Mando_92
Participant

Cluster FW Check Point - Wipe & Rebuild with Ansible


Hi everyone,
It is the first time that I write on the forum, and I thank in advance those who will reply.

I wanted to know if officially Check Point supports a wipe and rebuild procedure via Ansible for two physical devices (HA clusters).

I should say that I do not know Ansible very well, but what was requested of me, talking about physical devices, does not seem feasible or conceptually correct to me, whoever made the request. I think instead that it is possible to implement parts of the configuration automatically through Ansible, for example: creation of interfaces, objects on the firewall, or routes, and even simple repetitive operations during the day, for example installation of policy.

I hope someone can confirm or contradict what I think about the customer's request.

Thanks

2 Solutions
8 Replies
Bob_Zimmerman
Advisor

Depends on what exactly you mean by "wipe" and what exactly you mean by "rebuild".

Ansible would have a really hard time reinstalling the OS, for example. It would also have a hard time selecting a snapshot from the boot menu. Those are what I would typically consider a "wipe".

As for the "rebuild" part, the first-time wizard can be handled with a command called config_system. I don't think that would interact especially well with a declarative desired state system.

Mando_92
Participant

Thanks for the reply Bob!

Yes, by wipe and rebuild I meant, in case of a critical event, that the device would be restored to factory settings (for lack of a better word) and then restored to the last secure configuration prior to an attack within the infrastructure.

Bob_Zimmerman
Advisor

In that case, the answer also depends on what you mean by "device".

If the cluster members are VMs, and Ansible can interact with the VM platform, it should be possible. You make a "clean" snapshot and clone it or whatever.

If the cluster members are open servers, a script may be able to interact with the LOM card to present an installation ISO and step through the installation by simulating keystrokes. I don't think Ansible is likely to be able to do this, but something more imperative on the same server might be able to. A PowerShell script or whatever. You might be able to use IPMI for remote installation from an ISO, but I've run across lots of older servers with really iffy IPMI implementations. I like Redfish a lot more, but it's only a few years old, so only newer LOM cards offer it.

If the cluster members are Check Point branded servers, you're probably out of luck. No official IPMI support, no Redfish support.


Of course, if you want to rebuild your firewalls because you suspect they may have been compromised, you have big enough problems that you can't really trust the Ansible server either.

User1234
Contributor

I don't exactly know what you mean by wipe and rebuild, but let me try to summarise my CP ansible experience.

CP offers two Ansible plugins: mgmt and gaia.

The mgmt plugin is, simply said, for managing the rulebase on the Check Point Management Server. The modules there are fine for doing "daily tasks" like adding/modifying/deleting objects (hosts, groups, networks, etc.) and rules, but it does not support any modification of general settings.
The gaia plugin only supports changing hostnames, DNS servers and physical interfaces on the Gaia system. There is not even documentation for this on Ansible (so the only docs are the code on GitHub).

So I would recommend the mgmt plugin only for regular tasks, and the gaia plugin not at all at the moment. This really means at the moment: there are updates getting published regularly, so there is real progress going on, but there is still a lot to do to really support managing the mgmt and GWs with Ansible.

If you don't want to wait, there is also the API documentation, so you could build modules yourself. The CP Ansible modules only address the APIs, so if a new API appears, chances are that it will appear as an Ansible module as well.

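To make the "daily tasks" scope of the mgmt collection concrete, here is an added example playbook that is not part of this thread and not Check Point's own code: it creates a host object, adds an access rule that uses it, publishes the session and installs policy on a cluster, which is the kind of repetitive work the thread says Ansible handles today. Everything specific in it is an assumption: the inventory group `cp_mgmt`, the policy package `Standard`, the layer `Standard Network`, the cluster object `cluster-fw-01`, the host `srv-syslog-01` with address 192.0.2.10, the API user `ansible-api` and the vaulted variable `vault_cp_password`. The module names and connection variables are those of the `check_point.mgmt` collection.

```yaml
# Added example (not from the thread, not Check Point's code): daily
# rulebase tasks on a Check Point Management Server with the
# check_point.mgmt collection. All object, package and layer names
# below are hypothetical placeholders.
---
- name: Daily Check Point management tasks
  hosts: cp_mgmt                 # assumed inventory group for the Management Server
  connection: httpapi
  gather_facts: false
  vars:
    ansible_network_os: check_point.mgmt.checkpoint
    ansible_httpapi_use_ssl: true
    # Keep certificate validation on: the API session carries admin
    # credentials, so the management server's CA should be trusted explicitly.
    ansible_httpapi_validate_certs: true
    ansible_httpapi_port: 443
    ansible_user: ansible-api                     # assumed dedicated API admin
    ansible_password: "{{ vault_cp_password }}"   # assumed Ansible Vault variable
    policy_package: Standard                      # assumed package name
    cluster_object: cluster-fw-01                 # assumed cluster object name

  tasks:
    - name: Create host object for the log collector (constructed sample)
      check_point.mgmt.cp_mgmt_host:
        name: srv-syslog-01
        ip_address: 192.0.2.10
        state: present

    - name: Allow the cluster to send syslog to the collector
      check_point.mgmt.cp_mgmt_access_rule:
        layer: Standard Network               # assumed layer name
        position: top
        name: Syslog to collector
        source:
          - "{{ cluster_object }}"
        destination:
          - srv-syslog-01
        service:
          - syslog
        action: Accept
        track:
          type: Log
        state: present

    - name: Publish the session so the changes become visible
      check_point.mgmt.cp_mgmt_publish:

    - name: Install the access policy on the cluster
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: "{{ policy_package }}"
        targets:
          - "{{ cluster_object }}"
        # Fail rather than leave the two members with different policies.
        install_on_all_cluster_members_or_fail: true
```

Run it with `ansible-playbook -i inventory daily_tasks.yml --ask-vault-pass` after installing the collection with `ansible-galaxy collection install check_point.mgmt`. Note that every task talks to the Management Server API only; nothing here touches the Gaia OS of the cluster members, which is exactly the gap the thread describes for a wipe-and-rebuild procedure.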
Mando_92
Participant

Thanks for the reply User1234!

Your answer is very complete and detailed and largely confirms what I thought about the customer's request.

When you talk about the code on GitHub, has it been officially verified and approved by Check Point? In case of problems, do you think support would assist us?
Since R80.X was released, I have always found the page made available by Check Point about the API very convenient.

Can you then confirm to me that, as of today, at most I could do those things reported in my first post?

Thanks for taking the time


User1234
Contributor

The GitHub repos are maintained by Check Point, so they are official.

As for your initial question: I don't think so. It is definitely not possible at the moment with Check Point's Ansible modules. Maybe you can script something on your own with the API, but I would not recommend it. But as I wrote already, maybe this will be available later.

Hugo_vd_Kooij
Advisor

Doing a rebuild will require some minimal actions. But some of the things you ask for could be done with snapshots on the appliance, and if you can run it by hand then you can script it in Ansible.

Rebuilding a firewall on brand new hardware requires some basic steps. But if you really want to and do the right backups you can automate part of it.


Miracles happen while you wait. The impossible jobs take just a bit longer.
Mando_92
Participant

Hi Hugo!

Thanks for the response, but an official playbook in the Ansible documentation for Check Point that does what you say is not present, only some operations, and in part.

To do what you say (custom script) you would need a DevOps net that is very familiar with Check Point firewalls and how they work.

Thanks
