
vdom configuration applied at startup is run once - partially applied - verify GCP version #849

Open fmichaelobrien opened 4 months ago

fmichaelobrien commented 4 months ago

7.2.4 on AWS; the same 7.2.4 in GCP since March 2013: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/setters.yaml#L53

https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/160f630adacdaaac60a0d29da69859047d2a0482/solutions/project/hub-env/setters.yaml#L54

See the example on the lab VM: https://console.cloud.google.com/compute/instancesEdit/zones/us-central1-a/instances/fgtvm1-us-central1-a?project=qwiklabs-gcp-02-4492b93abb3a

Ours: https://github.com/GoogleCloudPlatform/pubsec-declarative-toolkit/blob/main/solutions/project/hub-env/setters.yaml#L62C5-L62C12

On the VM, the applied configuration is:

# Global system settings: hostname, pre-login banner and admin session timeout.
config system global
    set hostname "fgt-ap-primary"
    # Displays the banner text defined under "config system replacemsg admin" below before login.
    set pre-login-banner enable
    # Idle administrative sessions are terminated after 60 minutes.
    set admintimeout 60
    # FortiOS timezone index, not a UTC offset; confirm index 12 matches the intended region.
    set timezone 12
end
# Local administrator accounts.
config system admin
    # AC-2(A) - The Fortigates/FortiOS comes with a default local `admin` account.
    edit "admin"
        # DO NOT modify this value, it will be updated with the value in the search-replace-config.yaml
        # "fgt-admin-password" is a deploy-time placeholder. If this bootstrap is only
        # partially applied (see issue title), verify the substituted value, not the
        # literal placeholder, is what ends up on the device.
        set password fgt-admin-password
    next
end
# Pre-login banner text shown when "set pre-login-banner enable" is set under "config system global".
config system replacemsg admin "pre_admin-disclaimer-text"
    # Multi-line quoted value: the line break after "Acceptable Use Policy" is part of the banner.
    set buffer "Acceptable Use Policy
WARNING: This is a private computer system. Unauthorized access or use is prohibited and subject to prosecution and/or disciplinary action. All use of this system constitutes consent to monitoring at all times and users are not entitled to any expectation of privacy. If monitoring reveals possible evidence of violation of criminal statutes, this evidence and any other related information, including identification information about the user, may be provided to law enforcement officials. If monitoring reveals violations of security regulations or unauthorized use, employees who violate security regulations or make unauthorized use of this system are subject to appropriate disciplinary action."
end
# Static routes. The data interfaces carry /32 addresses (see "config system interface"),
# so each subnet gateway is reached through an on-link host route rather than a
# connected subnet. Indentation normalised to four spaces per level.
config router static
    # 10: no dst is set, so this is the default route (0.0.0.0/0) out port1.
    edit 10
        set device "port1"
        set gateway 172.31.200.1
    next
    # 11: external subnet via the port1 gateway.
    edit 11
        set dst 172.31.200.0/24
        set device "port1"
        set gateway 172.31.200.1
    next
    # 12/13: return paths for the GCP health-check source ranges on port1.
    edit 12
        set dst 35.191.0.0 255.255.0.0
        set comment "health check"
        set gateway 172.31.200.1
        set device "port1"
    next
    edit 13
        set dst 130.211.0.0 255.255.252.0
        set comment "health check"
        set gateway 172.31.200.1
        set device "port1"
    next
    # 20: host route making the port2 gateway reachable from the /32 interface address.
    edit 20
        set dst 172.31.201.1/32
        set device "port2"
    next
    # 21: internal subnet via the port2 gateway.
    edit 21
        set dst 172.31.201.0/24
        set device "port2"
        set gateway 172.31.201.1
    next
    # 22/23: return paths for the GCP health-check source ranges on port2.
    edit 22
        set dst 35.191.0.0 255.255.0.0
        set comment "health check"
        set gateway 172.31.201.1
        set device "port2"
    next
    edit 23
        set dst 130.211.0.0 255.255.252.0
        set comment "health check"
        set gateway 172.31.201.1
        set device "port2"
    next
    # 24: summary route for the spoke networks behind port2.
    edit 24
        set dst 10.0.0.0 255.0.0.0
        set comment "route to all spokes"
        set gateway 172.31.201.1
        set device "port2"
    next
    # 30: host route making the port3 gateway reachable from the /32 interface address.
    edit 30
        set dst 172.31.203.1/32
        set device "port3"
    next
    # 31: transit subnet via the port3 gateway.
    edit 31
        set dst 172.31.203.0/24
        set device "port3"
        set gateway 172.31.203.1
    next
    # NOTE(review): port2 and port3 each get a /32 host route to their gateway (edits 20, 30);
    # port1 has no equivalent for 172.31.200.1. Confirm edits 10-13 actually install when the
    # script is applied - this may be part of the "partially applied" behaviour in the issue.
end
# Health-check responder: answers HTTP probes with the body "OK". Only interfaces with
# "allowaccess probe-response" (the "probe" loopback below) serve it.
config system probe-response
    set mode http-probe
    set http-probe-value OK
end
# Interface addressing and management-plane exposure. Interface names are quoted
# consistently; every data interface is static with a /32 address.
config system interface
    # AC-17(100) - The allowaccess setting which enables access to the fortigate is configured to only allow SSH and HTTPS on port4 (mgmt)
    # External side: no administrative access at all.
    edit "port1"
        set description "external"
        unset allowaccess
        set mode static
        set ip 172.31.200.10/32
    next
    # Internal side: no administrative access; hosts the explicit web proxy listener
    # and a secondary IP (172.31.201.35) that the "ilb-proxy-healthcheck-vip" uses as extip.
    edit "port2"
        set description "internal"
        unset allowaccess
        set mode static
        set ip 172.31.201.10/32
        set explicit-web-proxy enable
        set secondary-IP enable
        config secondaryip
            edit 1
                set ip 172.31.201.35 255.255.255.255
            next
        end
    next
    # Transit side: no administrative access.
    edit "port3"
        set description "transit"
        unset allowaccess
        set mode static
        set ip 172.31.203.10/32
    next
    # Management interface; also the HA heartbeat / HA management interface.
    edit "port4"
        set description "management"
        # AC-17(3) - HTTPS and SSH management access is only enabled on the mgmt interface
        # NOTE(review): "ping" and "fgfm" (FortiManager) are also allowed here, beyond the
        # SSH/HTTPS named in the control comments above; keep comment and control in sync.
        set allowaccess ping https ssh fgfm
        set mode static
        set ip 172.31.202.10/32
    next
    # Loopback that answers load-balancer health checks; 169.254.255.100 is the
    # mappedip of both VIPs under "config firewall vip".
    edit "probe"
        set vdom "root"
        set description "health check probe"
        set allowaccess probe-response
        set ip 169.254.255.100 255.255.255.255
        set type loopback
    next
end
# Active-passive HA pair. Heartbeat and HA management both run over port4 (management).
config system ha
    set group-name "fgt-ap-group"
    set mode a-p
    # Heartbeat on port4 with heartbeat priority 50.
    set hbdev "port4" 50
    # session-pickup has impact on cpu and may be disabled to improve performance
    set session-pickup enable
    set ha-mgmt-status enable
    config ha-mgmt-interfaces
        edit 1
            set interface "port4"
            set gateway 172.31.202.1
        next
    end
    # override + priority 200: this node is preferred as primary whenever it is available.
    set override enable
    set priority 200
    # Unicast heartbeat (no L2 broadcast in GCP); peer is presumably the secondary's port4
    # address on the 172.31.202.0/24 management subnet - verify against the secondary's config.
    set unicast-hb enable
    set unicast-hb-peerip 172.31.202.11
    set unicast-hb-netmask 255.255.255.0
end
# GCP SDN connector; "ha-status enable" lets the HA pair use it during failover.
# No credentials are set here, so it presumably authenticates with the VM's service
# account - that account's IAM permissions define what a failover can change. Confirm.
config system sdn-connector
    edit "gcp"
        set type gcp
        set ha-status enable
    next
end
# DNS resolution via the GCP metadata resolver only (no secondary).
# "cleartext" means these queries are not encrypted; they stay on the
# link-local metadata path, which is the intent here.
config system dns
    set primary 169.254.169.254
    set protocol cleartext
    unset secondary
end
# Everything underneath this line will be synchronised to the secondary node with HA
# Explicit proxy for APPRZ and DATARZ workloads
# Makes the explicit proxy features visible in the GUI; the proxy itself is
# configured under "config web-proxy explicit" below.
config system settings
    set gui-explicit-proxy enable
end
# Explicit web proxy listener; bound to port2 via "set explicit-web-proxy enable" on that
# interface. HTTP and HTTPS both listen on 8080.
# NOTE(review): the proxy policies and any authentication governing who may use this
# listener are not part of this excerpt - confirm they are applied with the rest of
# the synchronised configuration.
config web-proxy explicit
    set status enable
    set http-incoming-port 8080
    set https-incoming-port 8080
end
# Internal Load balancers health check
## VIP
# Port-forwarding VIPs that hand the internal load balancer health checks (TCP 8008)
# arriving on port2 to the "probe" loopback at 169.254.255.100.
config firewall vip
    # Health check toward the primary port2 address.
    edit "ilb-healthcheck-vip"
        set extip 172.31.201.30
        set mappedip "169.254.255.100"
        set extintf "port2"
        set portforward enable
        set extport 8008
        set mappedport 8008
    next
    # Health check toward the port2 secondary IP used for the explicit proxy.
    edit "ilb-proxy-healthcheck-vip"
        set extip 172.31.201.35
        set mappedip "169.254.255.100"
        set extintf "port2"
        set portforward enable
        set extport 8008
        set mappedport 8008
    next
end
## VIP Group
# Groups the two health-check VIPs so a single policy can reference them.
config firewall vipgrp
    edit "ilb-healthcheck-vipgrp"
        set interface "port2"
        set member "ilb-healthcheck-vip" "ilb-proxy-healthcheck-vip"
        set comment "This group contains VIP objects representing internal load balancers health checks. It is referenced in a policy forwarding traffic to the probe loopback interface"
    next
end
## Service
# Service object for the health-check port; matches the VIP extport/mappedport (8008).
config firewall service custom
    edit "PROBE"
        set tcp-portrange 8008
    next
end
## Policy
# Policy that forwards load-balancer health checks from port2 to the probe loopback.
config firewall policy
    # "edit 0" lets FortiOS allocate the next free policy ID. Re-running this bootstrap
    # therefore adds another policy (or fails on the duplicate name, depending on
    # version) rather than updating this one - relevant to the run-once / partially
    # applied behaviour in the issue title.
    edit 0
        set name "ilb healthcheck"
        set srcintf "port2"
        set dstintf "probe"
        set action accept
        # Source is "all"; the match is narrowed only by the VIP group and the PROBE
        # service. Restricting srcaddr to the GCP health-check ranges already used in
        # the static routes (35.191.0.0/16, 130.211.0.0/22) would limit who can reach
        # the probe listener - confirm intent.
        set srcaddr "all"
        set dstaddr "ilb-healthcheck-vipgrp"
        set schedule "always"
        set service "PROBE"
        set comment "This policy forwards internal load balancers health checks to the probe loopback interface"
    next
end

Example non-KCC version:

{
    "bucket" : "ec2-fortigate-configuration-<VOTRE-SUFFIXE>",
    "region" : "ca-central-1",
    "license" : "/license.lic",
    "config" : "/config.txt"
}

Check-script example: https://github.com/fortinet/fortigate-tutorial-gcp/issues/1

fmichaelobrien commented 4 months ago

Client version (partial):

%{ if license_file != "" }
--==OCI==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="license"

${license_file}

%{ endif }
--==OCI==--