Check Point automation and orchestration
1. R80.10 AUTOMATION AND ORCHESTRATION
Jan Kurdík | Security Engineer
jan.kurdik@arrow.com
©2018 Check Point Software Technologies Ltd. [Protected] Distribution or modification is subject to approval
2. Agenda
• Orchestration Needs
• Intro to API, JSON & YAML
• Check Point Automation Solutions
• Introduction to Ansible
• Orchestrate and automate Check Point
• Blink
3. Automation is about codifying tasks
Orchestration is about codifying processes
Orchestration takes advantage of automation by reusing these basic building blocks.
4. Key Drivers
Public Cloud
SD-WAN
Private Cloud Efficiency Improvements
5. Orchestration Deployment Example
Deploy an entire web environment including Check Point gateways in OpenStack
“all from a template configuration file”
7. Intro to API, JSON & YAML
8. RESTful API?? What is that?
• HTTP-based RESTful APIs are defined with the following aspects:
  - Using standard HTTP methods (e.g., OPTIONS, GET, PUT, POST, and DELETE)
  - Called via a base URL such as https://<mgmt>/web_api/
  - An internet content type that tells the client how to compose requests in the body to the server (e.g. HTML, JSON, XML)
9. What is JSON & YAML?
• JavaScript Object Notation (JSON) is a textual representation defined by a small set of governing rules in which data is structured.
• This makes it:
  - Easy for humans to read and write.
  - Easy for machines to parse and generate.
• YAML – YAML Ain’t Markup Language (YAML)
  - YAML is a superset of the JSON serialization language
  - YAML and JSON aim to be human readable as a data interchange format
  - YAML is similar to Python: indentation-based scoping is used
10. Comparison of JSON vs YAML
JSON:
{
  "name" : "host1",
  "ip-address" : "1.1.1.1",
  "tags" : ["1st", "2nd", "3rd"],
  "nat-settings" : {
    "auto-rule" : true,
    "ip-address" : "192.0.0.1"
  }
}
YAML:
---
name: host1
ip-address: 1.1.1.1
tags:
  - 1st
  - 2nd
  - 3rd
nat-settings:
  auto-rule: true
  ip-address: 192.0.0.1
11. https://community.checkpoint.com/docs/DOC-2894
12. Check Point Automation Solutions
13. SK121360 - Check Point APIs Homepage
• Management
  - Policy
  - IoT API
  - Gaia
  - SmartConsole
  - Log Events
  - Provisioning
  - Identity
• Mobile
  - SandBlast Mobile
• Threat Prevention
  - SandBlast API
  - Block Lists
  - IoC Feeds
14. Introduction to the R80.10 Management API
15. What type of API does the “Management API” use?
• Security Management API uses an HTTP-based RESTful API
  - All calls are sent using the “POST” HTTP method
  - Base URL is https://<mgmt>/web_api/
  - Header is defined with content type JavaScript Object Notation (JSON)
  - Payload is written in JSON style format for the HTTP body
HTTP POST https://<mgmt>/web_api/login
Headers   Content-Type: application/json
Body      {
            "user" : "Jim",
            "password" : "MyPwd",
            "domain" : "Nordics"
          }
16. Four ways to interact with management API Server
• SmartConsole
• mgmt_cli tool
• Web Services
• Gaia CLI
Labels on the slide: RESTful API / JSON format; Shell Scripting; Faster operations; Configuration templates
Gaia CLI example: mgmt add host name host1 ip-address 1.1.1.1
Which are all sending HTTP-based RESTful API calls to the management API server
API Guide: https://sc1.checkpoint.com/documents/latest/APIs/index.html
# mgmt_cli -r true add host name host1 ip-address 1.1.1.1
$FWDIR/log/api.elg
--------------------------------------
2017-01-26 16:17:57,647 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp-578874734-25] - Inbound Message
----------------------------
ID: 26
Address: http://127.0.0.1:50276/web_api/add-host
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[text/plain], Content-Length=[42], content-type=[application/json], Host=[127.0.0.1:50276], Max-Forwards=[10], X-chkp-debug=[GUI], X-chkp-sid=[9NOURe8pOk1hL8qPlFXdM6hScj6XbKLatZhD96JLQQ8], X-Forwarded-For=[127.0.0.1], X-Forwarded-Host=[127.0.0.1], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[192.168.233.20]}
Payload: {"ip-address":"1.1.1.1","name":"host1"}
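The api.elg excerpt above records the X-chkp-sid session ID next to each call, so the file deserves the same handling as a credential store. The following added example (not part of the original slides) parses one inbound-message block and masks the session ID, and any password value in a payload, before the log is shared; `parse_inbound`, `redact` and the sample text are hypothetical names and constructed data.

```python
import json
import re

# Constructed sample in the layout of the api.elg excerpt (session ID is a placeholder).
SAMPLE = """\
ID: 26
Address: http://127.0.0.1:50276/web_api/add-host
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[text/plain], content-type=[application/json], X-chkp-debug=[GUI], X-chkp-sid=[CONSTRUCTED0SESSION0ID0PLACEHOLDER], X-Forwarded-For=[127.0.0.1]}
Payload: {"ip-address":"1.1.1.1","name":"host1"}
"""

HEADER_RE = re.compile(r"([\w-]+)=\[([^\]]*)\]")          # name=[value] pairs
SID_RE = re.compile(r"(X-chkp-sid=\[)[^\]]*(\])", re.IGNORECASE)
PASSWORD_RE = re.compile(r'("password"\s*:\s*")[^"]*(")')

def parse_inbound(block):
    """Summarise one inbound message: which command, from where, with what body."""
    fields = {}
    for line in block.splitlines():
        key, sep, value = line.partition(": ")
        if sep:
            fields[key.strip()] = value.strip()
    headers = dict(HEADER_RE.findall(fields.get("Headers", "")))
    try:
        payload = json.loads(fields.get("Payload", "{}"))
    except json.JSONDecodeError:
        payload = None  # truncated or non-JSON body
    return {
        "command": fields.get("Address", "").rsplit("/", 1)[-1],
        "method": fields.get("Http-Method"),
        "client": headers.get("X-Forwarded-For"),
        "has_session": "X-chkp-sid" in headers,
        "payload": payload,
    }

def redact(block):
    """Mask the session ID and any password value so the text can leave the host."""
    block = SID_RE.sub(r"\1<redacted>\2", block)
    return PASSWORD_RE.sub(r"\1<redacted>\2", block)
```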
17. Always remember the flow
1. Login (Get session ID): https://<mgmt>/web_api/login
2. Make Changes: https://<mgmt>/web_api/add-host
3. Publish: https://<mgmt>/web_api/publish
4. Logout: https://<mgmt>/web_api/logout
Install Policy: https://<mgmt>/web_api/install-policy
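The login, change, publish, logout flow as an added example (not code from the original slides): a context manager that sends the session ID from the login response's `sid` field in the X-chkp-sid header, publishes only when every change succeeded, and always logs out. `MgmtSession`, `add_host`, `https_post` and the injectable `post` parameter are hypothetical names.

```python
import json
import ssl
import urllib.request

# Hypothetical helper names; endpoints, header and JSON fields follow the slides.
def https_post(url, headers, body):
    """Default transport: HTTPS POST with certificate verification left on."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.loads(resp.read().decode("utf-8"))

class MgmtSession:
    """Login on entry; publish on clean exit; logout on every exit."""
    def __init__(self, mgmt, user, password, post=https_post):
        self.base = f"https://{mgmt}/web_api/"
        self.credentials = {"user": user, "password": password}
        self.post = post
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:  # every call after login carries the session ID
            headers["X-chkp-sid"] = self.sid
        body = json.dumps(payload or {}).encode("utf-8")
        return self.post(self.base + command, headers, body)

    def __enter__(self):
        self.sid = self.call("login", self.credentials)["sid"]
        return self

    def __exit__(self, exc_type, exc, tb):
        try:
            if exc_type is None:
                self.call("publish")  # skipped when a change raised
        finally:
            self.call("logout")       # never leave the session open
            self.sid = None
        return False                  # let the original error propagate

def add_host(mgmt, user, password, name, ip, post=https_post):
    with MgmtSession(mgmt, user, password, post) as session:
        return session.call("add-host", {"name": name, "ip-address": ip})
```

Passing a stub as `post` lets the call sequence be checked without a management server.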
18. Useful commands
• To troubleshoot the API calls
  # tail -f $FWDIR/log/api.elg
• Check the API status
  # api status
• Restart the API
  # api restart
• Reconfigure the API (Faster than restart)
  # api reconf
19. Testing the API calls
• Postman
  - Can import R80 collections
  - https://community.checkpoint.com/message/5648
  - Can export calls as scripts
20. Introduction to Ansible
21. What is this “Ansible” thing…
22. In short…
Ansible can automate IT environments whether they are hosted on traditional bare metal servers, virtualization platforms, or in the cloud.
It can also automate the configuration of a wide range of systems and devices such as databases, storage devices, networks, firewalls, and many others.
23. Ansible – What is it???
• Ansible is software that automates software provisioning, configuration management, and application deployment.
  - Commands are sent to the end modules via SSH
  - Modules are available to make Ansible extensible
  - Many are included by default
  - Check Point’s module is currently included by default
24. SK121360 - Automate management using "Ansible"
• The "Ansible Check Point Management" module provides the ability to automate Check Point management tasks (e.g. add objects, manipulate the rule base, push policy) into the Ansible automation platform.
  - More information is available on community.checkpoint.com
  - https://community.checkpoint.com/docs/DOC-1928
  - The latest version is available on GitHub
  - https://github.com/CheckPoint-APIs-Team/cpAnsible
25. Ansible – What is it???
• Ansible uses an inventory system
  - Simple Text Files (/etc/ansible/hosts)
  - Dynamic Inventory – think AWS, Azure, or OpenStack
• Ansible Playbooks are used to orchestrate move/add/changes
  - Multiple tasks can be run in a Playbook
  - Playbooks can be combined
• Ansible is driven by Python
• Ansible playbooks are written in YAML
26. Orchestration Deployment Example
• Deploy and configure:
  - Primary & Secondary Management Server
  - Establish SIC between Management Servers
  - Access Control and Threat Prevention Policy
  - To protect our new WebShop
  - Security Gateway
  - Establish SIC with Security Gateway
  - Install Access Control and Threat Prevention Policy
  - Deploy new WebShop Web Server
“all from a template configuration file”
27. Blink
28. Gateway provisioning
• Provisioning a gateway with
  - Any clish command
  - Latest JHF
  - IP-address
  - Default Gateway
  - NTP
  - DNS
  - SIC
• Using blink under 4 minutes