Azure VMSS - Gaia Certificates

In Azure we use a VMSS with several FW Instances and we would like to configure the scale up and scale down process completely automatically. 

For this we use the autoprov-cfg script (-cg) and add a configuration file with all necessary routes etc. for the FW Instances:

It looks more or less like this:

#!/bin/bash
#
. /tmp/.CPprofile.sh
#
# clish
clish -c 'add host name host.test.org ipv4-address 10.30.10.58'
clish -c 'add host name hist2.tes.org ipv4-address 10.30.10.59'
clish -c 'set static-route 4.4.0.0/16 nexthop gateway address 10.26.0.241 on'
clish -c 'set ntp active on'
clish -c 'set ntp server primary 10.30.0.248 version 1'
clish -c 'set ntp server secondary 10.30.0.249 version 1'
clish -c 'add syslog log-remote-address 10.30.0.205 level all'
clish -c 'set expert-password-hash $1234567890'
clish -c 'save config'
#
#
# SecureXL Fast Access
echo "SAP" | fw ctl fast_accel add 1.1.1.1/32 10.10.10.10/32 50000 6
fw ctl fast_accel enable
#
#
# fw ctl set
fw ctl set int fw_reuse_established_conn 3299
#
#
# fwkern.conf
echo "fw_reuse_established_conn=3299" >> $FWDIR/boot/modules/fwkern.conf
#
#
# change sshd
sed -i 's/ChallengeResponseAuthentication yes/ChallengeResponseAuthentication no/g' /etc/ssh/sshd_config
service sshd restart
#
#
# change Gaia WebUI SSLCipher
cp /web/templates/httpd-ssl.conf.templ /web/templates/httpd-ssl.conf.templ.ORIGINAL
chmod -v u+w /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLCipherSuite HIGH:!RC4:!LOW:!EXP:!aNULL:!SSLv2:!MD5/SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:!ADH:!EXP:RSA:+HIGH:+MEDIUM:!MD5:!LOW:!NULL:!SSLv2:!eNULL:!aNULL:!RC4:!SHA1:!3DES/g' /web/templates/httpd-ssl.conf.templ
sed -i 's/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1 +TLSv1.1 +TLSv1.2/SSLProtocol -ALL {ifcmp = $httpd:ssl3_enabled 1}+{else}-{endif}SSLv3 +TLSv1.1 +TLSv1.2/g' /web/templates/httpd-ssl.conf.templ
chmod -v u-w /web/templates/httpd-ssl.conf.templ
#

Problem:

The Gaia Web Certificate contains all VMSS DNS names and IP addresses as Subject Alternative Names, and we would like to roll it out using the same script shown above.

But Multi Portal is active and sk95064 doesn't work (replacing the certificate files in /web/conf). The only option would be to change the Portal Port, to 4434 for example.

Can we somehow change the WebUI Gaia Port using CLI? "set web ssl-port 4434" is not an option, because it will be overwritten by a policy push.

Therefore we need a command like "mgmt_cli" or something else that is able to change the Portal Port from 443 to 4434.

8 Replies

Admin

Re: Azure VMSS - Gaia Certificates

There's no official API to change the gateway object platform portal port.
However, it can probably be done with the generic-object API.
That said, it does not appear to be simple.
Hoping @Omer_Kleinstern has an idea how to accomplish this.

Re: Azure VMSS - Gaia Certificates

An official API to change the gateway object platform portal port is in development and planned for the next release.

Unfortunately, it cannot be done with the generic-object API.

Re: Azure VMSS - Gaia Certificates

Thanks. Do you think there is something available using dbedit?

Admin

Re: Azure VMSS - Gaia Certificates

Looks like something like the following might work:

modify network_objects gw_object portals:0:main_url https://your-ip:4434

You will need to verify in objects_5_0.C that the platform portal is listed first in the portals stanza.
It was in my case, but I'm not sure that's universally true or not.
Re: Azure VMSS - Gaia Certificates

Looks good, my colleague @Matthias_Haas tried it and it seems to work fine 🙂

dbedit> modify network_objects gwr8030v2 portals:0:main_url https://10.0.0.1:4455

dbedit> quit -update_all
network_objects::gwr8030v2 Updated Successfully

[Expert@mngr8030:0]#
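The check recommended above, that the platform portal really is portals:0 before running the dbedit modify line, can be scripted rather than eyeballed. The following is an added example (not the thread's own code and not a Check Point tool): it parses a simplified, constructed objects_5_0.C-style dump, finds the index of the portal entry whose main_url matches the current WebUI URL, and builds the dbedit command with that index. The .C layout, the sample gateway name and the URLs are assumptions of the example.

```python
"""Locate a gateway's portal entry in an objects_5_0.C-style dump and emit the
thread's dbedit command with the index the entry really has, not an assumed 0."""
import re

# Constructed sample in a simplified .C layout (an assumption of this example);
# the Gaia WebUI portal deliberately sits at index 1, not 0.
SAMPLE_OBJECTS_C = """(
  :network_objects (
    : (gwr8030v2
      :portals (
        : (:main_url ("https://10.0.0.1/sslvpn"))
        : (:main_url (https://10.0.0.1/))))))"""
TOKEN = re.compile(r'"[^"]*"|\(|\)|:[^\s()]*|[^\s()"]+')

def parse(tokens, i):
    """Parse after a '(' up to its ')'. Returns ([(name, value), ...], next_i)."""
    items = []
    while tokens[i] != ')':
        tok = tokens[i]
        if not tok.startswith(':'):  # bare word, e.g. the object's own name
            items.append(('', tok))
            i += 1
            continue
        name, i = tok[1:], i + 1  # a lone ':' introduces an unnamed list entry
        assert tokens[i] == '(', f'expected "(" after :{name}'
        nxt = tokens[i + 1]
        if tokens[i + 2] == ')' and nxt not in ('(', ')') and nxt[0] != ':':
            items.append((name, nxt.strip('"')))  # leaf: ':name (value)'
            i += 3
        else:
            child, i = parse(tokens, i + 1)  # nested block: ':name ( ... )'
            items.append((name, child))
    return items, i + 1

def portal_index(text, gw_name, current_url):
    """Index of gw_name's portal whose main_url equals current_url, or None."""
    objects = parse(TOKEN.findall(text), 1)[0]  # skip the file's outer '('
    for _, obj in dict(objects)['network_objects']:
        if isinstance(obj, list) and ('', gw_name) in obj:
            for idx, (_, portal) in enumerate(dict(obj).get('portals', [])):
                if dict(portal).get('main_url') == current_url:
                    return idx
    return None

def dbedit_command(text, gw_name, current_url, new_url):
    idx = portal_index(text, gw_name, current_url)
    if idx is None:
        raise LookupError(f'{gw_name}: no portal with main_url {current_url}')
    return f'modify network_objects {gw_name} portals:{idx}:main_url {new_url}'
```

Run it against a copy of the real objects_5_0.C and paste the returned line into dbedit; a LookupError means the URL you expect is not on that gateway and nothing should be modified.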
Re: Azure VMSS - Gaia Certificates

Hello Omer,

same challenge here, see https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Generic-API-List-Index/m-p/81217/...

When will that new release come out that implements that imho very basic feature in the API?

Regards, Christian Riede


Re: Azure VMSS - Gaia Certificates

Why don't you simply drop all HTTPS traffic to the gateway and allow just certain source IPs?


Re: Azure VMSS - Gaia Certificates

This is because of PCI regulation. This option is not allowed. 😉