How to Modify AWS CloudFormation Templates to Retrieve the PAR File from a Control Center

Similar documents
Overview. Creating a Puppet Master

How to Configure a Remote Management Tunnel for Barracuda NG Firewalls

How to Configure a Remote Management Tunnel for an F-Series Firewall

"SecretAccessKey" : { "Description" : "Name of an existing EC2 KeyPair to enable SSH access to the instances", "Type" : "String"

NGF0502 AWS Student Slides

Deploying an Active Directory Forest

Pulse Connect Secure Virtual Appliance on Amazon Web Services

AWS Remote Access VPC Bundle

Ahead in the Cloud. Matt Wood TECHNOLOGY EVANGELIST

Lean & Mean on AWS: Cost-Effective Architectures. Constantin Gonzalez, Solutions Architect, AWS

CPM. Quick Start Guide V2.4.0

How to Configure Guest Access with the Ticketing System

19 Best Practices. for Creating Amazon Cloud Formation Templates

Driving DevOps Transformation in Enterprises

AWS London Loft: CloudFormation Workshop

Deliver Docker Containers Continuously on AWS. Philipp

How to Deploy the Barracuda NG Firewall in an Amazon Virtual Private Cloud

How to Deploy the Barracuda Security Gateway in the New Microsoft Azure Management Portal

DevOps Foundations : Infrastructure as Code

Cloudera s Enterprise Data Hub on the Amazon Web Services Cloud: Quick Start Reference Deployment October 2014

AWS Reference Architecture - CloudGen Firewall Auto Scaling Cluster

HySecure Quick Start Guide. HySecure 5.0

OpenVPN Access Server v1.3 System Administrator Guide. Rev 1.0

EdgeConnect for Amazon Web Services (AWS)

Amazon AppStream 2.0: SOLIDWORKS Deployment Guide

CPM Quick Start Guide V2.2.0

Example - Configuring a Site-to-Site IPsec VPN Tunnel

How to Configure Azure Route Tables (UDR) using Azure Portal and ARM

Automate All The Things. Software Defined Infrastructure with AWS CloudFormation, Docker and Jenkins

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1811

Kerberos Constrained Delegation Authentication for SEG V2. VMware Workspace ONE UEM 1810

How-to Guide: Tenable Nessus for Microsoft Azure. Last Updated: April 03, 2018

Deploying and Provisioning the Barracuda Web Application Firewall in the New Microsoft Azure Management Portal

Deploying the Cisco CSR 1000v on Amazon Web Services

AWS Service Catalog. Administrator Guide

How to Deploy Virtual Test Agents in OpenStack

Silver Peak EC-V and Microsoft Azure Deployment Guide

Lab Guide. Barracuda NextGen Firewall F-Series Microsoft Azure - NGF0501

Pexip Infinity and Amazon Web Services Deployment Guide

Configure Mobile and Remote Access

Configuring Administrative Operations

Check Point vsec for Microsoft Azure

Load Balancing Web Proxies / Filters / Gateways. Deployment Guide v Copyright Loadbalancer.org

Production Pivotal Cloud Foundry on VMware vsphere using Dell EMC XC Series Appliances or XC Core System Deployment Guide

Load Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org, Inc

Installation and Configuration Document

Cloudera s Enterprise Data Hub on the AWS Cloud

Portal Gun Documentation

Colectica Workflow Deployment

How-to Guide: Tenable.io for Microsoft Azure. Last Updated: November 16, 2018

Barracuda NextGen Report Creator

USER GUIDE. Veritas NetBackup CloudFormation Template

SIOS DataKeeper Cluster Edition on the AWS Cloud

OpenVPN Access Server System Administrator Guide

DIGIPASS Authentication for Cisco ASA 5500 Series

How to Install Forcepoint NGFW in Amazon AWS TECHNICAL DOCUMENT

Infosys Information Platform. How-to Launch on AWS Marketplace Version 1.2.2

DIGIPASS Authentication for F5 BIG-IP

Load Balancing Bloxx Web Filter. Deployment Guide v Copyright Loadbalancer.org

Aimetis Symphony Mobile Bridge. 2.7 Installation Guide

Load Balancing FreePBX / Asterisk in AWS

Link Gateway Initial Configuration Manual

MaaS Integration for Baremetal Provisioning in Cloudstack

How to Configure Mobile VPN for Forcepoint NGFW TECHNICAL DOCUMENT

Configuring Administrative Operations

ACS 5.x: LDAP Server Configuration Example

Table of Contents About Ignotus AD Installer software... 2 Requirements for the Server Service... 2 Requirements for the Client Service...

<Partner Name> <Partner Product> RSA SECURID ACCESS Implementation Guide. Citrix NetScaler Gateway 12.0

Load Balancing For Clustered Barracuda CloudGen WAF Instances in the New Microsoft Azure Management Portal

Pexip Infinity and Amazon Web Services Deployment Guide

AppGate for AWS Step-by-Step Setup Guide. Last revised April 28, 2017

Alan Williams Principal Engineer alanwill on Twitter & GitHub

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS

Swift Web Applications on the AWS Cloud

McAfee Client Proxy Product Guide

How to Configure VNET peering with the F-Series Firewall

Using ANM With Virtual Data Centers

Configuring Dynamic VPN v2.0 Junos 10.4 and above

Installing or Upgrading ANM Virtual Appliance

KeyNexus Hyper-V Deployment Guide

Load Balancing Microsoft Remote Desktop Services. Deployment Guide v Copyright Loadbalancer.org

Deploy and Secure an Internet Facing Application with the Barracuda Web Application Firewall in Amazon Web Services

Accops HyWorks v3.0. Quick Start Guide. Last Update: 4/25/2017

Genesys Interaction Recording Solution Guide. Deploying SpeechMiner for GIR

VAM. Radius 2FA Value-Added Module (VAM) Deployment Guide

SOA Software Intermediary for Microsoft : Install Guide

Installing and Configuring vcloud Connector

Webthority can provide single sign-on to web applications using one of the following authentication methods:

Administrator Guide Administrator Guide

3) Click the Screen Sharing option and click connect to establish the session

Load Balancing Microsoft IIS. Deployment Guide v Copyright Loadbalancer.org

Microsoft Unified Access Gateway 2010

G806+H3C WSR realize VPN networking

Integration of Customer Instance with Shared Management

Configure CEM Controller on CentOS 6.9

Deploy the Firepower Management Center Virtual On the AWS Cloud

Remote Desktop Gateway on the AWS Cloud

Azure Marketplace. Getting Started Tutorial. Community Edition

Getting Started Guide. VMware NSX Cloud services

Azure Archival Installation Guide

Transcription:

How to Modify AWS CloudFormation Templates to Retrieve the PAR File from a Control Center If you are using the NextGen Control Center, you can modify your firewall's AWS CloudFormation template to retrieve the PAR file for the new F-Series Firewall Instance from the Control Center. The script authenticates either with CC admin credentials or a shared secret. Licenses that are already installed on PAYG firewall Instances are pushed to the Control Center before retrieving the PAR file. Firewalls using the BYOL images use the licenses configured on the Control Center. getpar command line parameters usage -a --address <address> Control Center IP address. -u --username <username> CC admin user used to connect to the Control Center -c --cluster <cluster> Cluster name -r --range <range> Range number -b --boxname <boxname> Firewall name. -d --destination <dest> Destination directory and filename for the par file. E.g., /opt/phion/update/box.par -s spoe Use Single Point of Entry to connect to the Control Center. -l --pushlic auto always never Configures if the licenses should be pushed to the Control Center before retrieving the PAR file. Before you begin Create an AWS CloudFormation template to deploy your F-Series Firewall. Step 1. Create the firewall configuration in the Control Center Create the F-Series Firewall configuration in the Control Center. For more information, see How to Add a new F-Series Firewall to the Control Center. Step 2. Configure the authentication The newly deployed firewall can authenticate either through a CC Admin account or with a shared key. The shared key is defined on a per-firewall level. CC Admin Authentication Create a CC admin and assign it an Administrative role with the following permissions: CC Configuration Permission Click the Get PAR File check box. For more information, see Control Center Admins and How to Configure Administrative Roles. Shared Key Authentication 1. Log in to the Control Center. 2. Go to your firewall > Box Properties. 3. In the left menu, click Operational. 4. In the left menu, expand Configuration Mode and click Switch to Advanced View. 5. Click Lock. 6. Enter the PAR File Retrieval Shared Key. 7. Click Send Changes and Activate. 1 / 5

Step 3. Add the parameters to the template You must add the parameters you need to the Parameters section of the template. 1. Add the following mandatory parameters to the parameter section of the template: CCIPAddress The IP address of your Control Center if it is directly reachable, or the IP address of the border firewall forwarding the traffic to the Control Center. Range The range number. Cluster The cluster name. FirewallName The name of the Firewall. 2. Add the authentication parameters: Control Center Admin: CCUser The CC admin. CCPassword The password for the CC admin. Shared Key Authentication: CCSharedKey The shared key used to authenticate to the Control Center. Click here to see the parameter definitions for shared key authentication... Shared parameters "CCIPAddress": { "Description": "IP Address or hostname of the Control Center", "Type": "String", "Default": "127.0.0.1" }, "Cluster": { "Description": "Case sensitive Control Center cluster name", "Type": "String" }, "Range": { "Description": "Control Center range number", "Type": "String" }, "FirewallName": { "Description": "Case sensitive name of the Firewall on the Control Center", "Type": "String" } Additional required parameters for Control Center authentication: "CCUser": { "Description": "CC admin username", "Type": "String", "Default": "" }, "CCPassword": { "Description": "CC admin user password", "Type": "String", "Default": "", "NoEcho": "true" }, Additional required parameters for shared key authentication: "CCSharedKey": { "Description": "shared key to retrieve PAR file", "Type": "String", "Default": "", "NoEcho": "true" }, Step 2. Modify the template to retrieve the PAR file Add a script to the userdata element of the template. Use the parameters defined above. 1. 2. Locate the Gateway section. Add the getparfile script to the UserData parameter with the desired authentication method: Control Center Admin: "Gateway": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "ami- XXXXXXXX", "InstanceType": { "Ref": "InstanceType" }, "KeyName": { "Ref": "KeyName" }, "SecurityGroups" : [{ "Ref" : "NGSecurityGroup" }], "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash\n\n", "echo \"userdata\" >> /tmp/userdata.txt\n", "/opt/aws/bin/cfn-init -v --region ", { "Ref": "AWS::Region" }, " -s ", { "Ref": "AWS::StackName" }, " -r ", "Gateway\n", "/opt/aws/bin/cfn-hup-config -r", { "Ref": "AWS::Region" }, " -s ", { "Ref": 2 / 5

3. "AWS::StackName" }, "\n" ] ] } } }, "Metadata": { "AWS::CloudFormation::Init": { "configsets": { "default": [ "getparfile" ] }, "getparfile": { "files": { "/etc/cfn/hooks.d/test.conf": { "content": { "Fn::Join": [ "", [ "[testhook]\n", "triggers=post.add\n", "path=resources.gateway\n", "action=\"echo blabla > /tmp/hook.log\"\n", "runas=root" ]]}, "mode": "000644", "owner": "root", "group": "root" } }, "commands": { "retrievepar": { "command": { "Fn::Join": ["", [ "echo \"", { "Ref": "CCPassword" }, "\" /opt/phion/bin/getpar -a ", { "Ref": "CCIPAddress" }, " -u ", { "Ref": "CCUser" }, " -c ", { "Ref": "Cluster" }, " -r ", { "Ref": "Range" }, " -b ", { "Ref": "FirewallName" }, " -d /opt/phion/update/box.par -s", " --verbosity 10 ", " >> /tmp/getpar.log" ]] } } } } } } } Shared key authentication: "Gateway": { "Type": "AWS::EC2::Instance", "Properties": { "ImageId": "ami- XXXXXXXX", "InstanceType": { "Ref": "InstanceType" }, "KeyName": { "Ref": "KeyName" }, "SecurityGroups" : [{ "Ref" : "NGSecurityGroup" }], "UserData": { "Fn::Base64": { "Fn::Join": [ "", [ "#!/bin/bash\n\n", "echo \"userdata\" >> /tmp/userdata.txt\n", "/opt/aws/bin/cfn-init -v --region ", { "Ref": "AWS::Region" }, " -s ", { "Ref": "AWS::StackName" }, " -r ", "Gateway\n", "/opt/aws/bin/cfn-hup-config -r", { "Ref": "AWS::Region" }, " -s ", { "Ref": "AWS::StackName" }, "\n" ] ] } } }, "Metadata": { "AWS::CloudFormation::Init": { "configsets": { "default": [ "getparfile" ] }, "getparfile": { "files": { "/etc/cfn/hooks.d/test.conf": { "content": { "Fn::Join": [ "", [ "[testhook]\n", "triggers=post.add\n", "path=resources.gateway\n", "action=\"echo blabla > /tmp/hook.log\"\n", "runas=root" ]]}, "mode": "000644", "owner": "root", "group": "root" } }, "commands": { "retrievepar": { "command": { "Fn::Join": ["", [ "echo \"", { "Ref": "CCSharedKey" }, "\" /opt/phion/bin/getpar -a ", { "Ref": "CCIPAddress" }, " -c ", { "Ref": "Cluster" }, " -r ", { "Ref": "Range" }, " -b ", { "Ref": "FirewallName" }, " - d /opt/phion/update/box.par -s", " --verbosity 10 ", " >> /tmp/getpar.log" ]] } } } } } } } Save the template. Step 5. (optional) Allow access to the Control Center If the firewall VM cannot directly reach the Control Center, you must create a dynamic access rule on the border firewall. Using dynamic rules allows you to enable access only when deploying a new firewall. If SPoE is used, you must open port TCP 806. Action Select Dst NAT. Source If known, enter the public IP address of the Firewall, or select Internet. Service Create and select a service object for TCP 806. For more information, see Service Objects. Destination Enter the Point of Entry IP address of the border firewall. Redirect to Enter the IP address of the Control Center. Connection Method Select No SNAT. 3 / 5

Next steps Deploy the firewall via the AWS CloudFormation template. 4 / 5

Figures 5 / 5

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback