This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nicholas_Sherid
Contributor
‎2018-09-23 11:34 PM
Jump to solution

Automatic Configuration of Appliance on boot

Hi forum,

Linux has a 'cloud-init' script that allows a server to be created and run scripts at time of creation, which something that I've used before with ansible. 

The net effect of this is it creates a infrastructure that is completely defined as code, and allows the management of the device through version control, and modified through redeployment.  It also allows a 'complete package' to be deployed, effectly allowing infrastructure definition and configuration management to be managed more as a single unit.

Is anyone aware of any such configuraton option available in gaia?  Just to emphasise this is automatic configuration at the point of instantiation, and not at reboot.

I ask as there is all this cool ansible stuff avialable now for checkpoint, ideally I just want to be able to deploy a firewall with minimum manual involvement, and be less 'precious' about the VM, so I can be more 'precious' abut the policy.

Thanks! 

0 Kudos
1 Solution

Accepted Solutions
11 Replies
_Val_
Admin
Admin
‎2018-09-24 03:14 AM
Jump to solution

Did you consider Blink as an option? Blink - Gaia Fast Deployment 

Nicholas_Sherid
Contributor
‎2018-09-24 06:10 AM
In response to _Val_
Jump to solution

Hi Valeri,

Looks just the ticket! thanks Smiley Happy

Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-09-25 11:32 AM
Jump to solution

Are you referring to the physical machine or virtual machine?

AFAIK cloud-init - is been used for the CloudGaurd IaaS - you can see Check Point CloudGaurd IaaS solution for KVM/Azure/AWS/Google that leverage it : vSEC for OpenStack R80.10 Administration Guide  "

To launch a Gateway instance with an automated script:

  1. Create a USER-SCRIPT that runs at the time the computer boots up for the first time. Use these commands in the script to configure the password for the OS admin user and to set the gateway as a standalone Security Management Server and Security Gateway. "

Azure: Using Custom Data to execute an initialization script when you launch your Check Point Security Gate... 

AWS: Using User Data to execute an initialization script when you launch your Check Point Security Gatewa... 

Google Cloud : Check Point CloudGuard IaaS reference architecture for Google Cloud Platform 

  under "Advanced deployment options:"

For the physical machine:

You can use kickstart or Blink as Valeri Loukine‌ mention or any other automation as Ansible and etc..

I'm personally using Blink , I created install_content.sh file with content :

"

#!/bin/bash -f
source /etc/profile.d/CP.sh
clish -ic "lock database override"
clish -ic "set user admin shell /bin/bash"
clish -ic "set password-controls complexity 1"
clish -ic "set password-controls history-checking false"
clish -ic "set message banner off"
clish -ic "set message caption on"
clish -ic "set timezone Asia / Jerusalem"
clish -ic "save config"
clish -ic "unlock database"

"

I use Blink as follow: I first copy to the machine the Blink files

--blink_genrate_answers.sh is a scrip that I made for genrate the Blink answer file Smiley Happy

The flow that I use with my Blink , you can use Ansible simple paybook that will run it

tar -tvf /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz
tar -zxvf blink.tgz
chmod -v +x blink
mkdir -p /var/log/bli
./blink -i /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz -x -d /var/log/bli/
chmod 777 blink_genrate_answers.sh
chmod 777 install_content.sh
dos2unix install_content.sh
cp /var/log/MyDIR/install_content.sh /var/log/bli/user_updates/
dos2unix blink_genrate_answers.sh
cd /var/log/bli/installation_logic/
/var/log/MyDIR/blink_genrate_answers.sh
cd /var/log/bli
cat /var/log/bli/installation_logic/answers.xml
cat /var/log/bli/user_updates/install_content.sh
cd /var/log/bli/
nohup ./BlinkInstaller --reimage --delete-old-partition --force &

_Val_
Admin
Admin
‎2018-09-26 12:51 AM
In response to Ofir_Shikolski
Jump to solution

Perfect explanation, Ofir Sh

0 Kudos
Nicholas_Sherid
Contributor
‎2018-09-26 11:17 PM
In response to Ofir_Shikolski
Jump to solution

Awesome posts guys!

Last time I used cloud-init I used git to clone a repo that contained my playbooks onto the VM which then ran them on itself, obviously you'd need git and ansible on the firewall mind you just to run as a client. 

With this approach jenkins can detect a change when you push to the repo at the next poll, run the infrastructure pipeline, deploy a fresh VM, and apply the configuration.  You can always intoduce an interactive step in the pipeline if you are worried about outages caused by unscheduled changes - but being able to effective version control infratructure and configuration was very appealing - namely precision you get with it.

I'll check out this more in my free time but looks very interesting - I guess you can get it to create a SIC and request the latest policy too right? Ideally, I'd like to see " and end to upgrades" and do a fresh install everytime.

Anyone done anything similar?  I ask as from what I can gather gaia is 'just' linux right? (not meant to be detrimental) - maybe I am being too ambitious deploying firewalls as a pipeline... (not for my current use case that's for sure!!)

Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-09-28 07:20 AM
In response to Nicholas_Sherid
Jump to solution

Kfir Bachar‌ + Tsahi Etziony‌ 

Are you using the ISO for installation or the ovf format?

I'm using the ISO format on ESX + PXE server, I fully automate end to end Check Point :

1. Install CKP

2. Pull the OS settings

3. Configure the OS 

4. Connect to the MGMT to establish the SIC and GW object

5. Push policy to the GW

For physical appliance I use Blink

I do not have experience with Jenkins Smiley Sad I was not able to understand what I can do with that.

HTH,

Ofir S

0 Kudos
Nicholas_Sherid
Contributor
‎2018-09-29 03:27 AM
In response to Ofir_Shikolski
Jump to solution

Ah right - I am only really interested in azure - so I guess its a case of creating a custom image with packer or something?

You got any pointers?

Jenkins just keeps track of a repo and manages worker nodes (it executes groovy pipelines) when it sees changes, in it's simplest form.  CI/CD stuff. 

Because we are all one 'agile' devops happy family right? Smiley Happy Smiley Happy Smiley Happy

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-09-29 10:21 AM
In response to Nicholas_Sherid
Jump to solution

Using Custom Data to execute an initialization script when you launch your Check Point Security Gate... 

Using Custom Data to execute an initialization script when you launch your Check Point Security Gateway in Microsoft Azure

Solution

Introduction

It is now possible to create an initialization script that would be executed the first time you launch your Check Point Security Gateway instance in Microsoft Azure.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.

Prerequisites

It is assumed that the reader is familiar with general Microsoft Azure concepts and services.

Overview

When you launch an instance in Microsoft Azure, you can optionally pass your own custom data to it. The Check Point Security Gateway treats this data as an initialization script. This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.

Note: If no custom data is supplied at boot time, the machine will boot normally and you would need to complete its configuration manually.

 

Known Limitations

  • This feature is available starting from R77.30.

Configuration Flow

When the Check Point Security Gateway launches for the first time, it fetches the custom data from Microsoft Azure.

The Security Gateway saves the custom data to a temporary script file and then executes it. The output of the script is redirected to /var/log/cloud-user-data file.

Note: The script would only be executed when the instance boots for the first time.

 

Setup

Create your own initialization script to be executed when the instance first launches.

You can use the following script as an example:

#!/bin/bash  clish -c 'set hostname HOSTNAME' -s  config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'  shutdown -r now

Where:

VariableUsage
HOSTNAMEThe host name.
SIC_KEYSecure Internal communication key - a one-time key used to set up trust with Security Management Server.

This script:

  • Sets the host name
  • Uses the config_system utility to automate the First Time Configuration Wizard process
  • Reboots the instance to complete the installation

Pass the script to Microsoft Azure, when you launch the instance, as explained in Custom Data and Cloud-Init on Microsoft Azure article.


Additional Information and Resources

 

Troubleshooting:

The output of the script is saved to the /var/log/cloud-user-data file.

Nicholas_Sherid
Contributor
‎2018-09-30 06:10 AM
In response to Nicholas_Sherid
Jump to solution

Wrote up a python script to help generate the file 

#!/usr/bin/env python
import jinja2
import argparse

def request_template_parameters():
parser = argparse.ArgumentParser(
description='Gather parameters for generating custom data file'
)
parser.add_argument(
'--hostname' ,
action="store" ,
type=str ,
help='The hostname of the firewall'
)
parser.add_argument(
'--install_security_gw' ,
action="store" ,
type=str ,
help='Defining a secure gateway or management function - values are true or false'
)
parser.add_argument(
'--install_ppak' ,
action="store" ,
type=str ,
help='values are true or false'
)
parser.add_argument(
'--install_security_managment' ,
action="store" ,
type=str ,
help='values are true or false'
)
parser.add_argument(
'--ipstat_v6' ,
action="store" ,
type=str ,
help='values are true or false for ipv6'
)
parser.add_argument(
'--sic_key' ,
action="store" ,
type=str ,
help='The one time Secure Internal Communication key'
)
args = parser.parse_args()
hostname = args.hostname
install_security_gw = args.install_security_gw
install_ppak = args.install_ppak
install_security_managment = args.install_security_managment
ipstat_v6 = args.ipstat_v6
sic_key = args.sic_key
return hostname, install_security_gw, install_ppak, install_security_managment, ipstat_v6, sic_key

def load_template(template_filename😞
templateLoader = jinja2.FileSystemLoader(searchpath="./")
templateEnv = jinja2.Environment(loader=templateLoader)
template_object = template_filename
template = templateEnv.get_template(template_object)
return template

def write_to_file(filename, contents😞
file = open(filename,"w")
file.write(contents)
file.close()

def main():
script_input = request_template_parameters()
hostname_input = script_input[0]
install_security_gw_input = script_input[1]
install_ppak_input = script_input[2]
install_security_managment_input = script_input[3]
ipstat_v6_input = script_input[4]
sic_key_input = script_input[5]

template = load_template("cloudguard_init.j2")
# Place arguments here to build up a configuration file to pass to --cloud
outputText = template.render(
hostname = hostname_input ,
install_security_gw = install_security_gw_input ,
install_ppak = install_ppak_input ,
install_security_managment = install_security_managment_input ,
ipstat_v6 = ipstat_v6_input ,
sic_key = sic_key_input
)
print('cloudguard-init.txt file generated in present working directory')
write_to_file("cloudguard-init.txt",outputText)

if __name__ == '__main__':
main()

And the template file

#!/bin/bash
clish -c 'set hostname {{ hostname }} ' -s
config_system -s 'install_security_gw={{ install_security_gw }}&install_ppak={{ install_ppak }}&install_security_managment={{ install_security_managment }}&ipstat_v6={{ ipstat_v6 }}&ftw_sic_key={{ sic_key }}'
shutdown -r now

and usage:

./template_engine.py \
--hostname some_firewall_hostnme \
--install_security_gw true \
--install_ppak true \
--install_security_managment false \
--ipstat_v6 false \
--sic_key some_complex_key

cheers

Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2018-09-30 06:13 AM
In response to Nicholas_Sherid
Jump to solution

Wow amazing Smiley Happy

Do you think that you can share it with all under Developer Network ? it will be more awesome 

https://community.checkpoint.com/news?streamSource=publication&streamID=87802 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events
    li.common.scroll-to.top