Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Nicolas_Boisse
Employee Alumnus
Employee Alumnus

add simple-cluster API

For those how are waiting for Cluster API, I have good news for you. Its coming in R80.40 witch is in EA right now. You can register to EA here: 

R80.40 EA Program

R80.40 features centralized management control across all networks, on premise or in the cloud, lowering the complexity of managing your security and increasing operational efficiency. As part of the Check Point Infinity architecture, R80.40 provides customers with the best security management, utilizing the Industry’s largest integration of technologies from more than 160 technology partners. With Check Point R80.40 Cyber Security for Gateways and Management, businesses everywhere can easily step up to Gen V.

clipboard_image_0.jpeg

I'm one of the lucky dudes who gets a pre EA release of the API code 🙂 Here an example of what we can do with Check Point in terms of automation. 

So, using my script, here how to add a cluster in a new Tenant in OpenStack:

The script runs from Checkpoint management server sending API calls to OpenStack using curl_cli and to Checkpoint using mgmt_cli.

This script will deploy a checkpoint a cluster of two members from scratch in OpenStack(spinning VMs) to Checkpoint management objects with SIC + Policy install.

 

Networks are fetched from OpenStack tenant:

 

clipboard_image_1.jpeg

First step: run the script from the management server and give a name to the cluster:

./clusterdeployment MyCluster

Once the script runs, I'm fetching network information from tenant and display it to the Admin. Here how looks the API call to OpenStack to fetch Network information:

 
 
 

# Get Networks list from tenant in OpenStack Neutron
curl_cli -s -X GET $OS_NEUTRON_URL/networks \
-H "Content-Type: application/json" \
-H "X-Auth-Token: $API_TOKEN" > networks.json

This call returns a Json template with all networking information.

From that json, I provide a menu so user can choose  OpenStack networking for the cluster:

clipboard_image_2.png

All ip information is fetched from OpenStack neutron and nova. No hardcoded IP, everything is fetched from open-stack automatically.

Example: user choose 4,3,2,1,5(Done):

Networking will be set like this:

Eth0=TransportNetwork

Eth1=SyncNetwork

Eth2=NetworkA (SubnetA)

Eth3=NetworkB (Subnet B)

Number of interfaces is Dynamic. You can have 2,3,10,any number, the script will auto detect the amount of interfaces and defines it.

In OpenStack, each Network definition can have a default gateway defined. I’m using this information to automate the VIP creation on the cluster:

clipboard_image_3.jpeg

Again, sending an API call to OpenStack to get this information available for the cluster deployment in Checkpoint Management.

Once Networking is choose by the Admin, I'm sending an API call to spin up 2 VMs: MyCluster-1 and MyCluster-2:

printf -v Request '{"server": {"name": "%s","imageRef": "4ade0d58-6c85-4e49-9d2c-bbec5bdbf0e5","flavorRef": "869aa389-a79c-473a-a25d-aa3fe0de3e54", "config_drive": true,"max_count": 2,"min_count": 2,"key_name": "nicolas","security_groups": [], "metadata" : {"cp_ftw" : "blink_config -s \\\"gateway_cluster_member=true&ftw_sic_key=%s&upload_info=true&download_info=true&reboot_if_required=true\\\"","cp_config_001" : "echo \\\"fwha_forw_packet_to_not_active=1\\\" > /opt/CPsuite-R80.20/fw1/boot/modules/fwkern.conf"},%s}}' "$CLUSTERNAME" "$SIC" "$NFILTER"
echo "$Request"
echo "$OS_NOVA_URL/$OS_TENANT_ID/servers"

Once both VM are created in openstack, all IP’s are automatically defined:

clipboard_image_4.jpeg

 

My script fetch those IP’s from an OpenStack API call and then create the cluster object + members in Checkpoint Smart Console. VIP fetched from the network object Gateway IP information.

As you can see, I'm also running the blink first time wizard: blink_config -s . So once the VM spin up, will fetch IP information from OpenStack then will run wizard and reboot. So All IP information is also automaticly defined on the gateway side.

Users just need to run the script and provide a cluster name, select the networks, and then the script taking care of everything else.

I'm using a hotfix on top of R80.20 to enabled cluster APi. As I mention previously, Cluster API will be built into R80.40.

See Attached, a full exemple on how to deploy a cluster in Openstack fully automated.

Happy scripting 🙂

0 Replies

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events