Forcepoint NGFW to Any Cloud SD-WAN

Table of contents
  1. Forcepoint NGFW to Any Cloud SD-WAN
  2. Summary
  3. Demo
  4. Source Code
  5. Caveats
  6. Requirements
  7. Configure Forcepoint SMC
  8. Pull Docker Images And Start the Services
    1. Step 1: Download Docker Compose file
    2. Step 2: Launch Forcepoint Any SD-WAN Tool CLI GUI
  9. Forcepoint Any SD-WAN Tool Usage
    1. Step 1: Login Page For SMC API
    2. Step 2: Select Cloud Provider
    3. Step 3: Select FW Engines
    4. Step 4: Review The Selected FW Engines Clusters
    5. Step 5: Deployment Process
    6. Step 6: Close the tool GUI
    7. Step 7: Stop All Services
  10. Troubleshooting
    1. Validate the prerequisites
    2. Check network connectivity
    3. Check dependencies are installed
    4. Check all components are configured and running properly
License

These contents are licensed under Apache License, Version 2.0. http://www.apache.org/licenses/LICENSE-2.0

TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, THE SITE AND ITS CONTENT IS PROVIDED TO YOU ON AN “AS IS,” “AS AVAILABLE” AND “WHERE-IS” BASIS. ALL CONDITIONS, REPRESENTATIONS AND WARRANTIES WITH RESPECT TO THE SITE OR ITS CONTENT, WHETHER EXPRESS, IMPLIED, STATUTORY OR OTHERWISE, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE, OR NON-INFRINGEMENT OF THIRD PARTY RIGHTS, ARE HEREBY DISCLAIMED

Document Revision
Version Date Author Notes
0.1 12 August 2021 Dlo Bagari First draft
0.2 24 August 2021 Neelima Rai Added Troubleshooting chapter
0.3 26 August 2021 Mattia Maggioli Review

Summary

This guide provides step by step instructions to use the Forcepoint Any Cloud SD-WAN Tool to deploy SD-WAN connectivity using Forcepoint NGFW, enabling both single and multi-cloud SD-WAN scenarios with any cloud provider supported by the tool.

The code and instructions provided enable system administrators to automatically:

  • Create redundant VPN tunnels (IPsec standard) from one or many NGFW engines controlled by Forcepoint Security Management Center
  • Connect VPN tunnels to selected cloud provider hubs.

It is assumed that the SD-WAN resources of each cloud provider are already in place. If that is not the case, follow the documentation of the relevant provider:

  • Azure: instructions to deploy Azure Virtual WAN click here
  • AWS: instructions to deploy AWS Transit Gateway click here

Demo

 

Source Code

fp-bd-any-sd-wan-tool-docker

Caveats

The integration described in this document was developed and tested with the following products:

  • Forcepoint NGFW 6.9.1
  • Forcepoint SMC 6.9.1
  • Golang 1.16
  • python 3.8
  • gRPC V3
  • Docker version 20.10.6
  • Docker Compose version 1.29.1

The following activities are out of the scope of this document and are left to the system administrator, as part of the ordinary maintenance procedures of the existing infrastructure:

  • configuration of appropriate hygiene procedures to handle logs produced during any step of the solution workflow
  • monitoring of the scripts, services, and applications involved in the solution

Requirements

This integration is provided as docker images which can run on a docker host on premise, or on any cloud-based docker service with network access to the SMC and Cloud Provider Hubs.

Configure Forcepoint SMC

  1. Sign into the SMC.

  2. Navigate to Configuration > Administration.

  3. Expand Access Rights and select API Clients.

  4. Right-click API Clients and select New API Client. This will open the API Client Properties.

  5. Add a name then click Generate Authentication Key.

  6. Store the authentication key in a safe location (a secrets manager, or a file readable only by the user that will run the tool), as it will be needed later on. Once step 7 is completed this key grants unrestricted access to the SMC, so treat it as a superuser credential.

  7. Select the Permissions tab and choose Unrestricted Permissions (Superuser) using the radio button, then click OK.

  8. In the side menu go to Certificates and select TLS Credentials.

  9. Right-click TLS Credentials and select New TLS Credentials: enter a name for the certificate and enter the publicly accessible IP address into the Common Name [CN] field. Leave all other fields at their default values, then select Next >.

  10. On the next screen select the option Self-Sign then Finish.

  11. In the SMC header select Home then in the side menu select Others. Right-click Management Server and select Properties…

  12. Navigate to the SMC API tab and select Enable.

  13. From the Server Credentials section click the option Select… and from the Select Element windows select the TLS Credentials that were created earlier.

  14. From the Server TLS Cryptography Suite Set section, click the option Select… and from the Select Element window select the option AES GCM Cryptographic Algorithms.

    Click Select and then OK in the Management Server - Properties window when finished, then click Yes to confirm.
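To confirm that the API client, authentication key and TLS credentials created above actually work before starting the tool, the following Python script (an added example, not code from the Forcepoint tool or from the smc-python library) logs in to the SMC API and logs out again, verifying the self-signed server certificate instead of switching certificate checks off. It assumes the SMC API listens on the SMC default port 8082, that login is POST /<version>/login with the JSON body {"authenticationkey": ...} answered with a JSESSIONID cookie, and that logout is PUT /<version>/logout, as the smc-python library does; the environment variable names and all function names are the example's own.

```python
"""Smoke-test the SMC API client and TLS credentials created above.

Added example, not part of the Forcepoint tool or the smc-python library.
Assumptions: SMC API on its default port 8082; POST /<version>/login with
{"authenticationkey": ...} returning a JSESSIONID cookie; PUT /<version>/logout.
"""
import hashlib
import http.client
import json
import os
import ssl
import sys
from http.cookies import SimpleCookie
from typing import Optional


def login_path(api_version: str) -> str:
    """Path of the SMC API login endpoint for the selected API version."""
    return f"/{api_version.strip('/')}/login"


def login_body(api_key: str) -> bytes:
    """JSON body carrying the API client's authentication key."""
    return json.dumps({"authenticationkey": api_key}).encode()


def session_id(set_cookie: Optional[str]) -> Optional[str]:
    """Extract JSESSIONID from the Set-Cookie header of the login reply."""
    if not set_cookie:
        return None
    jar = SimpleCookie()
    jar.load(set_cookie)
    return jar["JSESSIONID"].value if "JSESSIONID" in jar else None


def sha256_fingerprint(cert_der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, the form openssl x509 prints."""
    digest = hashlib.sha256(cert_der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def fingerprint_matches(cert_der: bytes, expected: str) -> bool:
    """Compare fingerprints ignoring case and separators."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").lower()
    return norm(sha256_fingerprint(cert_der)) == norm(expected)


def tls_context(cafile: Optional[str]) -> ssl.SSLContext:
    """Trust only the exported SMC certificate when cafile is given.

    A certificate that carries the SMC address only in the CN field (as created
    in step 9) has no subjectAltName, so OpenSSL hostname matching against an
    IP address fails; in that case leave cafile unset and pin the SHA-256
    fingerprint instead (checked manually in smc_login_logout below).
    """
    if cafile:
        ctx = ssl.create_default_context(cafile=cafile)   # hostname check stays on
    else:
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE                  # replaced by the fingerprint pin
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def smc_login_logout(host: str, api_key: str, api_version: str,
                     cafile: Optional[str] = None,
                     pin_sha256: Optional[str] = None, port: int = 8082) -> str:
    """Log in, return the session id, then log out. Raises on any failure."""
    if not cafile and not pin_sha256:
        raise ValueError("refusing to connect without a CA file or a fingerprint pin")
    conn = http.client.HTTPSConnection(host, port, context=tls_context(cafile), timeout=15)
    conn.connect()
    if pin_sha256:
        peer_der = conn.sock.getpeercert(binary_form=True)
        if not fingerprint_matches(peer_der, pin_sha256):
            conn.close()
            raise ssl.SSLError(f"SMC certificate mismatch, got {sha256_fingerprint(peer_der)}")
    conn.request("POST", login_path(api_version), body=login_body(api_key),
                 headers={"Content-Type": "application/json", "Accept": "application/json"})
    resp = conn.getresponse()
    resp.read()
    sid = session_id(resp.getheader("Set-Cookie"))
    if resp.status != 200 or not sid:
        raise RuntimeError(f"SMC API login failed: HTTP {resp.status}")
    conn.request("PUT", f"/{api_version.strip('/')}/logout", headers={"Cookie": f"JSESSIONID={sid}"})
    conn.getresponse().read()
    conn.close()
    return sid


if __name__ == "__main__":
    # The key comes from the environment, never from argv (visible in ps) or a file in the repo.
    key = os.environ.get("SMC_API_KEY") or sys.exit("set SMC_API_KEY to the API client key")
    print("login/logout OK, session", smc_login_logout(
        host=sys.argv[1], api_key=key, api_version=os.environ.get("SMC_API_VERSION", "6.9"),
        cafile=os.environ.get("SMC_CA_FILE"), pin_sha256=os.environ.get("SMC_CERT_SHA256")))
```

Run it as `SMC_API_KEY=... SMC_CERT_SHA256=... python3 smc_check.py <smc-ip>`. The fingerprint to pin can be read from the SMC host with `openssl s_client -connect <smc-ip>:8082 </dev/null | openssl x509 -noout -fingerprint -sha256`; compare it against the TLS Credentials element in the SMC before trusting it. If the certificate was issued to a DNS name (in CN or subjectAltName) rather than to the bare IP, export it to a PEM file and pass SMC_CA_FILE instead, which keeps OpenSSL's full chain and hostname verification.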

Pull Docker Images And Start the Services

The following Docker images are used in this integration:

  • fp-any-wan-tool: the service providing the Forcepoint Any SD-WAN Tool and its CLI GUI
  • fp-smc-api-grpc: a service that exposes the Forcepoint SMC Python library as a gRPC API, used by the tool to talk to the SMC

The solution described in this chapter requires

  • A Linux machine (Centos 7.3 recommended) with at least 20GB free disk space and 2 GB RAM. This machine will be referenced in the rest of this document as the docker-host machine.

  • Docker Engine must be installed on the docker-host machine, visit docker-installation-docs to install Docker Engine on docker-host

  • Docker-compose must be installed on the docker-host machine, visit docker-compose-installation-docs to install docker-compose on docker-host machine

Login to your docker-host machine with a user which has permissions to execute docker commands, and perform the following steps.

Step 1: Download Docker Compose file

  1. Download fp-bd-any-sd-wan-tool-docker.tar.gz file

  2. Decompress the fp-bd-any-sd-wan-tool-docker.tar.gz file with the following command:

    tar -zxvf fp-bd-any-sd-wan-tool-docker.tar.gz
    

    The output of the above command is a directory named fp-bd-any-sd-wan-tool-docker

  3. Use the following command and credentials to login to the Docker registry hosting the containers needed for this integration. If you script this step, pass the password on standard input (docker login supports --password-stdin) rather than on the command line, so it does not end up in the shell history.

    root@linux:~# docker login docker.frcpnt.com
    Username: fp-integrations
    Password: t1knmAkn19s
    
  4. Change your current directory to fp-bd-any-sd-wan-tool-docker

     cd fp-bd-any-sd-wan-tool-docker
    
  5. Start the smc-grp and sd-wan services

     docker-compose up -d
    

Step 2: Launch Forcepoint Any SD-WAN Tool CLI GUI

Execute the following command to display the Forcepoint Any SD-WAN Tool CLI GUI in your terminal:

    docker-compose exec sd-wan sdwan run

Forcepoint Any SD-WAN Tool Usage

Step 1: Login Page For SMC API

Note: to paste text into the CLI GUI use ctrl+shift+v

  1. Enter your SMC API credentials (including the authentication key generated in Configure Forcepoint SMC) and select the SMC API version.

  2. Click Login: the tool validates the entered credentials against the SMC API and displays any error it receives.

  3. Once the tool has successfully logged into the SMC API, click the Next button. A list of supported Cloud Providers is displayed.

Step 2: Select Cloud Provider

Select your target Cloud Provider; a login form is displayed. Enter the required information and click Login. The provided information is verified, and all required information from the Cloud Provider side is downloaded into the CLI GUI environment. For example, if the target Cloud Provider is Azure, all existing Azure Virtual WANs are discovered and their VPN configurations downloaded.

Step 3: Select FW Engines

  1. In the FW Engines column:
    • select a FW Engines cluster by left-clicking on it
    • load all VPN Internal Gateways of the selected FW Engines cluster by right-clicking on it

  2. In the Engines VPN Endpoint column, choose a VPN Internal Gateway and select an endpoint from its endpoints list.

    Once you select an endpoint, the available Cloud Provider sites are listed in the SD-WAN Sites column.

  3. In the SD-WAN Sites column, choose an SD-WAN Site (for Azure) or a Customer Gateway (for AWS).

    Once you select an SD-WAN Site or Customer Gateway, the SMC Gateway Profile column is filled with some optional settings.

  4. In the SMC Gateway Profile (other options) column:
    • select a profile for the Gateway; the default is ‘all capabilities’
    • Forcepoint Any SD-WAN Tool automatically creates the VPN Profile required by the selected Cloud Provider (‘Azure_vpn_profile’ for Azure, ‘AWS_vpn_profile’ for AWS). If you want to use a different VPN Profile for the selected Cloud Provider, select it from the list of VPN profiles; otherwise leave the default selection.

If you need to select more FW Engines Clusters, repeat Step 3 for each FW Engines Cluster.

Step 4: Review The Selected FW Engines Clusters

Once you have finished selecting FW Engines Clusters, click the Next Page button to display the Summary Page. The Summary Page shows a tree of all selected FW Engines Clusters with their selected options; click the name of each option to expand it.

If you need to change any selected option or add more FW Engines Clusters, click Previous Page.

Step 5: Deployment Process

  • Once you are satisfied with the selected options, click the Next Page button to display the Deployment Page.

  • Click the Start Deployment button to start the deployment process. A separate deployment process starts for each selected FW Engines Cluster.

  • Wait until all deployments are completed. If any deployment fails, an error message is displayed in the header section.

Step 6: Close the tool GUI

Once all deployments are completed, close the tool by clicking the Quit button. This logs the tool out of every session (SMC API and Cloud Provider) it opened while in use.

Step 7: Stop All Services

Execute the following command to stop the services:

```
docker-compose down
```

Note: while you are selecting options in the tool, all log messages with level INFO and ERROR are written to ‘/var/log/any-wan-logs’ on the docker host machine. As stated in Caveats, retention and hygiene of this directory are left to the system administrator.

Troubleshooting

Follow these steps to identify issues impacting the normal operation of the integration described in this document.

Validate the prerequisites

Make sure the prerequisites described in the Caveats chapter are all satisfied:

  • Check the version of Forcepoint NGFW and SMC in use are listed as compatible

    Forcepoint NGFW 6.9.1
    Forcepoint SMC 6.9.1
    
  • The host machine should have Docker version 20.10.6 and Docker Compose version 1.29.1 installed

  • The docker host machine should meet the minimum hardware requirements of 2GB RAM, 20GB free storage

  • User needs permissions to execute docker commands

  • Check the user can download the required files with the link below:

    fp-bd-any-sd-wan-tool-docker

Check network connectivity

Make sure firewalls or other security appliances are not impacting the network connectivity necessary for the operation of all components involved in this integration:

  • Check the host machine has connectivity to the internet: execute the following command on the docker host machine:

    ping -c 2 www.aws.com

    Once done, check the result is similar to below:

    PING www.aws.com (10.10.120.12) 56(84) bytes of data.
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=2 ttl=128 time=181 ms

  • Check the host machine has connectivity to the SMC API: execute the following command on the docker host machine, replacing SMC-HOSTNAME with the hostname or IP address of the Management Server:

    ping -c 2 SMC-HOSTNAME

    Once done, check the result is similar to below:

    PING SMC-HOSTNAME (10.10.120.12) 56(84) bytes of data.
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=1 ttl=128 time=179 ms
    64 bytes from 10.10.120.12 (10.10.120.12): icmp_seq=2 ttl=128 time=181 ms

    Note that ping only proves ICMP reachability. The tool talks to the SMC API over TCP (port 8082 by default), so if ICMP is filtered, or the ping succeeds but the tool still cannot log in, verify that the SMC API port on the Management Server is reachable from the docker host and not blocked by a firewall in between.

Check dependencies are installed

Make sure the software dependencies needed by the components involved in this integration are installed:

  • Check the host machine has docker installed: execute the following command on the host machine:

    docker info

    Check the first few lines of the output are similar to below, and that the Server Version line (19.03.5 in this sample) reports the Docker version listed in the Caveats chapter, 20.10.6:

    Client:
     Debug Mode: false

    Server:
     Containers: 3
      Running: 2
      Paused: 0
      Stopped: 1
     Images: 3
     Server Version: 19.03.5

  • Check the host machine has docker-compose installed: execute the following command on the host machine:

    docker-compose --version

    Check the output is similar to below:

    docker-compose version 1.29.1, build unknown

Check all components are configured and running properly

Make sure the products and services involved in this integration are configured as expected and they are running:

  • Check the containers are running with the following command, executed from the fp-bd-any-sd-wan-tool-docker directory:

    docker-compose ps

    Check that the output lists a container for each of the smc-grp and sd-wan services with State Up. A container in state Exit indicates a failed start; inspect its output with docker-compose logs.
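The checks in this chapter, automated as an added Python preflight script (not part of the Forcepoint tool). It parses the outputs of docker info, docker-compose --version and docker-compose ps, checks free disk space and the log directory, and replaces ping with a TCP connect to the SMC API port, since an ICMP reply says little about API reachability. Assumptions: the SMC API listens on its default port 8082; compose v1 names containers <project>_<service>_1, with the service names smc-grp and sd-wan used in Step 5; the sample docker-compose ps output embedded in the script is constructed for illustration.

```python
"""Preflight checks for the docker host running the Any SD-WAN Tool.

Added example, not part of the Forcepoint tool. Assumptions: SMC API on
port 8082; compose v1 container names <project>_<service>_1; the embedded
SAMPLE_PS_OUTPUT is constructed, not captured from a real host.
"""
import os
import re
import shutil
import socket
import subprocess
import sys
from typing import Dict, Iterable, List, Optional, Tuple

REQUIRED_DOCKER = "20.10.6"       # versions from the Caveats chapter
REQUIRED_COMPOSE = "1.29.1"
MIN_FREE_GB = 20
SMC_API_PORT = 8082               # SMC default (assumption)
LOG_DIR = "/var/log/any-wan-logs"
SERVICES = ("smc-grp", "sd-wan")  # compose services started in Step 5

# Constructed sample of `docker-compose ps` (compose v1 layout); one service is down.
SAMPLE_PS_OUTPUT = """\
            Name                           Command              State    Ports
-------------------------------------------------------------------------------
fp-bd-any-sd-wan-tool-docker_sd-wan_1    ./sdwan serve        Exit 1
fp-bd-any-sd-wan-tool-docker_smc-grp_1   python server.py     Up       50051/tcp
"""


def version_tuple(v: str) -> Tuple[int, ...]:
    """'20.10.6' -> (20, 10, 6); tolerates a leading 'v' or trailing build info."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def version_ok(found: Optional[str], required: str) -> bool:
    """True when a version was found and is at least the required one."""
    return found is not None and version_tuple(found) >= version_tuple(required)


def docker_server_version(info_output: str) -> Optional[str]:
    """Pull 'Server Version: x.y.z' out of `docker info` output."""
    m = re.search(r"^\s*Server Version:\s*([\w.+-]+)", info_output, re.M)
    return m.group(1) if m else None


def compose_version(version_output: str) -> Optional[str]:
    """Pull the version out of `docker-compose --version` output."""
    m = re.search(r"docker-compose version\s+v?([\d.]+)", version_output)
    return m.group(1) if m else None


def services_up(ps_output: str, services: Iterable[str] = SERVICES) -> Dict[str, bool]:
    """Map each compose service to whether one of its containers is in state Up."""
    rows: List[List[str]] = [
        ln.split() for ln in ps_output.splitlines()
        if ln.strip() and not ln.strip().startswith("-")
    ]
    rows = [r for r in rows if r[0] != "Name"]          # drop the header row
    return {svc: any(f"_{svc}_" in r[0] and "Up" in r for r in rows) for svc in services}


def tcp_reachable(host: str, port: int, timeout: float = 5.0) -> bool:
    """TCP connect check: what the tool actually needs, unlike an ICMP echo."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def free_gb(path: str = "/") -> float:
    return shutil.disk_usage(path).free / 1024 ** 3


def run(cmd: List[str]) -> str:
    """Run a command and return stdout, or '' when the binary is missing."""
    try:
        return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout
    except FileNotFoundError:
        return ""


def main(smc_host: str) -> int:
    results = {
        f"docker >= {REQUIRED_DOCKER}": version_ok(docker_server_version(run(["docker", "info"])), REQUIRED_DOCKER),
        f"docker-compose >= {REQUIRED_COMPOSE}": version_ok(compose_version(run(["docker-compose", "--version"])), REQUIRED_COMPOSE),
        f"free disk >= {MIN_FREE_GB} GB": free_gb() >= MIN_FREE_GB,
        f"TCP {smc_host}:{SMC_API_PORT} (SMC API)": tcp_reachable(smc_host, SMC_API_PORT),
        f"log dir {LOG_DIR} exists": os.path.isdir(LOG_DIR),
    }
    results.update({f"service {s} Up": ok for s, ok in services_up(run(["docker-compose", "ps"])).items()})
    for name, ok in results.items():
        print(f"[{'OK' if ok else 'FAIL'}] {name}")
    return 0 if all(results.values()) else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else "SMC-HOSTNAME"))
```

Run it from the fp-bd-any-sd-wan-tool-docker directory as `python3 preflight.py <smc-host>`; a non-zero exit code means at least one check failed and the corresponding line above tells you which prerequisite to revisit.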