Orchestration and Automation - Ryan Darst - Marco Garcia


AUTOMATION AND ORCHESTRATION
R80.10

Ryan Darst | Solution Manager
Central and North East US

©2017 Check Point Software Technologies Ltd. 1


Intro to APIs



REST APIs?? What is that?
• A mechanism that allows systems to access, manipulate, delete, change, and add resources on an application via web services.
• REST APIs are called via standard URLs, for example:
̶ https://r80-mgmt/web_api/add_host
• The application exposes HTTP calls such as: get/post/put/delete, etc.
• The data being exchanged can be in formats such as:
̶ HTML, JSON, XML.
R80 SmartCenter/MDM

https://r80mgmt/web_api/add_host



API Documentation
• The documentation for the installed version is available at
̶ https://mgmt-ip/api_docs
̶ API server must be enabled
̶ Client must be a trusted client/GUI client

• All four methods of using the API are documented



Enabling the API



What type of APIs does R80 use?
• Web Services REST APIs with a JSON-style format for the HTTP body
• Most calls are “POST” requests



R80 Architecture



How do I use/test the API calls ?



Always remember the flow

Login -> Send REST Action -> Publish -> Logout

Login: https://<mgmt>/web_api/login
Send REST Action: https://<mgmt>/web_api/add-host
Publish: https://<mgmt>/web_api/publish
Logout: https://<mgmt>/web_api/logout

Install Policy: https://<mgmt>/web_api/install_policy
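
The flow above as a Python sketch (an added example, not one of the lab's scripts): it logs in, adds a host, publishes, and always logs out, discarding the private session if any step fails so no unpublished changes or locks are left behind. TLS certificate verification stays on. The host name mgmt.example, the credentials, the ca_file parameter and the fake server are assumptions made so the example runs offline.

```python
import json
import ssl
import urllib.request


def https_post(base_url, command, payload, sid=None, ca_file=None):
    """POST one JSON command to <base_url>/<command> and return the parsed reply."""
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session token returned by login
    # Verification stays on; ca_file (assumed path) is the CA for the server's certificate.
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(f"{base_url}/{command}", method="POST",
                                 data=json.dumps(payload).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)  # non-2xx replies raise urllib.error.HTTPError


def add_host_session(base_url, user, password, name, ip, post=https_post):
    """Login -> add-host -> publish -> logout; discard the session on any failure."""
    sid = post(base_url, "login", {"user": user, "password": password})["sid"]
    try:
        host = post(base_url, "add-host", {"name": name, "ip-address": ip}, sid)
        post(base_url, "publish", {}, sid)
        return host["uid"]
    except Exception:
        post(base_url, "discard", {}, sid)  # drop unpublished changes and locks
        raise
    finally:
        post(base_url, "logout", {}, sid)  # never leave the token valid


def make_fake_mgmt(fail_on=None):
    """Constructed stand-in for the management server so the flow runs offline."""
    calls = []
    def post(base_url, command, payload, sid=None):
        calls.append((command, sid))
        if command == fail_on:
            raise RuntimeError(f"{command} rejected")
        return {"login": {"sid": "constructed-sid"},
                "add-host": {"uid": "constructed-uid"}}.get(command, {})
    return post, calls


if __name__ == "__main__":
    post, calls = make_fake_mgmt()
    print(add_host_session("https://mgmt.example/web_api", "api_user",
                           "example-password", "cpx-host3", "10.1.1.1", post=post))
    print([command for command, _ in calls])
```

Against a real server, call add_host_session without the post argument; Install Policy would be a further call made after publish.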



Testing the API calls
• CURL
̶ Very useful for simple bash scripts



Testing the API calls
• Postman
̶ Can import R80 collections
̶ Can export calls as scripts



Testing the API calls
• REST API Demo Tool (Check Point)



Other ways
• Programming languages
̶ Python
̶ PHP
̶ Perl
̶ Java , etc

• Automation Tools
̶ Ansible (ansible library available)
̶ OpenStack Heat



Don’t forget about the mgmt_cli and SmartConsole CLI

[Diagram: three ways to reach the API: Web Services API, Mgmt CLI, and SmartConsole Command Line. Labels: REST APIs / JSON format, Shell Scripting, Faster Operations.]

[Expert@r80mgmt:0]# mgmt_cli login

API Guide : https://sc1.checkpoint.com/documents/R80/APIs/index.html


R80 Layers and Sessions Review
• R80 policies are made up of layers
̶ Layers can be inline and/or ordered
̶ RBA can be delegated to specific layers

• Sessions are used to achieve admin concurrency
̶ Think of the automated API working along with users in the system
̶ Sessions are private until they are published



Let’s do some fun stuff



Lab Setup

• https://cpxlab-##.cpmarco.com/guacamole
̶ user: cpx2017/ pw: cpx2017

• SmartConsole:
̶ user: admin/ pw: cpx2017



Setting up the SmartConsole to accept API calls

Manage & Settings -> Blades -> Management API -> Advanced Settings

After Publish -> Log on to the R80 server via the CLI and type “api restart”

Setup Postman

• Turn off SSL certificate verification



Setup Postman - Environment
• Click “the icon shown below” -> “Manage Environment” -> “Globals”

• Under the “server” value, add “https://10.0.102.100/web_api”, and save



Now we are ready to build some stuff

Login -> Send REST Action -> Publish -> Logout

Login: https://<mgmt>/web_api/login
Send REST Action: https://<mgmt>/web_api/add-host
Publish: https://<mgmt>/web_api/publish

Install Policy: https://<mgmt>/web_api/install_policy



Lab 01

Login
- Save the token
- Create a host object
- Publish
- Logout



Lab 01 Continuation



Lab 02
https://10.0.102.100/api_docs/
̶ Create Group
̶ Create Host Object and Add it to the group in a single call.
̶ Publish

Lab 03
̶ Create a new policy package called “CPXTraining”
̶ Add a new section title on the top called “Admin Access”
̶ Add another section title below called “CPX Access”
̶ Add a new rule on section Admin Access
̶ Add a new rule on section CPX Access
̶ Publish



Policy Package: CPX2017

Network

CPX2017 Network



Lab 04
• Create a gateway object (add-simple-gateway) with SIC
̶ Gateway Name: vsec-gw
̶ Version : R77.30
̶ Blades – FW, IPS, Anti-Bot, Anti-Virus, and Threat-Emulation
̶ Gateway IP: 10.0.102.10
̶ SIC PW : cpx2017
̶ Interfaces: (Antispoofing off)
̶ Eth0 : 10.0.100.10/24 External
̶ Eth1 : 10.0.101.10/24 Internal
̶ Eth2 : 10.0.102.10/24 Internal
̶ Color: Blue
̶ Publish
• Verify that the gateway shows up on the dashboard and trust is established.

Lab 04
• Push the Standard Policy to the new gateway
• Check the task id that was given and see when it completes
• Check your access to ssh to the internal-host with Putty



Don’t feel like typing it all in ?

• Sample calls (json) are here


̶ https://s3-us-west-2.amazonaws.com/cpx2017-automation/cpx-automation/sample_json_calls.txt



Useful commands
• To troubleshoot the API calls
tail -f $FWDIR/log/api.elg

• Check the API status
api status

• Restart the API
api restart



MGMT_CLI

• Available for GAIA , Linux , Windows


̶ Easy to use:
̶ Sample:
mgmt_cli login | tee session.txt
mgmt_cli show-objects -s session.txt
mgmt_cli add host name "cpx-host3" ip-address "10.1.1.1" -s session.txt
mgmt_cli publish -s session.txt
mgmt_cli logout -s session.txt



mgmt_cli - bulk add objects

• Create a CSV file


For example:
name,ip-address,color,comments
cpx1,1.1.1.100,blue,batch
cpx2,1.1.1.101,blue,batch
cpx3,1.1.1.102,blue,batch

• Run mgmt_cli with the batch function:


mgmt_cli login | tee session.txt
mgmt_cli add-host -b csvfile.csv -s session.txt
mgmt_cli publish -s session.txt

MGMT_CLI Lab

• Using the mgmt_cli , create a csv file and add a list of hosts with the
batch function.
• Using the mgmt_cli , create a csv file and add a list of services with the
batch function.
• Using the mgmt_cli , create a csv file and add a list of rules with the
batch function from the hosts and services created earlier
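
A pre-flight check for the add-host batch file, as an added example (not part of the lab material or of mgmt_cli): it reads a CSV in the name,ip-address,color,comments layout shown earlier and reports rows with a bad field count, an empty or repeated name, or an invalid IP address before anything is sent to the management server. The function name and the bad sample rows are constructed for illustration.

```python
import csv
import io
import ipaddress

REQUIRED = ("name", "ip-address")


def validate_host_csv(text):
    """Return (line_number, problem) pairs for an add-host batch CSV."""
    reader = csv.DictReader(io.StringIO(text))
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        return [(1, "missing column(s): " + ", ".join(missing))]
    problems, first_seen = [], {}
    for row in reader:
        line = reader.line_num
        # DictReader marks extra fields with a None key, short rows with None values.
        if None in row or None in row.values():
            problems.append((line, "field count differs from header"))
            continue
        name = row["name"].strip()
        if not name:
            problems.append((line, "empty name"))
        elif name in first_seen:
            problems.append((line, f"duplicate name {name!r}, first on line {first_seen[name]}"))
        else:
            first_seen[name] = line
        try:
            ipaddress.ip_address(row["ip-address"].strip())
        except ValueError:
            problems.append((line, f"invalid ip-address {row['ip-address']!r}"))
    return problems


# Constructed sample: the CSV from the slide plus three deliberately bad rows.
SAMPLE = """name,ip-address,color,comments
cpx1,1.1.1.100,blue,batch
cpx2,1.1.1.101,blue,batch
cpx3,1.1.1.102,blue,batch
cpx2,1.1.1.103,blue,batch
cpx4,1.1.1.300,blue,batch
cpx5,1.1.1.105,blue
"""

if __name__ == "__main__":
    for line, problem in validate_host_csv(SAMPLE):
        print(f"line {line}: {problem}")
```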



Mgmt_CLI in SmartConsole

• Now use the mgmt_cli, try it in SmartConsole


• Change the color of a host
• Add a new UDP service
• Notice where the publish occurs!



Changes using Clish

• Use the API from clish on your management server


• Add a new host and set the color to blue
• Add a new tcp service



Sample Scripts (shell)

• On your lab , open the orchestrator (SSH), under the /scripts folder
̶ Go to /scripts/r80_shell_scripts
̶ Run : ./create-host
Verify that it is on the dashboard
̶ Run: ./delete-host

• On your Management Server under /home/admin/R80_Scripts


̶ Run the Create* scripts: bash Create_All
̶ Run the Delete_All Script
̶ Review the scripts and see how it is done!



Sample Scripts (python)

• On your lab (orchestrator) go to:


̶ /scripts/r80_python_scripts
̶ r80_apis.py (sample library created from rest API scripts)
̶ add_host.py
̶ add_hosts_from_csv.py
̶ add_rulebase_from_csv.py
̶ delete_rulebase_from_csv.py
̶ delete_hosts_from_csv.py
̶ delete_host.py
̶ add_hosts_from_csv_staging.py



Ansible

• Ansible library provided by CP - See “sk114661”


• Automate and orchestrate the build of your infrastructure , including
security policies , rules and objects using ansible and CP.
̶ On your lab go to /etc/ansible/

Example
ansible-playbook cpx_add_host_w_inputs.yml --extra-vars "ip=1.2.3.4 host=myhost"



Sample Portal

• https://<your ip>/cpportal
̶ User: api_user PW: cpx2017



Where do I download the sample files from?

https://s3-us-west-2.amazonaws.com/cpx2017-automation/list.html

• It will be available for the next 30 days.

Script Repositories

• Exchange Point
https://community.checkpoint.com



THANK YOU
