Overview
This article describes how cloud-init automation within the CloudGuard Edge image can be leveraged to bootstrap a virtual machine built to run on the KVM hypervisor by various platforms. The bootstrap process includes multiple methods of user-data input and user-data formats. As of this writing, these Generic and OpenStack images are provided by the Check Point Cloud Alliance or Telco teams upon customer request. The automation described in this article will be added to Generally Available images in the future.
Metadata Input Methods
Config Drive
The most common method of providing metadata is a config drive. A config drive is a predefined file structure of VM configuration information that is contained in a specially labeled ISO and attached at VM creation time. Upon first boot, the OS starts a bootstrapping service that searches for this mounted ISO via its blkid label and/or filesystem type and then reads the metadata from the file structure. Basic VM meta information as well as complex multi-part scripts, service provider logos, and more can be supplied via this method.
While Check Point follows the cloud-init standards, some variations may exist. The Check Point image with this updated bootstrapping uses a naming convention that distinguishes the two automation variants, Generic and OpenStack, in the image name.
HTTP Metadata Service
Virtual machine information may be polled from an HTTP metadata service on OpenStack KVM platforms. Be aware that not all OpenStack or KVM operators enable this service. The data available via the HTTP metadata service is the same as what is provided via config drive (vendor, network, meta, and user data). The CG IaaS bootstrap service prefers a mounted config drive at first boot; when no attached config drive is detected, the bootstrap service attempts to poll the HTTP service for the configuration data. One benefit of HTTP metadata over config drive is that it is dynamic, presenting network interface changes to the VM post deployment. Conversely, config drive data is only populated by the platform at VM instantiation.
This section is for information purposes only. The CloudGuard Edge bootstrap service does not consume HTTP metadata service data.
Check Point OpenStack Labeled QCOW Image Requirements
- ISO label is set as "config-2"
- The file structure for an OpenStack deployment has the following requirements:
  - The configuration files (vendor, network, meta, and user data) must be placed in the ISO /openstack/latest/ directory by the platform.
  - vendor_data.json
    - Check Point does not utilize this file.
  - network_data.json
    - May specify DHCP or static interface configurations per interface.
    - If configured as DHCP, the bootstrapping automation polls for a DHCP-provided address on the specified interfaces, consumes that DHCP address, and statically assigns it to the interface.
  - meta_data.json
    - SSH key
    - The virtual machine name is provided by the platform. This VM name is consumed as the OS hostname unless a hostname is specified in user_data.
  - user_data
    - The user_data file has a 16k file size limit.
    - Additional data that may be provided in user_data is described in the user_data customization section below.
Check Point Generic Labeled QCOW Image Requirements
- ISO must be type "ISO9660"
- The ISO file structure has the following requirements:
  - The user_data file can be placed anywhere within the ISO (Check Point recommends the root directory).
  - The user_data file has a 16k file size limit.
  - Additional data that may be provided in user_data is described in the user_data customization section below.
CloudGuard Edge VNF Interface Requirements
- CG Edge VNF images require a minimum of three interfaces:
  - Virtual machine eth0 maps to the WAN interface.
  - Virtual machine eth1 maps to the DMZ interface.
  - Virtual machine eth2 maps to the LAN1 interface.
  - Virtual machine eth3 maps to the LAN2 interface.
  - The series continues in the same order (eth4 to LAN3, and so on).
- OpenStack images rely on interface configuration being provided by the platform. When this information is not provided, the defaults are:
  - WAN - the bootstrapping service attempts to configure the interface with a static IP obtained via DHCP.
  - DMZ - the interface is left unconfigured.
  - LAN1 - the bootstrapping service configures a static IP address of 192.168.1.1/24.
  - LAN2 and higher - unconfigured.
- Generic images rely on interface configuration being provided in the user_data file. When this information is not provided, the defaults are:
  - WAN - the bootstrapping service attempts to configure the interface with a static IP obtained via DHCP.
  - DMZ - the interface is left unconfigured.
  - LAN1 - the bootstrapping service configures a static IP address of 192.168.1.1/24.
  - LAN2 and higher - unconfigured.
Check Point user_data Customization Formats
The information in this section applies to both Generic and OpenStack images.
- user_data may be provided via HTTP metadata service or config drive; not all operators enable platform HTTP metadata services.
- The config drive ISO file structure has the following options:
  - The Check Point bootstrapping service parses user_data and determines the format of the scripts automatically.
  - user_data has no format requirement besides properly following the convention of the chosen file format.
  - The order of operation for the Check Point bootstrapping service is MIME, cloud-config, and bash.
    - In the event that neither MIME nor cloud-config is detected, the user_data is processed as a bash script.
  - The user_data file may be presented as cloud-config in YAML format.
  - user_data may be presented in bash format.
  - user_data may be presented in multi-part MIME format.
    - This method supports text/cloud-config and text/x-shellscript.
    - An example of when to use multi-part MIME is Terraform templates.
    - For complex configurations using a mixture of cloud-config and bash, it is suggested to use multi-part MIME.
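The detection order above (MIME, then cloud-config, then bash as the fallback) and the multi-part MIME layout with text/cloud-config and text/x-shellscript parts are easy to get wrong by hand. The following shell script is an added example, not part of this article or of Check Point's bootstrap code: it classifies a user_data file in that same order, assembles a multi-part MIME user_data from a cloud-config part and a shell part, and counts the parts back. The sample cloud-config and script contents, the boundary string and the file names are constructed for the demo.

```shell
#!/bin/sh
# Added example (not Check Point's code): classify a user_data file in the order the
# bootstrap uses (MIME, then cloud-config, then bash) and build a multi-part MIME
# user_data from a cloud-config part and a shell part. All sample data is constructed.

# Print mime, cloud-config or bash for the file given as $1.
userdata_format() {
    f="$1"
    if grep -qi '^Content-Type: multipart/' "$f" || grep -qi '^MIME-Version:' "$f"; then
        echo mime
    elif [ "$(head -n 1 "$f")" = "#cloud-config" ]; then
        echo cloud-config
    else
        # Neither marker found: the bootstrap treats the file as a bash script.
        echo bash
    fi
}

# Write $3 as multipart/mixed containing cloud-config file $1 and shell script $2.
# The two part types are the ones the article lists: text/cloud-config and text/x-shellscript.
build_mime_userdata() {
    cloudcfg="$1"; script="$2"; out="$3"
    boundary="==CGEDGE-$$=="          # constructed boundary; any unique string works
    {
        printf 'Content-Type: multipart/mixed; boundary="%s"\n' "$boundary"
        printf 'MIME-Version: 1.0\n\n'
        printf '%s\n' "--$boundary"
        printf 'Content-Type: text/cloud-config; charset="us-ascii"\n'
        printf 'Content-Disposition: attachment; filename="cloud-config.yaml"\n\n'
        cat "$cloudcfg"
        printf '\n%s\n' "--$boundary"
        printf 'Content-Type: text/x-shellscript; charset="us-ascii"\n'
        printf 'Content-Disposition: attachment; filename="post-config.sh"\n\n'
        cat "$script"
        printf '\n%s\n' "--$boundary--"
    } > "$out"
}

# Count the parts in a MIME user_data: boundary lines, excluding the closing one.
mime_part_count() {
    b=$(sed -n 's/.*boundary="\([^"]*\)".*/\1/p' "$1" | head -n 1)
    grep -c "^--$b\$" "$1"
}

# Demo: build a MIME user_data from two constructed parts and classify all three files.
demo() {
    work=$(mktemp -d)
    printf '#cloud-config\nsystem:\n  hostname: CloudGuardEdge\n' > "$work/cc.yaml"
    printf '#!/bin/bash\nset property first-time-wizard off\n' > "$work/post.sh"
    build_mime_userdata "$work/cc.yaml" "$work/post.sh" "$work/user_data"
    for f in cc.yaml post.sh user_data; do
        echo "$f: $(userdata_format "$work/$f")"
    done
    echo "parts in user_data: $(mime_part_count "$work/user_data")"
    rm -rf "$work"
}
demo
```

Run the script as-is to see the three classifications (cloud-config, bash, mime) and the part count of 2; point build_mime_userdata at your own cloud-config and script files to produce a user_data that still has to respect the 16k limit from the requirements above.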
Examples
CloudGuard Edge VNF cloud-config user_data yaml
The generic CG Edge image has no explicitly required settings for a "cloud-config" based gateway deployment. However, not providing any user data will result in a VNF with a default configuration and require the first-time-wizard to be run manually.
#cloud-config
### Example file. Removing a stanza will result in system defaults for that section.
system:
  hostname: CloudGuardEdge
  domainname: labnet.com
  management_mode: central
  central_management:
    address: 10.200.1.3
    gateway_sic_key: vpn123
  ### DNS set in system area is redundant when implemented on WAN interface.
  dns1: 1.1.1.1
  dns2: 8.8.8.8
  dns3: 4.2.2.2
  ntp1:
    address: ntp.checkpoint.com
  ntp2:
    address: ntp2.checkpoint.com
ssh_authorized_keys:
  - ssh-rsa AA/yxVV1zfVGaJD801Xt6EiQ2LWPEwVc3e5GsCkCgWyBb6HLkMyR0VLZzM7QLrXJgcC/ replace@me
cpusers:
  - name: admin
    shell: /bin/bash
    password-hash: $1$Gz8EHpk6$L7YYYtIN6zThsBp0n6cAI0
  - name: joe
    shell: /etc/cli.sh
    password-hash: $1$Gz8EHpk6$L7YYYtIN6zThsBp0n6cAI0
    permission: read-write
### Static WAN/Mgmt interface example
### (two interfaces stanzas are shown for illustration; a YAML mapping may not repeat a key, so keep only one)
interfaces:
  - name: WAN
    ipv4-address: 10.87.0.105
    subnet-mask: 255.255.255.0
    dns1: 10.56.0.1
    dns2: 8.8.8.8
    default-gw: 10.87.0.200
    mgmt: true
  - name: br0
    ipv4-address: 172.34.150.100
    subnet-mask: 255.255.255.248
  - name: DMZ
    bridge: br0
  - name: LAN1
    bridge: br0
### DHCP WAN/Management interface example
interfaces:
  - name: WAN
    mgmt: true
    ipv4-address: dhcp
  - name: br0
    ipv4-address: 172.34.150.100
    subnet-mask: 255.255.255.248
  - name: DMZ
    bridge: br0
  - name: LAN1
    bridge: br0
vpn:
  sites:
    - peer_name: VPNPeer1
      peer_address: 1.2.3.4
      peer_encryption_domain_network: 192.168.70.0
      peer_encryption_domain_subnet: 255.255.255.0
      peer_shared_secret: supersecretkey1
    - peer_name: VPNPeer2
      peer_address: 4.5.6.7
      peer_encryption_domain_network: 192.168.80.0
      peer_encryption_domain_subnet: 255.255.255.0
      peer_shared_secret: supersecretkey2
### Second cpusers stanza, shown as an alternative to the one above; keep only one cpusers key per file.
cpusers:
  - name: admin
    shell: /bin/bash
    password-hash: $1$t00e9wFc$R/8X5130WvmJbgdhj7D/T/
  - name: john
    shell: /etc/cli.sh
    password-hash: $1$t00e9wFc$R/8X5130WvmJbgdhj7D/T/
    permission: read-write
clishcmd:
  - set message banner msgvalue "Welcome to Check Point CloudGuard Edge" on
  - set ui-settings use-custom-webui-logo true
  - set ui-settings custom-webui-logo-url https://www.customer.com/
write_files:
  - path: /opt/fw1/conf/custom_ui_logo.png
    permissions: '0664'
    owner: admin:root
    encoding: b64
    content: |
      AQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQEBAQH/2wBDAQEBAQEBAQEBAQEBAQEBAQEBAQEB
      5peaMhIa91kjG_THIS_IS_A_BASE_64_ENCRYPTED_JPG_Zm3I7ihjxrlw0pLNDneVDlrVc0pNFW
      hxtDiqSmnDXRV_THIS_IS_JUST_AN_EXAMPLE_NOT_REQUIRED_sS+Mus+8s+7P8ivNyL+FY/l5P
      +YrxlNn4ir7yr/NGYYf7Uv8Asf0eHxkzvYj+bHnzwIZF/fGh/wA26/6WJ4ylyf6X+lvm7GDH1g/w
      K4D/ACq4f9GuHjMvP//Z+bHnzwIZF/fGh/wA26/6WJ4ylyf6X+lvm7GDH1g/wfGh/w8Asf0eHxkz
YAML Option Table
Root Option         | Option             | Sub Option                     | Data                                  | Note
system              |                    |                                |                                       |
                    | hostname           |                                |                                       |
                    | domainname         |                                |                                       |
                    | management_mode    |                                | local or central                      |
                    | local_management   |                                |                                       |
                    |                    | identity_awareness             | true or false                         |
                    |                    | app_control                    | true or false                         |
                    |                    | anti_virus                     | true or false                         |
                    |                    | anti_bot                       | true or false                         |
                    |                    | ips                            | true or false                         |
                    |                    | threat_emulation               | true or false                         |
                    | central_management |                                |                                       |
                    |                    | address                        | SMS IP address                        |
                    |                    | gateway_sic_key                | GW SIC key                            |
                    | dns1               |                                | DNS1 IP address                       |
                    | dns2               |                                | DNS2 IP address                       |
                    | dns3               |                                | DNS3 IP address                       |
                    | ntp1               |                                |                                       |
                    |                    | address                        | NTP1 IP address                       |
                    | ntp2               |                                |                                       |
                    |                    | address                        | NTP2 IP address                       |
ssh_authorized_keys |                    |                                |                                       |
                    | - ssh-rsa          |                                | admin user SSH public key 1           |
                    | - ssh-rsa          |                                | admin user SSH public key 2           |
cpusers             |                    |                                |                                       |
                    | - name             |                                | admin                                 |
                    | shell              |                                | /bin/bash or /etc/cli.sh              |
                    | password-hash      |                                | password hash                         |
                    | - name             |                                | example                               |
                    | shell              |                                | /bin/bash or /etc/cli.sh              |
                    | password-hash      |                                | password hash                         |
interfaces          |                    |                                |                                       |
                    | - name             |                                | br0, 1, 2, WAN, DMZ, LAN1, 2, 3, etc. | When set to brX, creates a bridge group for later assignment
                    |                    | ipv4-address                   | dhcp or IP address                    |
                    |                    | subnet-mask                    |                                       |
                    |                    | dns1                           |                                       |
                    |                    | dns2                           |                                       |
                    |                    | default-gw                     |                                       | Sets default gateway IP address for WAN interface
                    |                    | bridge                         | br0, 1, 2, etc.                       | Assigns interface to bridge group
vpn                 |                    |                                |                                       |
                    | sites              |                                |                                       |
                    | - peer_name        |                                | VPN peer name                         |
                    |                    | peer_address                   | VPN peer IP address                   |
                    |                    | peer_encryption_domain_network | VPN peer subnet                       |
                    |                    | peer_encryption_domain_subnet  | VPN peer subnet mask                  |
                    |                    | peer_shared_secret             | VPN peer shared secret                |
clishcmd            |                    |                                |                                       | This section enables corner cases; any valid clish command is allowed
                    | - set message banner msgvalue "Welcome to Check Point CloudGuard Edge" on |  |  |
                    | - set ui-settings use-custom-webui-logo true |  |  |
                    | - set ui-settings custom-webui-logo-url https://www.example.com/ |  |  |
write_files         |                    |                                |                                       | This section enables logo and script upload
                    | - path:            |                                | /opt/fw1/conf/custom_ui_logo.png      |
                    |                    | permissions                    | file permission                       |
                    |                    | owner                          | file owner                            |
                    |                    | encoding                       | file encoding                         |
                    |                    | content                        | base64 encoded content                |
runcmd              |                    |                                |                                       | This section enables corner cases
                    | - 'touch /home/admin/runcmd' |  |  |
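A cloud-config user_data that breaks YAML rules is silently ignored or rejected at first boot, which leaves the VNF on defaults and the first-time wizard still to be run. The shell script below is an added example, not part of this article or of Check Point's bootstrap: it lints a cloud-config file for the structural mistakes a parser will not forgive, namely tab indentation, a root key listed twice (the example above shows interfaces and cpusers twice), and root keys that are not in the option table. The accepted root keys are the ones the table lists; the sample file in the demo is constructed.

```shell
#!/bin/sh
# Added example (not Check Point's code): structural lint for a cloud-config user_data.
# Root keys accepted here are the ones in the YAML option table of the article.
CC_ROOT_KEYS="system ssh_authorized_keys cpusers interfaces vpn clishcmd write_files runcmd"

# Print the root-level keys of $1: column-0 "key:" lines, skipping comments and list items.
cc_root_keys() {
    sed -n 's/^\([A-Za-z_][A-Za-z0-9_-]*\):.*/\1/p' "$1"
}

# Print each problem found in $1; return 1 if any were found, 0 if the file is clean.
cc_lint() {
    f="$1"; rc=0
    # YAML indentation must be spaces; a tab anywhere is a parse error in most parsers.
    if grep -q "$(printf '\t')" "$f"; then
        echo "tab character found; YAML indentation must use spaces"; rc=1
    fi
    # A YAML mapping may not repeat a key; strict parsers reject the file, lenient ones keep one copy.
    for k in $(cc_root_keys "$f" | sort | uniq -d); do
        echo "root key '$k' appears more than once; merge the stanzas into one"; rc=1
    done
    # Keys outside the option table are not consumed by the bootstrap.
    for k in $(cc_root_keys "$f" | sort -u); do
        case " $CC_ROOT_KEYS " in
            *" $k "*) ;;
            *) echo "unknown root key '$k'"; rc=1 ;;
        esac
    done
    return $rc
}

# Demo on a constructed file that repeats the interfaces stanza, as the article's example does.
demo() {
    tmp=$(mktemp)
    printf '#cloud-config\nsystem:\n  hostname: gw\ninterfaces:\n  - name: WAN\n    ipv4-address: dhcp\ninterfaces:\n  - name: br0\n' > "$tmp"
    if cc_lint "$tmp"; then
        echo "cloud-config structure OK"
    else
        echo "cloud-config has structural problems"
    fi
    rm -f "$tmp"
}
demo
```

Run cc_lint against the user_data before building the ISO; a non-zero exit means the file needs attention. Nested keys are deliberately not validated here, since the table documents them per stanza and their shape differs between sections.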
Bash CG Edge Gateway user_data
# Management interface (static)
add internet-connection interface WAN type static ipv4-address 10.100.0.5 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Mgmt
# OR, for a DHCP-assigned management address, use this line instead:
# add internet-connection interface WAN type dhcp name Mgmt conn-test-timeout 0
# THEN, in either case:
set internet-connection Mgmt disable-nat on
set internet-connection Mgmt route-traffic-through-default-gateway false
# Internet interfaces (DHCP)
add internet-connection interface LAN4 type dhcp name Internet1 conn-test-timeout 0
add internet-connection interface LAN5 type dhcp name Internet2 conn-test-timeout 0
# OR, static Internet interfaces, use these lines instead:
# add internet-connection interface LAN4 type static ipv4-address 10.100.0.7 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Internet1
# add internet-connection interface LAN5 type static ipv4-address 10.100.0.8 subnet-mask 255.255.255.0 default-gw 10.100.0.1 conn-test-timeout 0 name Internet2
# Globals with local management
set property first-time-wizard off
set admin-access interfaces WAN access allow
set admin-access allowed-ipv4-addresses any
set security-management mode locally-managed
set antispoofing advanced-settings global-activation "false"
set dhcp server interface WAN disable
set dhcp server interface DMZ disable
set dhcp server interface LAN1 disable
set dhcp server interface LAN2 disable
set dhcp server interface LAN3 disable
set dhcp server interface LAN4 disable
set dhcp server interface LAN5 disable
# DMZ interface with multiple VLANs on a bridge
add interface DMZ vlan 100
add interface DMZ vlan 101
add interface DMZ vlan 150
add interface DMZ vlan 151
set interface DMZ:100 ipv4-address 192.168.100.254 mask-length 24
set interface DMZ:101 ipv4-address 192.168.101.254 mask-length 24
add bridge name br0
set dhcp server interface br0 disable
set interface br0 ipv4-address 172.34.150.100 mask-length 24
set bridge br0 add member DMZ:150
set bridge br0 add member DMZ:151
# LAN1 interface as trunk
add interface LAN1 vlan 200
add interface LAN1 vlan 201
add interface LAN1 vlan 250
add interface LAN1 vlan 251
set interface LAN1:200 ipv4-address 192.168.200.254 mask-length 24
set interface LAN1:201 ipv4-address 192.168.201.254 mask-length 24
add bridge name br1
set dhcp server interface br1 disable
set interface br1 ipv4-address 172.34.250.100 mask-length 24
set bridge br1 add member LAN1:250
set bridge br1 add member LAN1:251
ISO Creation
There are various tools to create an ISO: genisoimage, mkisofs, and xorriso are the most common. For the OpenStack-labeled image the volume label must be config-2 (-volid or -V); the Generic image only requires an ISO9660 filesystem, so the label may be omitted there.
- bash_prompt:> genisoimage -output /tmp/myUserData-gw.iso -volid config-2 -joliet -r ~/cloud-init/myUserData/openstack.gw/
- bash_prompt:> mkisofs -r -V config-2 -o /tmp/myUserData-gw.iso /tmp/cloud-init/myUserData/openstack.gw/
- bash_prompt:> xorriso -as mkisofs -r -V config-2 -o /tmp/myUserData-gw.iso /tmp/cloud-init/myUserData/openstack.gw/
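The OpenStack image requirements earlier in this article (the openstack/latest/ files, the 16k user_data limit, the config-2 label) and the ISO commands above fit together as one procedure. The script below is an added example, not part of this article or of Check Point's tooling: it stages a config drive tree with constructed meta_data.json and network_data.json contents in the shape of the OpenStack metadata format, checks the tree against those requirements, and builds the ISO with whichever of genisoimage or xorriso is installed. The UUID, MAC addresses, SSH key, addresses and hostname are placeholders, and 16k is read as 16384 bytes, which is an assumption.

```shell
#!/bin/sh
# Added example (not Check Point's code): stage, check and build an OpenStack-layout
# config drive for a CloudGuard Edge VM. All JSON content and addresses are constructed.
USERDATA_MAX_BYTES=16384   # the article's 16k limit, read as 16384 bytes (assumption)

# Write the config drive tree under $1 and copy user_data file $2 into it.
stage_config_drive() {
    root="$1"; userdata="$2"
    mkdir -p "$root/openstack/latest"
    # meta_data.json: the platform normally writes this; the VM name becomes the
    # hostname unless user_data sets one. UUID and key are placeholders.
    cat > "$root/openstack/latest/meta_data.json" <<'EOF'
{
  "uuid": "00000000-0000-4000-8000-000000000001",
  "name": "cgedge-gw1",
  "hostname": "cgedge-gw1",
  "public_keys": { "admin": "ssh-rsa AAAA_PLACEHOLDER_KEY replace@me" }
}
EOF
    # network_data.json: eth0 (WAN) static with a default route, eth2 (LAN1) DHCP,
    # eth1 (DMZ) omitted so it stays unconfigured. MAC addresses are placeholders.
    cat > "$root/openstack/latest/network_data.json" <<'EOF'
{
  "links": [
    { "id": "eth0", "type": "phy", "ethernet_mac_address": "02:00:00:00:00:01" },
    { "id": "eth2", "type": "phy", "ethernet_mac_address": "02:00:00:00:00:03" }
  ],
  "networks": [
    { "id": "wan", "type": "ipv4", "link": "eth0",
      "ip_address": "10.87.0.105", "netmask": "255.255.255.0",
      "routes": [ { "network": "0.0.0.0", "netmask": "0.0.0.0", "gateway": "10.87.0.200" } ] },
    { "id": "lan1", "type": "ipv4_dhcp", "link": "eth2" }
  ],
  "services": [ { "type": "dns", "address": "8.8.8.8" } ]
}
EOF
    # vendor_data.json is not read by the bootstrap; an empty object keeps the layout complete.
    printf '{}\n' > "$root/openstack/latest/vendor_data.json"
    cp "$userdata" "$root/openstack/latest/user_data"
}

# Check the staged tree under $1: required files present and user_data within the limit.
# Prints each problem found and returns 1 if there were any.
check_config_drive() {
    root="$1"; rc=0
    for f in meta_data.json network_data.json user_data; do
        if [ ! -f "$root/openstack/latest/$f" ]; then
            echo "missing openstack/latest/$f"; rc=1
        fi
    done
    ud="$root/openstack/latest/user_data"
    if [ -f "$ud" ] && [ "$(wc -c < "$ud" | tr -d ' ')" -gt "$USERDATA_MAX_BYTES" ]; then
        echo "user_data exceeds $USERDATA_MAX_BYTES bytes"; rc=1
    fi
    return $rc
}

# Build ISO $2 from tree $1; the config-2 label is what the OpenStack image looks for.
build_config_drive_iso() {
    root="$1"; out="$2"
    if command -v genisoimage >/dev/null 2>&1; then
        genisoimage -output "$out" -volid config-2 -joliet -r "$root"
    else
        xorriso -as mkisofs -o "$out" -V config-2 -J -r "$root"
    fi
}

# Demo: stage a tree with a small constructed cloud-config user_data and check it.
demo() {
    work=$(mktemp -d)
    printf '#cloud-config\nsystem:\n  hostname: cgedge-gw1\n' > "$work/user_data"
    stage_config_drive "$work/drive" "$work/user_data"
    if check_config_drive "$work/drive"; then
        echo "config drive tree OK; build with: build_config_drive_iso $work/drive out.iso"
    fi
    rm -rf "$work"
}
demo
```

The check runs before the ISO is built because a missing file or an oversized user_data only shows up at the VM's first boot otherwise, when the gateway is already running on defaults.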