Firewall


Christer Hemgren

May 30, 2015, 3:23:48 AM
to networ...@googlegroups.com
Hello

We are running Cisco, Check Point and Fortigate and use each platform's mgmt system.
Now we are thinking about syncing FW objects between systems to optimize FW rule changes and operation.

Two of the platforms have an API but limited docs.


Comments?

Regards
Christer Hemgren

Patrick Ogenstad

May 30, 2015, 3:47:44 AM
to Christer Hemgren, networ...@googlegroups.com
Hi,

I'm actually creating Ansible modules for Cisco ASA using the REST API.

I have modules completed for network objects/object groups. Currently looking at service objects.

I haven't uploaded the code to GitHub yet but I can do that if you want.

I have some code published for a new Python module using the REST API.
https://github.com/networklore/rasa

Regards
Patrick

Lindsay Hill

May 30, 2015, 4:19:47 AM
to Christer Hemgren, networ...@googlegroups.com
I think you're going to have trouble with the Check Point firewalls, until they finally release R80. That release is supposed to give decent APIs, etc. OPSEC has been pretty tough to work with up until now. Mind you, if all you want to do is sync objects, you can probably do something with dbedit. Could be a bit ugly though.

I guess the alternative is to use something like Tufin or Algosec to talk to the firewalls, and then manage them via Tufin/Algosec. Tufin has an API, and I presume Algosec does too. But that does add another layer of cost, and may not meet your needs.

 - Lindsay


Ajay Chenampara

May 30, 2015, 7:41:36 AM
to Lindsay Hill, Christer Hemgren, networ...@googlegroups.com
The more I see this line of discussion, the more convincing -IMHO- is the case for modeling devices using YANG and leaving that onus to the OEM. Provisioning services through a combination of YANG + NETCONF can then be arbitrarily complex and handled by the network operators...

 

Cheers,
-ajay
 

Christer Hemgren

May 30, 2015, 7:56:37 AM
to networ...@googlegroups.com
Hello Patrick

I have tried your GitHub rasa and it works well.
The next release looks nice.

Today we run prod ASA in context mode and a release with no API in this mode. We manage it using Cisco CSM in a mode that overwrites other changes. As the CSM XML API is a pain to work with compared to the excellent ASA API we may drop CSM. We have about 90 FW contexts.

In this stage we want to read CSM objects and write to Fortigate manager.
After that we want to add and remove objects in both firewall managers.
Spotify has some Fortigate code out as well that I need to check.


Thanks
Christer

Jason Edelman

May 30, 2015, 9:03:46 AM
to Ajay Chenampara, Lindsay Hill, Christer Hemgren, networ...@googlegroups.com
Why would we want to leave it to the vendors? 

Ajay Chenampara

May 30, 2015, 9:37:02 AM
to Jason Edelman, Lindsay Hill, Christer Hemgren, networ...@googlegroups.com
Hmmm.. Maybe I am not being very articulate. I see it as: the OEM, as the manufacturer of the equipment (and definer/decider of commands and features), should also be responsible for defining its data model (YANG).
We as operators simply use those commands today (manually). Instead, if we can write our service templates as a YANG model and have something to map the services model (now automated through our services data model) to the device model, we would never have to deal with the underlying equipment. The service model would always be vendor and protocol independent (e.g. create a tenant in the datacenter: VLANs, FW rules, LB, VRFs).

Hth 


Cheers,
-ajay
 

Jason Edelman

May 30, 2015, 10:01:14 AM
to Ajay Chenampara, Lindsay Hill, Christer Hemgren, networ...@googlegroups.com
Totally get it.  It's definitely more optimistic than I am considering users (maybe yourself included) need cost effective solutions yesterday.  This is why I like Ansible Tower - over time as we are even seeing on this thread, more integrations and modules emerge for each vendor and then the Tower API can be used as the vendor independent API.

Sounds like you are describing Tail-F though, but from a much broader product and platform perspective.  

Nick Buraglio

May 30, 2015, 10:40:24 AM
to networ...@googlegroups.com, Ajay Chenampara, Lindsay Hill, Christer Hemgren
My last job had a tool very similar to this for all L2 access switches; it was written well before the existing tools and any other commercial products like tail-f. It can be done, and it's not really new. We managed >50k edge ports with it and it is still in use today providing visualization, management and access control. The problem is as you described:
  • APIs suck and are often minimized to SNMP write.
    • OIDs are missing.
  • Stuff is not open source.
  • Platforms are old.
What we need is a tail-f-like solution that is open source or at least reasonably priced. I looked at the pricing for tail-f before Cisco swallowed them up and it was "reassuringly expensive".



Patrick Ogenstad

May 31, 2015, 4:13:55 AM
to Christer Hemgren, networ...@googlegroups.com
Hi,

I've published the first Ansible modules to GitHub. 

Currently there's code to handle network objects (in the cli 'object network', or 'object-group network') and a module to save the configuration. There's also an experimental module for 'object service'.

I haven't tried the XML API in CSM. But if you're just looking at reading the objects from the ASA, using the CLI might be simpler.

A thing to keep in mind if you want to try out rasa is that it doesn't handle paging. I've just been playing with it using a small 5506 which only has a few test objects. I think the REST API is limited to return 100 objects per request, so paging will need to be implemented.

Best regards
Patrick
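Patrick's paging caveat is the kind of limit that makes an object sync silently incomplete. The added example below is not code from rasa or from the thread: it pages a size-capped collection until the server-reported total is reached and refuses to return a short result. The offset/limit query parameters and the rangeInfo/items response shape are assumed from the ASA REST API, and the backend is a constructed in-memory stand-in so the code runs offline.

```python
from typing import Callable, Dict, List

PAGE_LIMIT = 100  # per-request cap the thread mentions (assumed server-side limit)

def fetch_all(get_page: Callable[[int, int], Dict], limit: int = PAGE_LIMIT) -> List[Dict]:
    """Collect every item from a paged collection.

    get_page(offset, limit) must return a dict shaped like an ASA REST API
    collection response: {"rangeInfo": {"offset", "limit", "total"}, "items": [...]}.
    """
    items: List[Dict] = []
    offset = 0
    while True:
        page = get_page(offset, limit)
        batch = page.get("items", [])
        total = page["rangeInfo"]["total"]
        items.extend(batch)
        # Stop once the server's total is reached; also bail out on an empty
        # page before that instead of looping forever on a misbehaving backend.
        if not batch or offset + len(batch) >= total:
            break
        offset += len(batch)
    if len(items) != total:
        raise RuntimeError(f"expected {total} objects, got {len(items)}")
    return items

def make_fake_backend(n_objects: int) -> Callable[[int, int], Dict]:
    """Constructed stand-in for GET /api/objects/networkobjects?offset=&limit= (assumed)."""
    objects = [{"name": f"host-{i}", "kind": "object#NetworkObj",
                "host": {"kind": "IPv4Address", "value": f"10.0.{i // 256}.{i % 256}"}}
               for i in range(n_objects)]

    def get_page(offset: int, limit: int) -> Dict:
        limit = min(limit, PAGE_LIMIT)  # server caps page size whatever the client asks for
        chunk = objects[offset:offset + limit]
        return {"kind": "collection#NetworkObj",
                "rangeInfo": {"offset": offset, "limit": len(chunk), "total": len(objects)},
                "items": chunk}

    return get_page

def naive_fetch(get_page: Callable[[int, int], Dict]) -> List[Dict]:
    """What a client that ignores paging sees: the first page only."""
    return get_page(0, PAGE_LIMIT)["items"]

if __name__ == "__main__":
    backend = make_fake_backend(250)
    print(len(naive_fetch(backend)), "objects without paging")  # 100
    print(len(fetch_all(backend)), "objects with paging")  # 250
```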


Kirk Byers

May 31, 2015, 8:49:48 PM
to networ...@googlegroups.com, christer...@gmail.com
Thanks Patrick.


Kirk

Christer Hemgren

Jun 15, 2015, 5:00:50 PM
to networ...@googlegroups.com, christer...@gmail.com
Thanks Patrick

Both rasa and ansible-cisco-asa work well on the virtual ASAv.

regards
@ChristerHemgren 