CloudGuard Edge Automation for KVM Based Platforms
Solution

Overview

This article describes how cloud-init automation within the CloudGuard Edge image can be leveraged to bootstrap a virtual machine built to run on the KVM hypervisor by various platforms. The bootstrap process includes multiple methods of user-data input and user-data formats. As of this writing, these Generic and OpenStack images are provided by the Check Point Cloud Alliance or Telco teams upon customer request. The automation described in this article will be added to Generally Available images in the future.

Metadata Input Methods

Config Drive

The most common method of providing metadata is a config drive. A config drive is a predefined file structure of VM configuration information, packaged in a specially labeled ISO that is attached at VM creation time. Upon first boot, the OS starts a bootstrapping service that locates the mounted ISO via its blkid label and/or filesystem type and then reads the metadata from the file structure. Basic VM meta information, complex multi-part scripts, service provider logos, and more can be supplied via this method.

While Check Point references the cloud-init standards, some variations may exist. Check Point images that carry this updated bootstrapping use a naming convention, Generic and OpenStack, that identifies which automation is built into the image.

HTTP Metadata Service

Virtual machine information may be polled from an HTTP metadata service on OpenStack KVM platforms. Be aware that not all OpenStack or KVM operators enable this service. The data available via the HTTP metadata service is the same as what is provided via config drive (vendor, network, meta, and user data). The CG IaaS bootstrap service prefers a mounted config drive at first boot; when no attached config drive is detected, the bootstrap service attempts to poll the HTTP service for the configuration data. One benefit of HTTP metadata over a config drive is that it is dynamic, presenting network interface changes to the VM after deployment. Conversely, config drive data is populated by the platform only at VM instantiation.

This section is for information purposes only. The CloudGuard Edge bootstrap service does not consume HTTP metadata service data.

Check Point OpenStack Labeled QCOW Image Requirements

  1. The ISO volume label must be set to "config-2".
  2. The file structure for an OpenStack deployment has the following requirements:
    1. The configuration files (vendor, network, meta, and user data) must be placed in the ISO /openstack/latest/ directory by the platform.
    2. vendor_data.json
      1. Check Point does not utilize this file.
    3. network_data.json
      1. May specify a DHCP or static configuration per interface.
      2. If configured as DHCP, the bootstrapping automation polls for a DHCP-provided address on the specified interfaces, consumes that DHCP address, and statically assigns it to the interface.
    4. meta_data.json
      1. SSH key.
      2. Virtual machine name, provided by the platform. This VM name is consumed as the OS hostname unless a hostname is specified in user_data.
    5. user_data
      1. The user_data file is limited to 16k in size.
      2. The additional data that user_data may carry is described in the user_data Customization Formats section.

Check Point Generic Labeled QCOW Image Requirements

  1. The ISO must be of type "ISO9660".
  2. The ISO file structure has the following requirements:
    1. The user_data file can be placed anywhere within the ISO (Check Point recommends the root directory).
    2. The user_data file is limited to 16k in size.
    3. The additional data that user_data may carry is described in the user_data Customization Formats section.

CloudGuard Edge VNF Interface Requirements

  1. CG Edge VNF images require a minimum of three interfaces:
    1. Virtual machine eth0 maps to the WAN interface.
    2. Virtual machine eth1 maps to the DMZ interface.
    3. Virtual machine eth2 maps to the LAN1 interface.
    4. Virtual machine eth3 maps to the LAN2 interface.
    5. The series continues in the same way.
  2. OpenStack images rely on interface configuration provided by the platform. When this information is not provided, the defaults are:
    1. WAN - the bootstrapping service attempts to configure the interface with a static IP obtained via DHCP.
    2. DMZ - the interface is left unconfigured.
    3. LAN1 - the bootstrapping service configures a static IP address of 192.168.1.1/24.
    4. LAN2, etc. - unconfigured.
  3. Generic images rely on interface configuration provided in the user_data file. When this information is not provided, the defaults are:
    1. WAN - the bootstrapping service attempts to configure the interface with a static IP obtained via DHCP.
    2. DMZ - the interface is left unconfigured.
    3. LAN1 - the bootstrapping service configures a static IP address of 192.168.1.1/24.
    4. LAN2, etc. - unconfigured.

Check Point user_data Customization Formats

The information in this section applies to both Generic and OpenStack images.

  1. user_data may be provided via the HTTP metadata service or a config drive; not all operators enable platform HTTP metadata services.
  2. The config drive ISO file structure has the following options:
    1. The Check Point bootstrapping service parses user_data and determines the format of the scripts automatically.
    2. user_data has no format requirement beyond properly following the conventions of the chosen file format.
    3. The detection order of the Check Point bootstrapping service is MIME, cloud-config, and then bash.
    4. If neither MIME nor cloud-config is detected, the user_data is processed as a bash script.
    5. The user_data file may be presented as cloud-config in YAML format.
    6. user_data may be presented in bash format.
    7. user_data may be presented in multi-part MIME format.
    8. Multi-part MIME supports the text/cloud-config and text/x-shellscript part types.
      1. Terraform templates are a typical case for multi-part MIME.
      2. For complex configurations that mix cloud-config and bash, multi-part MIME is the suggested format.
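
The following Python script is an added illustration of the formats listed above; it is not code from the Check Point image or its bootstrap service. It assembles a multi-part MIME user_data from a cloud-config part and a shell part (the two part types named above), enforces the 16k limit, and classifies a payload in the order the article states (MIME, then cloud-config, otherwise bash). The sample parts, file names, and the detection heuristics are this example's own assumptions, not a description of Check Point's parser.

```python
"""Build and classify CloudGuard Edge user_data payloads.

Added example (not Check Point code). It follows the detection order the
article states for the bootstrap service: multi-part MIME, then cloud-config,
otherwise bash. The heuristics below are this example's own assumptions.
"""
import email
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

# The article limits the user_data file to 16k.
USER_DATA_LIMIT = 16 * 1024

# Constructed sample parts (assumed values, not a real deployment).
CLOUD_CONFIG_PART = """#cloud-config
system:
  hostname: CloudGuardEdge
  domainname: example.com
"""

SHELL_PART = """set property first-time-wizard off
set admin-access allowed-ipv4-addresses any
"""


def build_multipart_user_data(cloud_config: str, shell_script: str) -> str:
    """Wrap the two supported part types (text/cloud-config and
    text/x-shellscript) in a single multipart/mixed body."""
    outer = MIMEMultipart("mixed")
    for body, subtype, filename in (
        (cloud_config, "cloud-config", "cloud-config.yaml"),
        (shell_script, "x-shellscript", "bootstrap.sh"),
    ):
        part = MIMEText(body, subtype)
        part.add_header("Content-Disposition", "attachment", filename=filename)
        outer.attach(part)
    return outer.as_string()


def within_size_limit(user_data: str) -> bool:
    """Check the 16k limit before the payload is written to the ISO."""
    return len(user_data.encode("utf-8")) <= USER_DATA_LIMIT


def detect_user_data_format(user_data: str) -> str:
    """Return 'mime', 'cloud-config' or 'bash', checked in that order."""
    head = user_data.lstrip()
    if head.lower().startswith(("content-type:", "mime-version:")):
        if email.message_from_string(head).is_multipart():
            return "mime"
    if head.startswith("#cloud-config"):
        return "cloud-config"
    return "bash"


def split_multipart(user_data: str) -> list:
    """Return (content_type, text) for each leaf part of a MIME user_data."""
    msg = email.message_from_string(user_data)
    parts = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # skip the multipart/mixed container itself
        payload = part.get_payload(decode=True).decode("utf-8")
        parts.append((part.get_content_type(), payload))
    return parts


if __name__ == "__main__":
    user_data = build_multipart_user_data(CLOUD_CONFIG_PART, SHELL_PART)
    print(f"format: {detect_user_data_format(user_data)}, "
          f"within limit: {within_size_limit(user_data)}")
    for content_type, text in split_multipart(user_data):
        print(f"--- {content_type} ---\n{text}")
```

Writing the result of build_multipart_user_data() to a file named user_data gives a payload the article says the bootstrap service will recognise as multi-part MIME; the size check belongs in whatever tooling generates the ISO, because a payload over 16k is rejected only after the VM has already booted.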

Examples

CloudGuard Edge VNF cloud-config user_data YAML

The generic CG Edge image has no explicitly required settings for a "cloud-config" based gateway deployment. However, not providing any user data will result in a VNF with a default configuration and require the first-time-wizard to be run manually.

  #cloud-config
  ### Example file. Removing a stanza will result in system defaults for that section.
  ### The two "interfaces" stanzas and the two "cpusers" stanzas below are alternatives;
  ### keep only one of each in a real user_data file.
  system:
    hostname: CloudGuardEdge
    domainname: labnet.com
    management_mode: central
    central_management:
      address: 10.200.1.3
      gateway_sic_key: vpn123
    ### DNS set in the system area is redundant when implemented on the WAN interface.
    dns1: 1.1.1.1
    dns2: 8.8.8.8
    dns3: 4.2.2.2
    ntp1:
      address: ntp.checkpoint.com
    ntp2:
      address: ntp2.checkpoint.com
  ssh_authorized_keys:
    - ssh-rsa AA/yxVV1zfVGaJD801Xt6EiQ2LWPEwVc3e5GsCkCgWyBb6HLkMyR0VLZzM7QLrXJgcC/ replace@me
  cpusers:
    - name: admin
      shell: /bin/bash
      password-hash: $1$Gz8EHpk6$L7YYYtIN6zThsBp0n6cAI0
    - name: joe
      shell: /etc/cli.sh
      password-hash: $1$Gz8EHpk6$L7YYYtIN6zThsBp0n6cAI0
      permission: read-write
  ### Static WAN/Mgmt interface example
  interfaces:
    - name: WAN
      ipv4-address: 10.87.0.105
      subnet-mask: 255.255.255.0
      dns1: 10.56.0.1
      dns2: 8.8.8.8
      default-gw: 10.87.0.200
      mgmt: true
    - name: br0
      ipv4-address: 172.34.150.100
      subnet-mask: 255.255.255.248
    - name: DMZ
      bridge: br0
    - name: LAN1
      bridge: br0
  ### DHCP WAN/Management interface example
  interfaces:
    - name: WAN
      mgmt: true
      ipv4-address: dhcp
    - name: br0
      ipv4-address: 172.34.150.100
      subnet-mask: 255.255.255.248
    - name: DMZ
      bridge: br0
    - name: LAN1
      bridge: br0
  vpn:
    sites:
      - peer_name: VPNPeer1
        peer_address: 1.2.3.4
        peer_encryption_domain_network: 192.168.70.0
        peer_encryption_domain_subnet: 255.255.255.0
        peer_shared_secret: supersecretkey1
      - peer_name: VPNPeer2
        peer_address: 4.5.6.7
        peer_encryption_domain_network: 192.168.80.0
        peer_encryption_domain_subnet: 255.255.255.0
        peer_shared_secret: supersecretkey2
  cpusers:
    - name: admin
      shell: /bin/bash
      password-hash: $1$t00e9wFc$R/8X5130WvmJbgdhj7D/T/
    - name: john
      shell: /etc/cli.sh
      password-hash: $1$t00e9wFc$R/8X5130WvmJbgdhj7D/T/
      permission: read-write
  clishcmd:
    - set message banner msgvalue "Welcome to Check Point CloudGuard Edge" on
    - set ui-settings use-custom-webui-logo true
    - set ui-settings custom-webui-logo-url https://www.customer.com/
  write_files:
    - path: /opt/fw1/conf/custom_ui_logo.png
      permissions: '0664'
      owner: admin:root
      encoding: b64
      content: |
        AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/2wBDAQEBAQEBAQEBAQEBAQEBAQEBAQEB
        5peaMhIa91kjG_THIS_IS_A_BASE_64_ENCRYPTED_JPG_Zm3I7ihjxrlw0pLNDneVDlrVc0pNFW
        hxtDiqSmnDXRV_THIS_IS_JUST_AN_EXAMPLE_NOT_REQUIRED_sS+Mus+8s+7P8ivNyL+FY/l5P
        +YrxlNn4ir7yr/NGYYf7Uv8Asf0eHxkzvYj+bHnzwIZF/fGh/wA26/6WJ4ylyf6X+lvm7GDH1g/w
        K4D/ACq4f9GuHjMvP//Z+bHnzwIZF/fGh/wA26/6WJ4ylyf6X+lvm7GDH1g/wfGh/w8Asf0eHxkz

YAML Option Table

Root Option         Option              Sub Option                      Data / Note
system
                    hostname
                    domainname
                    management_mode                                     local or central
                    local_management
                                        identity_awareness              true or false
                                        app_control                     true or false
                                        anti_virus                      true or false
                                        anti_bot                        true or false
                                        ips                             true or false
                                        threat_emulation                true or false
                    central_management
                                        address                         SMS IP address
                                        gateway_sic_key                 GW SIC key
                    dns1                                                DNS1 IP address
                    dns2                                                DNS2 IP address
                    dns3                                                DNS3 IP address
                    ntp1
                                        address                         NTP1 IP address
                    ntp2
                                        address                         NTP2 IP address
ssh_authorized_keys
                    - ssh-rsa                                           admin user SSH public key 1
                    - ssh-rsa                                           admin user SSH public key 2
cpusers
                    - name                                              admin
                                        shell                           /bin/bash or /etc/cli.sh
                                        password-hash                   password hash
                    - name                                              example
                                        shell                           /bin/bash or /etc/cli.sh
                                        password-hash                   password hash
interfaces
                    - name                                              br0, 1, 2, WAN, DMZ, LAN1, 2, 3, etc. When set to brX, creates a bridge group for later assignment
                                        ipv4-address                    dhcp or IP address
                                        subnet-mask
                                        dns1
                                        dns2
                                        default-gw                      Sets the default gateway IP address for the WAN interface
                                        bridge                          br0, 1, 2, etc. Assigns the interface to a bridge group
vpn
                    sites
                                        - peer_name                     VPN peer name
                                        peer_address                    VPN peer IP address
                                        peer_encryption_domain_network  VPN peer subnet
                                        peer_encryption_domain_subnet   VPN peer subnet mask
                                        peer_shared_secret              VPN peer shared secret
clishcmd                                                                This section enables corner cases; any valid clish command is allowed
                    - set message banner msgvalue "Welcome to Check Point CloudGuard Edge" on
                    - set ui-settings use-custom-webui-logo true
                    - set ui-settings custom-webui-logo-url https://www.example.com/
write_files                                                             This section enables logo and script upload
                    - path: /opt/fw1/conf/custom_ui_logo.png
                                        permissions                     file permission
                                        owner                           file owner
                                        encoding                        file encoding
                                        content                         base64 encoded content
runcmd                                                                  This section enables corner cases
                    - 'touch /home/admin/runcmd'

Bash CG Edge Gateway user_data

  # Management interface
  # Static option:
  add internet-connection interface WAN type static ipv4-address 10.100.0.5 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Mgmt
  # OR the DHCP option (use instead of the static line above):
  # add internet-connection interface WAN type dhcp name Mgmt conn-test-timeout 0
  # THEN, for either option:
  set internet-connection Mgmt disable-nat on
  set internet-connection Mgmt route-traffic-through-default-gateway false

  # Internet interfaces
  # DHCP option:
  add internet-connection interface LAN4 type dhcp name Internet1 conn-test-timeout 0
  add internet-connection interface LAN5 type dhcp name Internet2 conn-test-timeout 0
  # OR the static option (use instead of the DHCP lines above):
  # add internet-connection interface LAN4 type static ipv4-address 10.100.0.7 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Internet1
  # add internet-connection interface LAN5 type static ipv4-address 10.100.0.8 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Internet2

  # Globals with local management
  set property first-time-wizard off
  set admin-access interfaces WAN access allow
  set admin-access allowed-ipv4-addresses any
  set security-management mode locally-managed
  set antispoofing advanced-settings global-activation "false"
  set dhcp server interface WAN disable
  set dhcp server interface DMZ disable
  set dhcp server interface LAN1 disable
  set dhcp server interface LAN2 disable
  set dhcp server interface LAN3 disable
  set dhcp server interface LAN4 disable
  set dhcp server interface LAN5 disable

  # DMZ interface with multiple VLANs on a bridge
  add interface DMZ vlan 100
  add interface DMZ vlan 101
  add interface DMZ vlan 150
  add interface DMZ vlan 151
  set interface DMZ:100 ipv4-address 192.168.100.254 mask-length 24
  set interface DMZ:101 ipv4-address 192.168.101.254 mask-length 24
  add bridge name br0
  set dhcp server interface br0 disable
  set interface br0 ipv4-address 172.34.150.100 mask-length 24
  set bridge br0 add member DMZ:150
  set bridge br0 add member DMZ:151

  # LAN1 interface as a trunk
  add interface LAN1 vlan 200
  add interface LAN1 vlan 201
  add interface LAN1 vlan 250
  add interface LAN1 vlan 251
  set interface LAN1:200 ipv4-address 192.168.200.254 mask-length 24
  set interface LAN1:201 ipv4-address 192.168.201.254 mask-length 24
  add bridge name br1
  set dhcp server interface br1 disable
  set interface br1 ipv4-address 172.34.250.100 mask-length 24
  set bridge br1 add member LAN1:250
  set bridge br1 add member LAN1:251

ISO Creation

There are various tools to create an ISO; genisoimage, mkisofs, and xorriso are the most common.

  • bash_prompt:> genisoimage -output /tmp/myUserData-gw.iso -volid config-2 -joliet -r ~/cloud-init/myUserData/openstack.gw/
  • bash_prompt:> mkisofs -r -V config-2 -o /tmp/myUserData-gw.iso /tmp/cloud-init/myUserData/openstack.gw/
  • bash_prompt:> xorriso -as mkisofs -o /tmp/myUserData-gw.iso /tmp/cloud-init/myUserData/openstack.gw/
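
The following Python script is an added example, not Check Point tooling, that ties the OpenStack image requirements above to the ISO creation step. It stages the /openstack/latest/ tree with meta_data.json, network_data.json and user_data, enforces the 16k user_data limit, confirms nothing required is missing, and produces the same genisoimage invocation shown above with the "config-2" volume label. The sample metadata values are constructed; the JSON key names follow the general OpenStack config-drive layout, which is an assumption here because the article does not spell them out. genisoimage is run only if it is installed; otherwise the command line is returned for the operator to run.

```python
"""Stage and validate a config-2 config drive for the CloudGuard Edge image.

Added example, not Check Point's tooling. It lays out the /openstack/latest/
tree the article requires, enforces the 16k user_data limit, and builds the
genisoimage command with the "config-2" volume label.
"""
import json
import os
import shutil
import subprocess
import tempfile

CONFIG_DRIVE_LABEL = "config-2"          # label the bootstrap service looks for
USER_DATA_LIMIT = 16 * 1024              # 16k limit stated in the article
LATEST_DIR = os.path.join("openstack", "latest")
REQUIRED_FILES = ("meta_data.json", "network_data.json", "user_data")

# Constructed sample metadata (assumed values). Key names follow the OpenStack
# config-drive layout; the article only states that the platform supplies the
# VM name and SSH key in this file.
SAMPLE_META_DATA = {
    "uuid": "00000000-0000-4000-8000-000000000001",
    "name": "cgedge-gw-01",
    "public_keys": {"admin": "ssh-rsa AAAA...EXAMPLE replace@me"},
}

# Constructed network_data.json: WAN (eth0) on DHCP. The article says the
# bootstrap service then pins the DHCP-provided address statically.
SAMPLE_NETWORK_DATA = {
    "links": [{"id": "eth0", "type": "phy",
               "ethernet_mac_address": "52:54:00:00:00:01"}],
    "networks": [{"id": "network0", "type": "ipv4_dhcp", "link": "eth0"}],
    "services": [],
}

SAMPLE_USER_DATA = "#cloud-config\nsystem:\n  hostname: cgedge-gw-01\n"


def user_data_within_limit(user_data: str) -> bool:
    """Check the 16k limit before anything is written to the tree."""
    return len(user_data.encode("utf-8")) <= USER_DATA_LIMIT


def stage_config_drive(root: str, meta_data: dict, network_data: dict,
                       user_data: str) -> str:
    """Write the files the article lists into <root>/openstack/latest/."""
    if not user_data_within_limit(user_data):
        raise ValueError("user_data exceeds the 16k limit")
    latest = os.path.join(root, LATEST_DIR)
    os.makedirs(latest, exist_ok=True)
    with open(os.path.join(latest, "meta_data.json"), "w") as fh:
        json.dump(meta_data, fh)
    with open(os.path.join(latest, "network_data.json"), "w") as fh:
        json.dump(network_data, fh)
    with open(os.path.join(latest, "user_data"), "w") as fh:
        fh.write(user_data)
    return latest


def missing_files(root: str) -> list:
    """Required files absent from the staged tree (empty when complete)."""
    latest = os.path.join(root, LATEST_DIR)
    return [n for n in REQUIRED_FILES
            if not os.path.isfile(os.path.join(latest, n))]


def genisoimage_command(root: str, iso_path: str) -> list:
    """Same invocation as the article's genisoimage line, label config-2."""
    return ["genisoimage", "-output", iso_path, "-volid", CONFIG_DRIVE_LABEL,
            "-joliet", "-r", root]


def build_iso(root: str, iso_path: str):
    """Run genisoimage if available; return the ISO path or None if skipped."""
    if shutil.which("genisoimage") is None:
        return None
    subprocess.run(genisoimage_command(root, iso_path), check=True,
                   capture_output=True)
    return iso_path


def run_sample(root: str = None) -> dict:
    """Stage the constructed sample and report what an operator would check."""
    root = root or tempfile.mkdtemp(prefix="cgedge-cfgdrive-")
    stage_config_drive(root, SAMPLE_META_DATA, SAMPLE_NETWORK_DATA,
                       SAMPLE_USER_DATA)
    iso_path = os.path.join(root, "config-drive.iso")
    return {
        "root": root,
        "missing": missing_files(root),
        "command": genisoimage_command(root, iso_path),
        "iso": build_iso(root, iso_path),
    }


if __name__ == "__main__":
    report = run_sample()
    print("staged under", report["root"])
    print("missing files:", report["missing"] or "none")
    print("run:", " ".join(report["command"]))
    print("iso built:", report["iso"] or "genisoimage not installed, skipped")
```

For a Generic-labeled image the same script applies with the user_data file placed at the ISO root and without the config-2 label requirement; the size check and the format of user_data are unchanged.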

Applies To:
  • kvm
  • openstack
  • automation