Automatic Configuration of Appliance on boot
Hi forum,
Linux has a 'cloud-init' script that allows a server to be created and run scripts at time of creation, which is something that I've used before with Ansible.
The net effect of this is it creates an infrastructure that is completely defined as code, and allows the management of the device through version control, and modification through redeployment. It also allows a 'complete package' to be deployed, effectively allowing infrastructure definition and configuration management to be managed more as a single unit.
Is anyone aware of any such configuration option available in Gaia? Just to emphasise, this is automatic configuration at the point of instantiation, and not at reboot.
I ask as there is all this cool Ansible stuff available now for Check Point; ideally I just want to be able to deploy a firewall with minimum manual involvement, and be less 'precious' about the VM, so I can be more 'precious' about the policy.
Thanks!
- Tags:
- cloud-init
Accepted Solutions
Did you consider Blink as an option? Blink - Gaia Fast Deployment
Hi Valeri,
Looks just the ticket! thanks
Are you referring to the physical machine or virtual machine?
AFAIK cloud-init is being used for CloudGuard IaaS - you can see the Check Point CloudGuard IaaS solution for KVM/Azure/AWS/Google that leverages it: vSEC for OpenStack R80.10 Administration Guide:
"To launch a Gateway instance with an automated script:
- Create a USER-SCRIPT that runs at the time the computer boots up for the first time. Use these commands in the script to configure the password for the OS admin user and to set the gateway as a standalone Security Management Server and Security Gateway."
Google Cloud: Check Point CloudGuard IaaS reference architecture for Google Cloud Platform, under "Advanced deployment options:"
For the physical machine:
You can use kickstart or Blink as Valeri Loukine mentioned, or any other automation such as Ansible etc.
I'm personally using Blink. I created an install_content.sh file with this content:

```bash
#!/bin/bash -f
# Blink user-update script: runs on the freshly imaged appliance. Load the
# Check Point environment first, take the Gaia config-database lock, run each
# setting as a single non-interactive clish command, save and release the lock.
source /etc/profile.d/CP.sh
clish -ic "lock database override"
clish -ic "set user admin shell /bin/bash"
clish -ic "set password-controls complexity 1"
clish -ic "set password-controls history-checking false"
clish -ic "set message banner off"
clish -ic "set message caption on"
clish -ic "set timezone Asia / Jerusalem"
clish -ic "save config"
clish -ic "unlock database"
```
I use Blink as follows: I first copy the Blink files to the machine.
blink_genrate_answers.sh is a script that I made to generate the Blink answer file.
The flow that I use with Blink (you can use a simple Ansible playbook that runs it):

```bash
# list the contents of the Blink image to check the archive before using it
tar -tvf /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz
# unpack the blink tool itself and make it executable
tar -zxvf blink.tgz
chmod -v +x blink
mkdir -p /var/log/bli
# extract (-x) the image into the Blink working directory (-d)
./blink -i /var/log/MyDIR/blink_image_1.0_Check_Point_R80.10_T462_Jumbo_T103.tgz -x -d /var/log/bli/
chmod 777 blink_genrate_answers.sh
chmod 777 install_content.sh
# strip CRLF line endings (scripts edited on Windows) before the scripts are used
dos2unix install_content.sh
cp /var/log/MyDIR/install_content.sh /var/log/bli/user_updates/
dos2unix blink_genrate_answers.sh
# generate answers.xml inside the installation_logic directory
cd /var/log/bli/installation_logic/
/var/log/MyDIR/blink_genrate_answers.sh
cd /var/log/bli
# review what is about to be applied
cat /var/log/bli/installation_logic/answers.xml
cat /var/log/bli/user_updates/install_content.sh
cd /var/log/bli/
# reimage in the background; nohup keeps it running if the SSH session drops
nohup ./BlinkInstaller --reimage --delete-old-partition --force &
```
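The pre-flight checks a practitioner would want around the Blink flow in the post above, as an added example (this is not Ofir's script and not part of Blink). It assumes the post's paths (/var/log/MyDIR for the copied files, /var/log/bli as the Blink working directory) and mirrors the post's command flags in run_blink_flow; the SHA-256 passed to verify_image is assumed to have been recorded by the operator when the image was downloaded from Check Point (it is not a value from this page). stage_user_update replaces the chmod 777 + dos2unix pair with a 0755 copy that strips CRLF and refuses a script with no interpreter line.

```python
#!/usr/bin/env python3
"""Pre-flight for a Blink reimage: verify the image, stage the user update, then run the post's flow."""
import hashlib
import os
import subprocess
import sys


def sha256_of(path, chunk=1 << 20):
    """Stream the file through SHA-256 so a multi-GB image never lands in RAM."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def verify_image(path, expected_sha256):
    """True only if the image exists and matches the hash recorded at download time.

    The image is copied onto the appliance by hand or by Ansible and then used to
    overwrite the whole disk (--reimage), so a corrupted or swapped file has to be
    caught before BlinkInstaller runs, not after.
    """
    if not os.path.isfile(path):
        return False
    return sha256_of(path) == expected_sha256.lower()


def stage_user_update(src, dest_dir):
    """Copy a user-update script into Blink's user_updates directory.

    Normalises CRLF to LF (what dos2unix did in the post), refuses a script with
    no #! line (almost always a copy error), and sets mode 0755 instead of 777 so
    the script is not world-writable between staging and execution.
    """
    with open(src, "rb") as f:
        body = f.read().replace(b"\r\n", b"\n").replace(b"\r", b"\n")
    if not body.startswith(b"#!"):
        raise ValueError(f"{src}: missing #! interpreter line")
    os.makedirs(dest_dir, exist_ok=True)
    dest = os.path.join(dest_dir, os.path.basename(src))
    with open(dest, "wb") as f:
        f.write(body)
    os.chmod(dest, 0o755)
    return dest


def run_blink_flow(image, expected_sha256, user_script, answers_script,
                   workdir="/var/log/bli", src_dir="/var/log/MyDIR"):
    """The post's command sequence, gated on the checks above (assumed paths; never run in tests)."""
    if not verify_image(image, expected_sha256):
        raise SystemExit(f"refusing to reimage: {image} failed verification")
    # unpack the blink tool, extract the image, stage the user update (same flags as the post)
    subprocess.run(["tar", "-zxvf", os.path.join(src_dir, "blink.tgz")], cwd=src_dir, check=True)
    os.chmod(os.path.join(src_dir, "blink"), 0o755)
    subprocess.run([os.path.join(src_dir, "blink"), "-i", image, "-x", "-d", workdir + "/"],
                   cwd=src_dir, check=True)
    stage_user_update(user_script, os.path.join(workdir, "user_updates"))
    # the post runs the answer generator from inside installation_logic
    subprocess.run([answers_script], cwd=os.path.join(workdir, "installation_logic"), check=True)
    subprocess.Popen(["nohup", "./BlinkInstaller", "--reimage", "--delete-old-partition", "--force"],
                     cwd=workdir)


if __name__ == "__main__":
    if len(sys.argv) != 5:
        sys.exit("usage: blink_preflight.py IMAGE SHA256 install_content.sh blink_genrate_answers.sh")
    run_blink_flow(*sys.argv[1:5])
```

Record the hash on the workstation that downloaded the image and pass it in from the playbook; a hash computed on the appliance from the same copied file proves nothing.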
Perfect explanation, Ofir Sh
Awesome posts guys!
Last time I used cloud-init I used git to clone a repo that contained my playbooks onto the VM, which then ran them on itself; obviously you'd need git and Ansible on the firewall, mind you, just to run as a client.
With this approach Jenkins can detect a change when you push to the repo at the next poll, run the infrastructure pipeline, deploy a fresh VM, and apply the configuration. You can always introduce an interactive step in the pipeline if you are worried about outages caused by unscheduled changes - but being able to effectively version control infrastructure and configuration was very appealing - namely the precision you get with it.
I'll check this out more in my free time but it looks very interesting - I guess you can get it to create a SIC and request the latest policy too, right? Ideally, I'd like to see "an end to upgrades" and do a fresh install every time.
Anyone done anything similar? I ask as from what I can gather Gaia is 'just' Linux, right? (not meant to be detrimental) - maybe I am being too ambitious deploying firewalls as a pipeline... (not for my current use case, that's for sure!!)
Are you using the ISO for installation or the OVF format?
I'm using the ISO format on ESX + a PXE server; I fully automate Check Point end to end:
1. Install CKP
2. Pull the OS settings
3. Configure the OS
4. Connect to the MGMT to establish the SIC and GW object
5. Push policy to the GW
For physical appliances I use Blink.
I do not have experience with Jenkins, so I was not able to understand what I can do with that.
HTH,
Ofir S
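Steps 4 and 5 of the flow above (create the gateway object with a SIC one-time password, then push policy) against the R80.x Management API, as an added example. This is not Ofir's automation and not Check Point code; it assumes the API is reachable at https://MGMT/web_api/ on the default port, that the CA file you pass signed the management server's certificate, a gateway name, IP and policy package of your own choosing (the default package name "Standard" is used in the test), and R80.10 as the gateway version because that is the version in this thread. The one-time password given to add-simple-gateway must be the same SIC key the gateway received in its first-boot configuration; trust is established only if the two match. The transport argument exists so the request sequence can be exercised offline, as the test does.

```python
#!/usr/bin/env python3
"""Management API client for steps 4-5: add-simple-gateway, publish, install-policy, wait."""
import json
import ssl
import time
import urllib.request


def build_login(user, password):
    return {"user": user, "password": password}


def build_add_gateway(name, ipv4, one_time_password, version="R80.10"):
    # add-simple-gateway creates the GW object and seeds SIC trust with the one-time password
    return {"name": name, "ipv4-address": ipv4,
            "one-time-password": one_time_password, "version": version}


def build_install_policy(package, targets):
    # targets is a list of gateway object names; install-policy returns a task to poll
    return {"policy-package": package, "targets": list(targets)}


class MgmtSession:
    """Thin client: every call is POST /web_api/<command> with the session id in X-chkp-sid."""

    def __init__(self, host, cafile=None, transport=None):
        self.base = f"https://{host}/web_api/"
        self.sid = None
        # verify the management server's certificate rather than disabling TLS checks;
        # cafile is assumed to be the CA that issued the management server's cert
        ctx = ssl.create_default_context(cafile=cafile)
        self.transport = transport or (lambda url, hdrs, body: self._http(url, hdrs, body, ctx))

    @staticmethod
    def _http(url, headers, body, ctx):
        req = urllib.request.Request(url, data=body, headers=headers, method="POST")
        with urllib.request.urlopen(req, context=ctx) as resp:
            return json.loads(resp.read())

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        return self.transport(self.base + command, headers, json.dumps(payload).encode())

    def login(self, user, password):
        self.sid = self.call("login", build_login(user, password))["sid"]
        return self.sid

    def add_gateway_and_install(self, name, ipv4, otp, package, version="R80.10",
                                poll_seconds=5, timeout=900):
        """Create the GW object with the SIC OTP, publish, install the package, wait for the task."""
        self.call("add-simple-gateway", build_add_gateway(name, ipv4, otp, version))
        self.call("publish", {})
        task = self.call("install-policy", build_install_policy(package, [name]))["task-id"]
        deadline = time.time() + timeout
        while time.time() < deadline:
            status = self.call("show-task", {"task-id": task})["tasks"][0]["status"]
            if status in ("succeeded", "partially succeeded", "failed"):
                return status
            time.sleep(poll_seconds)
        return "timeout"

    def logout(self):
        self.call("logout", {})
        self.sid = None


if __name__ == "__main__":
    # usage (assumed values): MgmtSession("mgmt.example", cafile="mgmt-ca.pem")
    s = MgmtSession("mgmt.example", cafile="mgmt-ca.pem")
    s.login("admin", "change-me")
    print(s.add_gateway_and_install("gw-01", "10.0.0.1", "vpn123", "Standard"))
    s.logout()
```

Run this only after the gateway has finished its first-boot configuration and is reachable on the given IP, since the SIC handshake is attempted when the object is created with the one-time password. Pass the password from the same secret store that fed the gateway's first-boot script rather than hard-coding it as the usage stub does.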
Ah right - I am only really interested in Azure - so I guess it's a case of creating a custom image with Packer or something?
You got any pointers?
Jenkins just keeps track of a repo and manages worker nodes (it executes Groovy pipelines) when it sees changes, in its simplest form. CI/CD stuff.
Because we are all one 'agile' DevOps happy family, right?
Using Custom Data to execute an initialization script when you launch your Check Point Security Gateway in Microsoft Azure
Introduction
It is now possible to create an initialization script that would be executed the first time you launch your Check Point Security Gateway instance in Microsoft Azure.
This initialization script can be used to set operating system configuration and to automate the Security Gateway's provisioning process.
Prerequisites
It is assumed that the reader is familiar with general Microsoft Azure concepts and services.
Overview
When you launch an instance in Microsoft Azure, you can optionally pass your own custom data to it. The Check Point Security Gateway treats this data as an initialization script. This script can be used to modify operating system settings, as well as to replace the First Time Configuration Wizard configuration process.
Note: If no custom data is supplied at boot time, the machine will boot normally and you would need to complete its configuration manually.
Known Limitations
- This feature is available starting from R77.30.
Configuration Flow
When the Check Point Security Gateway launches for the first time, it fetches the custom data from Microsoft Azure.
The Security Gateway saves the custom data to a temporary script file and then executes it. The output of the script is redirected to the /var/log/cloud-user-data file.
Note: The script would only be executed when the instance boots for the first time.
Setup
Create your own initialization script to be executed when the instance first launches.
You can use the following script as an example:
```bash
#!/bin/bash
# set the host name and save the Gaia configuration (-s)
clish -c 'set hostname HOSTNAME' -s
# run the First Time Configuration Wizard non-interactively from a parameter string (-s)
config_system -s 'install_security_gw=true&install_ppak=true&install_security_managment=false&ipstat_v6=off&ftw_sic_key=SIC_KEY'
shutdown -r now
```
Where:

Variable | Usage
---------|------
HOSTNAME | The host name.
SIC_KEY  | Secure Internal Communication key - a one-time key used to set up trust with the Security Management Server.
This script:
- Sets the host name
- Uses the config_system utility to automate the First Time Configuration Wizard process
- Reboots the instance to complete the installation
Pass the script to Microsoft Azure when you launch the instance, as explained in the Custom Data and Cloud-Init on Microsoft Azure article.
Additional Information and Resources
- Custom Data in Microsoft Azure: http://azure.microsoft.com/blog/2014/04/21/custom-data-and-cloud-init-on-windows-azure
- sk69701 - How to run the First Time Configuration Wizard through CLI in Gaia
- Examples on how to use this in PowerShell and in ARM templates: (Check Point templates are now available as marketplace solution templates.)
Troubleshooting:
The output of the script is saved to the /var/log/cloud-user-data file.
Awesome - just came across this, this morning - you beat me to it - thanks!
Custom initialisation script
Cloud-init on Azure
https://azure.microsoft.com/en-gb/blog/custom-data-and-cloud-init-on-windows-azure/
Wrote up a python script to help generate the file
And the template file
and usage:
cheers
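The generator script and template the post above refers to are not reproduced in the thread. As an added example (not the OP's script, not Check Point code), here is one way to produce the Azure custom-data first-boot script described in the SK article earlier in the thread. It emits the article's three-line script with HOSTNAME and SIC_KEY filled in, rejects values that would break config_system's 'key=value&key=value' string, and base64-encodes the result for the customData property of an ARM template. Assumptions of this example: the hostname rule is the RFC 1123 label syntax, the `set -e` line is added by this example and is not in the article, and the 64 KB ceiling is Azure's documented limit on custom data.

```python
#!/usr/bin/env python3
"""Render the SK article's Azure custom-data script with placeholders filled in and validated."""
import base64
import re
import shlex

# RFC 1123 label: letters, digits, hyphens; no leading/trailing hyphen; at most 63 chars
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
# config_system -s splits on '&' and '=', and the whole string sits inside single quotes
FORBIDDEN_IN_VALUE = set("&='\"\r\n")
AZURE_CUSTOM_DATA_LIMIT = 64 * 1024

DEFAULT_FTW = {
    "install_security_gw": "true",
    "install_ppak": "true",
    "install_security_managment": "false",   # spelling is the tool's own parameter name
    "ipstat_v6": "off",
}


def check_hostname(hostname):
    if not HOSTNAME_RE.match(hostname):
        raise ValueError(f"invalid hostname: {hostname!r}")
    return hostname


def check_value(key, value):
    bad = FORBIDDEN_IN_VALUE.intersection(value)
    if bad or not value:
        raise ValueError(f"{key}: value {value!r} is empty or contains {sorted(bad)}")
    return value


def build_ftw_params(sic_key, overrides=None):
    """Return the config_system -s string. ftw_sic_key is the SIC one-time password;
    the management side must use the same value when it creates the gateway object."""
    params = dict(DEFAULT_FTW)
    params.update(overrides or {})
    params["ftw_sic_key"] = sic_key
    return "&".join(f"{k}={check_value(k, v)}" for k, v in params.items())


def render_init_script(hostname, sic_key, overrides=None):
    """The article's script with HOSTNAME / SIC_KEY substituted.

    set -e is this example's addition: if clish or config_system fails, the box must
    not reboot half-configured; the failure is then visible in /var/log/cloud-user-data.
    """
    check_hostname(hostname)
    lines = [
        "#!/bin/bash",
        "set -e",
        f"clish -c {shlex.quote('set hostname ' + hostname)} -s",
        f"config_system -s {shlex.quote(build_ftw_params(sic_key, overrides))}",
        "shutdown -r now",
    ]
    return "\n".join(lines) + "\n"


def to_azure_custom_data(script):
    """Base64 as the customData property of an ARM template expects it."""
    raw = script.encode()
    if len(raw) > AZURE_CUSTOM_DATA_LIMIT:
        raise ValueError("script exceeds Azure's custom data size limit")
    return base64.b64encode(raw).decode("ascii")


if __name__ == "__main__":
    import sys
    if len(sys.argv) != 3:
        sys.exit("usage: gen_custom_data.py HOSTNAME SIC_KEY")
    print(to_azure_custom_data(render_init_script(sys.argv[1], sys.argv[2])))
```

The rendered script embeds the SIC one-time key, so treat the custom-data value as a secret: generate it at deploy time from your secret store and keep it out of the repository that holds the template, even though the key is consumed once trust is established.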
Wow, amazing.
Do you think you can share it with everyone under the Developer Network? It would be even more awesome.
https://community.checkpoint.com/news?streamSource=publication&streamID=87802
