Skip to content

Latest commit

 

History

History
158 lines (123 loc) · 5.85 KB

README.md

File metadata and controls

158 lines (123 loc) · 5.85 KB

PHP-CLI SHELL for FIREWALL

New release will be only available on https://github.com/Renji-FR/PhpCliShell

This repository is the addon for PHP-CLI SHELL about FIREWALL (acl) service.
With this addon you can create ACLs (monosite, failover and fullmesh) and generate template for your firewall appliance.
It is possible to upload ACLs config file to firewall with SCP. For SCP, you can use an SSH bastion.

demo

For the moment, there are 3 templates:

  • Juniper JunOS
    there are 2 templates for Juniper JunOS: one formated with {} and one with set commands
  • Cisco ASA
    there are 2 templates for Cisco ASA: one for the firewall itself and one for VPN DAP (Dynamic Access Policies)
  • Web HTML

ACL monosite:

  • basic ACL, source(s), destination(s), no automation. For this ACL category you can not enable fullmesh option!

ACL failover:

  • without fullmesh option: failover ACL(s) will be automaticaly generated for all failover sites in inbound or outbound.
  • with fullmesh option: like without but source and destination of ACL will be isolated per zone to process automation.

You have to use base PHP-CLI SHELL project that is here: https://github.com/cloudwatt/php-cli-shell_base

INSTALLATION

APT PHP

Ubuntu only, you can get last PHP version from this PPA:
https://launchpad.net/~ondrej/+archive/ubuntu/php

  • add-apt-repository ppa:ondrej/php
  • apt update

You have to install a PHP version >= 7.1:

  • apt install php7.3-cli php7.3-mbstring php7.3-readline pphp7.3-soap php7.3-curl

For MacOS users which use PHP 7.3, there is an issue with PCRE. You have to add this configuration in your php.ini:

pcre.jit=0

To locate your php.ini, use this command: php -i | grep "Configuration File"

USE PHAR

Download last PHAR release and its key from releases

Print console help:
$ php php-cli-shell.phar --help

The PHAR contains all PHP-CLI SHELL components (Base, DCIM, IPAM and Firewall)

DEMO

demo

Start FIREWALL demo with command:
$ php php-cli-shell.phar firewall:application:demo

WIZARD

wizard

Create FIREWALL configuration with command:
$ php php-cli-shell.phar configuration:application:factory firewall
For more informations about configuration file, see 'CONFIGURATION FILE' section

Create FIREWALL launcher with command:
$ php php-cli-shell.phar launcher:application:factory firewall

USE SOURCE

REPOSITORIES

PHPIPAM (Optionnal)

If you have PHPIPAM and you want object name autocompletion, you have to perform these steps:

CONFIGURATION FILE

[env] is not used by PHP-CLI, it is for user when he has many environments or sites to managed

  • mv configurations/firewall.envA.json.example configurations/firewall.[env].json
  • vim configurations/firewall.[env].json
    • Adapt configuration to your network topology
    • Of course you can add more than two sites
    • Do not change topology attribute names: internet, onPremise, interSite, private
  • Optionnal
    • You can create user configuration files for base and firewall services to overwrite some configurations
      These files will be ignored for commits, so your user config files can not be overwrited by a futur release
    • mv configurations/firewall.envA.user.json.example configurations/firewall.[env].user.json
    • vim configurations/firewall.[env].user.json Change configuration like path or file
    • All *.user.json files are ignored by .gitignore
  • Juniper JunOS
    • In firewall.json, you can change the configuration push method:
     "templates": {
     	"juniper-junos_set": {
     		"updateMode": "replace"
     	}
     }
    Available modes: merge or replace
  • Cisco-ASA
    • Add this configuration in options section under sites to declare a global zone:
     "options": {
     	"globalZone": "global"
     }

PHP LAUNCHER FILE

  • mv firewall.php.example firewall.php
  • vim firewall.php
    • Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file
      You can add many PHPIPAM server, it is compatible multiple PHPIPAM
      If you have not PHPIPAM service, remove argument or keep it empty
      [env] is not used by PHP-CLI, it is for user when he has many environments or sites to managed
  • mv firewall.envA.php.example firewall.[env].php
  • vim firewall.[env].php
    • Change [env] with the name of your environment

EXECUTION

CREDENTIALS FILE

Change informations which are between []

  • vim credentialsFile
    • read -sr USER_PASSWORD_INPUT

      • export SSH_SYS_LOGIN=[YourSystemLoginHere]
      • export SSH_NET_LOGIN=[YourNetworkLoginHere]
      • export SSH_NET_PASSWORD=$USER_PASSWORD_INPUT
        Bastion authentication must be base on certificate

      PHPIPAM (Only if you use PHPIPAM service/addon) /!\ For security reason, use a read only account!

      • export IPAM_[IPAM_SERVER_KEY]_LOGIN=[YourLoginHere]
    • export IPAM_[IPAM_SERVER_KEY]_PASSWORD=$USER_PASSWORD_INPUT
      Change [IPAM_SERVER_KEY] with the key of your PHPIPAM server in configuration file

SHELL

Launch PHP-CLI Shell for FIREWALL service

  • source credentialsFile
  • php firewall.[env].php