Check Point automatizace a orchestrace

1©2018 Check Point Software Technologies Ltd.©2018 Check Point Software Technologies Ltd.
Jan Kurdík | Security Engineer
jan.kurdik@arrow.com
R80.10
AUTOMATION AND
ORCHESTRATION
[Protected] Distribution or modification is subject to approval

2©2018 Check Point Software Technologies Ltd.©2018 Check Point Software Technologies Ltd. [Protected] Distribution or modification is subject to approval
• Orchestration Needs
• Intro to API, JSON & YAML
• Check Point Automation Solutions
• Introduction to Ansible
• Orchestra and automate Check Point
• Blink
Agenda

3©2018 Check Point Software Technologies Ltd. [Protected] Distribution or modification is subject to approval
Automation is about codifying tasks
Orchestration is about codifying processes
Orchestration takes advantage of automation
by reusing these basic building blocks.

4©2018 Check Point Software Technologies Ltd.
Key Drivers
Public Cloud
SD-WAN
Private Cloud Efficiency Improvements

Orchestration Deployment Example
Deploy an entire web environment including
Check Point gateways in Open Stack
“all from a template configuration file”

Intro to API, JSON & YAML

RESTful API ?? , what is that?
• HTTP-based RESTful APIs are defined with the following aspects:
̶ Using standard HTTP methods (e.g., OPTIONS, GET, PUT, POST, and DELETE)
̶ Called via a base URL such as https://<mgmt>/web_api/
̶ An internet content type that tells the client how to compose requests in the body
to the server (e.g. HTML , JSON , XML)
GET POST PUT DELETE

• JavaScript Object Notation (JSON) is a textual representation defined by
a small set of governing rules in which data is structured.
• This makes it:
̶ Easy for humans to read and write.
̶ Easy for machines to parse and generate.
• YAML – YAML Ain’t Markup Language (YAML)
̶ YAML is a superset of the JSON serialization language
̶ YAML and JSON aim to be human readable as a data interchange format
̶ YAML is similar to Python and indentation-based scoping is used
What is JSON & YAML?

10©2018 Check Point Software Technologies Ltd. [Protected] Non-confidential content
Comparison of JSON vs YAML
{
"name" : "host1",
"ip-address" : "1.1.1.1",
"tags" : ["1st", "2nd", "3rd"],
"nat-settings" : {
"auto-rule" : true,
"ip-address" : "192.0.0.1"
}
}
---
name: host1
ip-address: 1.1.1.1
tags:
- 1st
- 2nd
- 3rd
nat-settings:
auto-rule: true
ip-address: 192.0.0.1

https://community.checkpoint.com/docs/DOC-2894

Check Point Automation Solutions

SK121360 - Check Point APIs Homepage
• Management
̶ Policy
̶ IoT API
̶ Gaia
̶ SmartConsole
̶ Log Events
̶ Provisioning
̶ Identity
• Mobile
̶ SandBlast Mobile
• Threat Prevention
̶ SandBlast API
̶ Block Lists
̶ IoC Feeds

Introduction to the
R80.10 Management API

What type of API does the “Management API” use?
• Security Management API uses a HTTP-based RESTful API
̶ All calls are sent using the “POST” HTTP method
̶ Base URL is https://<mgmt>/web_api/
̶ Header is defined with content type JavaScript Object Notation (JSON)
̶ Payload is written in JSON style format for the HTTP body
HTTP POST https://<mgmt>/web_api/login
Headers Content-Type: application/json
Body {
"user" : "Jim",
"password" : "MyPwd",
"domain" : "Nordics"
}
HTTP Method
Content type

Gaia CLI
Configuration templates
mgmt add host name host1
ip-address 1.1.1.1
API Guide : https://sc1.checkpoint.com/documents/latest/APIs/index.html
SmartConsolemgmt_cli toolWeb Services
Four ways to interact with management API Server
RESTFul API / JSON format Shell Scripting Faster operations
Which are all sending HTTP-based RESTful API calls to the management API server
--------------------------------------
2017-01-26 16:17:57,647 INFO [GUI] org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp-578874734-25] - Inbound Message
----------------------------
ID: 26
Address: http://127.0.0.1:50276/web_api/add-host
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {Accept=[text/plain], Content-Length=[42], content-type=[application/json], Host=[127.0.0.1:50276], Max-Forwards=[10],
X-chkp-debug=[GUI], X-chkp-sid=[9NOURe8pOk1hL8qPlFXdM6hScj6XbKLatZhD96JLQQ8], X-Forwarded-For=[127.0.0.1], X-Forwarded-
Host=[127.0.0.1], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[192.168.233.20]}
Payload: {"ip-address":“1.1.1.1","name":"host1"}
# mgmt_cli –r true add host
name host1 ip-address 1.1.1.1
$FWDIR/log/api.elg

Always remember the flow
Login
(Get session ID)
Make
Changes Publish Logout
https://<mgmt>/web_api/login https://<mgmt>/web_api/add-host https://<mgmt>/web_api/publish https://<mgmt>/web_api/logout
Install Policy
https://<mgmt>/web_api/install_policy

• To troubleshoot the API calls
• Check the API status
• Restart the API
• Reconfigure the API (Faster than restart)
Useful commands
# tail –f $FWDIR/log/api.elg
# api status
# api restart
# api reconf

Testing the API calls
• Postman
̶ Can import R80 collections
̶ https://community.checkpoint.com/message/5648
̶ Can export calls as scripts

Introduction to Ansible

What is this “Ansible” thing…

In short…
Ansible can automate IT environments whether they are hosted
on traditional bare metal servers, virtualization platforms, or in the
cloud.
It can also automate the configuration of a wide range of systems
and devices such as databases, storage devices, networks,
firewalls, and many others.

• Ansible is software that automates software provisioning, configuration
management, and application deployment.
̶ Commands are sent to the end modules via SSH
̶ Modules are available to make Ansible extensible
̶ Many are included by default
̶ Check Point’s module is currently included by default
Ansible – What is it???

• The "Ansible Check Point Management" module provides the ability to
automate Check Point management tasks (e.g. add objects, manipulate
the rule base, push policy) into the Ansible automation platform.
̶ More information is available on communit.checkpoint.com
̶ https://community.checkpoint.com/docs/DOC-1928
̶ The latest version is available on GitHub
̶ https://github.com/CheckPoint-APIs-Team/cpAnsible
Sk121360 - Automate management using "Ansible"

• Ansible uses an inventory system
̶ Simple Text Files (/etc/ansible/hosts)
̶ Dynamic Inventory – think AWS, Azure, or OpenStack
• Ansible Playbooks are used to orchestrate move/add/changes
̶ Multiple tasks can be run in a Playbook
̶ Playbooks can be combined
• Ansible is driven by Python
• Ansible playbooks are written in YAML
Ansible – What is it???

Orchestration Deployment Example
• Deploy and configure:
̶ Primary & Secondary Management Server
̶ Establish SIC between Management Servers
̶ Access Control and Threat Prevention Policy
̶ To protect our new WebShop
̶ Security Gateway
̶ Establish SIC with Security Gateway
̶ Install Access Control and Threat Prevention Policy
̶ Deploy new WebShop Web Server
“all from a template configuration file”

Blink

Gateway provisioning
• Provisioning a gateway with
̶ Any clish command
̶ Latest JHF
̶ IP-address
̶ Default Gateway
̶ NTP
̶ DNS
̶ SIC
• Using blink under 4 minutes

Thank You

Check Point automatizace a orchestrace

More Related Content

What's hot (20)

Similar to Check Point automatizace a orchestrace (10)

More from MarketingArrowECS_CZ (20)

Recently uploaded (20)

Check Point automatizace a orchestrace