route default nexthop gateway address 200.200.0.100 priority 2 on"

clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip 200.200.0.100 on"

clish -c "set static-route default nexthop gateway address 200.200.0.100 monitored-ip-option fail-any"

 

### Creating PBR Table ###

### CHANGE IP TO REFLET YOUR ON ENVIRONMENT ###

echo "Creating PBR Table"

clish -c "set pbr table PBRPerUserLink1 static-route default nexthop gateway address 200.200.0.100 on"

 

echo "Saving Config"

clish -c "save config"

 

 

 

PBRPerUserLink1_Watch.sh

This script will check if there is change between the last time the script run and if yes, execute the script to change the PBR

 

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

 

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

APIKEY="4JjIKMtzRCLx8MEs4rcRTg=="

MGMTIP="10.0.50.10"

 

cd $EXECDIR

 

echo "#### Executing PBRPerUserScript_Watch.sh at $(date -u) ####"

echo "MGMT Login"

mgmt_cli login --management $MGMTIP api-key $APIKEY > sid_c.txt

echo "Erasing PBRPerUserLink1_Users.txt file"

> PBRPerUserLink1_Users.txt

echo "Getting information from AR_PBRPerUserLink1 Object and saving on file PBRPerUserLink1_Users.txt"

mgmt_cli --management $MGMTIP -s sid_c.txt show access-role name "AR_PBRPerUserLink1" --format json | jq '.users[].name' | awk -F'_' '{gsub(/"/, "", $2); print $2}' > PBRPerUserLink1_Users.txt

echo "MGMT Logout"

mgmt_cli --management $MGMTIP -s sid_c.txt logout

echo "Erasing PBRPerUserLink1_Table.txt file"

> PBRPerUserLink1_Table.txt

echo "Creating Matrix with User and IP Information"

sort PBRPerUserLink1_Users.txt | while read a; do NAME=$a; IP=$(pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}'); echo "$NAME;$IP" >> PBRPerUserLink1_Table.txt; done

echo "Comparing PBRPerUserLink1_Table.txt file with previous version"

diff -q PBRPerUserLink1_Table_To_Compare.txt PBRPerUserLink1_Table.txt 1>/dev/null

if [[ $? == "0" ]]

then

  echo "No changes on PBRPerUserLink1_Table.txt file"

else

  echo "Running script $EXECDIR/PBRPerUserLink1.sh"

  sh PBRPerUserLink1.sh     

fi

echo "#### End of Execution of PBRPerUserScript_Watch.sh at $(date -u) ####"

 

PBRPerUserLink1.sh

This script will change the PBR configuration on Gaia.

 

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

 

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

 

cd $EXECDIR

 

echo "#### Executing PBRPerUserScript.sh at $(date -u) ####"

echo "Lock Database Override"

clish -c "lock database override"

echo "Erasing current PBR per User"

cat PBRPerUserLink1_ToRemove.txt | while read a; do clish -c "$a"; done

echo "Erasing old PBRPerUserLink1_IPs.txt file"

> PBRPerUserLink1_IPs.txt

echo "Creating new PBRPerUserLink1_IPs.txt file"

sort PBRPerUserLink1_Users.txt | while read a; do pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}' >> PBRPerUserLink1_IPs.txt; done

echo "Creating PBR Match condition Based on Extracted IP Information form User"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do clish -c "set pbr rule priority $pn match from $a/32"; clish -c "set pbr rule priority $pn action table PBRPerUserLink1"; pn=$((pn+1)); done

echo "Erasing PBRPerUserLink1_ToRemove.txt file"

> PBRPerUserLink1_ToRemove.txt

echo "Create file to remove PBR"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt; pn=$((pn+1)); done

echo "Creating copy of PBRPerUserLink1_Table.txt"

cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt

echo "#### End of Execution of PBRPerUserScript.sh at $(date -u) ####"

 

 

 

PBRPerUserLink1_CronJob.sh

This script will be called by the Cron Job PBRPerUserLink1_CronJob to create a customized Cron Job that will run every minute to check changes on the PDP MONITOR and/or on AR_PBRPerUserLink1 object .

 

#!/bin/bash -f

source /opt/CPshrd-R80.40/tmp/.CPprofile.sh

 

#Script Directory

EXECDIR="/home/admin/PBRPerUser"

#User that will Execute the Scripts and Cron Job

EXECUSER="admin"

 

cd $EXECDIR

 

echo "#### Executing PBRPerUserScript.sh at $(date -u) ####"

echo "Lock Database Override"

clish -c "lock database override"

echo "Erasing current PBR per User"

cat PBRPerUserLink1_ToRemove.txt | while read a; do clish -c "$a"; done

echo "Erasing old PBRPerUserLink1_IPs.txt file"

> PBRPerUserLink1_IPs.txt

echo "Creating new PBRPerUserLink1_IPs.txt file"

sort PBRPerUserLink1_Users.txt | while read a; do pdp monitor user $a | grep "Ip: " | awk -F ' ' '{print $2}' >> PBRPerUserLink1_IPs.txt; done

echo "Creating PBR Match condition Based on Extracted IP Information form User"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do clish -c "set pbr rule priority $pn match from $a/32"; clish -c "set pbr rule priority $pn action table PBRPerUserLink1"; pn=$((pn+1)); done

echo "Erasing PBRPerUserLink1_ToRemove.txt file"

> PBRPerUserLink1_ToRemove.txt

echo "Create file to remove PBR"

pn=100 && cat PBRPerUserLink1_IPs.txt | while read a; do echo "set pbr rule priority $pn off" >> PBRPerUserLink1_ToRemove.txt; pn=$((pn+1)); done

echo "Creating copy of PBRPerUserLink1_Table.txt"

cp PBRPerUserLink1_Table.txt PBRPerUserLink1_Table_To_Compare.txt

echo "#### End of Execution of PBRPerUserScript.sh at $(date -u) ####"

 

Step by Step

  • Copy the 3 (three) scripts to the Gateway

Thiago_Mourao_2-1585618933115.png

 

  • Change permission of “FirstTimeSetup.sh”

Thiago_Mourao_3-1585618933118.png

 

  • Execute the “FirstTimeSetup.sh”

Thiago_Mourao_4-1585618933120.png

 

  • Check if CRON JOB was created

Thiago_Mourao_5-1585618933123.png

PS: Customized Cron Job do not survive to reboot, because of that, we create a Job to bring back the customized Job on Startup.

PPS: If you use Gaia to edit Cron Job, customized Jobs will be erased

 

  • Create user for the API authentication

Thiago_Mourao_6-1585618933133.png

 

  • Create the Access Role Object with the name “AR_PBRPerUserLink1” and add all the users that you want to route to the first non-default internet Link

Thiago_Mourao_7-1585618933138.png

 

  • Click on each member of the group and change the object name to match the following structure PBR_[AD_Login]

Thiago_Mourao_8-1585618933142.png

PS: On this example, the original name of the object was ad_user_Anna_Smith and we changed to PBR_asmith.

 

  • Check PBRPerUser.log file to see if the scripts are running well

Thiago_Mourao_9-1585618933149.png

 

  • Check PBRPerUserLink1_Table.txt file to see the Logged Users from the Access Role Object AR_PBRPerUserLink1 and their respective IPs

Thiago_Mourao_10-1585618933150.png

 

  • Check if the respective PBR RULES were created
 

pbr_rules.png

 

 

3 Replies
Eduardo_Pereira
Employee Alumnus
Employee Alumnus

Superb work!

This opens so many possibilities, like routing per application, routing per user, balancing link per application or per user.

Very useful indeed.

MiguelHernandez
Employee
Employee

Awesome!! 😀

0 Kudos
PhoneBoy
Admin
Admin

Pretty sure this is leveraging a "hidden" feature in R80.40.
Clever application of it, though.
0 Kudos