Soeren_Rothe
Collaborator

Azure VMSS - Gaia Certificates

In Azure we use a VMSS with several FW Instances and we would like to configure the scale up and scale down process completely automatically. 

For this we use the autoprov-cfg script (-cg) and add a configuration file with all necessary routes etc. for the FW Instances:

It looks more or less like this:

#!/bin/bash
#
. /tmp/.CPprofile.sh
#
# clish
clish -c 'add host name host.test.org ipv4-address 10.30.10.58'
clish -c 'add host name hist2.tes.org ipv4-address 10.30.10.59'
clish -c 'set static-route 4.4.0.0/16 nexthop gateway address 10.26.0.241 on'
clish -c 'set ntp active on'
clish -c 'set ntp server primary 10.30.0.248 version 1'
clish -c 'set ntp server secondary 10.30.0.249 version 1'
clish -c 'add syslog log-remote-address 10.30.0.205 level all'
clish -c 'set expert-password-hash $1234567890'
clish -c 'save config'
#
#
# SecureXL Fast Access
echo "SAP" | fw ctl fast_accel add 1.1.1.1/32 10.10.10.10/32 50000 6
fw ctl fast_accel enable
#
#
# fw ctl set
fw ctl set int fw_reuse_established_conn 3299
#
#
# fwkern.conf
echo "fw_reuse_established_conn=3299" >> $FWDIR/boot/modules/fwkern.conf
#
#
# change sshd
sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
service sshd restart
#
#
# change Gaia WebUI SSLCipher
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.ORIGINAL
chmod -v u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1:!3DES/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.1 +TLSv1.2/g' /web/templates/httpd-ssl.conf.templ
chmod -v u-w /web/templates/httpd-ssl.conf.templ
#

Problem:

The Gaia Web Certificate contains all VMSS DNS Names and IP Addresses as Subject Alternative Name and we would like to roll it out using the same script which is shown above.

But the Multi Portal is active and the sk95064 doesn't work (change certificate files in /web/conf). The only option would be to change the Portal Port to 4434 for example. 

Can we somehow change the WebUI Gaia Port using CLI? "set web ssl-port 4434" is not an option, because it will be overwritten by a policy push.

Therefore we need a command like "mgmt_cli" or something else which is able to change the Portal Port from 443 to 4434.  

0 Kudos
8 Replies
PhoneBoy
Admin

There's no official API to change the gateway object platform portal port.
However, it can probably be done with the generic-object API.
That said, it does not appear to be simple.
Hoping @Omer_Kleinstern has an idea how to accomplish this.

0 Kudos
Omer_Kleinstern
Employee

An official API to change the gateway object platform portal port is in development and planned for the next release.

Unfortunately, it cannot be done with the generic-object API.

0 Kudos
Soeren_Rothe
Collaborator

Thanks. Do you think there is something available using dbedit?
0 Kudos
PhoneBoy
Admin

Looks like something like the following might work:

modify network_objects gw_object portals:0:main_url https://your-ip:4434

You will need to verify in objects_5_0.C that the platform portal is listed first in the portals stanza.
It was in my case, but I'm not sure that's universally true or not.
Soeren_Rothe
Collaborator

Looks good, my colleague @Matthias_Haas tried it and it seems to work fine 🙂

dbedit> modify network_objects gwr8030v2 portals:0:main_url https://10.0.0.1:4455

dbedit> quit -update_all
network_objects::gwr8030v2 Updated Successfully

[Expert@mngr8030:0]#

0 Kudos
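The dbedit command above has to be repeated for every instance's gateway object when a VMSS scales. As an added example (not from the thread or from Check Point), this Python helper rewrites each object's current platform portal URL to the new port and emits one dbedit batch file; it assumes the usual `dbedit -local -f <file>` invocation, constructed gateway names and URLs, and that the platform portal really is entry 0 of the portals stanza, which PhoneBoy says to verify in objects_5_0.C first.

```python
"""Generate a dbedit batch file that moves the Gaia platform portal port.

Added example, not part of the thread. The gateway object names and their
current main_url values below are constructed samples; index 0 of the
portals stanza is assumed to be the platform portal (check objects_5_0.C).
"""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: gateway object name -> current platform portal main_url.
CURRENT_PORTALS = {
    "gwr8030v2": "https://10.0.0.1",
    "vmss-fw-000001": "https://10.26.0.11:443/",
}


def rewrite_portal_port(url: str, port: int) -> str:
    """Return url with its port replaced, keeping scheme, host and path.

    Handles URLs with and without an explicit port and IPv6 literals.
    """
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError(f"not an https portal URL: {url}")
    host = parts.hostname
    if ":" in host:  # urlsplit strips the brackets from IPv6 literals
        host = f"[{host}]"
    return urlunsplit((parts.scheme, f"{host}:{port}", parts.path,
                       parts.query, parts.fragment))


def build_dbedit_script(portals: dict, port: int) -> str:
    """Build the batch to feed to: dbedit -local -f <file> (assumed syntax)."""
    lines = [
        f"modify network_objects {gw} portals:0:main_url "
        f"{rewrite_portal_port(url, port)}"
        for gw, url in sorted(portals.items())
    ]
    lines.append("quit -update_all")  # commit all modified objects
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Write the batch to stdout; redirect it to a file on the management server.
    print(build_dbedit_script(CURRENT_PORTALS, 4434), end="")
```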
Christian_Riede
Collaborator

Hello Omer,

same challenge here, see https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Generic-API-List-Index/m-p/81217/...

When will that new release come out that implements that imho very basic feature in the API?

Regards, Christian Riede

0 Kudos
Martin_Valenta
Advisor

Why don't you simply drop all HTTPS traffic to the gateway and allow just certain source IPs?
0 Kudos
Soeren_Rothe
Collaborator

This is because of PCI regulation. This option is not allowed. 😉
0 Kudos