├── README.md ├── osm ├── README.md ├── ubuntu_vnf_src │ ├── ubuntu_xenial_vnf │ │ ├── README │ │ ├── cloud_init │ │ │ └── cloud_init.cfg │ │ ├── icons │ │ │ └── ubuntu-logo14.png │ │ └── checksums.txt │ ├── icons │ │ └── ubuntu-logo14.png │ ├── cloud_init │ │ ├── apache_init.cfg │ │ └── desktop_init.cfg │ └── Makefile ├── fortimail │ ├── fortimail_nsd │ │ ├── checksums.txt │ │ └── fortimail_nsd.yaml │ ├── fortimail_vnfd │ │ ├── scripts │ │ │ ├── mode │ │ │ ├── license │ │ │ └── config │ │ ├── charms │ │ │ └── fortimail │ │ │ │ ├── layer.yaml │ │ │ │ ├── config.yaml │ │ │ │ ├── README │ │ │ │ ├── actions │ │ │ │ ├── create-domain │ │ │ │ ├── delete-domain │ │ │ │ └── get-administrative-resource │ │ │ │ ├── metadata.yaml │ │ │ │ ├── actions.yaml │ │ │ │ └── reactive │ │ │ │ └── fortimail.py │ │ ├── README │ │ └── fortimail_vnfd.yaml │ ├── compile_nsd.sh │ └── compile_vnfd.sh ├── fortios_vnfd_src │ ├── layers │ │ └── fortios │ │ │ ├── wheelhouse.txt │ │ │ ├── layer.yaml │ │ │ ├── README.md │ │ │ ├── metadata.yaml │ │ │ ├── config.yaml │ │ │ ├── actions │ │ │ ├── apiset │ │ │ ├── sshcmd │ │ │ └── confport │ │ │ ├── actions.yaml │ │ │ └── lib │ │ │ └── charms │ │ │ └── fortios.py │ ├── icons │ │ └── FortiGateVMLogo.png │ ├── cloud_init │ │ ├── fgt-mtu1456-10.10.txt │ │ └── userdata.txt │ ├── Makefile │ └── scripts │ │ ├── config-template.py │ │ ├── testargpassing.py │ │ └── testargpassjson.py ├── ping_vnfd.tar.gz ├── pong_vnfd.tar.gz ├── ping_pong_nsd.tar.gz ├── debconf.sh ├── lxd-bridge ├── FortigateApache_nsd.yaml └── fortigate2net_nsd │ └── fortigateconfed_nsd.yaml ├── fortios ├── README.md ├── apache_userdata.txt ├── apache_userdata_citycloud.txt ├── citycloud-env.yaml ├── minipoc-clean.sh └── fos-user-data.txt ├── cloudify ├── README.md ├── fortigate-monitored │ ├── __init__.py │ ├── plugins │ │ ├── __init__.py │ │ └── plugin-fortigate-monitor │ │ │ ├── __init__.py │ │ │ ├── inst.py │ │ │ ├── dev-requirements.txt │ │ │ ├── README.md │ │ │ ├── setup.py │ │ │ ├── 
fortigate_monit │ │ │ ├── __init__.py │ │ │ └── cloudify_handler │ │ │ │ ├── __init__.py │ │ │ │ ├── format.py │ │ │ │ └── cloudify.py │ │ │ └── .gitignore │ ├── inputs.yaml │ ├── inputs-citycloud.yaml │ ├── deploy.sh │ ├── clean.sh │ ├── types │ │ ├── openstack-fortigate-types.yaml │ │ └── fortigate-types.yaml │ ├── README.md │ └── test-cheatsheet.txt ├── fos-lifecycle │ ├── plugins │ │ └── __init__.py │ ├── inputs-citycloud.yaml │ ├── templates │ │ ├── delete-group-template.yaml │ │ ├── sdwan-rules.yaml │ │ ├── create-group-template.yaml │ │ ├── template.yaml │ │ ├── remove-fortigate.yaml │ │ └── add-fortigate.yaml │ ├── clean.sh │ └── deploy.sh ├── clean.sh ├── fortios-mini-poc │ ├── inputs.yaml │ ├── inputs-citycloud.yaml │ └── test-cheatsheet.txt ├── fortigate-mini-poc │ ├── inputs-citycloud.yaml │ ├── inputs.yaml │ └── test-cheatsheet.txt ├── openstack_config.template ├── openstack_configv3.template └── cfy-lxc-mngr.template ├── fortigate ├── README.md ├── citycloud-nofloat.yaml ├── citycloud-env.yaml ├── ha │ ├── example-nets.env │ ├── README.md │ └── example-fgcp.env ├── README-HA.md ├── apache_userdata_citycloud.txt ├── apache_userdata.txt ├── config.txt ├── citycloud-env-ha.yaml ├── minipoc-clean.sh ├── fos-user-data.txt ├── minipoc-add-floatings.sh ├── cloudinit_cdrom │ └── start_fgt.sh └── heat-add-floatings.patch ├── openstack ├── README.md ├── bleach-unused-floatingips.sh ├── unconfigure.sh ├── jumphost_userdata.txt ├── configure-openstack-floatings ├── ovh-jumphost.sh └── configure-openstack ├── sdwan-secure ├── README.md ├── templates │ ├── delete-group-template.yaml │ ├── sdwan-rules.yaml │ ├── create-group-template.yaml │ ├── template.yaml │ ├── remove-fortigate.yaml │ └── add-fortigate.yaml ├── deploy.sh ├── inputs-citycloud.yaml ├── clean.sh ├── Lessons.md ├── test-cheatsheet.txt └── types │ ├── antmedia.yaml │ └── openstack-types.yaml ├── .gitignore ├── Azure ├── hosts ├── votingApp.md ├── ingestCA.sh ├── FGT-FWB-VMs-2-Subnets │ ├── README.md │ 
├── publicip-none.json │ ├── vnet-existing.json │ └── publicip-existing.json ├── EICAR.Dockerfile ├── cis-bench.md ├── docker-entrypoint.sh ├── AZ-Preview.txt ├── ConfigureK8SnodesCA.sh ├── ConfigureK8Sstorage.sh ├── Az-FGT-parameters.json ├── word-web-deployment.yml ├── FGT-snippets.conf ├── ConfigureK8SConnector.sh ├── voting-app.yaml └── Dockerfile ├── docs ├── Advanced Examples │ └── LCM.md ├── MANO │ ├── OSM.md │ ├── Openstack-Heat.md │ └── Cloudify.md ├── index.md ├── Internals │ ├── Citycloud.md │ ├── Support-vms-collect.md │ ├── README-DockerClient.md │ └── About.md ├── mini-poc-asciio.txt ├── Fortimanager.md ├── mini-poc.md └── Fortigate.md ├── fortimanager ├── fmg-userdata.txt ├── README.md ├── ovh-env.yaml └── heat-fmg.yaml ├── fortiweb ├── fortiweb │ ├── templates │ │ ├── imagePsecret.yaml │ │ ├── serviceaccount.yaml │ │ ├── tests │ │ │ └── test-connection.yaml │ │ ├── service.yaml │ │ ├── ingress.yaml │ │ ├── NOTES.txt │ │ ├── deployment.yaml │ │ └── _helpers.tpl │ ├── .helmignore │ ├── Chart.yaml │ └── values.yaml ├── fweb-cloudinit.sh ├── Dockerfile ├── defaut-conf.tmpl ├── fwb-nginx-service.json ├── Notes.md ├── fwb-conf.yaml ├── fwb-single.yaml └── fwb-single-d0.yml ├── .gitmodules ├── openbaton └── deploy.sh ├── docker-entrypoint.sh ├── mkdocs.yml ├── check-openstackclient ├── Dockerfile └── helpers ├── vncfrommac-enable └── ubuntu-vncfrommac /README.md: -------------------------------------------------------------------------------- 1 | docs/quickstart.md -------------------------------------------------------------------------------- /osm/README.md: -------------------------------------------------------------------------------- 1 | ../docs/docs/OSM.md -------------------------------------------------------------------------------- /fortios/README.md: -------------------------------------------------------------------------------- 1 | ../docs/Fortigate.md -------------------------------------------------------------------------------- 
/cloudify/README.md: -------------------------------------------------------------------------------- 1 | ../docs/MANO/Cloudify.md -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /fortigate/README.md: -------------------------------------------------------------------------------- 1 | ../docs/Fortigate.md -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/ubuntu_xenial_vnf/README: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /openstack/README.md: -------------------------------------------------------------------------------- 1 | ../docs/Internals/Citycloud.md -------------------------------------------------------------------------------- /sdwan-secure/README.md: -------------------------------------------------------------------------------- 1 | ../docs/Advanced Examples/SDWAN.md -------------------------------------------------------------------------------- /fortios/apache_userdata.txt: -------------------------------------------------------------------------------- 1 | ../fortigate/apache_userdata.txt -------------------------------------------------------------------------------- 
/cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/__init__.py: -------------------------------------------------------------------------------- 1 | -------------------------------------------------------------------------------- /fortios/apache_userdata_citycloud.txt: -------------------------------------------------------------------------------- 1 | ../fortigate/apache_userdata_citycloud.txt -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | # Created by .ignore support plugin (hsz.mobi) 2 | .idea/ 3 | builds/ 4 | deps/ -------------------------------------------------------------------------------- /osm/fortimail/fortimail_nsd/checksums.txt: -------------------------------------------------------------------------------- 1 | 884a4e664d4a006eb1df243e948ad553 fortimail_nsd.yaml 2 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/wheelhouse.txt: -------------------------------------------------------------------------------- 1 | paramiko>=1.16.0,<1.17 2 | fortiosapi>=0.9.9 3 | 4 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/scripts/mode: -------------------------------------------------------------------------------- 1 | config system global 2 | set operation-mode server 3 | end 4 | 5 | -------------------------------------------------------------------------------- /osm/ping_vnfd.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/ping_vnfd.tar.gz -------------------------------------------------------------------------------- /osm/pong_vnfd.tar.gz: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/pong_vnfd.tar.gz -------------------------------------------------------------------------------- /osm/ping_pong_nsd.tar.gz: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/ping_pong_nsd.tar.gz -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/layer.yaml: -------------------------------------------------------------------------------- 1 | includes: ['layer:basic'] 2 | repo: 'https://osm.etsi.org/gerrit/osm/juju-charms' 3 | -------------------------------------------------------------------------------- /Azure/hosts: -------------------------------------------------------------------------------- 1 | [fortigates] 2 | fgtaz ansible_user="fgtadmin" ansible_password="Fortin3t-aks" 3 | 4 | [fortigates:vars] 5 | ansible_network_os=fortios -------------------------------------------------------------------------------- /cloudify/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | 4 | lxc delete cfy-mngr --force 5 | rm -rf cfy_virtualenv 6 | rm -rf cloudify-manager-blueprints 7 | -------------------------------------------------------------------------------- /docs/Advanced Examples/LCM.md: -------------------------------------------------------------------------------- 1 | # Lifecycle Scalability demo 2 | 3 | In this demo you will need a FortiManager with VM metering and API access. 
4 | 5 | # WIP -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/icons/ubuntu-logo14.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/ubuntu_vnf_src/icons/ubuntu-logo14.png -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/icons/FortiGateVMLogo.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/fortios_vnfd_src/icons/FortiGateVMLogo.png -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/ubuntu_xenial_vnf/cloud_init/cloud_init.cfg: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | password: ubuntu 3 | chpasswd: { expire: False } 4 | ssh_pwauth: True 5 | 6 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/layer.yaml: -------------------------------------------------------------------------------- 1 | includes: 2 | - layer:basic 3 | - layer:vnfproxy 4 | repo: 'https://github.com/fortinet-solutions-cse/fortistacks.git' 5 | -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/cloud_init/apache_init.cfg: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | package_upgrade: true 3 | packages: 4 | - apache2 5 | chpasswd: 6 | list: | 7 | ubuntu:fortinet 8 | expire: False -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/ubuntu_xenial_vnf/icons/ubuntu-logo14.png: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/fortinet-solutions-cse/fortistacks/HEAD/osm/ubuntu_vnf_src/ubuntu_xenial_vnf/icons/ubuntu-logo14.png -------------------------------------------------------------------------------- /cloudify/fortios-mini-poc/inputs.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fos56' 2 | fos_flavor: 'm1.small' 3 | ub_image: 'Trusty x86_64' 4 | ub_flavor: 'm1.small' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'default' 7 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/inputs.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fos56' 2 | fos_flavor: 'm1.small' 3 | ub_image: 'Trusty x86_64' 4 | ub_flavor: 'm1.small' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'default' 7 | -------------------------------------------------------------------------------- /fortimanager/fmg-userdata.txt: -------------------------------------------------------------------------------- 1 | config system admin user 2 | edit "admin" 3 | set password fortinet 4 | end 5 | 6 | config system admin user 7 | edit admin 8 | set rpc-permit read-write 9 | end -------------------------------------------------------------------------------- /openstack/bleach-unused-floatingips.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -ex 2 | 3 | # release all floating ip not in use (save $$) 4 | openstack floating ip list -f value -c "Floating IP Address" --status DOWN |xargs openstack floating ip delete -------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/imagePsecret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: fwbregistrysecret 5 | type: kubernetes.io/dockerconfigjson 6 | data: 7 | .dockerconfigjson: {{ template 
"imagePullSecret" . }} -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/ubuntu_xenial_vnf/checksums.txt: -------------------------------------------------------------------------------- 1 | dc9ed36cc49e37372a3e9a76e6ff447c cloud_init/cloud_init.cfg 2 | 94938a7cff091f8ca7db12d6a8c35aa7 icons/ubuntu-logo14.png 3 | 82b86379915ad986c6a2f72e85fdd76e ubuntu_xenial_vnfd.yaml 4 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/inputs-citycloud.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fos64' 2 | fos_flavor: '1C-1GB-50GB' 3 | mgmt_network_name: "mgmt" 4 | key_name: 'cloudify' 5 | external_network_name: "ext-net" 6 | fmg_ip: "192.168.1.99" 7 | fmg_package: "LCM-Policy" -------------------------------------------------------------------------------- /Azure/votingApp.md: -------------------------------------------------------------------------------- 1 | # inspired by Azure demo app 2 | 3 | ## Benchmark 4 | ```shell script 5 | ab -r -s 120 -c 500 -n 120000 -p vote.txt -T application/x-www-form-urlencoded -k http://10.40.0.67/ 6 | ``` 7 | 8 | with vote.txt containing: vote=Cats -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/inputs-citycloud.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fos56' 2 | fos_flavor: '1C-1GB' 3 | ub_image: 'Ubuntu 16.04 Xenial Xerus' 4 | ub_flavor: '1C-1GB' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'cfy' 7 | external_network_name: "ext-net" -------------------------------------------------------------------------------- /cloudify/fortios-mini-poc/inputs-citycloud.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fos56' 2 | fos_flavor: '1C-1GB' 3 | ub_image: 'Ubuntu 16.04 Xenial Xerus' 4 | ub_flavor: '1C-1GB' 5 | 
mgmt_network_name: "mgmt" 6 | key_name: 'default' 7 | external_network_name: "ext-net" -------------------------------------------------------------------------------- /cloudify/fortigate-mini-poc/inputs-citycloud.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fortigate' 2 | fos_flavor: '1C-1GB' 3 | ub_image: 'Ubuntu 16.04 Xenial Xerus' 4 | ub_flavor: '1C-1GB' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'default' 7 | external_network_name: "ext-net" -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | 3 | cfy blueprint upload blueprint.yaml 4 | cfy deployment create -b fortigate-monitored -i inputs-citycloud.yaml --skip-plugins-validation 5 | cfy executions start install -d fortigate-monitored 6 | 7 | -------------------------------------------------------------------------------- /cloudify/openstack_config.template: -------------------------------------------------------------------------------- 1 | { 2 | "username": "$OS_USERNAME", 3 | "password": "$OS_PASSWORD", 4 | "tenant_name": "$OS_TENANT_NAME", 5 | "auth_url": "$OS_AUTH_URL", 6 | "region": "$OS_REGION_NAME", 7 | "custom_configuration": "" 8 | } 9 | -------------------------------------------------------------------------------- /sdwan-secure/templates/delete-group-template.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: DELETE 5 | data: 6 | recoverable_code: 7 | nonrecoverable_code: 8 | response_translation: "response2" 9 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/delete-group-template.yaml: -------------------------------------------------------------------------------- 
1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: DELETE 5 | data: 6 | recoverable_code: 7 | nonrecoverable_code: 8 | response_translation: "response2" 9 | -------------------------------------------------------------------------------- /osm/fortimail/compile_nsd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if ! [ -d "devops" ]; then 4 | echo "Devops dir not present, cloning...." 5 | git clone https://osm.etsi.org/gerrit/osm/devops 6 | fi 7 | 8 | ./devops/descriptor-packages/tools/generate_descriptor_pkg.sh -t nsd -N fortimail_nsd 9 | -------------------------------------------------------------------------------- /osm/fortimail/compile_vnfd.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | if ! [ -d "devops" ]; then 4 | echo "Devops dir not present, cloning...." 5 | git clone https://osm.etsi.org/gerrit/osm/devops 6 | fi 7 | 8 | ./devops/descriptor-packages/tools/generate_descriptor_pkg.sh -t vnfd -N fortimail_vnfd 9 | -------------------------------------------------------------------------------- /fortigate/citycloud-nofloat.yaml: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-minipoc-nofloating.yaml -e citycloud-env.yaml mini-poc 2 | parameters: 3 | fgtimage: "fgt60" 4 | ubimage: "Ubuntu 16.04 Xenial Xerus" 5 | mgmt_net: "mgmt" 6 | vms_flavor: "1C-1GB" 7 | ub_nic2_name: "ens4" -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/inst.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | #License upload using FORTIOSAPI from Github 3 | 4 | import setup.py 5 | import sys 6 | sys.argv[:] = ["install" ] 7 | 8 | if __name__ == '__main__': 9 | sys.argv[:] = 
"install" 10 | install() -------------------------------------------------------------------------------- /fortigate/citycloud-env.yaml: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-minipoc.yaml -e citycloud-env.yaml mini-poc 2 | parameters: 3 | fgtimage: "fgt60" 4 | ubimage: "Ubuntu 16.04 Xenial Xerus" 5 | mgmt_net: "mgmt" 6 | public_net: "ext-net" 7 | vms_flavor: "1C-1GB" 8 | ub_nic2_name: "ens4" -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/README.md: -------------------------------------------------------------------------------- 1 | # Charm using layers to configure fortios 2 | 3 | * ref: https://osm.etsi.org/wikipub/index.php/Creating_your_own_VNF_charm_(Release_Three) 4 | 5 | Unfortunately juju actions forbid to passthrough yaml or json directly 6 | As a workaround we create the primitives -------------------------------------------------------------------------------- /sdwan-secure/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -ex 2 | cfy blueprint upload -b acme acme-enterprise.yaml 3 | cfy deployment create --skip-plugins-validation acme -b acme -i inputs-citycloud.yaml 4 | cfy -v executions start -d acme install 5 | # openstack router set dc-router --route destination=10.20.20.0/24,gateway=10.40.40.254 -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | #Tearing down 4 | [ -z "$1" ] && myblueprint="lcm" || myblueprint=$1 5 | cfy executions start uninstall -d $myblueprint --force -p ignore_failure=true 6 | #sleep 6 7 | cfy deployments delete $myblueprint 8 | #sleep 2 9 | cfy blueprint delete $myblueprint 10 | 11 | 
-------------------------------------------------------------------------------- /fortimanager/README.md: -------------------------------------------------------------------------------- 1 | # Example CLI to deploy manually: 2 | 3 | 4 | ``` 5 | openstack server create --image "FMG642" fmg642 --flavor $OS_FLAVOR --nic net-id=mgmt,v4-fixed-ip=192.168.1.99 --block-device-mapping vdb=fmg-log1 --user-data fmg-userdata.txt --config-drive=true 6 | ``` 7 | 8 | See the heat template for an example. 9 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/README: -------------------------------------------------------------------------------- 1 | This descriptor provides a VNFD for the FortiMail VM 2 | FortiMail version is 5.4 3 | 4 | The auxiliary log disk is simply created by the VIM with a size of 1 GB 5 | (it is not taken from a predefined log disk) 6 | 7 | FortiMail is started up in server mode 8 | (check the cloud-init script if you want to switch to gateway mode) 9 | -------------------------------------------------------------------------------- /sdwan-secure/inputs-citycloud.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fortigate' 2 | fos_flavor: '1C-1GB-50GB' 3 | ub_image: 'Ubuntu 16.04 Xenial Xerus' 4 | ub_flavor: '2C-4GB-50GB' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'cloudify' 7 | external_network_name: "ext-net" 8 | agent_user: "ubuntu" 9 | fmg_ip: "192.168.1.99" 10 | fmg_package: "default" -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/dev-requirements.txt: -------------------------------------------------------------------------------- 1 | https://github.com/cloudify-cosmo/cloudify-dsl-parser/archive/master.zip 2 | https://github.com/cloudify-cosmo/cloudify-rest-client/archive/master.zip 3 | https://github.com/cloudify-cosmo/cloudify-plugins-common/archive/master.zip 4 | mock 5 | 
testtools 6 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/deploy.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -ex 2 | cfy blueprint upload -b lcm blueprint.yaml 3 | cfy deployment create --skip-plugins-validation lcm -b lcm -i inputs-citycloud.yaml 4 | cfy -v executions start -d lcm install 5 | 6 | ## To scale 7 | #cfy executions start -d lcm scale --dry-run -p scalable_entity_name=fos_fips -p delta=2 -------------------------------------------------------------------------------- /fortios/citycloud-env.yaml: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-minipoc.yaml -e citycloud-env.yaml mini-poc 2 | parameters: 3 | fosimage: "fos568" 4 | ubimage: "Ubuntu 16.04 Xenial Xerus" 5 | mgmt_net: "mgmt" 6 | public_net: "ext-net" 7 | vms_flavor: "1C-1GB" 8 | ub_nic2_name: "ens4" 9 | fortimanager_ip: "10.210.40.40" -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/scripts/license: -------------------------------------------------------------------------------- 1 | -----BEGIN FE VM LICENSE----- 2 | QAAAANo9eSO0Ea3hUANNNVsli6R1xEdyzeUwuW6cu3ja0lPB0mAE/87Lzxi69WuMTUciC34a4Nal 3 | R9kWajXUiv/mlwtgAAAAdptMgiJ0mo/Cs+j92A6tmQKwHcftjOgiBN5bZMs2mmCcCBXuPSiQ6qHa 4 | jznSbsUb+VEzAZLo26f7HHiyXZ0I8HC9mKzD+ux0+iYTDU1LtzLAwye5A9bFPvMobCqOaIAt 5 | -----END FE VM LICENSE----- 6 | -------------------------------------------------------------------------------- /openstack/unconfigure.sh: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env bash 2 | 3 | #Brutal way but easy and using 1 session (faster) 4 | ./bleach-unused-floatingips.sh 5 | cat << EOF | openstack 6 | router remove subnet provider-router mgmt_subnet 7 | router delete provider-router 8 | network delete mgmt 9 | keypair 
delete default 10 | keypair delete cloudify 11 | EOF 12 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | cfy executions start uninstall -d fortigate-monitored || cfy executions start uninstall -d fortigate-monitored --force -p ignore_failure=true 4 | 5 | cfy deployments delete fortigate-monitored || cfy deployments delete fortigate-monitored force 6 | cfy blueprint delete fortigate-monitored 7 | 8 | -------------------------------------------------------------------------------- /Azure/ingestCA.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # az vmss extension set --vmss-name my-vmss --name customScript --resource-group my-group \ 3 | # --version 2.0 --publisher Microsoft.Azure.Extensions \ 4 | # --settings '{"commandToExecute": "echo testing"}' 5 | echo $1 | base64 -d | sudo tee /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt >/dev/null 6 | sudo update-ca-certificates 7 | -------------------------------------------------------------------------------- /cloudify/openstack_configv3.template: -------------------------------------------------------------------------------- 1 | { 2 | "username": "$OS_USERNAME", 3 | "password": "$OS_PASSWORD", 4 | "project_name": "$OS_PROJECT_NAME", 5 | "auth_url": "$OS_AUTH_URL", 6 | "region": "$OS_REGION_NAME", 7 | "user_domain_name": "$OS_USER_DOMAIN_NAME", 8 | "project_domain_name": "$OS_PROJECT_DOMAIN_NAME", 9 | "custom_configuration": "" 10 | } 11 | -------------------------------------------------------------------------------- /Azure/FGT-FWB-VMs-2-Subnets/README.md: -------------------------------------------------------------------------------- 1 | # Deploy single FortiGate VM with 2 NICs 2 | 3 | 4 | 5 | 6 | -------------------------------------------------------------------------------- 
/fortigate/ha/example-nets.env: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-nets.yaml -e example-nets.env networks-testers 2 | parameters: 3 | ubimage: "Ubuntu 16.04 Xenial Xerus" 4 | mgmt_net_name: "mgmt" 5 | vms_flavor: "1C-1GB" 6 | ub_nic2_name: "ens4" 7 | ssh-key-name: default 8 | north_net_name: "untrusted" 9 | south_net_name: "trusted" 10 | south2_net_name: "services" 11 | -------------------------------------------------------------------------------- /fortimanager/ovh-env.yaml: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-minipoc.yaml -e citycloud-env.yaml mini-poc 2 | parameters: 3 | fmgimage: "FMG642" 4 | mgmt_net: "mgmt" 5 | vms_flavor: "s1-8" 6 | volume_size: 80 7 | volume_type_name: classic 8 | fortimanager_ip: "192.168.1.40" 9 | mgt_net_mask: "255.255.255.0" 10 | mgt_net_gateway: "192.168.1.1" 11 | mgt_net_mtu: 9000 12 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/config.yaml: -------------------------------------------------------------------------------- 1 | options: 2 | hostname: 3 | type: string 4 | default: "" 5 | description: "Hostname or IP of the fortimail" 6 | user: 7 | type: string 8 | default: admin 9 | description: "Username for fortimail admin" 10 | password: 11 | type: string 12 | default: "" 13 | description: "Password for fortimail admin" 14 | -------------------------------------------------------------------------------- /sdwan-secure/templates/sdwan-rules.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: ADD 5 | data: 6 | name: "{{DEVICE_GROUP_NAME}}" 7 | desc: "{{DEVICE_GROUP_DESCRIPTION}}" 8 | os_type: "fos" 9 | type: "normal" 10 | 
recoverable_code: 11 | nonrecoverable_code: 12 | response_translation: "response1" 13 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/sdwan-rules.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: ADD 5 | data: 6 | name: "{{DEVICE_GROUP_NAME}}" 7 | desc: "{{DEVICE_GROUP_DESCRIPTION}}" 8 | os_type: "fos" 9 | type: "normal" 10 | recoverable_code: 11 | nonrecoverable_code: 12 | response_translation: "response1" 13 | -------------------------------------------------------------------------------- /sdwan-secure/clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -x 2 | 3 | #Tearing down 4 | [ -z "$1" ] && myblueprint="sdwan-secure" || myblueprint=$1 5 | #openstack router unset dc-router --route destination=10.20.20.0/24,gateway=10.40.40.254 6 | cfy executions start uninstall -d $myblueprint --force -p ignore_failure=true 7 | sleep 2 8 | cfy deployments delete $myblueprint 9 | sleep 2 10 | cfy blueprint delete $myblueprint 11 | 12 | -------------------------------------------------------------------------------- /sdwan-secure/templates/create-group-template.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: ADD 5 | data: 6 | name: "{{DEVICE_GROUP_NAME}}" 7 | desc: "{{DEVICE_GROUP_DESCRIPTION}}" 8 | os_type: "fos" 9 | type: "normal" 10 | recoverable_code: 11 | nonrecoverable_code: 12 | response_translation: "response1" 13 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/metadata.yaml: -------------------------------------------------------------------------------- 1 | name: fortios 2 | maintainers: 3 | - Nicolas 
Thomas 4 | summary: Configuration proxy for fortios fortigate products 5 | series: 6 | - xenial 7 | - trusty 8 | description: | 9 | Proxy charm to configure through actions fortigate products 10 | fortios or fortigate, others might be added 11 | tags: 12 | - network 13 | - security 14 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/create-group-template.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | # first call 3 | - path: /dvmdb/adom/root/group/{{DEVICE_GROUP_NAME}} 4 | method: ADD 5 | data: 6 | name: "{{DEVICE_GROUP_NAME}}" 7 | desc: "{{DEVICE_GROUP_DESCRIPTION}}" 8 | os_type: "fos" 9 | type: "normal" 10 | recoverable_code: 11 | nonrecoverable_code: 12 | response_translation: "response1" 13 | -------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/serviceaccount.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.serviceAccount.create -}} 2 | apiVersion: v1 3 | kind: ServiceAccount 4 | metadata: 5 | name: {{ include "fortiweb.serviceAccountName" . }} 6 | labels: 7 | {{- include "fortiweb.labels" . | nindent 4 }} 8 | {{- with .Values.serviceAccount.annotations }} 9 | annotations: 10 | {{- toYaml . 
| nindent 4 }} 11 | {{- end }} 12 | {{- end -}} 13 | -------------------------------------------------------------------------------- /fortiweb/fweb-cloudinit.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -ex 2 | # /data/config should be mounted 3 | # if TARGET_IP is set then add default rules 4 | # may think of generic rules with base64 5 | mkdir -p /data/config 6 | cp /templates/sys_* /data/config/ 7 | [ "$TARGET_IP" == "none" ] || ( envsubst < templates/defaut-conf.tmpl >> /data/config/sys_domain.root.conf ) 8 | cat /data/config/sys_domain.root.conf 9 | gzip /data/config/sys_domain.root.conf -------------------------------------------------------------------------------- /sdwan-secure/templates/template.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | - path: /cli/global/system/admin/setting 3 | method: GET 4 | data: 5 | recoverable_code: ['access-banner', 0] 6 | nonrecoverable_code: ['access-banner', 1] 7 | response_translation: 8 | 9 | - path: /cli/global/system/admin/profile 10 | method: GET 11 | data: 12 | recoverable_codes: [] 13 | nonrecoverable_codes: [] 14 | response_translation: 15 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "sdwan-secure/plugins/cloudify-fortimanager-plugin"] 2 | path = sdwan-secure/plugins/cloudify-fortimanager-plugin 3 | url = https://github.com/fortinet-solutions-cse/cloudify-fortimanager-plugin.git 4 | [submodule "cloudify/fos-lifecycle/plugins/cloudify-fortimanager-plugin"] 5 | path = cloudify/fos-lifecycle/plugins/cloudify-fortimanager-plugin 6 | url = https://github.com/fortinet-solutions-cse/cloudify-fortimanager-plugin.git 7 | -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/template.yaml: 
-------------------------------------------------------------------------------- 1 | api_calls: 2 | - path: /cli/global/system/admin/setting 3 | method: GET 4 | data: 5 | recoverable_code: ['access-banner', 0] 6 | nonrecoverable_code: ['access-banner', 1] 7 | response_translation: 8 | 9 | - path: /cli/global/system/admin/profile 10 | method: GET 11 | data: 12 | recoverable_codes: [] 13 | nonrecoverable_codes: [] 14 | response_translation: 15 | -------------------------------------------------------------------------------- /fortiweb/Dockerfile: -------------------------------------------------------------------------------- 1 | # Dockerfile for ingesting config to FWEB Docker 2 | FROM alpine 3 | LABEL maintainer="Nicolas Thomas " provider="Fortinet" 4 | #Update the az software repository inside the dockerfile with the 'RUN' command. 5 | RUN apk add gettext gzip bash && mkdir -p templates 6 | ENV TARGET_IP none 7 | COPY defaut-conf.tmpl sys_domain.root.conf sys_global.conf.gz templates/ 8 | COPY fweb-cloudinit.sh / 9 | CMD ["fweb-cloudinit.sh"] 10 | -------------------------------------------------------------------------------- /Azure/EICAR.Dockerfile: -------------------------------------------------------------------------------- 1 | # Dockerfile including EICAR test file to demo antivirus 2 | # docker build -t fortinetsolutioncse/ubuntu-eicar -f EICAR.Dockerfile . 3 | FROM ubuntu:18.04 4 | LABEL maintainer="Nicolas Thomas " provider="Fortinet" 5 | #check http://2016.eicar.org/86-0-Intended-use.html 6 | RUN (echo 'X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*' > /usr/local/bin/eicar) 7 | RUN chmod 755 /usr/local/bin/eicar 8 | CMD ["/bin/bash"] 9 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/README: -------------------------------------------------------------------------------- 1 | # Overview 2 | 3 | This charm will configure a domain in FortiMail. 
Other operations will come later 4 | 5 | # Usage 6 | 7 | juju deploy fortimail 8 | 9 | ## Known Limitations and Issues 10 | 11 | # Configuration 12 | 13 | # Contact Information 14 | 15 | Miguel Angel Muñoz González 16 | 17 | ## Upstream Project Name 18 | 19 | https://github.com/fortinet-solutions-cse/40ansible 20 | 21 | -------------------------------------------------------------------------------- /fortiweb/fortiweb/.helmignore: -------------------------------------------------------------------------------- 1 | # Patterns to ignore when building packages. 2 | # This supports shell glob matching, relative path matching, and 3 | # negation (prefixed with !). Only one pattern per line. 4 | .DS_Store 5 | # Common VCS dirs 6 | .git/ 7 | .gitignore 8 | .bzr/ 9 | .bzrignore 10 | .hg/ 11 | .hgignore 12 | .svn/ 13 | # Common backup files 14 | *.swp 15 | *.bak 16 | *.tmp 17 | *.orig 18 | *~ 19 | # Various IDEs 20 | .project 21 | .idea/ 22 | *.tmproj 23 | .vscode/ 24 | -------------------------------------------------------------------------------- /sdwan-secure/Lessons.md: -------------------------------------------------------------------------------- 1 | ## Tried cvlc upload to antmedia 2 | 3 | For demos might want to broadcast a file with vlc: 4 | cvlc -vvv FILE016.MP4 --sout '#transcode{vcodec=h264,scale=Auto,width=1280,height=720,acodec=mp3,ab=128,channels=2,samplerate=44100}:std{access=rtmp,mux=ffmpeg{mux=flv},dst=rtmp://a.rtmp.youtube.com/live2/stream-name}' 5 | src: https://stackoverflow.com/questions/40428837/broadcasting-to-youtube-live-via-rtmp-using-vlc-from-terminal 6 | 7 | But does not work. 
8 | 9 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/config.yaml: -------------------------------------------------------------------------------- 1 | options: 2 | hostname: 3 | default: "" 4 | type: string 5 | description: Hostname or IP of the fortios or fortigate to connect to 6 | user: 7 | type: string 8 | default: admin 9 | description: Username for fortios 10 | password: 11 | type: string 12 | default: "" 13 | description: Password for fortios 14 | vdom: 15 | type: string 16 | default: root 17 | description: VDOM to use, if different from root 18 | -------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/tests/test-connection.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Pod 3 | metadata: 4 | name: "{{ include "fortiweb.fullname" . }}-test-connection" 5 | labels: 6 | {{- include "fortiweb.labels" . | nindent 4 }} 7 | annotations: 8 | "helm.sh/hook": test-success 9 | spec: 10 | containers: 11 | - name: wget 12 | image: busybox 13 | command: ['wget'] 14 | args: ['{{ include "fortiweb.fullname" . }}:{{ .Values.service.port }}'] 15 | restartPolicy: Never 16 | -------------------------------------------------------------------------------- /fortigate/ha/README.md: -------------------------------------------------------------------------------- 1 | # HA examples. 2 | 3 | You must create/update your env files. 4 | 5 | 6 | # Network and testers 7 | 8 | The file [[ heat-nets-ubuntu.yaml ]] is a template to deploy 3 networks (in addition to mgmt) and 2 VMs connected to 2 different ones, to have a test environment. 
9 | 10 | 11 | openstack stack create --template heat-nets-ubuntu.yaml networks -e citycloud-nets.env 12 | 13 | 14 | # FGCP example 15 | 16 | openstack stack create --template heat-fgt-fgcp.yaml fgcp -e citycloud-fgcp.env 17 | 18 | -------------------------------------------------------------------------------- /docs/MANO/OSM.md: -------------------------------------------------------------------------------- 1 | # OSM Rel5 installation /usage 2 | 3 | Source your openstack credentials files. 4 | On fortistacks it is in ~/nova.rc 5 | Then run 6 | ```bash 7 | ./osm-on-openstackvm 8 | ``` 9 | 10 | login admin/fortinet 11 | 12 | # Then it is work in progress 13 | 14 | # OSM Release 2 version code 15 | cd apache_vnf_src ; make 16 | cd fortigate_vnfd_src; make 17 | 18 | You will create vnfd.tar.gz package you can upload in rift.io 19 | Then upload: FortigateApache_nsd.yaml 20 | 21 | # More on http://osm.etsi.org 22 | 23 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/scripts/config: -------------------------------------------------------------------------------- 1 | config system interface 2 | edit "port1" 3 | set ip 192.168.122.50/24 4 | set allowaccess ping ssh snmp http https telnet 5 | next 6 | end 7 | 8 | config system global 9 | set rest-api enable 10 | end 11 | 12 | config system global 13 | set pki-mode enable 14 | end 15 | 16 | config system route 17 | edit 1 18 | set gateway 192.168.122.1 19 | next 20 | end 21 | 22 | config system dns 23 | set primary 8.8.8.8 24 | set secondary 8.8.4.4 25 | end 26 | 27 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/actions/apiset: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | from charms.reactive import set_state 7 | from charmhelpers.core.hookenv 
import action_fail 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.apiset') 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) 19 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/actions/sshcmd: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | from charms.reactive import set_state 7 | from charmhelpers.core.hookenv import action_fail 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.sshcmd') 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) 19 | -------------------------------------------------------------------------------- /openbaton/deploy.sh: -------------------------------------------------------------------------------- 1 | 2 | #!/usr/bin/env bash 3 | ## install docker 4 | #apt install docker.io 5 | #sudo adduser $USER docker 6 | #reboot 7 | # ref is https://openbaton.github.io/documentation/nfvo-installation-docker/ 8 | 9 | #Start raabitmq 10 | docker run -d --hostname my-rabbit --name some-rabbit rabbitmq:3 11 | docker pull openbaton/standalone 12 | #switch to 8445 (conflict with lxd) 13 | docker run --name openbaton -d -h openbaton-rabbitmq -p 8080:8080 -p 5672:5672 -p 15672:15672 -p 8445:8443 -e RABBITMQ_BROKERIP=10.10.10.1 openbaton/standalone 14 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/actions/confport: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env 
python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | from charms.reactive import set_state 7 | from charmhelpers.core.hookenv import action_fail 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.conf-port') 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) 19 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/README.md: -------------------------------------------------------------------------------- 1 | # FortiGate monitor Plugin 2 | 3 | Plugin to monitor multiple FortiGates and push the collected 4 | info directly to the MQ instead of relying on Diamond. 5 | 6 | Inspired by the Diamond plugin. 7 | 8 | Designed to run on a VM separate from the Manager. 9 | 10 | Could use python-service and inotify to re-read the config. 11 | Should use a config.d/ directory so that removals are handled. 12 | 13 | Could output the same type of metrics as Diamond to a file, or install Diamond here. 
14 | 15 | The cloudify handler is diamond to mq -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/types/openstack-fortigate-types.yaml: -------------------------------------------------------------------------------- 1 | node_types: 2 | 3 | FortiosSecurityGroup: 4 | derived_from: cloudify.openstack.nodes.SecurityGroup 5 | security_group: 6 | default: 7 | name: fortios_security_group 8 | description: Allows http/https communication for API 9 | rules: 10 | default: 11 | - remote_ip_prefix: 0.0.0.0/0 12 | port: 443 13 | protocol: tcp 14 | - remote_ip_prefix: 0.0.0.0/0 15 | port: 80 16 | protocol: tcp 17 | -------------------------------------------------------------------------------- /Azure/cis-bench.md: -------------------------------------------------------------------------------- 1 | # Run cis bench 2 | 3 | On every node: 4 | ```shell script 5 | 6 | 7 | 8 | 9 | 10 | 11 | curl https://omnitruck.chef.io/install.sh | sudo bash -s -- -P inspec 12 | for bench in dil docker kubernetes 13 | do 14 | inspec exec https://github.com/dev-sec/cis-${bench}-benchmark.git --chef-license=accept-silent --reporter json:output/${bench}-`uname -n`.json 15 | done 16 | ``` 17 | 18 | Collect output json files. 
19 | Then: 20 | # visual 21 | https://github.com/presidenten/dev-sec-cis-benchmarks 22 | 23 | 24 | All in one from vmware https://sonobuoy.io/ -------------------------------------------------------------------------------- /docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # entrypoint runs at every start, allow to ingest CA as a Docker ENV variable or not (generic images) 3 | # ingest the trusted CA certificate from FGTCA environment variable which must be base64 version of the file 'base64 -w0' 4 | [ "$FGTCA" == "none" ] || (echo "$FGTCA"| base64 -d | sudo tee /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt > /dev/null; sudo update-ca-certificates) 5 | # force PIP to use the system wide trusted CA 6 | [ "$FGTCA" == "none" ] || (echo "export PIP_CERT=/etc/ssl/certs/" | sudo tee /etc/profile > /dev/null) 7 | exec $@ -------------------------------------------------------------------------------- /fortigate/README-HA.md: -------------------------------------------------------------------------------- 1 | # Fortigate / Fortios on Openstack 2 | 3 | The official documentation for Fortigate fortios is available here: 4 | https://docs.fortinet.com/d/fortigate-fortios-vm-openstack-cookbook 5 | 6 | 7 | # Create key 8 | ssh-keygen -t ecdsa -b 521 -N "" -C "key for guestcse" -f guestcse 9 | openstack keypair create --public-key guestcse.pub guestcse 10 | 11 | # change envrionment file 12 | 13 | openstack stack create --template heat-ha-poc.yaml -e citycloud-env-ha.yaml ha-poc 14 | ### Following 15 | openstack stack event list ha-poc --follow 16 | 17 | ## -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/actions/create-domain: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | 
from charms.reactive import set_state 7 | from charmhelpers.core.hookenv import action_fail, action_name 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.{}'.format(action_name())) 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/actions/delete-domain: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | from charms.reactive import set_state 7 | from charmhelpers.core.hookenv import action_fail, action_name 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.{}'.format(action_name())) 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) -------------------------------------------------------------------------------- /sdwan-secure/templates/remove-fortigate.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | 3 | # first call 4 | - path: /dvmdb/device/ 5 | method: GET 6 | recoverable_code: 7 | nonrecoverable_code: 8 | response_translation: "response1" 9 | 10 | # second call 11 | - path: /dvm/cmd/del/device 12 | method: EXECUTE 13 | data: 14 | adom: root 15 | flags: [ "create_task", "nonblocking" ] 16 | device: "{{fgt_name}}" 17 | ### not enough: the device id still has to be obtained from somewhere. 
18 | recoverable_code: 19 | nonrecoverable_code: 20 | response_translation: "response2" 21 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/actions/get-administrative-resource: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python3 2 | import sys 3 | sys.path.append('lib') 4 | 5 | from charms.reactive import main 6 | from charms.reactive import set_state 7 | from charmhelpers.core.hookenv import action_fail, action_name 8 | 9 | """ 10 | `set_state` only works here because it's flushed to disk inside the `main()` 11 | loop. remove_state will need to be called inside the action method. 12 | """ 13 | set_state('actions.{}'.format(action_name())) 14 | 15 | try: 16 | main() 17 | except Exception as e: 18 | action_fail(repr(e)) -------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/remove-fortigate.yaml: -------------------------------------------------------------------------------- 1 | api_calls: 2 | 3 | # first call 4 | - path: /dvmdb/device/ 5 | method: GET 6 | recoverable_code: 7 | nonrecoverable_code: 8 | response_translation: "response1" 9 | 10 | # second call 11 | - path: /dvm/cmd/del/device 12 | method: EXECUTE 13 | data: 14 | adom: root 15 | flags: [ "create_task", "nonblocking" ] 16 | device: "{{fgt_name}}" 17 | ### not enough: the device id still has to be obtained from somewhere. 
18 | recoverable_code: 19 | nonrecoverable_code: 20 | response_translation: "response2" 21 | -------------------------------------------------------------------------------- /fortigate/apache_userdata_citycloud.txt: -------------------------------------------------------------------------------- 1 | #cloud-config for citycloud using new schema ens 2 | chpasswd: 3 | list: | 4 | ubuntu:fortinet 5 | expire: False 6 | write_files: 7 | - content: | 8 | # Enable dhcp on ens4 some use the new schema 9 | auto ens4 10 | iface ens4 inet dhcp 11 | path: /etc/network/interfaces.d/51-ens4.cfg 12 | package_upgrade: true 13 | packages: 14 | - apache2-utils 15 | - apache2 16 | - tcpdump 17 | - iperf3 18 | power_state: 19 | delay: "now" 20 | mode: reboot 21 | message: Rebooting to ensure network conf 22 | timeout: 10 23 | condition: True 24 | -------------------------------------------------------------------------------- /fortigate/apache_userdata.txt: -------------------------------------------------------------------------------- 1 | #cloud-config for local openstack with Ubuntu using eth scheme 2 | chpasswd: 3 | list: | 4 | ubuntu:fortinet 5 | expire: False 6 | write_files: 7 | - content: | 8 | # Enable dhcp on eth1 some use the new schema 9 | auto eth1 10 | iface eth1 inet dhcp 11 | path: /etc/network/interfaces.d/51-eth1.cfg 12 | package_upgrade: true 13 | packages: 14 | - apache2-utils 15 | - apache2 16 | - tcpdump 17 | - iperf3 18 | power_state: 19 | delay: "now" 20 | mode: reboot 21 | message: Rebooting to ensure network conf 22 | timeout: 10 23 | condition: True 24 | -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/cloud_init/desktop_init.cfg: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | package_upgrade: true 3 | packages: 4 | - xfce4 5 | chpasswd: 6 | list: | 7 | ubuntu:fortinet 8 | expire: False 9 | 
-------------------------------------------------------------------------------- /osm/fortios_vnfd_src/cloud_init/fgt-mtu1456-10.10.txt: -------------------------------------------------------------------------------- 1 | #cloud-config 2 | config system interface 3 | edit "port1" 4 | set mode dhcp 5 | set allowaccess ping https ssh http snmp fgfm 6 | set mtu-override enable 7 | set mtu 1456 8 | next 9 | edit "port2" 10 | set mode dhcp 11 | set allowaccess ping 12 | set mtu-override enable 13 | set mtu 1456 14 | next 15 | end 16 | 17 | config router static 18 | edit 1 19 | set gateway 192.168.16.1 20 | set device "port1" 21 | next 22 | end 23 | 24 | config system dns 25 | set primary 10.10.10.1 26 | unset secondary 27 | end 28 | config sys global 29 | set hostname fgt 30 | end 31 | -------------------------------------------------------------------------------- /Azure/docker-entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # entrypoint runs at every start, allow to ingest CA as a Docker ENV variable or not (generic images) 3 | # ingest the trusted CA certificate from FGTCA environment variable which must be base64 version of the file 'base64 -w0' 4 | [ "$FGTCA" == "none" ] || (echo "$FGTCA"| base64 -d | sudo tee /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt > /dev/null) 5 | # do a forced refresh of all CA to help in case of mounting the local share from volume 6 | sudo update-ca-certificates --fresh 7 | # force PIP to use the system wide trusted CA 8 | [ "$FGTCA" == "none" ] || (echo "export PIP_CERT=/etc/ssl/certs/" | sudo tee /etc/profile > /dev/null) 9 | exec $@ -------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/service.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: {{ include "fortiweb.fullname" . 
}} 5 | labels: 6 | {{- include "fortiweb.labels" . | nindent 4 }} 7 | spec: 8 | type: {{ .Values.service.type }} 9 | ports: 10 | - port: {{ .Values.service.port }} 11 | targetPort: http 12 | protocol: TCP 13 | name: http 14 | - port: {{ .Values.service.portssl }} 15 | targetPort: https 16 | protocol: TCP 17 | name: https 18 | - port: {{ .Values.service.gui }} 19 | targetPort: gui 20 | protocol: TCP 21 | name: gui 22 | selector: 23 | {{- include "fortiweb.selectorLabels" . | nindent 4 }} 24 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/setup.py: -------------------------------------------------------------------------------- 1 | from setuptools import setup 2 | 3 | setup( 4 | name='fortigate-monitor', 5 | version='0.1', 6 | author='Fortinet', 7 | author_email='nthomas@fortinet.com', 8 | description='Cloudify Fortigates monitoring plugin using mq diretly', 9 | packages=['fortigate_monit', 'cloudify_handler'], 10 | package_data={ 11 | 'fortigate_monit': ['resources/fgtmonit.py'] 12 | }, 13 | license='LICENSE', 14 | install_requires=['cloudify-plugins-common>=4.0', 15 | 'ConfigObj==5.0.6', 16 | 'psutil==2.1.1', 17 | 'fortiosapi', 18 | 'service'], 19 | ) 20 | -------------------------------------------------------------------------------- /cloudify/fortigate-mini-poc/inputs.yaml: -------------------------------------------------------------------------------- 1 | fos_image: 'fgt54' 2 | fos_flavor: 'm1.small' 3 | ub_image: 'Trusty x86_64' 4 | ub_flavor: 'm1.small' 5 | mgmt_network_name: "mgmt" 6 | key_name: 'default' 7 | fortimanagerip: '10.210.8.25' 8 | fortigate_license: ''' -----BEGIN FGT VM LICENSE----- 9 | XXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXXXXxxxXXxxxxXXXXX 10 | XXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXXXXxxxXXxxxxXXXXX 11 | XXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXxxxxXXXXXXXXxxxXXXXXxxxXXxxxxX 12 | -----END FGT VM 
LICENSE----- ''' 13 | #keystone_password: 'fortinet' 14 | #keystone_tenant_name: 'admin' 15 | #keystone_url: 'http://10.10.10.26:5000/v2.0/' 16 | #keystone_username: 'admin' 17 | #region: 'RegionOne' 18 | -------------------------------------------------------------------------------- /openstack/jumphost_userdata.txt: -------------------------------------------------------------------------------- 1 | #cloud-config for citycloud using new schema ens 2 | chpasswd: 3 | list: | 4 | ubuntu:fortinet 5 | expire: False 6 | write_files: 7 | - content: | 8 | # Config ens4 (mgmt) 9 | network: 10 | version: 2 11 | renderer: networkd 12 | ethernets: 13 | ens4: 14 | dhcp4: true 15 | dhcp4-overrides: 16 | use-routes: false 17 | path: /etc/netplan/60-ens4.yaml 18 | package_upgrade: true 19 | packages: 20 | - zile 21 | - git 22 | - byobu 23 | power_state: 24 | delay: "now" 25 | mode: reboot 26 | message: Rebooting to ensure network conf 27 | timeout: 10 28 | condition: True 29 | -------------------------------------------------------------------------------- /cloudify/fortios-mini-poc/test-cheatsheet.txt: -------------------------------------------------------------------------------- 1 | #RAW list of usefull commands while debugging 2 | 3 | #all in one 4 | cfy install blueprint.yaml -i inputs-citycloud.yaml 5 | 6 | 7 | cfy upload blueprint blueprint.yaml 8 | cfy deployment create -b fortios-mini-poc -i inputs-citycloud.yaml 9 | cfy deployments update fortios-mini-poc -p blueprint.yaml -i inputs-citycloud.yaml 10 | #Then install works too. 
11 | cfy executions start install -d fortios-mini-poc 12 | 13 | #Tearing down 14 | cfy executions start uninstall -d fortios-mini-poc 15 | cfy executions start uninstall -d fortios-mini-poc --force -p ignore_failure=true 16 | cfy deployments delete fortios-mini-poc 17 | cfy deployments delete fortios-mini-poc force 18 | cfy blueprint delete fortios-mini-poc 19 | 20 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/fortigate_monit/__init__.py: -------------------------------------------------------------------------------- 1 | ######### 2 | # Copyright (c) 2014 GigaSpaces Technologies Ltd. All rights reserved 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # * See the License for the specific language governing permissions and 14 | # * limitations under the License. 15 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/fortigate_monit/cloudify_handler/__init__.py: -------------------------------------------------------------------------------- 1 | ######### 2 | # Copyright (c) 2014 GigaSpaces Technologies Ltd. All rights reserved 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 
6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # * See the License for the specific language governing permissions and 14 | # * limitations under the License. 15 | -------------------------------------------------------------------------------- /fortiweb/defaut-conf.tmpl: -------------------------------------------------------------------------------- 1 | 2 | config server-policy server-pool 3 | edit "K8S-default" 4 | set flag 1 5 | set server-pool-id 9504000004522990961 6 | config pserver-list 7 | edit 1 8 | set ip ${TARGET_IP} 9 | next 10 | end 11 | next 12 | end 13 | 14 | config server-policy vserver 15 | edit "K8S-default" 16 | config vip-list 17 | edit 1 18 | set interface port1 19 | next 20 | end 21 | next 22 | end 23 | 24 | config server-policy policy 25 | edit "K8S-default" 26 | set vserver K8S-default 27 | set service HTTP 28 | set web-protection-profile "Inline Standard Protection" 29 | set replacemsg Predefined 30 | set server-pool K8S-default 31 | config http-content-routing-list 32 | end 33 | next 34 | end 35 | -------------------------------------------------------------------------------- /fortiweb/fwb-nginx-service.json: -------------------------------------------------------------------------------- 1 | { 2 | "kind": "Service", 3 | "apiVersion": "v1", 4 | "metadata": { 5 | "name": "fwbnginx", 6 | "namespace": "default", 7 | "labels": { 8 | "app": "fwbnginx" 9 | } 10 | }, 11 | "spec": { 12 | "ports": [ 13 | { 14 | "name": "80-80", 15 | "protocol": "TCP", 16 | "port": 80, 17 | "targetPort": 80, 18 | "nodePort": 31489 19 | }, 20 | { 21 | "name": "43-43", 22 | "protocol": "TCP", 23 | "port": 43, 24 | "targetPort": 43, 25 | "nodePort": 31490 26 | } 27 | ], 28 | 
"selector": { 29 | "app": "fwbnginx" 30 | }, 31 | "type": "NodePort", 32 | "sessionAffinity": "None", 33 | "externalTrafficPolicy": "Cluster" 34 | } 35 | } -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/cloud_init/userdata.txt: -------------------------------------------------------------------------------- 1 | #FOS VM Config File >5.6.3 2 | config sys global 3 | set hostname fos-vm 4 | end 5 | config system interface 6 | edit port1 7 | set mode dhcp 8 | next 9 | edit port2 10 | set mode dhcp 11 | next 12 | end 13 | config system dns 14 | set primary 8.8.8.8 15 | end 16 | config firewall policy 17 | edit 1 18 | set name "Allow any any" 19 | set srcintf "any" 20 | set dstintf "any" 21 | set srcaddr "all" 22 | set dstaddr "all" 23 | set action accept 24 | set schedule "always" 25 | set service "ALL" 26 | set nat enable 27 | next 28 | end 29 | config system central-management 30 | set include-default-servers disable 31 | set type fortimanager 32 | set fmg 10.210.10.25 33 | config server-list 34 | edit 1 35 | set server-type update rating 36 | set server-address 10.210.10.25 37 | end 38 | end 39 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/metadata.yaml: -------------------------------------------------------------------------------- 1 | name: fortimail 2 | summary: Secure Email Gateway and Server with security features from Fortinet 3 | maintainer: Miguel Angel Munoz 4 | description: | 5 | FortiMail is a top-rated secure email gateway that 6 | stops volume-based and targeted cyber threats to 7 | help secure the dynamic enterprise attack surface, 8 | prevents the loss of sensitive data and helps maintain 9 | compliance with regulations. 
High performance 10 | physical and virtual appliances deploy on-site or in 11 | the public cloud to serve any size organization — 12 | from small businesses to carriers, service providers, 13 | and large enterprises. 14 | tags: 15 | - network 16 | - security 17 | - web_server 18 | series: 19 | - trusty 20 | - xenial 21 | 22 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/actions.yaml: -------------------------------------------------------------------------------- 1 | create-domain: 2 | description: Creates a new domain 3 | params: 4 | domain: 5 | type: string 6 | description: Name of the domain 7 | fallbackhost: 8 | type: string 9 | description: Secondary host for the domain 10 | port: 11 | type: int 12 | description: Port for incoming requests 13 | required: [domain] 14 | delete-domain: 15 | description: Removes a domain 16 | params: 17 | domain: 18 | type: string 19 | description: Name of the domain 20 | required: [domain] 21 | get-administrative-resource: 22 | description: Gets information about indicated administrative resource 23 | params: 24 | resource: 25 | type: string 26 | description: Indicator of the resource to be fetched. 27 | required: [resource] 28 | -------------------------------------------------------------------------------- /sdwan-secure/test-cheatsheet.txt: -------------------------------------------------------------------------------- 1 | #RAW list of usefull commands while debugging 2 | 3 | cfy secret create fgt_license -f ../../fortigate/FGT.lic 4 | 5 | 6 | #all in one 7 | cfy install blueprint.yaml -i inputs-citycloud.yaml 8 | 9 | 10 | cfy upload blueprint blueprint.yaml 11 | cfy deployment create -b cloudify-ftnt-sdwan -i inputs-citycloud.yaml 12 | cfy deployments update cloudify-ftnt-sdwan -p blueprint.yaml -i inputs-citycloud.yaml 13 | 14 | 15 | 16 | #Then install works too. 
17 | cfy executions start install -d cloudify-ftnt-sdwan 18 | 19 | #Tearing down 20 | cfy executions start uninstall -d cloudify-ftnt-sdwan 21 | cfy executions start uninstall -d cloudify-ftnt-sdwan --force -p ignore_failure=true 22 | cfy deployments delete cloudify-ftnt-sdwan 23 | cfy deployments delete cloudify-ftnt-sdwan force 24 | cfy blueprint delete cloudify-ftnt-sdwan 25 | 26 | -------------------------------------------------------------------------------- /cloudify/fortigate-mini-poc/test-cheatsheet.txt: -------------------------------------------------------------------------------- 1 | #RAW list of usefull commands while debugging 2 | 3 | cfy secret create fgt_license -f ../../fortigate/FGT.lic 4 | 5 | 6 | #all in one 7 | cfy install blueprint.yaml -i inputs-citycloud.yaml 8 | 9 | 10 | cfy upload blueprint blueprint.yaml 11 | cfy deployment create -b fortigate-mini-poc -i inputs-citycloud.yaml 12 | cfy deployments update fortigate-mini-poc -p blueprint.yaml -i inputs-citycloud.yaml 13 | 14 | 15 | 16 | #Then install works too. 
17 | cfy executions start install -d fortigate-mini-poc 18 | 19 | #Tearing down 20 | cfy executions start uninstall -d fortigate-mini-poc 21 | cfy executions start uninstall -d fortigate-mini-poc --force -p ignore_failure=true 22 | cfy deployments delete fortigate-mini-poc 23 | cfy deployments delete fortigate-mini-poc force 24 | cfy blueprint delete fortigate-mini-poc 25 | 26 | -------------------------------------------------------------------------------- /fortigate/config.txt: -------------------------------------------------------------------------------- 1 | #Fortigate VM Config File # NOTE(review): lab defaults. The admin password is fixed in this file, port1 (DHCP, default gateway) allows https/ssh/http/snmp/fgfm administrative access and policy 1 accepts any-to-any with NAT; tighten all three before this VM is reachable from outside the lab. 2 | config system admin 3 | edit "admin" 4 | set password fortinet 5 | end 6 | config system interface 7 | edit port1 8 | set mode dhcp 9 | set allowaccess ping https ssh http snmp fgfm 10 | set defaultgw enable 11 | next 12 | edit port2 13 | set mode dhcp 14 | set allowaccess ping 15 | set defaultgw disable 16 | next 17 | edit port3 18 | set mode dhcp 19 | set allowaccess ping 20 | set defaultgw disable 21 | next 22 | end 23 | 24 | config system dns 25 | set primary 8.8.8.8 26 | end 27 | 28 | config firewall policy 29 | edit 1 30 | set name "Allow any any" 31 | set srcintf "any" 32 | set dstintf "any" 33 | set srcaddr "all" 34 | set dstaddr "all" 35 | set action accept 36 | set schedule "always" 37 | set service "ALL" 38 | set nat enable 39 | next 40 | end 41 | -------------------------------------------------------------------------------- /osm/debconf.sh: -------------------------------------------------------------------------------- 1 | LC_ALL=C 2 | debconf-set-selections <<< "lxd lxd/bridge-empty-error boolean true" 3 | debconf-set-selections <<< "lxd lxd/bridge-name string lxdbr0" 4 | debconf-set-selections <<< "lxd lxd/bridge-ipv6 string false" 5 | debconf-set-selections <<< "lxd lxd/bridge-ipv4 string true" 6 | debconf-set-selections <<< "lxd lxd/bridge-ipv4-nat string true" 7 | debconf-set-selections <<< "lxd lxd/bridge-ipv4-dhcp-first string 10.10.10.10" 8 | 
debconf-set-selections <<< "lxd lxd/bridge-ipv4-address string 10.10.10.1" 9 | debconf-set-selections <<< "lxd lxd/bridge-ipv4-dhcp-last string 10.10.11.253" 10 | debconf-set-selections <<< "lxd lxd/bridge-ipv4-netmask string 23" 11 | debconf-set-selections <<< "lxd lxd/setup-bridge string true" 12 | debconf-set-selections <<< "lxd lxd/bridge-ipv4-dhcp-leases string 510" 13 | debconf-set-selections <<< "lxd lxd/update-profile string false" 14 | -------------------------------------------------------------------------------- /docs/MANO/Openstack-Heat.md: -------------------------------------------------------------------------------- 1 | # Openstack Heat 2 | 3 | Deploy the mini-poc scenario only using heat template. Read the yaml for details. 4 | 5 | # Deploy 6 | cli deploy 7 | ``` 8 | $ openstack stack create --template heat-minipoc.yaml mini-poc 9 | ``` 10 | on citycloud or with specific inputs file adapted to your NFVi provider 11 | ``` 12 | openstack stack create --template heat-minipoc.yaml mini-poc -e citycloud-env.yaml 13 | ``` 14 | 15 | The heat template is self contained you can also deploy using the heat gui. 16 | 17 | # Floating ips 18 | 19 | There is no floating ip usage by default to make the example more generic. 20 | On public openstack you can apply [floating.patch]() with ```patch < .patch``` 21 | ##follow 22 | to follow execution: 23 | ```openstack stack event list mini-poc --follow 24 | ``` 25 | To see the resutls IPs 26 | ```openstack stack show mini-poc -c outputs``` -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/README.md: -------------------------------------------------------------------------------- 1 | # cloudify-diamond-fortiget-extension 2 | An extension to the diamond plugin that adds support for Fortigate monitoring. 3 | 4 | ## Usage 5 | 6 | Fortigate does not allow agent installation (we are the firewall not an app). 
7 | So plugin must run on manager and use the fortinet API. 8 | 9 | Inspired by [Diamond SNMP Integration](http://getcloudify.org/guide/3.2/reference-diamond-snmp-integration.html) 10 | 11 | 12 | Work in progress does not work yet (diamond installation issue) 13 | ## Ref documentation for development 14 | [Create your plugin](http://docs.getcloudify.org/4.2.0/plugins/creating-your-own-plugin/) 15 | 16 | [plugin specs](http://docs.getcloudify.org/4.2.0/blueprints/spec-plugins/) 17 | 18 | [Using plugin](http://docs.getcloudify.org/4.2.0/plugins/using-plugins/) 19 | 20 | Goal is to create an automated transit : (http://cookbook.fortinet.com/fgsp-expert-56/) -------------------------------------------------------------------------------- /fortiweb/fortiweb/Chart.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v2 2 | name: fortiweb 3 | description: Helm chart for single fortiweb 4 | 5 | # A chart can be either an 'application' or a 'library' chart. 6 | # 7 | # Application charts are a collection of templates that can be packaged into versioned archives 8 | # to be deployed. 9 | # 10 | type: application 11 | 12 | # This is the chart version. This version number should be incremented each time you make changes 13 | # to the chart and its templates, including the app version. 14 | # Versions are expected to follow Semantic Versioning (https://semver.org/) 15 | version: 0.5.2 16 | 17 | # This is the version number of the application being deployed. This version number should be 18 | # incremented each time you make changes to the application. Versions are not expected to 19 | # follow Semantic Versioning. They should reflect the version the application is using. 
20 | appVersion: 6.3.7 21 | -------------------------------------------------------------------------------- /cloudify/cfy-lxc-mngr.template: -------------------------------------------------------------------------------- 1 | ############################# 2 | # Provider specific Inputs 3 | ############################# 4 | 5 | # The public IP of the manager to which the CLI will connect. 6 | public_ip: '$LXCmIP' 7 | 8 | # The manager's private IP address. This is the address which will be used by the 9 | # application hosts to connect to the Manager's fileserver and message broker. 10 | private_ip: '$LXCmIP' 11 | 12 | # SSH user used to connect to the manager 13 | ssh_user: 'root' 14 | 15 | # SSH key path used to connect to the manager 16 | ssh_key_filename: '$HOME/.ssh/id_rsa' 17 | # Manager admin credentials. The password below is the shared lab default used across this repo; override it for any deployment that is not throwaway. 18 | admin_username: 'admin' 19 | admin_password: 'fortinet' 20 | 21 | # These allow overriding specific validation values 22 | # NOTE: We do not recommend changing these values unless you know exactly 23 | # what you're doing. 
24 | minimum_required_total_physical_memory_in_mb: 750 25 | #minimum_required_available_disk_space_in_gb: 5 26 | -------------------------------------------------------------------------------- /Azure/AZ-Preview.txt: -------------------------------------------------------------------------------- 1 | 2 | # Reference :https://docs.microsoft.com/en-us/azure/aks/private-clusters 3 | # Install the aks-preview extension 4 | az extension add --name aks-preview 5 | 6 | az feature register --name AKSPrivateLinkPreview --namespace Microsoft.ContainerService 7 | # check it is 8 | az feature list -o tsv --query "[?contains(name, 'Microsoft.ContainerService/AKSPrivateLinkPreview')].{Name:name,State:properties.state}" 9 | 10 | #Then 11 | az provider register --namespace Microsoft.ContainerService 12 | az provider register --namespace Microsoft.Network 13 | az provider register --namespace Microsoft.Kubernetes 14 | 15 | # Check namespaces 16 | for ns in Microsoft.ContainerService Microsoft.Network Microsoft.Kubernetes 17 | do 18 | az provider show -n $ns -o tsv --query "{Name:namespace,State:registrationState}" 19 | done 20 | 21 | 22 | #all together 23 | https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/aks/use-network-policies.md -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/.gitignore: -------------------------------------------------------------------------------- 1 | # Byte-compiled / optimized / DLL files 2 | __pycache__/ 3 | *.py[cod] 4 | 5 | # C extensions 6 | *.so 7 | 8 | # Distribution / packaging 9 | .Python 10 | env/ 11 | bin/ 12 | build/ 13 | develop-eggs/ 14 | dist/ 15 | eggs/ 16 | lib/ 17 | lib64/ 18 | parts/ 19 | sdist/ 20 | var/ 21 | *.egg-info/ 22 | .installed.cfg 23 | *.egg 24 | 25 | # Installer logs 26 | pip-log.txt 27 | pip-delete-this-directory.txt 28 | 29 | # Unit test / coverage reports 30 | htmlcov/ 31 | .tox/ 32 | .coverage 33 | .cache 34 | 
nosetests.xml 35 | coverage.xml 36 | 37 | # Translations 38 | *.mo 39 | 40 | # Mr Developer 41 | .mr.developer.cfg 42 | .project 43 | .pydevproject 44 | 45 | # Rope 46 | .ropeproject 47 | 48 | # Django stuff: 49 | *.log 50 | *.pot 51 | 52 | # Sphinx documentation 53 | docs/_build/ 54 | 55 | *.iml 56 | 57 | *COMMIT_MSG 58 | 59 | # QuickBuild 60 | .qbcache/ 61 | 62 | # InteliJ 63 | .idea/ 64 | .noseids 65 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/test-cheatsheet.txt: -------------------------------------------------------------------------------- 1 | #RAW list of usefull commands while debugging 2 | 3 | #all in one 4 | cfy install blueprint.yaml -i inputs-citycloud.yaml 5 | 6 | 7 | cfy blueprint upload blueprint.yaml 8 | cfy deployment create -b fortigate-monitored -i inputs-citycloud.yaml 9 | cfy deployments update fortigate-monitored -p blueprint.yaml -i inputs-citycloud.yaml 10 | #Then install works too. 11 | 12 | cfy executions start install -d fortigate-monitored 13 | 14 | 15 | cfy deployment create -b fortigate-monitored -i inputs-citycloud.yaml --skip-plugins-validation 16 | cfy executions start install -d fortigate-monitored --skip-plugins-validation 17 | #Tearing down 18 | cfy executions start uninstall -d fortigate-monitored 19 | 20 | cfy executions start uninstall -d fortigate-monitored -p ignore_failure=true 21 | cfy executions start uninstall -d fortigate-monitored --force -p ignore_failure=true 22 | 23 | 24 | cfy deployments delete fortigate-monitored 25 | cfy deployments delete fortigate-monitored force 26 | cfy blueprint delete fortigate-monitored 27 | 28 | -------------------------------------------------------------------------------- /fortigate/ha/example-fgcp.env: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-fgt-fcgcp.yaml -e example-fgcp.env fgcp-poc 2 | parameters: 3 | fgtimage: 
"fortigate643" 4 | mgmt_net_name: "mgmt" 5 | fgt_flavor: "1C-1GB" 6 | ssh-key-name: default 7 | north_net_name: "untrusted" 8 | south_net_name: "trusted" 9 | south2_net_name: "services" 10 | fgta_license: | 11 | -----BEGIN FGT VM LICENSE----- 12 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXA 13 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXA 14 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdE 15 | -----END FGT VM LICENSE----- 16 | 17 | fgtb_license: | 18 | -----BEGIN FGT VM LICENSE----- 19 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXA 20 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXA 21 | xXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdExXxxXAbCdE 22 | -----END FGT VM LICENSE----- 23 | -------------------------------------------------------------------------------- /docs/index.md: -------------------------------------------------------------------------------- 1 | # Fortistacks 2 | 3 | 4 | Fortistacks is a collection of examples, scripts and documentation to use [Fortinet](http://fortinet.com) products in 5 | Clouds/NFV and fully automated environments. 6 | 7 | Initial focus is on OpenStack, more to come. 8 | 9 | ## Using fortistacks 10 | 11 | * [quickstart](quickstart.md) - Go straigth to environment setup. 12 | * [mini-poc](mini-poc.md) - The default deployment example explained. 13 | * [fortigate](Fortigate.md) - Scripts, heat templates and doc for fortigate. 14 | 15 | ## Kubernetes 16 | 17 | * [Azure Kubernetes Service](Kubernetes/AKS-Private-secured.md) - Kubernetes protection step by step 18 | 19 | ## Advanced examples 20 | 21 | * [Life Cycle Management](Advanced Examples/LCM.md) - Scalability and complete lifecycle management. 
22 | 23 | ## Videos 24 | A youtube playlist will contain follow along video to be hands on [Fortistacks](https://www.youtube.com/playlist?list=PL78t125b9Q2YWfB4nre9NRTrerA-awaSo) 25 | 26 | ## Internals, adapting examples to your environment 27 | * [Docker client](Internals/README-DockerClient.md) - Docker usage explanation. 28 | 29 | -------------------------------------------------------------------------------- /fortigate/citycloud-env-ha.yaml: -------------------------------------------------------------------------------- 1 | # usage : openstack stack create --template heat-ha-minipoc.yaml -e citycloud-env-ha.yaml ha-poc 2 | parameters: 3 | fgtimage: "fgt60" 4 | ubimage: "Ubuntu 16.04 Xenial Xerus" 5 | mgmt_net: "mgmt" 6 | public_net: "ext-net" 7 | vms_flavor: "1C-1GB" 8 | ub_nic2_name: "ens4" 9 | ssh-key-name: "guestcse" 10 | fgta_license: | 11 | -----BEGIN FGT VM LICENSE----- 12 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 13 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 14 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 15 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXX 16 | -----END FGT VM LICENSE----- 17 | 18 | fgtb_license: | 19 | -----BEGIN FGT VM LICENSE----- 20 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 21 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 22 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxXXxXXxXXXXxXXXXXXxxX 23 | XXXXxxXXxXXxXXXXxXXXXXXxxXXxXX 24 | -----END FGT VM LICENSE----- -------------------------------------------------------------------------------- /osm/ubuntu_vnf_src/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Fortinet, Inc. 2 | # 3 | # All Rights Reserved 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 6 | # not use this file except in compliance with the License. 
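You may obtain
# a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
# License for the specific language governing permissions and limitations
# under the License.
#

BUILD_DIR = ubuntu16.04_vnfd

all: $(BUILD_DIR)/%

clean:
	-@ $(RM) -rf $(BUILD_DIR)

$(BUILD_DIR)/%:
	rm -rf $(BUILD_DIR)/*
	mkdir -p $(BUILD_DIR)
	cp -rf cloud_init icons *.yaml $(BUILD_DIR)
	cd $(BUILD_DIR); find * -type f | xargs md5sum > checksums.txt; cd ..
	tar czf ../$(BUILD_DIR).tar.gz $(BUILD_DIR)
	rm -rf $(BUILD_DIR)/
	echo "../$(BUILD_DIR).tar.gz ready to be on-boarded"
-------------------------------------------------------------------------------- /Azure/ConfigureK8SnodesCA.sh: --------------------------------------------------------------------------------
#!/bin/bash -e
#
# Configure Fortigate Kubernetes connector
#
# Authors: Nicolas Thomss
#
# Be sure to have login (az login) first
#
# Usage: ConfigureK8SnodesCA.sh <ca-certificate-file>
# Installs the given CA certificate on every node of the AKS node pool
# (CustomScript VMSS extension), refreshes the system trust store and
# restarts docker so the nodes trust the pushed Fortinet CA.
#
# Both guards abort: with `set -e`, a failing test followed by `|| echo`
# would otherwise let the script carry on with a missing or bogus $1
# (and `[ -f $1 ]` with an empty, unquoted $1 is always true).
[ $# == 1 ] || { echo "Must pass CA file as argument" >&2; exit 1; }
[ -f "$1" ] || { echo "Argument $1 must be a file " >&2; exit 1; }
echo "collecting information on Azure"

GROUP_NAME="fortistacks-aks"
# -w0: single-line base64 so it can be embedded in the JSON below
export FGTCA=$(base64 "$1" -w0) # or -b0 on MacOS
CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group "$GROUP_NAME" --name secure-aks --query nodeResourceGroup -o tsv)
# '[0].name' quoted so the shell does not treat it as a glob
SCALE_SET_NAME=$(az vmss list --resource-group "$CLUSTER_RESOURCE_GROUP" --query '[0].name' -o tsv)

az vmss extension set --resource-group "$CLUSTER_RESOURCE_GROUP" --vmss-name "$SCALE_SET_NAME" \
  --version 2.0 --publisher Microsoft.Azure.Extensions --name CustomScript \
  --protected-settings "{\"commandToExecute\": \"echo $FGTCA| base64 -d > /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt ; update-ca-certificates --fresh; service docker restart \"}"

# Roll the new extension model out to the instances that already exist.
az vmss update-instances --instance-ids '*' \
  --resource-group "$CLUSTER_RESOURCE_GROUP" \
  --name "$SCALE_SET_NAME"
-------------------------------------------------------------------------------- /fortios/minipoc-clean.sh: --------------------------------------------------------------------------------
#!/bin/bash

# #######
# Copyright (c) 2016 Fortinet All rights reserved
# Author: Nicolas Thomas nthomas_at_fortinet.com
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# * See the License for the specific language governing permissions and
# * limitations under the License.
#
# Tears down the fortios mini-poc: the three servers, their ports and the
# left/right networks.

# If the OpenStack credentials are not already exported, source them from
# ~/nova.rc. `-z` tests for an empty variable; the original `-x` tested
# whether an executable *file* named after the URL existed, which is never
# true, so ~/nova.rc was never sourced.
if [ -z "$OS_AUTH_URL" ]; then
  echo "get the Openstack access from ~/nova.rc"
  . ~/nova.rc
fi

# Tracing is switched on only after the credentials are in place, so the
# exports from ~/nova.rc (OS_PASSWORD included) are not echoed to the
# terminal or a CI log.
set -x

cat << EOF | openstack
server delete trafleft
server delete trafright
server delete fos64



port delete left1
port delete right1
network delete left
network delete right

EOF


-------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/ingress.yaml: -------------------------------------------------------------------------------- 1 | {{- if .Values.ingress.enabled -}} 2 | {{- $fullName := include "fortiweb.fullname" . 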
-}} 3 | {{- $svcPort := .Values.service.port -}} 4 | {{- if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}} 5 | apiVersion: networking.k8s.io/v1beta1 6 | {{- else -}} 7 | apiVersion: extensions/v1beta1 8 | {{- end }} 9 | kind: Ingress 10 | metadata: 11 | name: {{ $fullName }} 12 | labels: 13 | {{- include "fortiweb.labels" . | nindent 4 }} 14 | {{- with .Values.ingress.annotations }} 15 | annotations: 16 | {{- toYaml . | nindent 4 }} 17 | {{- end }} 18 | spec: 19 | {{- if .Values.ingress.tls }} 20 | tls: 21 | {{- range .Values.ingress.tls }} 22 | - hosts: 23 | {{- range .hosts }} 24 | - {{ . | quote }} 25 | {{- end }} 26 | secretName: {{ .secretName }} 27 | {{- end }} 28 | {{- end }} 29 | rules: 30 | {{- range .Values.ingress.hosts }} 31 | - host: {{ .host | quote }} 32 | http: 33 | paths: 34 | {{- range .paths }} 35 | - path: {{ . }} 36 | backend: 37 | serviceName: {{ $fullName }} 38 | servicePort: {{ $svcPort }} 39 | {{- end }} 40 | {{- end }} 41 | {{- end }} 42 | -------------------------------------------------------------------------------- /docs/MANO/Cloudify.md: -------------------------------------------------------------------------------- 1 | # Cloudify 2 | 3 | The goal here is to give you a working and configured Cloudify to be able to use the Fortinet Examples. 4 | If you already have yours just go straight to the examples in the sub directories. 5 | 6 | 7 | ## Get Cloudfiy on Openstack. 8 | 9 | Assume you have a working environment or go to [About](../quickstart.md) 10 | Run 11 | ```bash 12 | cd cloudify/ 13 | ./manager-on-openstackvm 14 | ``` 15 | 16 | This script will: 17 | 18 | * find a Centos image 19 | * install the Cloduify CLI in your ubuntu environment (Docker or native) 20 | * if needed create a cloudify ssh key for access and push it to manager (for cloudify Agents) 21 | * Install and configure Cloudify manager for your environment. 
22 | * Set the admin password to fortinet 23 | 24 | Using a browser, go to the floating IP of the Cloudify manager. 25 | 26 | ## Quick usage example 27 | ```shell 28 | cd fortigate-mini-poc 29 | ``` 30 | Add your license: 31 | ```shell 32 | cfy secret create fgt_license -f ../../fortigate/FGT.lic 33 | cfy install blueprint.yaml -i inputs-citycloud.yaml 34 | ``` 35 | 36 | ## More examples 37 | 38 | There are more examples using Cloudify in the cloudify subdirectory or in the secure-sdwan directory. 39 | More are described in the Advanced Examples section of this doc. 40 | -------------------------------------------------------------------------------- /mkdocs.yml: -------------------------------------------------------------------------------- 1 | # mkdocs.yml -- MkDocs configuration, all *.md files relative to docs/ 2 | site_name: Forti Stacks 3 | repo_url: 'https://github.com/fortinet-solutions-cse/fortistacks' 4 | edit_uri: edit/master/docs 5 | site_description: 'Multiple ready to use demo examples of automated Fortinet deployments.' 
6 | extra: 7 | favicon: 'https://fortinet.com/favicon.ico' 8 | social: 9 | - type: 'github' 10 | link: 'https://github.com/fortinet-solutions-cse/fortistacks' 11 | theme: readthedocs 12 | nav: 13 | - Home: 'index.md' 14 | - Quickstart: 'quickstart.md' 15 | - Minipoc: 'mini-poc.md' 16 | - Fortigate: 'Fortigate.md' 17 | - Other Fortinet VMs: 18 | - Fortimanager: 'Fortimanager.md' 19 | - Kubernetes: 20 | - AKS: 'Kubernetes/AKS-Private-secured.md' 21 | - MANO: 22 | - Cloudify: 'MANO/Cloudify.md' 23 | - osm.etsi.org: 'MANO/OSM.md' 24 | - Openstack Heat: 'MANO/Openstack-Heat.md' 25 | - Advanced examples: 26 | - Lifecycle Management: 'Advanced Examples/LCM.md' 27 | - SDWAN playground: 'Advanced Examples/SDWAN.md' 28 | - Internals: 29 | - Fortistacks: 'Internals/About.md' 30 | - Public Openstack: 'Internals/Citycloud.md' 31 | - Docker client: 'Internals/README-DockerClient.md' 32 | - Collect support information: 'Internals/Support-vms-collect.md' 33 | 34 | -------------------------------------------------------------------------------- /docs/Internals/Citycloud.md: -------------------------------------------------------------------------------- 1 | # Public OpenStack 2 | 3 | After lot of experiments and tries we recommend using Citycloud as a public openstack for testing Fortinet products. 4 | The scripts and demo availbale here are compatible with private openstacks or Citycloud. 5 | They can easily be adapted to other environment. Pull request appreciated. 6 | 7 | 8 | ## CityCloud 9 | 10 | Once you created an account on 11 | Go to https://citycontrolpanel.com/openstack#openstack_api_access line with user there a wheel on the right you can 12 | download rc file to get cli access 13 | Download your credentials in a openstack.rc type of file. 
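(Name does not matter)

Add the following to your .rc file:
```shell
export OS_FLAVOR=1C-1GB
export EXT_NET=ext-net
```
List of Regions: "Sto2 Lon1 Fra1 Buf1 La1 Kna1"

### Limitations

- No horizon gui (for now) but a Gui
- Can't create your own flavors (not a problem)

### Spending
To keep your cost down we provide a script to destroy resources automatically:
````shell
cd public-openstack
./unconfigure.sh
````

## Cloud images

For fortigate/fortios go to https://support.fortinet.com and download the last fortigate VM image.
Those scripts start with 5.6.3 (previous version may work)
-------------------------------------------------------------------------------- /check-openstackclient: --------------------------------------------------------------------------------
#!/bin/bash -e
#
# fortinet Check openstack client
# Copyright (C) 2016 Fortinet Ltd.
#
# Authors: Nicolas Thomss
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .


# checking openstack cli is recent enough using sort -V .
# "3.0" and the installed version are sorted together; if "3.0" still sorts
# last, the client is 3.0 or older and an upgrade is requested (exit 2).

# Fail explicitly when the client is absent: otherwise `openstack --version
# 2>&1` captures the shell's "command not found" text, `sort -V` ranks that
# text above "3.0", and the script wrongly reports a recent enough client.
if ! command -v openstack >/dev/null 2>&1; then
  echo "python-openstackclient not found, please install it" >&2
  exit 2
fi

OSCLI_VER=$(openstack --version 2>&1 | sed -e "s/openstack //g")
# read returns non-zero at EOF with -d '', hence the || true under set -e
read -r -d '' VAR << EOM || true
3.0
$OSCLI_VER
EOM

CHECKED_VER=$(echo "$VAR" | sort -V | tail -1)

if [ "$CHECKED_VER" == "3.0" ]; then
  echo "please upgrade python-openstackclient to a newer version"
  exit 2
else
  echo "openstack client seem recent enough"
  exit 0
fi
-------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | #Docker to develop/try Ansible module for Fortigate 2 | #build cmd: 3 | # docker build --force-rm -t fortinetsolutioncse/fortistacks-cli:2.0 . 4 | # For "official build" need acces to the docker registry. 5 | # docker build --force-rm -t fortistacks-cli . 6 | # 7 | FROM ubuntu:18.04 8 | LABEL maintainer="Nicolas Thomas " 9 | #Update the Ubuntu software repository inside the dockerfile with the 'RUN' command. 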
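# DEBIAN_FRONTEND is set before the first apt-get so the upgrade below can
# never block on a debconf prompt during the image build.
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && apt-get -y upgrade
# Package list deduplicated: git, wget, sudo, bash-completion and
# software-properties-common were each listed twice.
RUN apt-get -y install git python-pip wget zile byobu bash sudo python-virtualenv cloud-image-utils \
    python-openstackclient python-heatclient software-properties-common apt-transport-https \
    bash-completion vim
RUN apt-get clean

# Unprivileged user for the CLI. useradd -p takes the *encrypted* password
# (useradd(8)), so the literal "fortinet" does not set a usable password for
# this account; access inside the container is through the NOPASSWD sudo
# rule. sudoers(5) documents mode 0440 for sudoers files, hence chmod 440.
RUN groupadd -r ubuntu && useradd -g ubuntu -G adm,sudo ubuntu -m -p fortinet -s /bin/bash && \
    echo "ubuntu ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/99-nopasswd && chmod 440 /etc/sudoers.d/99-nopasswd
# if FGTCA is set
# must create a base64 env with the CA in it: FGTCA=$(base64 Fortinet_CA_SSL.crt -w0)
# and run with -e FGTCA
ENV FGTCA none
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT [ "/usr/local/bin/docker-entrypoint.sh"]
USER ubuntu
CMD [ "/bin/bash"]
-------------------------------------------------------------------------------- /osm/fortios_vnfd_src/layers/fortios/actions.yaml: -------------------------------------------------------------------------------- 1 | confport: 2 | description: Configure an ethernet interface. 3 | params: 4 | port: 5 | type: string 6 | description: Device name, e.g. 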
port1 7 | ip: 8 | type: string 9 | description: Network range to assign to the interface 10 | netmask: 11 | type: string 12 | description: Netmask on this port 13 | default: 255.255.255.0 14 | mtu: 15 | type: string 16 | description: Override default mtu 17 | required: [port,ip] 18 | apiset: 19 | description: set a rule using the RestAPI with https:///api/v2/cmdb/name/path 20 | params: 21 | name: 22 | type: string 23 | path: 24 | type: string 25 | parameters: 26 | type: string 27 | description: json formated string set of parameters to be set on fortios 28 | sshcmd: 29 | description: set a rule using ssh 30 | params: 31 | commands: 32 | type: string 33 | description: string with the list of cmd as on the cli off fortios lines can be separated by \n 34 | overconfig: 35 | description: set a rule using ssh 36 | params: 37 | template: 38 | type: file 39 | description: File with the Jinja2 template representing the change of configuration 40 | keysvalue: 41 | type: string 42 | description: Key value string key=value separated with commas -------------------------------------------------------------------------------- /docs/Internals/Support-vms-collect.md: -------------------------------------------------------------------------------- 1 | # Script to ease support 2 | 3 | Exchanging with persons in the field we realize that collecting ALL the ressources related to a VM can be complex/time 4 | consuming. 5 | 6 | We created this [support-vms-info.py](https://github.com/fortinet-solutions-cse/fortistacks/blob/master/openstack/support-vms-info.py) which works on any openstack VM. 7 | 8 | Syntax 9 | ```bash 10 | usage: support-vms-info.py [-h] [--verbosity] [-o [OUTFILE]] N [N ...] 
11 | 12 | positional arguments: 13 | N names of the VM to collect infos from 14 | 15 | optional arguments: 16 | -h, --help show this help message and exit 17 | --verbosity show verbose msg of the openstack-client library 18 | -o [OUTFILE], --outfile [OUTFILE] 19 | specify an output file instead of stdout 20 | ``` 21 | 22 | Source your openstack credentials and give a list of instances names or IDs. 23 | 24 | The script will output on stdout (or file) a json with all the details of the related ressources. 25 | This includes: 26 | * ports 27 | * networks, subnet 28 | * console_output 29 | * metadata 30 | * image 31 | * flavor 32 | * security groups 33 | * volume 34 | 35 | # requirements 36 | 37 | It you can run the openstack cli this script should work. 38 | Need to source your openstack .rc, i.e. have environment variable setup properly. 39 | -------------------------------------------------------------------------------- /osm/lxd-bridge: -------------------------------------------------------------------------------- 1 | # WARNING: This file is generated by a debconf template! 2 | # It is recommended to update it by using "dpkg-reconfigure -p medium lxd" 3 | 4 | # Whether to setup a new bridge or use an existing one 5 | USE_LXD_BRIDGE="true" 6 | 7 | # Bridge name 8 | # This is still used even if USE_LXD_BRIDGE is set to false 9 | # set to an empty value to fully disable 10 | LXD_BRIDGE="lxdbr0" 11 | 12 | # Update the "default" LXD profile 13 | UPDATE_PROFILE="true" 14 | 15 | # Path to an extra dnsmasq configuration file 16 | LXD_CONFILE="" 17 | 18 | # DNS domain for the bridge 19 | LXD_DOMAIN="lxd" 20 | 21 | # IPv4 22 | ## IPv4 address (e.g. 10.0.8.1) 23 | LXD_IPV4_ADDR="10.10.10.1" 24 | 25 | ## IPv4 netmask (e.g. 255.255.255.0) 26 | LXD_IPV4_NETMASK="255.255.254.0" 27 | 28 | ## IPv4 network (e.g. 10.0.8.0/24) 29 | LXD_IPV4_NETWORK="10.10.10.0/23" 30 | 31 | ## IPv4 DHCP range (e.g. 
10.0.8.2,10.0.8.254) 32 | LXD_IPV4_DHCP_RANGE="10.10.10.10,10.10.10.253" 33 | 34 | ## IPv4 DHCP number of hosts (e.g. 250) 35 | LXD_IPV4_DHCP_MAX="500" 36 | 37 | ## NAT IPv4 traffic 38 | LXD_IPV4_NAT="true" 39 | 40 | # IPv6 41 | ## IPv6 address (e.g. 2001:470:b368:4242::1) 42 | LXD_IPV6_ADDR="" 43 | 44 | ## IPv6 CIDR mask (e.g. 64) 45 | LXD_IPV6_MASK="" 46 | 47 | ## IPv6 network (e.g. 2001:470:b368:4242::/64) 48 | LXD_IPV6_NETWORK="" 49 | 50 | ## NAT IPv6 traffic 51 | LXD_IPV6_NAT="false" 52 | 53 | # Run a minimal HTTP PROXY server 54 | LXD_IPV6_PROXY="false" -------------------------------------------------------------------------------- /docs/mini-poc-asciio.txt: -------------------------------------------------------------------------------- 1 | 2 | =========================================================== 3 | | | Management/floating ips | 4 | | | | 5 | .----v-----. | | 6 | | trafleft | | | 7 | | Ubuntu | | | 8 | '----------' | | 9 | | | | 10 | v | | 11 | .-,( ),-. .-----v-----. .-,( ),-. | 12 | .-( )-. | Fortigate | .-( )-. | 13 | ( left )----->| vm |--->( right ) | 14 | '-( ).-' '-----------' '-( ).-' | 15 | '-.( ).-' '-.( ).-' | 16 | <-------. | 17 | | v 18 | .-----------. 19 | | trafright | 20 | | Ubuntu | 21 | '-----------' 22 | -------------------------------------------------------------------------------- /fortigate/minipoc-clean.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # ####### 4 | # Copyright (c) 2016 Fortinet All rights reserved 5 | # Author: Nicolas Thomas nthomas_at_fortinet.com 6 | # 7 | # Licensed under the Apache License, Version 2.0 (the "License"); 8 | # you may not use this file except in compliance with the License. 
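9 | # You may obtain a copy of the License at 10 | # 11 | # http://www.apache.org/licenses/LICENSE-2.0 12 | # 13 | # Unless required by applicable law or agreed to in writing, software 14 | # distributed under the License is distributed on an "AS IS" BASIS, 15 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 16 | # * See the License for the specific language governing permissions and 17 | # * limitations under the License. 18 | 

# Tear down the mini-PoC: the three servers, their ports and networks, then
# every floating IP that is no longer attached to anything.

# If no OpenStack credentials are in the environment, load them from ~/nova.rc.
# Two fixes vs. the previous revision:
#  * `[ -x "$OS_AUTH_URL" ]` tested for an executable *file* named like the
#    URL, so it was never true and nova.rc was silently never sourced;
#    `-z` ("unset or empty") is the intended test.
#  * this now runs *before* `set -x`: with xtrace on, sourcing nova.rc prints
#    every `export OS_PASSWORD=...` line to the terminal / CI log.
if [ -z "$OS_AUTH_URL" ]; then
    echo "get the Openstack access from ~/nova.rc"
    . ~/nova.rc
fi

set -x

echo "deleting VMs, ports and networks may raise errors (floating for expl)"
echo "please check if actually cleaning before logging a bug"

# One openstack shell session for all the deletes: a failing line (e.g. a
# port that is already gone) does not stop the remaining ones.
cat << EOF | openstack
server delete trafleft
server delete trafright
server delete fortigate


port delete left1
port delete right1
network delete left
network delete right

EOF
# Release all floating IPs not in use (save $$).
# `xargs -r` (GNU, present on Ubuntu) skips the delete when the list is empty
# instead of running `openstack floating ip delete` with no argument, which fails.
openstack floating ip list -f value -c "Floating IP Address" --status DOWN | xargs -r openstack floating ip delete
-------------------------------------------------------------------------------- /osm/fortios_vnfd_src/Makefile: -------------------------------------------------------------------------------- 1 | # Copyright 2015 Fortinet, Inc. 2 | # 3 | # All Rights Reserved 4 | # 5 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 6 | # not use this file except in compliance with the License. You may obtain 7 | # a copy of the License at 8 | # 9 | # http://www.apache.org/licenses/LICENSE-2.0 10 | # 11 | # Unless required by applicable law or agreed to in writing, software 12 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 13 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 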
See the 14 | # License for the specific language governing permissions and limitations 15 | # under the License. 16 | # 17 | 18 | BUILD_DIR = fortios_vnfd 19 | 20 | CHARMS:= fortios 21 | CHARM_SRC_DIR := layers 22 | CHARM_BUILD_DIR := $(BUILD_DIR)/charms 23 | 24 | CHARM_SRC_DIRS := $(addprefix $(CHARM_SRC_DIR)/, $(CHARMS)) 25 | CHARM_BUILD_DIRS := $(addprefix $(CHARM_BUILD_DIR)/, $(CHARMS)) 26 | 27 | all: $(CHARM_BUILD_DIRS) 28 | 29 | clean: 30 | -@ $(RM) -rf $(CHARM_BUILD_DIR) 31 | 32 | $(CHARM_BUILD_DIR)/%: $(CHARM_SRC_DIR)/% 33 | rm -rf $(BUILD_DIR)/* 34 | export LC_ALL=C; charm build -o $(BUILD_DIR) $< 35 | cp -rf cloud_init *.yaml icons scripts $(BUILD_DIR) 36 | mv $(BUILD_DIR)/builds $(BUILD_DIR)/charms 37 | rm -rf $(BUILD_DIR)/deps 38 | cd $(BUILD_DIR); find * -type f | xargs md5sum > checksums.txt; cd .. 39 | tar czf ../fortios_vnfd.tar.gz $(BUILD_DIR) 40 | # rm -rf $(BUILD_DIR)/* 41 | echo "fortios_vnfd.tar.gz ready to be on-boarded" 42 | -------------------------------------------------------------------------------- /fortigate/fos-user-data.txt: -------------------------------------------------------------------------------- 1 | config system interface 2 | edit mgmt 3 | set mode dhcp 4 | set allowaccess ping https ssh http snmp fgfm 5 | set defaultgw enable 6 | next 7 | edit port1 8 | set mode dhcp 9 | set allowaccess ping 10 | set defaultgw disable 11 | next 12 | edit port2 13 | set mode dhcp 14 | set allowaccess ping 15 | set defaultgw disable 16 | next 17 | end 18 | config system dns 19 | set primary 8.8.8.8 20 | end 21 | config firewall policy 22 | edit 1 23 | set name "Allow any any" 24 | set srcintf "any" 25 | set dstintf "any" 26 | set srcaddr "all" 27 | set dstaddr "all" 28 | set action accept 29 | set schedule "always" 30 | set service "ALL" 31 | set nat enable 32 | next 33 | end 34 | config system central-management 35 | set include-default-servers disable 36 | set type fortimanager 37 | set fmg 192.168.1.99 38 | config server-list 39 | edit 1 
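40 | set server-type update rating 41 | set server-address 192.168.1.99 42 | end 43 | end 44 | -------------------------------------------------------------------------------- /Azure/ConfigureK8Sstorage.sh: -------------------------------------------------------------------------------- 
#!/bin/bash
#
# Configure Fortigate Kubernetes connector
#
# Authors: Nicolas Thomss
#
# Be sure to have login (az login) first
#
# src: https://github.com/MicrosoftDocs/azure-docs/blob/master/articles/aks/azure-files-volume.md
# create a share Azurefile (cheaper ?) to try to share CA certificates to pods.
#
# Creates a storage account and a file share, then stores the account key in
# the Kubernetes secret `azure-secret` (the account-name/account-key pair the
# azureFile volume plugin expects).  The account key is a full-access
# credential for the whole storage account: it is never printed, and every
# variable that holds it is quoted.

# -e as before (was on the shebang); -u catches an unset variable before it is
# passed to az/kubectl; pipefail so a failing `az` inside $(...) is not masked.
set -euo pipefail

AKS_PERS_STORAGE_ACCOUNT_NAME=fortistacksstorage
AKS_PERS_RESOURCE_GROUP=fortistacks-aks
AKS_PERS_LOCATION=westeurope
AKS_PERS_SHARE_NAME=aksshares


# Create a storage account
az storage account create -n "$AKS_PERS_STORAGE_ACCOUNT_NAME" -g "$AKS_PERS_RESOURCE_GROUP" -l "$AKS_PERS_LOCATION" --sku Standard_LRS

# Export the connection string as an environment variable, this is used when creating the Azure file share.
# NOTE: the connection string embeds the account key, so it is a secret too;
# it is only needed for the `az storage share create` call below and is
# unset at the end.
export AZURE_STORAGE_CONNECTION_STRING=$(az storage account show-connection-string -n "$AKS_PERS_STORAGE_ACCOUNT_NAME" -g "$AKS_PERS_RESOURCE_GROUP" -o tsv)

# Create the file share
az storage share create -n "$AKS_PERS_SHARE_NAME" --connection-string "$AZURE_STORAGE_CONNECTION_STRING"

# Get storage account key
STORAGE_KEY=$(az storage account keys list --resource-group "$AKS_PERS_RESOURCE_GROUP" --account-name "$AKS_PERS_STORAGE_ACCOUNT_NAME" --query "[0].value" -o tsv)

# Echo the storage account name only.  The previous revision also echoed the
# key, which ends up in terminal scrollback / CI logs; anyone who needs it can
# read the secret back with `kubectl get secret azure-secret -o yaml`.
echo "Storage account name: $AKS_PERS_STORAGE_ACCOUNT_NAME"

# The key still appears briefly in kubectl's argv (visible in `ps` on this
# host); acceptable for a PoC, prefer --from-file or a sealed secret for
# anything shared.
kubectl create secret generic azure-secret --from-literal=azurestorageaccountname="$AKS_PERS_STORAGE_ACCOUNT_NAME" --from-literal=azurestorageaccountkey="$STORAGE_KEY"

unset AZURE_STORAGE_CONNECTION_STRING STORAGE_KEY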
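-------------------------------------------------------------------------------- /cloudify/fos-lifecycle/templates/add-fortigate.yaml: -------------------------------------------------------------------------------- 
# FortiManager JSON-RPC calls (Jinja2-rendered, then run in order) that
# discover a FortiGate, add it to the root ADOM, set its license metering
# and push the policy package.  `path` / `method` / `data` form the FMG
# request; `recoverable_code` lists FMG status codes that do not abort the
# sequence; `response_translation` names a response mapping that is
# presumably defined by the consumer of this template.
#
# NOTE(review): indentation was lost in the copy this was restored from.
# recoverable_code / nonrecoverable_code / response_translation are placed
# as siblings of `data` (i.e. NOT inside the FMG request body) — confirm
# against the template consumer.
#
# SECURITY: fgt_user / fgt_password are the FortiGate admin credentials and
# are sent to FortiManager in the request body, so the rendered template and
# any request logging done by the caller contain them in clear.
api_calls:
  # first call
  - path: /dvm/cmd/discover/device
    method: EXECUTE
    data:
      device:
        adm_pass: "{{fgt_password}}"
        adm_usr: "{{fgt_user}}"
        ip: "{{fgt_ip}}"
    # FIX: was `[ -20042 -20015 ]`; without the comma YAML parses that as ONE
    # string "-20042 -20015", not two integer status codes.
    recoverable_code: [ -20042, -20015 ]
    nonrecoverable_code:
    response_translation: "response1"

  - path: /dvm/cmd/add/device
    method: EXECUTE
    data:
      adom: root
      flags: [ create_task, log_dev ]
      device:
        adm_pass: "{{fgt_password}}"
        adm_usr: "{{fgt_user}}"
        desc: "LCM managed Fortios"
        ip: "{{fgt_ip}}"
        "device action": "promote_unreg"
        name: "{{fgt_name}}"
        mgmt_mode: "fmg"
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

  ## set the license metering
  - path: /dvmdb/device/{{fgt_name}}
    method: SET
    data:
      foslic_type: "regular"
      foslic_utm: [ "fw", "av", "app", "url", "ips" ]
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

  - path: /securityconsole/install/package
    method: EXECUTE
    data:
      adom: root
      # FIX: the key was written `dev_rev_comments"` — the stray quote became
      # part of the key name sent to FortiManager.
      dev_rev_comments: "TOSCA package installed by fortimanager"
      flags: [ "cp_all_objs", "copy_assigned_pkg" ]
      pkg: "{{fmg_package}}"
      scope:
        name: "{{fgt_name}}"
        vdom: "root"
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

#
-------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/NOTES.txt: -------------------------------------------------------------------------------- 1 | 1. 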
Get the application URL by running these commands: 2 | {{- if .Values.ingress.enabled }} 3 | {{- range $host := .Values.ingress.hosts }} 4 | {{- range .paths }} 5 | http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ . }} 6 | {{- end }} 7 | {{- end }} 8 | {{- else if contains "NodePort" .Values.service.type }} 9 | export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "fortiweb.fullname" . }}) 10 | export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}") 11 | echo http://$NODE_IP:$NODE_PORT 12 | {{- else if contains "LoadBalancer" .Values.service.type }} 13 | NOTE: It may take a few minutes for the LoadBalancer IP to be available. 14 | You can watch the status of by running 'kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "fortiweb.fullname" . }}' 15 | export SERVICE_IP=$(kubectl get svc --namespace {{ .Release.Namespace }} {{ include "fortiweb.fullname" . }} --template "{{"{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}"}}") 16 | echo http://$SERVICE_IP:{{ .Values.service.port }} 17 | {{- else if contains "ClusterIP" .Values.service.type }} 18 | export POD_NAME=$(kubectl get pods --namespace {{ .Release.Namespace }} -l "app.kubernetes.io/name={{ include "fortiweb.name" . 
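}},app.kubernetes.io/instance={{ .Release.Name }}" -o jsonpath="{.items[0].metadata.name}") 19 | echo "Visit http://127.0.0.1:8080 to use your application" 20 | kubectl --namespace {{ .Release.Namespace }} port-forward $POD_NAME 8080:80 21 | {{- end }} 22 | -------------------------------------------------------------------------------- /sdwan-secure/templates/add-fortigate.yaml: -------------------------------------------------------------------------------- 
# FortiManager JSON-RPC calls (Jinja2-rendered, then run in order) that
# discover a FortiGate, add it to the root ADOM with metadata, set its
# license metering and push the policy package.  `path` / `method` / `data`
# form the FMG request; `recoverable_code` lists FMG status codes that do not
# abort the sequence; `response_translation` names a response mapping that
# is presumably defined by the consumer of this template.
#
# NOTE(review): indentation was lost in the copy this was restored from.
# recoverable_code / nonrecoverable_code / response_translation are placed
# as siblings of `data` (i.e. NOT inside the FMG request body) — confirm
# against the template consumer.
#
# SECURITY: fgt_user / fgt_password are the FortiGate admin credentials and
# are sent to FortiManager in the request body, so the rendered template and
# any request logging done by the caller contain them in clear.
api_calls:
  # first call
  - path: /dvm/cmd/discover/device
    method: EXECUTE
    data:
      adom: root
      device:
        adm_pass: "{{fgt_password}}"
        adm_usr: "{{fgt_user}}"
        ip: "{{fgt_ip}}"
    # FIX: was `[ -20042 -20015 ]`; without the comma YAML parses that as ONE
    # string "-20042 -20015", not two integer status codes.
    recoverable_code: [ -20042, -20015 ]
    nonrecoverable_code:
    response_translation: "response1"

  - path: /dvm/cmd/add/device
    method: EXECUTE
    data:
      adom: root
      flags: [ "create_task" ]
      device:
        adm_pass: "{{fgt_password}}"
        adm_usr: "{{fgt_user}}"
        desc: "LCM managed Fortios"
        ip: "{{fgt_ip}}"
        meta fields:
          "Company/Organization": "Fortinet"
          "Country": "France"
        name: "{{fgt_name}}"
        mgmt_mode: "fmg"
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

  ## set the license metering
  - path: /dvmdb/device/{{fgt_name}}
    method: SET
    data:
      foslic_type: "regular"
      foslic_utm: [ "fw", "av", "app", "url", "ips" ]
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

  - path: /securityconsole/install/package
    method: EXECUTE
    data:
      adom: root
      # FIX: the key was written `dev_rev_comments"` — the stray quote became
      # part of the key name sent to FortiManager.
      dev_rev_comments: "TOSCA package installed by fortimanager"
      flags: [ "cp_all_objs", "copy_assigned_pkg" ]
      pkg: "{{fmg_package}}"
      scope:
        name: "{{fgt_name}}"
        vdom: "root"
    recoverable_code:
    nonrecoverable_code:
    response_translation: "response1"

#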
-------------------------------------------------------------------------------- /sdwan-secure/types/antmedia.yaml: -------------------------------------------------------------------------------- 1 | ########################################################### 2 | # This file containes node type / relationship definitions 3 | # for installing, configuring and managing an antmedia 4 | # instance. 5 | ########################################################### 6 | 7 | node_types: 8 | 9 | cloudify.nodes.AntMedia: 10 | derived_from: cloudify.nodes.ApplicationServer 11 | properties: 12 | install_url: 13 | description: The url where to find antmedia 14 | type: string 15 | default: "https://github.com/ant-media/Ant-Media-Server/releases/download/ams-v1.4.1/ant-media-server-community-1.4.1-180813_1533.zip 16 | " 17 | interfaces: 18 | cloudify.interfaces.lifecycle: 19 | create: scripts/antmedia/install-ubuntu.sh 20 | 21 | cloudify.nodes.MonitoredAntmedia: 22 | derived_from: cloudify.nodes.AntMedia 23 | # interfaces: 24 | 25 | # ########################################################### 26 | # # Notice that this node defines an additional collector 27 | # # to collect data on the antmedia instance. 28 | # # Also notice that in the URL, port 9000 is used. If you 29 | # # choose to change this port on the antmedia node template, 30 | # # this URL should be updated as well. 
31 | # ########################################################### 32 | 33 | # cloudify.interfaces.monitoring: 34 | # start: 35 | # implementation: diamond.diamond_agent.tasks.add_collectors 36 | # inputs: 37 | # collectors_config: 38 | # default: 39 | # antmediaCollector: 40 | # config: 41 | # url: http://127.0.0.1:9000/antmedia_stats;csv 42 | 43 | -------------------------------------------------------------------------------- /helpers/vncfrommac-enable: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # ####### 3 | # Copyright (c) 2016 Fortinet All rights reserved 4 | # Author: Nicolas Thomas nthomas_at_fortinet.com 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # * See the License for the specific language governing permissions and 16 | # * limitations under the License. 
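
######
## run this script in shell (not X) on an ubuntu machine to enable screen sharing with the default vnc client on macos
## the VNC password defaults to "fortinet"; set VNC_PASSWORD=... before running to use another one
#####

export LC_ALL=C
## avoid warnings about utf-8 for macusers

## TODO switch to dconf https://askubuntu.com/questions/1039587/screen-sharing-option-missing-from-ubuntu-18-04-vino-installed

# Configure and enable GNOME's Vino VNC server on display :0 for a macOS client.
# Changes vs. the previous revision (both security fixes):
#  * use-upnp is now false.  `true` asks a UPnP-capable Internet gateway to
#    forward the VNC port from the outside, which exposed an *unencrypted* VNC
#    server with a shared default password to the Internet.  The
#    macOS-on-the-LAN use case never needed it.
#  * the password comes from $VNC_PASSWORD (default "fortinet", the same value
#    as the previously hard-coded base64 Zm9ydGluZXQ=) so a lab can set its
#    own; classic VNC authentication only uses the first 8 characters.
# require-encryption stays false on purpose: the original author disabled it
# for macOS/RDP clients that cannot negotiate Vino's encryption, so the whole
# session (including the VNC challenge/response) is cleartext — trusted LAN only.
desktop()
{
    local vnc_password vnc_password_b64
    vnc_password="${VNC_PASSWORD:-fortinet}"
    # Vino stores the password base64-encoded in gsettings.
    vnc_password_b64="$(printf '%s' "$vnc_password" | base64)"

    export DISPLAY=:0

    # for broken clients like rdp/Macos
    gsettings set org.gnome.Vino require-encryption false
    gsettings set org.gnome.Vino vnc-password "$vnc_password_b64"
    gsettings set org.gnome.Vino use-upnp false
    gsettings set org.gnome.Vino notify-on-connect false
    gsettings set org.gnome.Vino prompt-enabled false
    gsettings set org.gnome.Vino authentication-methods "['vnc']"
    gsettings set org.gnome.Vino enabled true || echo "you must enable screen sharing manually in the GUI"

}


desktop


-------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/charms/fortimail/reactive/fortimail.py: -------------------------------------------------------------------------------- 1 | from charms.reactive import when, when_not, set_state 2 | 3 | 4 | @when_not('fortimail.installed') 5 | def install_fortimail(): 6 | # Do your setup here. 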
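7 | # 8 | # If your charm has other dependencies before it can install, 9 | # add those as @when() clauses above., or as additional @when() 10 | # decorated handlers below 11 | # 12 | # See the following for information about reactive charms: 13 | # 14 | # * https://jujucharms.com/docs/devel/developer-getting-started 15 | # * https://github.com/juju-solutions/layer-basic#overview 16 | # 17 | set_state('fortimail.installed') 18 | 19 | 
def _run_fortimail_action(flag, cmd):
    """Run ``cmd`` on the FortiMail VNF through the sshproxy layer and report
    the outcome to Juju as the action's result.

    flag: reactive flag that fired the action; it is cleared in ``finally``
          so the handler does not re-run on the next dispatch.
    cmd:  CLI command string handed to ``charms.sshproxy._run``.
    """
    # The file's top-level import only brings in the reactive decorators; the
    # three names below were previously used without any import, which raises
    # NameError the first time an action runs.  Local imports keep this edit
    # self-contained.
    # NOTE(review): module paths follow the usual OSM sshproxy / charmhelpers
    # layout — confirm against the layers listed in layer.yaml.
    import charms.sshproxy
    from charmhelpers.core.hookenv import action_fail, action_set
    from charms.reactive import remove_flag

    err = ''
    try:
        result, err = charms.sshproxy._run(cmd)
    except Exception as exc:
        # Was a bare ``except:`` (which also swallowed SystemExit /
        # KeyboardInterrupt) and reported only ``err``, which is still ''
        # when _run itself raised; include the exception text.
        action_fail('command failed:' + err + ' ' + str(exc))
    else:
        # Output key was misspelled 'outout'.
        action_set({'output': result})
    finally:
        remove_flag(flag)


@when('actions.create-domain')
def create_domain():
    """Juju action: create a mail domain on the FortiMail."""
    # TODO: build the real FortiMail CLI command from the action parameters;
    # the skeleton still sends an empty command, exactly as before.
    _run_fortimail_action('actions.create-domain', "")


@when('actions.delete-domain')
def delete_domain():
    """Juju action: delete a mail domain on the FortiMail."""
    # Renamed: this handler was also called ``create_domain``.  The decorator
    # registers at import time so both handlers most likely still fired, but
    # the module name pointed at the wrong function and the duplicate hid the
    # intent.
    # TODO: real FortiMail CLI command (see create_domain).
    _run_fortimail_action('actions.delete-domain', "")


@when('actions.get-administrative-resource')
def get_administrative_resource():
    """Juju action: read administrative resource information from the FortiMail."""
    # TODO: real FortiMail CLI command (see create_domain).
    _run_fortimail_action('actions.get-administrative-resource', "")
-------------------------------------------------------------------------------- /fortios/fos-user-data.txt: -------------------------------------------------------------------------------- 1 | config system interface 2 | edit mgmt 3 | set mode dhcp 4 | set allowaccess ping https ssh http snmp fgfm 5 | set defaultgw enable 6 | next 7 | edit port1 8 | set mode dhcp 9 | set allowaccess ping 10 | set defaultgw disable 11 | next 12 | edit port2 13 | set mode dhcp 14 | set allowaccess ping 15 | set defaultgw disable 16 | next 17 | end 18 | config system dns 19 | set primary 8.8.8.8 20 | end 21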
| config firewall policy 22 | edit 1 23 | set name "Allow any any" 24 | set srcintf "any" 25 | set dstintf "any" 26 | set srcaddr "all" 27 | set dstaddr "all" 28 | set action accept 29 | set schedule "always" 30 | set service "ALL" 31 | set nat enable 32 | next 33 | end 34 | config system central-management 35 | set include-default-servers disable 36 | set type fortimanager 37 | set fmg 192.168.1.99 38 | config server-list 39 | edit 1 40 | set server-type update rating 41 | set server-address 192.168.1.99 42 | end 43 | end 44 | # WARNING: changing the admin password triggers a reboot of the FortiGate. This block sets the well-known lab password "fortinet" in cleartext user-data (which is kept in this repo and is typically retrievable from the instance metadata service), the policy above is any->any accept with NAT, and the mgmt interface also allows cleartext http and snmp: PoC-only settings. Change the password after first boot and do not reuse this file on an instance reachable from untrusted networks. 45 | config system admin 46 | edit "admin" 47 | set password fortinet 48 | next 49 | end -------------------------------------------------------------------------------- /helpers/ubuntu-vncfrommac: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # ####### 3 | # Copyright (c) 2016 Fortinet All rights reserved 4 | # Author: Nicolas Thomas nthomas_at_fortinet.com 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # * See the License for the specific language governing permissions and 16 | # * limitations under the License. 
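
######
## run this script in shell (not X) on an ubuntu machine to enable screen sharing with the default vnc client on macos
## the VNC password defaults to "fortinet"; set VNC_PASSWORD=... before running to use another one
#####

export LC_ALL=C
## avoid warnings about utf-8 for macusers


# Turn on auto-login for the calling user, then configure and enable GNOME's
# Vino VNC server on display :0 for a macOS client.
# Changes vs. the previous revision (both security fixes):
#  * use-upnp is now false.  `true` asks a UPnP-capable Internet gateway to
#    forward the VNC port from the outside, which exposed an *unencrypted* VNC
#    server with a shared default password — on an auto-logged-in desktop —
#    to the Internet.  The macOS-on-the-LAN use case never needed it.
#  * the password comes from $VNC_PASSWORD (default "fortinet", the same value
#    as the previously hard-coded base64 Zm9ydGluZXQ=) so a lab can set its
#    own; classic VNC authentication only uses the first 8 characters.
# require-encryption stays false on purpose: the original author disabled it
# for macOS/RDP clients that cannot negotiate Vino's encryption, so the whole
# session (including the VNC challenge/response) is cleartext — trusted LAN only.
desktop()
{
    local vnc_password vnc_password_b64
    vnc_password="${VNC_PASSWORD:-fortinet}"
    # Vino stores the password base64-encoded in gsettings.
    vnc_password_b64="$(printf '%s' "$vnc_password" | base64)"

    # auto login
    cat << EOF | sudo tee /etc/lightdm/lightdm.conf.d/50-autolog.conf
[SeatDefaults]
autologin-user=$USER
EOF
    sudo systemctl restart lightdm.service
    # give lightdm time to bring the session up before talking to its display
    sleep 12
    export DISPLAY=:0
    gsettings set org.gnome.Vino enabled true
    # for broken clients like rdp/Macos
    gsettings set org.gnome.Vino require-encryption false
    gsettings set org.gnome.Vino vnc-password "$vnc_password_b64"
    gsettings set org.gnome.Vino use-upnp false
    gsettings set org.gnome.Vino notify-on-connect false
    gsettings set org.gnome.Vino prompt-enabled false
    gsettings set org.gnome.Vino authentication-methods "['vnc']"
    sudo systemctl restart lightdm.service

}


desktop



-------------------------------------------------------------------------------- /docs/Internals/README-DockerClient.md: -------------------------------------------------------------------------------- 1 | # Fortistacks client on Docker (any macine) 2 | 3 | Using a Docker image will require that you already have access to an Openstack. 4 | 5 | ## Quick start 6 | 7 | Copy your .rc file with the openstack credentials in fortistacks folder. 8 | 9 | From fortistacks folder: 10 | ```shell 11 | docker run -v $PWD:/fortistacks/ -v $HOME/.ssh:/home/ubuntu/.ssh/ --rm -i --name fortistacks-cli -h fortistacks-cli -t fortinetsolutioncse/fortistacks-cli 12 | ``` 13 | Or adapt to your folder layout. 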
14 | If you want to persist this Docker: 15 | ```shell 16 | docker run -v $PWD:/fortistacks/ -v $HOME/.ssh:/home/ubuntu/.ssh/ -i --name fortistacks-cli -h fortistacks-cli -t fortinetsolutioncse/fortistacks-cli 17 | ``` 18 | Then your Docker is not removed after your stop and you can log, attach again. Refer to Docker documentation. 19 | 20 | Once started cd /fortistacks/ and simply source your RC-file than you get from https://citycontrolpanel.com/openstack#openstack_api_access (link in the parameters of the user) 21 | Be sure to add: 22 | ```shell 23 | export OS_FLAVOR=1C-1GB 24 | export EXT_NET=ext-net 25 | ``` 26 | At the end of your RC-file first. 27 | 28 | ## Advanced protection 29 | If (like me) you have a middlebox in need for decryption for advanced protection. 30 | Download your middlebox Certificate authority in the folder and name it: ```Fortinet_CA_SSL.cer``` 31 | 32 | Then run 33 | ```bash 34 | docker build -f middlebox.Dockerfile --force-rm -t my-fortistacks-cli . 35 | ``` 36 | Simply change the name of your docker: 37 | ```shell 38 | docker run -v $PWD:/fortistacks/ -v $HOME/.ssh:/home/ubuntu/.ssh/ --rm -i --name my-fortistacks-cli -h my-fortistacks-cli -t my-fortistacks-cli 39 | ``` 40 | 41 | ## Hackers/curious 42 | Check Dockerfile in this folder to see how it is done. 
43 | 44 | ```shell 45 | $ docker run -v $PWD:/fortistacks/ -v $HOME/.ssh:/home/ubuntu/.ssh/ --rm -i --name fortistacks-cli -h fortistacks-cli -t fortistacks-cli 46 | ``` 47 | 48 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_nsd/fortimail_nsd.yaml: -------------------------------------------------------------------------------- 1 | nsd:nsd-catalog: 2 | nsd:nsd: 3 | id: "a44305f8-0983-4593-ae0f-1d512bdf696c" 4 | name: "fortimail-nsd" 5 | vendor: "fortinet" 6 | version: "1.0" 7 | vld: 8 | - 9 | id: "mgmtvld-1" 10 | name: "mgmtvld-1" 11 | mgmt-network: "true" 12 | vnfd-connection-point-ref: 13 | - 14 | member-vnf-index-ref: 1 15 | vnfd-id-ref: "ae516bde-92cc-4988-ae68-44592d4c1d82" 16 | vnfd-connection-point-ref: "mgmt" 17 | - 18 | id: "vld-2" 19 | name: "vld-2" 20 | mgmt-network: "false" 21 | vnfd-connection-point-ref: 22 | - 23 | member-vnf-index-ref: 1 24 | vnfd-id-ref: "ae516bde-92cc-4988-ae68-44592d4c1d82" 25 | vnfd-connection-point-ref: "incoming" 26 | - 27 | id: "vld-3" 28 | name: "vld-3" 29 | mgmt-network: "false" 30 | vnfd-connection-point-ref: 31 | - 32 | member-vnf-index-ref: 1 33 | vnfd-id-ref: "ae516bde-92cc-4988-ae68-44592d4c1d82" 34 | vnfd-connection-point-ref: "outgoing" 35 | constituent-vnfd: 36 | - 37 | member-vnf-index: 1 38 | vnfd-id-ref: "ae516bde-92cc-4988-ae68-44592d4c1d82" 39 | start-by-default: "true" 40 | meta: 
"{\"containerPositionMap\":{\"1\":{\"top\":210,\"left\":240,\"right\":490,\"bottom\":265,\"width\":250,\"height\":55},\"a44305f8-0983-4593-ae0f-1d512bdf696c\":{\"top\":30,\"left\":135,\"right\":385,\"bottom\":85,\"width\":250,\"height\":55},\"vld-1\":{\"top\":255,\"left\":165,\"right\":415,\"bottom\":293,\"width\":250,\"height\":38},\"mgmtvld-1\":{\"top\":135,\"left\":240,\"right\":490,\"bottom\":173,\"width\":250,\"height\":38},\"vld-2\":{\"top\":315,\"left\":10,\"right\":260,\"bottom\":353,\"width\":250,\"height\":38},\"vld-3\":{\"top\":315,\"left\":450,\"right\":700,\"bottom\":353,\"width\":250,\"height\":38}}}" 41 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/types/fortigate-types.yaml: -------------------------------------------------------------------------------- 1 | node_types: 2 | 3 | FortigateCollector: 4 | derived_from: cloudify.nodes.Compute # "fake compute" 5 | properties: 6 | install_agent: 7 | default: false 8 | diamond_config: 9 | default: 10 | interval: 30 11 | interfaces: 12 | cloudify.interfaces.monitoring_agent: 13 | install: 14 | executor: host_agent 15 | implementation: diamond.diamond_agent.tasks.install 16 | inputs: 17 | diamond_config: 18 | default: { get_property: [SELF, diamond_config] } 19 | start: 20 | executor: host_agent 21 | implementation: diamond.diamond_agent.tasks.start 22 | stop: 23 | executor: host_agent 24 | implementation: diamond.diamond_agent.tasks.stop 25 | uninstall: 26 | executor: host_agent 27 | implementation: diamond.diamond_agent.tasks.uninstall 28 | 29 | cloudify.interfaces.lifecycle: 30 | configure: 31 | executor: host_agent 32 | implementation: scripts/install_requirements.sh 33 | 34 | cloudify.interfaces.monitoring: 35 | start: 36 | implementation: diamond.diamond_agent.tasks.add_collectors 37 | executor: host_agent 38 | inputs: 39 | collectors_config: 40 | default: 41 | fortiosProxyCollector: 42 | path: collectors/fortiosgate.py 43 | config: { 
get_attribute: [SELF, fortios_collector_config ] } 44 | 45 | relationships: 46 | cloudify.relationships.monitors: 47 | derived_from: cloudify.relationships.depends_on 48 | source_interfaces: 49 | cloudify.interfaces.relationship_lifecycle: 50 | preconfigure: 51 | implementation: scripts/append_diamond_conf.py 52 | executor: host_agent 53 | inputs: 54 | vdom: 55 | default: 'root' 56 | description: "default vdom" 57 | -------------------------------------------------------------------------------- /openstack/configure-openstack-floatings: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # 3 | # fortinet-configure-openstack 4 | # Copyright (C) 2016 Fortinet Ltd. 5 | # 6 | # Authors: Nicolas Thomss 7 | # 8 | # This program is free software: you can redistribute it and/or modify 9 | # it under the terms of the GNU General Public License as published by 10 | # the Free Software Foundation, version 3 of the License. 11 | # 12 | # This program is distributed in the hope that it will be useful, 13 | # but WITHOUT ANY WARRANTY; without even the implied warranty of 14 | # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 15 | # GNU General Public License for more details. 16 | # 17 | # You should have received a copy of the GNU General Public License 18 | # along with this program. If not, see . 19 | 20 | set -ex 21 | 22 | 23 | cat << EOF 24 | This script configure the following on openstack: 25 | - a router between mgmt and external network for floating ip 26 | EOF 27 | 28 | #PKGS=" python-keystone python-neutronclient python-novaclient python-glanceclient python-openstackclient python-heatclient" 29 | #dpkg -l $PKGS > /dev/null || sudo apt install -y $PKGS 30 | 31 | NEUTRON_EXT_NET_NAME="ext-net" 32 | 33 | # Determine the tenant id for the configured tenant name. 
34 | 35 | 36 | #Create mgmt network for neutron for tenant VMs 37 | openstack network show mgmt > /dev/null 2>&1 || (echo "you must have set a mgmt network first"; exit 2) 38 | 39 | #Create router for external network and mgmt network 40 | openstack router show provider-router > /dev/null 2>&1 || openstack router create provider-router 41 | ROUTER_ID=`openstack router show provider-router -c id -f value` 42 | 43 | EXTERNAL_NETWORK_ID=`openstack network show $NEUTRON_EXT_NET_NAME -c id -f value` 44 | openstack router set --external-gateway $EXTERNAL_NETWORK_ID provider-router || true 45 | ### make it always ok to have it indempodent. 46 | openstack router add subnet provider-router mgmt_subnet || true 47 | 48 | 49 | -------------------------------------------------------------------------------- /osm/FortigateApache_nsd.yaml: -------------------------------------------------------------------------------- 1 | nsd:nsd-catalog: 2 | nsd: 3 | - constituent-vnfd: 4 | - member-vnf-index: '1' 5 | start-by-default: 'true' 6 | vnfd-id-ref: fortigate 7 | - member-vnf-index: '2' 8 | start-by-default: 'true' 9 | vnfd-id-ref: apache 10 | id: 3d4a16f0-63e0-4e92-8cd3-cec64c2eaeed 11 | ip-profiles: 12 | - ip-profile-params: 13 | dhcp-params: 14 | enabled: 'true' 15 | gateway-address: 172.27.1.254 16 | ip-version: ipv4 17 | subnet-address: 172.27.1.0/24 18 | name: in 19 | - ip-profile-params: 20 | dhcp-params: 21 | enabled: 'true' 22 | gateway-address: 10.40.10.254 23 | ip-version: ipv4 24 | subnet-address: 10.40.10.0/24 25 | name: out 26 | name: Fortigate Apache 27 | service-primitive: 28 | - name: sshcmd 29 | parameter: 30 | - data-type: STRING 31 | mandatory: 'true' 32 | name: commands 33 | version: '0.1' 34 | vld: 35 | - id: '19102' 36 | ip-profile-ref: in 37 | name: vld-2 38 | provider-network: 39 | overlay-type: GRE 40 | vnfd-connection-point-ref: 41 | - member-vnf-index-ref: '1' 42 | vnfd-connection-point-ref: fortigate/cp2 43 | vnfd-id-ref: fortigate 44 | - 
member-vnf-index-ref: '2' 45 | vnfd-connection-point-ref: apache/cp0 46 | vnfd-id-ref: apache 47 | - id: b0d7a 48 | ip-profile-ref: out 49 | name: vld-1 50 | provider-network: 51 | overlay-type: GRE 52 | vnfd-connection-point-ref: 53 | - member-vnf-index-ref: '1' 54 | vnfd-connection-point-ref: fortigate/cp3 55 | vnfd-id-ref: fortigate 56 | -------------------------------------------------------------------------------- /Azure/Az-FGT-parameters.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentParameters.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "location": { 6 | "value": "westeurope" 7 | }, 8 | "adminUsername": { 9 | "value": "fgtadmin" 10 | }, 11 | "adminPassword": { 12 | "value": "Fortin3t-aks" 13 | }, 14 | "FortiGateName": { 15 | "value": "fgtAKS" 16 | }, 17 | "FortiGateImageSKU": { 18 | "value": "fortinet_fg-vm_payg" 19 | }, 20 | "instanceType": { 21 | "value": "Standard_D2_v2" 22 | }, 23 | "publicIPNewOrExistingOrNone": { 24 | "value": "new" 25 | }, 26 | "publicIPAddressNameFGT": { 27 | "value": "fgtaz" 28 | }, 29 | "publicIPAddressNameFWB": { 30 | "value": "fwbaz" 31 | }, 32 | "publicIPResourceGroup": { 33 | "value": "fortistacks-aks" 34 | }, 35 | "publicIPAddressType": { 36 | "value": "Dynamic" 37 | }, 38 | "vnetNewOrExisting": { 39 | "value": "new" 40 | }, 41 | "vnetName": { 42 | "value": "fortistacks-Vnet" 43 | }, 44 | "vnetResourceGroup": { 45 | "value": "fortistacks-aks" 46 | }, 47 | "vnetAddressPrefix": { 48 | "value": "172.27.40.0/22" 49 | }, 50 | "PublicSubName": { 51 | "value": "publicsnet" 52 | }, 53 | "PublicSubPrefix": { 54 | "value": "172.27.40.0/26" 55 | }, 56 | "fortiWebIPSub1": { 57 | "value": "172.27.40.61" 58 | }, 59 | "fortiGateIP1": { 60 | "value": "172.27.40.62" 61 | }, 62 | "TransitSubName": { 63 | "value": "transitsnet" 64 | }, 65 | "TransitSubPrefix": { 66 | "value": "172.27.40.64/26" 67 | 
}, 68 | "fortiGateIP2": { 69 | "value": "172.27.40.126" 70 | }, 71 | "fortiWebIPSub2": { 72 | "value": "172.27.40.125" 73 | }, 74 | "fortinetTags": { 75 | "value": { 76 | "provider": "6EB3B02F-50E5-4A3E-8CB8-2E129258317D" 77 | } 78 | } 79 | } 80 | } 81 | 82 | 83 | -------------------------------------------------------------------------------- /fortiweb/Notes.md: -------------------------------------------------------------------------------- 1 | # Notes about docker/Helm K8S on testing FWEB in K8S 2 | 3 | ## Image 4 | ```shell script 5 | docker login fortistackscontainerregistry.azurecr.io -u 00000000-0000-0000-0000-000000000000 -p eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6IjZLQUM6RUVIUDpUVlpGOk5CNEg6VjdCRzoyQlc0OkxWQk46MlhJWjpWVzNWOlA0RTI6N09GMzpFQlpMIn0.eyJqdGkiOiJmYzkzMWE3YS05MjNhLTQxNzctYjBmOS1jOWY2M2ZkNjg3ZTciLCJzdWIiOiJudGhvbWFzQGF6dXJlc3RvcmVmb3J0aW5ldC5vbm1pY3Jvc29mdC5jb20iLCJuYmYiOjE2MDQ1NjM1MDQsImV4cCI6MTYwNDU3NTIwNCwiaWF0IjoxNjA0NTYzNTA0LCJpc3MiOiJBenVyZSBDb250YWluZXIgUmVnaXN0cnkiLCJhdWQiOiJmb3J0aXN0YWNrc2NvbnRhaW5lcnJlZ2lzdHJ5LmF6dXJlY3IuaW8iLCJ2ZXJzaW9uIjoiMS4wIiwiZ3JhbnRfdHlwZSI6InJlZnJlc2hfdG9rZW4iLCJ0ZW5hbnQiOiI5NDJiODBjZC0xYjE0LTQyYTEtOGRjZi00YjIxZGVjZTYxYmEiLCJwZXJtaXNzaW9ucyI6eyJhY3Rpb25zIjpbInJlYWQiLCJ3cml0ZSIsImRlbGV0ZSJdLCJub3RBY3Rpb25zIjpudWxsfSwicm9sZXMiOltdfQ.k6w1f4VhjBmgKbA-Wb6gJ_b3Xu5rGTV3VMeEwgWFE19G1Ey_-5LbOueY4pDihZ-D0B4rIET-Fen_iJREVQ8-tZLZSLqSLWEUDW6PLwP6jps4z4XfX4kM7GX_oZvGTkZPnQpr580Z5MhlRV3N5ObmrOm1m7rTnEo_6qO4f_kEVBD1NuPCDdUrFaf_AWaUvLVkcG6mrLRXnxvCgvINieTC1P9CPMn6QdsmfkzOGTFP_P_HvB4gJi7xmHNwes-AkVJb4D7p1vzgvhLWWzSuRxW_sKmu8hjX9-jaMPcvLidyOwh2lfnC__UFX02_cFCquSuFY4AkWys3Uk8-JNeUZyMGKg 6 | unzip ~/Downloads/FWB_DOCKER-v600-build1102-FORTINET.out.docker.zip 7 | cd image-docker-64/ 8 | docker build -t fortistackscontainerregistry.azurecr.io/fortiweb:6.3.7 . 
9 | docker push fortistackscontainerregistry.azurecr.io/fortiweb:6.3.7 10 | ``` 11 | 12 | 13 | Create the secret with the license file in it: 14 | ```shell script 15 | kubectl create secret generic fwblicense --from-file=./vm.lic 16 | ``` 17 | The license file must be named vm.lic. 18 | 19 | See fwb-single-d0.yml for a full day0+license example. 20 | ## Storage 21 | ```yaml 22 | volumeMounts: 23 | - mountPath: "/var/my-app/id_rsa" 24 | subPath: id_rsa 25 | name: ssh-key 26 | readOnly: true 27 | volumes: 28 | - name: ssh-key 29 | secret: 30 | secretName: ssh-key 31 | items: 32 | - key: id_rsa 33 | path: id_rsa 34 | ``` -------------------------------------------------------------------------------- /openstack/ovh-jumphost.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -xe 2 | # ####### 3 | # Copyright (c) 2019 Fortinet All rights reserved 4 | # Author: Nicolas Thomas nthomas_at_fortinet.com 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 15 | # * See the License for the specific language governing permissions and 16 | # * limitations under the License. 17 | 18 | 19 | # this create a jumphost on ovh 20 | 21 | #if nova access not set then get them from nova.rc 22 | if [ -x $OS_AUTH_URL ]; then 23 | echo "get the Openstack access from ~/nova.rc" 24 | . 
~/nova.rc 25 | fi 26 | 27 | #if EXT_NET variable not set use default (allow to have it as param from the .rc file) 28 | [ -x $EXT_NET ] && EXT_NET=Ext-Net 29 | [ -x $OS_FLAVOR ] && OS_FLAVOR=s1-2 30 | [ -x $UB_IMAGE ] && UB_IMAGE="Ubuntu 18.04" 31 | 32 | [ -f jumphost_userdata.txt ] || (echo " you must have create a user-data file see README"; exit 2) 33 | 34 | UB_USERDATA=jumphost_userdata.txt 35 | 36 | #Push image if needed 37 | openstack image show "$UB_IMAGE" > /dev/null 2>&1 || (echo " can not find $UB_IMAGE image"; exit 2) 38 | 39 | #Create left network for tenant VMs with a route to right network 40 | openstack network show mgmt > /dev/null 2>&1 || (echo " No mgmt network defined run ./configure-openstack script"; exit 2) 41 | 42 | 43 | if (openstack server show jumphost > /dev/null 2>&1 );then 44 | echo "jumphost already installed" 45 | else 46 | openstack server create --image "$UB_IMAGE" jumphost --key-name default --security-group default --flavor $OS_FLAVOR --user-data $UB_USERDATA --network $EXT_NET --network mgmt --wait 47 | fi 48 | 49 | echo "Jumphost details :" 50 | openstack server list --instance-name jumphost -------------------------------------------------------------------------------- /fortigate/minipoc-add-floatings.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # ####### 3 | # Copyright (c) 2016 Fortinet All rights reserved 4 | # Author: Nicolas Thomas nthomas_at_fortinet.com 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); 7 | # you may not use this file except in compliance with the License. 8 | # You may obtain a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, 14 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 
15 | # * See the License for the specific language governing permissions and 16 | # * limitations under the License. 17 | 18 | 19 | # this script add floating ips directed to the management port of the VMs 20 | # this comes as an add on to minipoc-deploy.sh which does not contain floating anymore 21 | # for better usuability in private clouds. 22 | 23 | 24 | 25 | #if nova access not set then get them from nova.rc 26 | if [ -x $OS_AUTH_URL ]; then 27 | echo "get the Openstack access from ~/nova.rc" 28 | . ~/nova.rc 29 | fi 30 | #if EXT_NET variable not set use default (allow to have it as param from the .rc file) 31 | [ -x $EXT_NET ] && EXT_NET=ext_net 32 | 33 | [ -x $VMS ] && VMS="fortigate trafleft trafright" 34 | for VM in $VMS 35 | do 36 | # return 1 or 2 IP if floating is on 37 | MGMT_IPS=`openstack server show $VM -f value -c addresses| awk -F'; ' '/mgmt=/{sub(/.*mgmt=/, ""); {print $1}}'` 38 | FLOAT_IP=`echo $MGMT_IPS |awk -F ', ' '{print $2}'` 39 | if [ -z $FLOAT_IP ] 40 | then 41 | MGMT_IP=`echo $MGMT_IPS |awk -F ', ' '{print $1}'` 42 | MGMT_PORT=` openstack port list --fixed-ip subnet=mgmt_subnet,ip-address=$MGMT_IP -f value -c id` 43 | FLOAT_IP=`openstack floating ip create $EXT_NET --port $MGMT_PORT -f value -c floating_ip_address` 44 | #openstack server add floating ip $VM $FLOAT_IP 45 | echo "$VM is associated to $FLOAT_IP" 46 | else 47 | echo "$VM is already associated to $FLOAT_IP" 48 | fi 49 | done 50 | -------------------------------------------------------------------------------- /docs/Fortimanager.md: -------------------------------------------------------------------------------- 1 | # Frotimanager on Openstack 2 | 3 | Ref: [docs.fortinet.com](https://docs.fortinet.com/vm/kvm/fortimanager/6.2/fortimanager-vm-on-kvm/6.2.0/681012/about-fortimanager-vm-on-kvm) 4 | 5 | Get FMG_VM64_KVM-v6-build0205-FORTINET.out.kvm.zip or later from https://support.fortinet.com 6 | unzip it 7 | 8 | ``` 9 | openstack image create --disk-format qcow2 
--container-format bare "FMG" --file fmg.qcow2 10 | 11 | openstack volume create --size 80 fmg-log1 12 | 13 | export OS_FLAVOR="2C-4GB" 14 | openstack server create --image "FMG" fmg60 --key-name default --security-group default \ 15 | --flavor $OS_FLAVOR --nic net-id=mgmt,v4-fixed-ip=192.168.1.99 --block-device-mapping vdb=fmg-log1 16 | 17 | ``` 18 | 19 | You should need minimal changes if you configure mgmtB as 192.168.1.0/24, which is the default network Fortimanager is on. 20 | 21 | You then need to update the interface to the address openstack assigned (no dhcp): 22 | ```shell 23 | openstack server list 24 | +--------------------------------------+-------+--------+---------------------------------+-----------+--------+ 25 | | ID | Name | Status | Networks | Image | Flavor | 26 | +--------------------------------------+-------+--------+---------------------------------+-----------+--------+ 27 | | 42c2fd39-b27a-4111-b6fd-5e7c81626c52 | FMG | ACTIVE | mgmt=192.168.1.99, 77.81.7.183 | FMG 6.0.2 | 2C-4GB | 28 | +--------------------------------------+-------+--------+---------------------------------+-----------+--------+ 29 | ``` 30 | 31 | Attaching a floating ip is optional. 32 | 33 | Adapt to your IP and gateway: 34 | 35 | 36 | Log in to the console (vnc on openstack) as user admin with no password. 
37 | ```bash 38 | config system interface 39 | edit port1 40 | set ip 192.168.1.99 255.255.255.0 41 | end 42 | config system route 43 | edit 1 44 | set device "port1" 45 | set gateway 192.168.1.1 46 | #must match your network mtu# set mtu 1400 47 | end 48 | ``` 49 | 50 | # API access 51 | You must run the followin cli on FMG to be able to use the API 52 | ```bash 53 | config system admin user 54 | edit admin 55 | set rpc-permit read-write 56 | end 57 | ``` -------------------------------------------------------------------------------- /Azure/word-web-deployment.yml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Service 3 | metadata: 4 | name: db 5 | labels: 6 | app: words-db 7 | spec: 8 | ports: 9 | - port: 5432 10 | targetPort: 5432 11 | name: db 12 | selector: 13 | app: words-db 14 | clusterIP: None 15 | --- 16 | apiVersion: apps/v1beta1 17 | kind: Deployment 18 | metadata: 19 | name: db 20 | labels: 21 | app: words-db 22 | spec: 23 | template: 24 | metadata: 25 | labels: 26 | app: words-db 27 | spec: 28 | containers: 29 | - name: db 30 | image: dockersamples/k8s-wordsmith-db 31 | ports: 32 | - containerPort: 5432 33 | name: db 34 | --- 35 | apiVersion: v1 36 | kind: Service 37 | metadata: 38 | name: words 39 | labels: 40 | app: words-api 41 | spec: 42 | ports: 43 | - port: 8080 44 | targetPort: 8080 45 | name: api 46 | selector: 47 | app: words-api 48 | clusterIP: None 49 | --- 50 | apiVersion: apps/v1beta1 51 | kind: Deployment 52 | metadata: 53 | name: words 54 | labels: 55 | app: words-api 56 | spec: 57 | replicas: 5 58 | template: 59 | metadata: 60 | labels: 61 | app: words-api 62 | spec: 63 | containers: 64 | - name: words 65 | image: dockersamples/k8s-wordsmith-api 66 | ports: 67 | - containerPort: 8080 68 | name: api 69 | --- 70 | apiVersion: v1 71 | kind: Service 72 | metadata: 73 | name: web 74 | labels: 75 | app: words-web 76 | annotations: 77 | 
service.beta.kubernetes.io/azure-load-balancer-internal: "true" 78 | spec: 79 | ports: 80 | - port: 8081 81 | targetPort: 80 82 | name: web 83 | selector: 84 | app: words-web 85 | type: LoadBalancer 86 | --- 87 | apiVersion: apps/v1beta1 88 | kind: Deployment 89 | metadata: 90 | name: web 91 | labels: 92 | app: words-web 93 | spec: 94 | template: 95 | metadata: 96 | labels: 97 | app: words-web 98 | spec: 99 | containers: 100 | - name: web 101 | image: dockersamples/k8s-wordsmith-web 102 | ports: 103 | - containerPort: 80 104 | name: words-web 105 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/fortigate_monit/cloudify_handler/format.py: -------------------------------------------------------------------------------- 1 | ######### 2 | # Copyright (c) 2014 GigaSpaces Technologies Ltd. All rights reserved 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # * See the License for the specific language governing permissions and 14 | # * limitations under the License. 
15 | 16 | import json 17 | 18 | 19 | def jsonify(metric): 20 | deployment_id = metric.getPathPrefix() 21 | host, node_name, node_id = metric.host.split('.') 22 | name = metric.getCollectorPath() 23 | raw_metric_path = metric.getMetricPath() 24 | path = raw_metric_path.replace('.', '_') 25 | metric_value = float(metric.value) 26 | metric_type = metric.metric_type 27 | time = metric.timestamp 28 | service = '.'.join([ 29 | deployment_id, 30 | node_name, 31 | node_id, 32 | name, 33 | raw_metric_path 34 | ]) 35 | 36 | output = { 37 | # Node instance id 38 | 'node_id': node_id, 39 | 40 | # Node id 41 | 'node_name': node_name, 42 | 43 | # Deployment id 44 | 'deployment_id': deployment_id, 45 | 46 | # Metric name (e.g. cpu) 47 | 'name': name, 48 | 49 | # Sub-metric name (e.g. avg) 50 | 'path': path, 51 | 52 | # The actual metric value 53 | 'metric': metric_value, 54 | 55 | # Metric unit 56 | 'unit': '', 57 | 58 | # Metric type (gauge, counter, etc...) 59 | 'type': metric_type, 60 | 61 | # Host instance id 62 | 'host': host, 63 | 64 | # The full metric name ( 65 | # e.g. 
deployment_id.node_id.node_instance_id.metric) 66 | 'service': service, 67 | 68 | # epoch timestamp of the metric 69 | 'time': time, 70 | } 71 | return json.dumps(output) 72 | -------------------------------------------------------------------------------- /Azure/FGT-snippets.conf: -------------------------------------------------------------------------------- 1 | config firewall address 2 | edit "AKSaccess_range" 3 | set type iprange 4 | set comment "VPN: AKSaccess " 5 | set start-ip 172.27.20.12 6 | set end-ip 172.27.20.32 7 | next 8 | edit "K8Svnet" 9 | set subnet 10.40.0.0 255.255.0.0 10 | next 11 | edit "Transit" 12 | set subnet 172.27.40.64 255.255.255.192 13 | next 14 | end 15 | 16 | config firewall addrgrp 17 | edit "K8S" 18 | set member "K8Svnet" "Transit" 19 | next 20 | end 21 | 22 | 23 | config user local 24 | edit "aks" 25 | set type password 26 | set passwd Fortin3t-aks 27 | next 28 | end 29 | config user group 30 | edit "VPN" 31 | set member "aks" 32 | next 33 | end 34 | 35 | config vpn ipsec phase1-interface 36 | edit "AKSaccess" 37 | type dynamic 38 | interface "port1" 39 | mode aggressive 40 | peertype any 41 | net-device enable 42 | mode-cfg enable 43 | proposal aes128-sha256 aes256-sha256 aes128-sha1 aes256-sha1 44 | dpd on-idle 45 | comments "VPN: AKSaccess (Created by VPN wizard)" 46 | wizard-type dialup-forticlient 47 | xauthtype auto 48 | ipv4-start-ip 172.27.20.12 49 | ipv4-end-ip 172.27.20.32 50 | dns-mode auto 51 | save-password enable 52 | client-keep-alive enable 53 | psksecret Fortin3t-aks 54 | dpd-retryinterval 60 55 | next 56 | end 57 | 58 | config vpn ipsec phase2-interface 59 | edit "AKSaccess" 60 | set phase1name "AKSaccess" 61 | set proposal aes128-sha1 aes256-sha1 aes128-sha256 aes256-sha256 aes128gcm aes256gcm chacha20poly1305 62 | set comments "VPN: AKSaccess (Created by VPN wizard)" 63 | next 64 | end 65 | 66 | config firewall policy 67 | edit 3 68 | set name "vpn_AKSaccess_remote" 69 | set srcintf "AKSaccess" 70 | set 
dstintf "port2" 71 | set srcaddr "AKSaccess_range" 72 | set dstaddr "K8Svnet" "Transit" 73 | set action accept 74 | set schedule "always" 75 | set service "ALL" 76 | set fsso disable 77 | set groups "VPN" 78 | set comments "VPN: AKSaccess (Created by VPN wizard)" 79 | set nat enable 80 | next 81 | end 82 | 83 | ##Policies 84 | -------------------------------------------------------------------------------- /Azure/ConfigureK8SConnector.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash -e 2 | # 3 | # Configure Fortigate Kubernetes connector 4 | # 5 | # Authors: Nicolas Thomss 6 | # 7 | # Be sure to have login (az login) first 8 | 9 | [ -f $1 ] 10 | export FGTCA=$(base64 Fortinet_AKS_CA.cer -w0) # or -b0 on MacOS 11 | GROUP_NAME="fortistacks-aks" 12 | CLUSTER_RESOURCE_GROUP=$(az aks show --resource-group $GROUP_NAME --name secure-aks --query nodeResourceGroup -o tsv) 13 | SCALE_SET_NAME=$(az vmss list --resource-group $CLUSTER_RESOURCE_GROUP --query [0].name -o tsv) 14 | 15 | az vmss extension set --resource-group $CLUSTER_RESOURCE_GROUP --vmss-name $SCALE_SET_NAME \ 16 | --version 2.0 --publisher Microsoft.Azure.Extensions --name CustomScript \ 17 | --protected-settings "{\"commandToExecute\": \"echo $FGTCA| base64 -d > /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt ; update-ca-certificates --fresh\"}" 18 | 19 | az vmss update-instances --instance-ids '*' \ 20 | --resource-group $CLUSTER_RESOURCE_GROUP \ 21 | --name $SCALE_SET_NAME 22 | echo "collecting information on Azure" 23 | GROUP_NAME="fortistacks-aks" 24 | AKS_RESOURCE_GROUP=$(az aks show --resource-group $GROUP_NAME --name secure-aks --query nodeResourceGroup -o tsv) 25 | KAPI_ID=`az network private-endpoint show --name kube-apiserver --resource-group $AKS_RESOURCE_GROUP --query "networkInterfaces[0].id" -o tsv` 26 | KAPI_IP=`az network nic show --ids $KAPI_ID --query "ipConfigurations[0].privateIpAddress" -o tsv` 27 | 28 | kubectl -n kube-system create 
serviceaccount fortigate || true 29 | kubectl create clusterrolebinding add-on-cluster-admin --clusterrole=view --serviceaccount=kube-system:fortigate || true 30 | TOKEN=$(kubectl get secrets -o jsonpath="{.items[?(@.metadata.annotations['kubernetes\.io/service-account\.name']=='fortigate')].data.token}" -n kube-system | base64 -d) 31 | 32 | FGTAZIP=`az network public-ip show --name fgtaz --resource-group $GROUP_NAME --query ipAddress -o tsv` 33 | 34 | echo "configure your Kubernetes SDN connector with the following cli on https://$FGTAZIP" 35 | cat <| vm |--->( right ) | 30 | '-( ).-' '-----------' '-( ).-' | 31 | '-.( ).-' '-.( ).-' | 32 | <-------. | 33 | | v 34 | .-----------. 35 | | trafright | 36 | | Ubuntu | 37 | '-----------' 38 | 39 | 40 | The goal is to offer easy access to all parts and to be able to experiment with Fortinet products on Openstack. 41 | There are few explanations, as all the code is available. We may put explanations in comments though. 42 | 43 | This same result is then achieved with different tools: script, heat template, cloudify blueprint, osm VNFd. 44 | 45 | You should understand the Fortigate deployment after this; next, please go to [Fortigate](Fortigate.md) -------------------------------------------------------------------------------- /fortiweb/fortiweb/templates/_helpers.tpl: -------------------------------------------------------------------------------- 1 | {{/* vim: set filetype=mustache: */}} 2 | {{/* 3 | Expand the name of the chart. 4 | */}} 5 | {{- define "fortiweb.name" -}} 6 | {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} 7 | {{- end -}} 8 | 9 | {{/* 10 | Create a default fully qualified app name. 11 | We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). 12 | If release name contains chart name it will be used as a full name. 
13 | */}} 14 | {{- define "fortiweb.fullname" -}} 15 | {{- if .Values.fullnameOverride -}} 16 | {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} 17 | {{- else -}} 18 | {{- $name := default .Chart.Name .Values.nameOverride -}} 19 | {{- if contains $name .Release.Name -}} 20 | {{- .Release.Name | trunc 63 | trimSuffix "-" -}} 21 | {{- else -}} 22 | {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} 23 | {{- end -}} 24 | {{- end -}} 25 | {{- end -}} 26 | 27 | {{/* 28 | Create chart name and version as used by the chart label. 29 | */}} 30 | {{- define "fortiweb.chart" -}} 31 | {{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} 32 | {{- end -}} 33 | 34 | {{/* 35 | Common labels 36 | */}} 37 | {{- define "fortiweb.labels" -}} 38 | helm.sh/chart: {{ include "fortiweb.chart" . }} 39 | {{ include "fortiweb.selectorLabels" . }} 40 | {{- if .Chart.AppVersion }} 41 | app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 42 | {{- end }} 43 | app.kubernetes.io/managed-by: {{ .Release.Service }} 44 | {{- end -}} 45 | 46 | {{/* 47 | Selector labels 48 | */}} 49 | {{- define "fortiweb.selectorLabels" -}} 50 | app.kubernetes.io/name: {{ include "fortiweb.name" . }} 51 | app.kubernetes.io/instance: {{ .Release.Name }} 52 | {{- end -}} 53 | 54 | {{/* 55 | Create the name of the service account to use 56 | */}} 57 | {{- define "fortiweb.serviceAccountName" -}} 58 | {{- if .Values.serviceAccount.create -}} 59 | {{ default (include "fortiweb.fullname" .) 
.Values.serviceAccount.name }} 60 | {{- else -}} 61 | {{ default "default" .Values.serviceAccount.name }} 62 | {{- end -}} 63 | {{- end -}} 64 | 65 | {{/* 66 | From https://helm.sh/docs/howto/charts_tips_and_tricks/ 67 | */}} 68 | {{- define "imagePullSecret" }} 69 | {{- with .Values.imageCredentials }} 70 | {{- printf "{\"auths\":{\"%s\":{\"username\":\"%s\",\"password\":\"%s\",\"email\":\"%s\",\"auth\":\"%s\"}}}" .registry .username .password .email (printf "%s:%s" .username .password | b64enc) | b64enc }} 71 | {{- end }} 72 | {{- end }} -------------------------------------------------------------------------------- /fortigate/cloudinit_cdrom/start_fgt.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #************************************************ 4 | # 5 | # Use this script to start a FortiGate VM with 6 | # LibVirt, no VIM required. 7 | # This has support for cloud init, see below how 8 | # to build cdrom with proper content 9 | # 10 | # ************************************************ 11 | 12 | #************************************************ 13 | # Check Fortigate VM existence 14 | #************************************************ 15 | 16 | if [ -z "$1" ]; then 17 | echo "Need location of Fortigate image" 18 | exit -1 19 | fi 20 | result=$(file $1) 21 | if [[ $result == *"QEMU QCOW Image (v2)"* ]]; then 22 | echo "Supplied Fortigate image is in: $1" 23 | FORTIGATE_QCOW2=$1 24 | else 25 | echo "Supplied Fortigate image does not look a qcow2 file" 26 | exit -1 27 | fi 28 | if [[ "$(realpath $FORTIGATE_QCOW2)" == "$(pwd)/fortios.qcow2" ]]; then 29 | echo "FortiGate image can not be named fortios.qcow2 in this directory. 
Choose different location/name" 30 | exit -1 31 | fi 32 | 33 | export SF2_NAME=fortigate 34 | export SF2_IP_ADMIN=192.168.122.40 35 | export SF2_IP=192.168.70.40 36 | export SF2_IP2=192.168.80.40 37 | export SF2_MAC_ADMIN=08:00:27:4c:22:40 38 | export SF2_MAC=08:00:27:4c:70:40 39 | export SF2_MAC2=08:00:27:4c:80:40 40 | 41 | rm -f fortios.qcow2 42 | rm -rf cfg-drv-fgt 43 | rm -rf ${SF2_NAME}-cidata.iso 44 | 45 | cp ${FORTIGATE_QCOW2} ./fortios.qcow2 46 | 47 | mkdir -p cfg-drv-fgt/openstack/latest/ 48 | mkdir -p cfg-drv-fgt/openstack/content/ 49 | 50 | cat >cfg-drv-fgt/openstack/content/0000 < Put your license here 53 | -----END FGT VM LICENSE----- 54 | EOF 55 | 56 | cat >cfg-drv-fgt/openstack/latest/user_data <","user":"admin","passwd":"", \ 21 | "port2":"", 22 | "port3":"", 23 | "port4":"", 24 | "port5":"" 25 | }' 26 | 27 | To test directly: 28 | ./config-template.py -d '{"host":"10.10.10.14","user":"admin","passwd":"", \ 29 | "port2":"10.0.2.2", 30 | "port3":"10.0.3.3", 31 | "port4":"10.0.4.4", 32 | "port5":"10.0.5.5"}' 33 | 34 | ./config-template.py -d '{"host": "10.10.10.24", "user": "admin", "passwd": "", "port2": "10.0.2.2", "port3": "10.0.3.3","port4": "10.0.4.4","port5": "10.0.5.5"}' 35 | 36 | 37 | ''' 38 | 39 | 40 | from fortigateconf import FortiOSConf 41 | import argparse 42 | parser = argparse.ArgumentParser() 43 | 44 | parser.add_argument('-d', '--my-dict', type=str) 45 | args = parser.parse_args() 46 | 47 | import json 48 | import logging 49 | formatter = logging.Formatter( 50 | '%(asctime)s %(name)-12s %(levelname)-8s %(message)s') 51 | logger = logging.getLogger('fortinetconflib') 52 | hdlr = logging.FileHandler('/var/tmp/config-template.log') 53 | hdlr.setFormatter(formatter) 54 | logger.addHandler(hdlr) 55 | logger.setLevel(logging.DEBUG) 56 | 57 | 58 | 59 | 60 | print (args.my_dict) 61 | d = json.loads(args.my_dict) 62 | 63 | fgt = FortiOSConf() 64 | fgt.login(d['host'],d['user'],d['passwd']) 65 | 66 | for p in ["port2", "port3", "port4"]: 67 | 
print (p) 68 | ip= d[p] + " 255.255.255.0" 69 | data = { 70 | "name": p, 71 | "mode": "static", 72 | "ip": ip, 73 | "allowaccess":"ping", 74 | "vdom":"root" 75 | } 76 | fgt.set('system','interface', vdom="root", data=data) 77 | 78 | fgt.logout() 79 | 80 | 81 | -------------------------------------------------------------------------------- /Azure/FGT-FWB-VMs-2-Subnets/vnet-existing.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "location": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Location" 9 | } 10 | }, 11 | "vnetName": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Virtual Network name (e.g. vnet-haivision)" 15 | } 16 | }, 17 | "vnetResourceGroup": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Virtual Network Resource Group" 21 | } 22 | }, 23 | "vnetAddressPrefix": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "Virtual Network Address Prefix (i.e. CIDR)" 27 | } 28 | }, 29 | "OutsideSubnetName": { 30 | "type": "string", 31 | "metadata": { 32 | "description": "Server will be deployed into this subnet within the Virtual Network" 33 | } 34 | }, 35 | "subnet1AddressPrefix": { 36 | "type": "string", 37 | "metadata": { 38 | "description": "Virtual Network subnet Address Prefix (i.e. CIDR)" 39 | } 40 | }, 41 | "DMZSubnetName": { 42 | "type": "string", 43 | "metadata": { 44 | "description": "Server will be deployed into this subnet within the Virtual Network" 45 | } 46 | }, 47 | "subnet2AddressPrefix": { 48 | "type": "string", 49 | "metadata": { 50 | "description": "Virtual Network subnet Address Prefix (i.e. 
CIDR)" 51 | } 52 | }, 53 | "routeTable1Name": { 54 | "type": "string" 55 | }, 56 | "routeTable2Name": { 57 | "type": "string" 58 | }, 59 | "FortinetTags": { 60 | "type": "object" 61 | } 62 | }, 63 | "variables": { 64 | "vnetID": "[resourceId(parameters('vnetResourceGroup'), 'Microsoft.Network/virtualNetworks', parameters('vnetName'))]", 65 | "subnet1ID": "[concat(variables('vnetID'),'/subnets/',parameters('OutsideSubnetName'))]", 66 | "subnet2ID": "[concat(variables('vnetID'),'/subnets/',parameters('DMZSubnetName'))]", 67 | "routeTable1Id": "[resourceId('Microsoft.Network/routeTables',parameters('routeTable1Name'))]", 68 | "routeTable2Id": "[resourceId('Microsoft.Network/routeTables',parameters('routeTable2Name'))]", 69 | "apiVer": "2015-06-15" 70 | }, 71 | "resources": [ 72 | ], 73 | "outputs": { 74 | "subnet1ID": { 75 | "value": "[variables('subnet1ID')]", 76 | "type": "string" 77 | }, 78 | "subnet2ID": { 79 | "value": "[variables('subnet2ID')]", 80 | "type": "string" 81 | } 82 | } 83 | } 84 | -------------------------------------------------------------------------------- /fortigate/heat-add-floatings.patch: -------------------------------------------------------------------------------- 1 | --- heat-minipoc.yaml 2019-09-17 09:47:13.000000000 +0000 2 | +++ heat-minipoc-floating.yaml 2019-09-17 09:47:13.000000000 +0000 3 | @@ -3,6 +3,8 @@ 4 | #$ openstack stack create --template heat-minipoc.yaml mini-poc 5 | # on citycloud or with specific inputs file 6 | # openstack stack create --template heat-minipoc.yaml mini-poc -e citycloud-env.yaml 7 | +# You can also updte with the floatings 8 | +# openstack stack update --existing --template heat-minipoc-floating.yaml mini-poc -e citycloud-env.yaml 9 | #### 10 | # to follow execution: 11 | # openstack stack event list mini-poc --follow 12 | 
@@ -13,10 +15,10 @@ 13 | 14 | description: > 15 | HOT template to create 2 neutron networks, 2 generic VMs a Fortios VM 16 | - in between. No floating ip in this one assume you have direct access (or jump server) 17 | + in between and floating ip for every server. 18 | Used for experimenting (actual traffic) of Fortigate in an openstack environment. 19 | 20 | - 21 | + 22 | parameters: 23 | fgtimage: 24 | type: string 25 | @@ -36,6 +38,10 @@ 26 | default: "mgmt" 27 | constraints: 28 | - custom_constraint: neutron.network 29 | + public_net: 30 | + type: string 31 | + description: External network for floating ips 32 | + default: "ext_net" 33 | vms_flavor: 34 | type: string 35 | description: Flavor of the VMs 36 | 
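Review bot: The added `public_net` parameter has no `constraints` block, while the `mgmt_net` parameter just above it in the same hunk carries `constraints:` / `- custom_constraint: neutron.network`; a mistyped external network name is therefore only caught when the first `OS::Neutron::FloatingIP` resource is created, not at stack validation. Add the same two lines under `default: "ext_net"`: `constraints:` and `- custom_constraint: neutron.network`, matching the style of the other network parameter. The `parameters:` section continues outside the hunk.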
@@ -234,15 +240,32 @@ 37 | - network: { get_param: mgmt_net } 38 | - network: { get_resource: right_net } 39 | 40 | + ubr_floating_ip: 41 | + type: OS::Neutron::FloatingIP 42 | + properties: 43 | + floating_network: { get_param: public_net } 44 | + port_id: {get_attr: [ubright, addresses, {get_param: mgmt_net}, 0, port]} 45 | + 46 | + ubl_floating_ip: 47 | + type: OS::Neutron::FloatingIP 48 | + properties: 49 | + floating_network: { get_param: public_net } 50 | + port_id: {get_attr: [ubleft, addresses, {get_param: mgmt_net}, 0, port]} 51 | + # explicit port association instead of server 52 | + 53 | + fgt_floating_ip: 54 | + type: OS::Neutron::FloatingIP 55 | + properties: 56 | + floating_network: { get_param: public_net } 57 | + port_id: { get_resource: fgt_mgmt_port } 58 | 59 | - 60 | outputs: 61 | fgt-mgmt-ip: 62 | description: IP address to access of the FGT 63 | - value: { get_attr: [fgt, networks, {get_param: mgmt_net}, 0] } 64 | + value: { get_attr: [ fgt_floating_ip, floating_ip_address ] } 65 | left-info: 66 | description: IP address to access left ubuntu machine 67 | - value: { get_attr: [ubleft, networks, {get_param: mgmt_net}, 0] } 68 | + value: { get_attr: [ ubl_floating_ip, floating_ip_address ] } 69 | right-info: 70 | description: IP address to access right ubuntu machine 71 | - value: { get_attr: [ubright, networks, {get_param: mgmt_net}, 0] } 72 | + value: { get_attr: [ ubr_floating_ip, floating_ip_address ] } 73 | -------------------------------------------------------------------------------- /osm/fortios_vnfd_src/scripts/testargpassing.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2017 Fortinet, Inc. 3 | # 4 | # All Rights Reserved 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 7 | # not use this file except in compliance with the License. 
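Review bot: The three `OS::Neutron::FloatingIP` resources put the management port of every server (`fgt_mgmt_port` and the `mgmt_net` ports of `ubleft`/`ubright`) on `public_net`, but nothing in the hunk limits who can reach those addresses; that is decided solely by the security group on the ports, and the companion `openstack/configure-openstack` script on this page deliberately makes the `default` group "globally open" (its `##make wide open` rules). A comment above `ubr_floating_ip` should state that assumption, e.g. `# these floating IPs expose the mgmt ports on public_net; the ports' security group (default = wide open per configure-openstack) is the only filter`. The server resources that own the ports begin before the hunk, so whether they carry a restrictive security group cannot be confirmed here. The `# explicit port association instead of server` comment sits under `ubl_floating_ip` only although it describes all three resources; moving it above the first one would read better.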
You may obtain 8 | # a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 14 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 15 | # License for the specific language governing permissions and limitations 16 | # under the License. 17 | # 18 | ''' This script must be called with the following patern 19 | ./config-template.py -d \ 20 | '{"host":"","user":"admin","passwd":"", \ 21 | "port2":"", 22 | "port3":"", 23 | "port4":"", 24 | "port5":"" 25 | }' 26 | 27 | To test directly: 28 | ./config-template.py -d '{"host":"10.10.10.14","user":"admin","passwd":"", \ 29 | "port2":"10.0.2.2", 30 | "port3":"10.0.3.3", 31 | "port4":"10.0.4.4", 32 | "port5":"10.0.5.5"}' 33 | 34 | ./config-template.py -d '{"host": "10.10.10.24", "user": "admin", "passwd": "", "port2": "10.0.2.2", "port3": "10.0.3.3","port4": "10.0.4.4","port5": "10.0.5.5"}' 35 | 36 | 37 | ''' 38 | 39 | 40 | from fortigateconf import FortiOSConf 41 | import argparse 42 | parser = argparse.ArgumentParser() 43 | 44 | parser.add_argument('-s', '--my-str', type=str) 45 | args = parser.parse_args() 46 | 47 | import json 48 | import logging 49 | formatter = logging.Formatter( 50 | '%(asctime)s %(name)-12s %(levelname)-8s %(message)s') 51 | logger = logging.getLogger('fortinetconflib') 52 | hdlr = logging.FileHandler('/var/tmp/config-template.log') 53 | hdlr.setFormatter(formatter) 54 | logger.addHandler(hdlr) 55 | logger.setLevel(logging.DEBUG) 56 | 57 | 58 | mystr= args.my_str.replace('\n',"\\") 59 | 60 | print ("arg receivd : %s" % mystr) 61 | 62 | strasList = mystr.split("\\") 63 | #strasList = mystr.splitlines() 64 | 65 | eachInASeparateLine=""" 66 | {} 67 | """.format("\n".join(strasList).strip()) 68 | 69 | print (eachInASeparateLine) 70 | 71 | fgt = FortiOSConf() 72 | 73 | ''' 74 | 
fgt.login('10.10.10.24','admin','') 75 | 76 | for p in ["port2", "port3", "port4"]: 77 | print (p) 78 | ip= d[p] + " 255.255.255.0" 79 | data = { 80 | "name": p, 81 | "mode": "static", 82 | "ip": ip, 83 | "allowaccess":"ping", 84 | "vdom":"root" 85 | } 86 | # fgt.set('system','interface', vdom="root", data=data) 87 | ''' 88 | fgt.ssh(eachInASeparateLine,'10.10.10.24','admin','') 89 | 90 | 91 | 92 | -------------------------------------------------------------------------------- /openstack/configure-openstack: --------------------------------------------------------------------------------
#!/bin/bash
#
# fortinet-configure-openstack
# Copyright (C) 2016 Fortinet Ltd.
#
# Authors: Nicolas Thomss
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, version 3 of the License.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
# Purpose: re-runnable bootstrap of the tenant this project deploys into:
# a "mgmt" network + subnet, ingress rules on the "default" security group
# and a "default" keypair built from ~/.ssh/id_rsa.pub. Every create is
# guarded by a "show ... ||" or a trailing "|| echo" so that re-running
# against an already configured tenant does not abort under set -e.
#
# The script sources no RC file: the openstack CLI must already be
# authenticated in the calling shell.

# -e: stop on the first unguarded failure; -x: echo every command (this also
# prints every CLI argument, including the key path, to the terminal).
set -ex

cat << EOF
This script configure the following on openstack:
- a network and subnet called mgmt
- a keypair called default using ~/.ssh/id_rsa.pub
- security group called default globally open.
EOF


#PKGS=" python-keystone python-neutronclient python-novaclient python-glanceclient python-openstackclient python-heatclient"
#dpkg -l $PKGS > /dev/null || sudo apt install -y $PKGS



# Address range handed to the mgmt subnet and the resolver its DHCP advertises.
NEUTRON_FIXED_NET_CIDR="192.168.1.0/24"
NEUTRON_DNS="8.8.8.8"

# Determine the tenant id for the configured tenant name.
# (stale: nothing below looks the tenant up; kept for history)

echo "Configuring Openstack Neutron"

#Create mgmt network for neutron for tenant VMs
# "show" succeeds only when the object already exists, so each create runs at most once.
openstack network show mgmt > /dev/null 2>&1 || openstack network create mgmt
openstack subnet show mgmt_subnet > /dev/null 2>&1 || openstack subnet create mgmt_subnet --network mgmt --subnet-range $NEUTRON_FIXED_NET_CIDR --dns-nameserver $NEUTRON_DNS --dhcp
# Scrapes the id out of the table output; "-f value -c id" would be the robust
# form. SUBNET_ID is not referenced again in this script.
SUBNET_ID=$(openstack subnet show mgmt_subnet | grep " id" | awk '{print $4}')

#Configure the default security group to allow ICMP and SSH
# Rule creation is not idempotent (a duplicate rule is an error), hence the
# "|| echo" guards; note they also hide any other failure of these commands.
openstack security group rule create --proto icmp default || echo "should have been created already"

##make wide open
# NOTE(review): the four rules below accept ingress from any IPv4 (0.0.0.0/0)
# and any IPv6 (::/0) source with no port range, i.e. on every port, on the
# "default" group that ports land in unless another group is given. The first
# IPv4 rule names no --protocol, so its scope depends on the client's default;
# the other three are UDP, TCP and UDP. Any instance that later receives a
# floating IP (see fortigate/heat-add-floatings.patch in this repo) is then
# reachable from the whole Internet on all ports. Before running this against
# a public cloud, narrow --remote-ip to the operator's source range or put
# these rules on a dedicated lab-only group instead of "default".
openstack security group rule create --ingress --ethertype IPv4 --remote-ip 0.0.0.0/0 default|| echo "should have been created already"
openstack security group rule create --ingress --ethertype IPv4 --remote-ip 0.0.0.0/0 --protocol udp default|| echo "should have been created already"

openstack security group rule create --ingress --ethertype IPv6 --remote-ip ::/0 --protocol tcp default|| echo "should have been created already"
openstack security group rule create --ingress --ethertype IPv6 --remote-ip ::/0 --protocol udp default|| echo "should have been created already"


#Upload a default SSH key (TODO: call the key fortistacks to allow both from laptop and from jumphost)
# Only the public half of the key is read; the "|| echo" makes a second run a no-op.
openstack keypair create --public-key ~/.ssh/id_rsa.pub default || echo "asssuming key is already uploaded"



-------------------------------------------------------------------------------- /osm/fortios_vnfd_src/scripts/testargpassjson.py: -------------------------------------------------------------------------------- 1 | #!/usr/bin/env python 2 | # Copyright 2017 Fortinet, Inc. 3 | # 4 | # All Rights Reserved 5 | # 6 | # Licensed under the Apache License, Version 2.0 (the "License"); you may 7 | # not use this file except in compliance with the License. 
You may obtain 8 | # a copy of the License at 9 | # 10 | # http://www.apache.org/licenses/LICENSE-2.0 11 | # 12 | # Unless required by applicable law or agreed to in writing, software 13 | # distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 14 | # WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the 15 | # License for the specific language governing permissions and limitations 16 | # under the License. 17 | # 18 | ''' This script must be called with the following patern 19 | ./config-template.py -d \ 20 | '{"host":"","user":"admin","passwd":"", \ 21 | "port2":"", 22 | "port3":"", 23 | "port4":"", 24 | "port5":"" 25 | }' 26 | 27 | To test directly: 28 | ./config-template.py -d '{"host":"10.10.10.14","user":"admin","passwd":"", \ 29 | "port2":"10.0.2.2", 30 | "port3":"10.0.3.3", 31 | "port4":"10.0.4.4", 32 | "port5":"10.0.5.5"}' 33 | 34 | ./config-template.py -d '{"host": "10.10.10.24", "user": "admin", "passwd": "", "port2": "10.0.2.2", "port3": "10.0.3.3","port4": "10.0.4.4","port5": "10.0.5.5"}' 35 | 36 | 37 | ''' 38 | 39 | 40 | from fortigateconf import FortiOSConf 41 | import argparse 42 | parser = argparse.ArgumentParser() 43 | 44 | parser.add_argument('-s', '--my-str', type=str) 45 | args = parser.parse_args() 46 | 47 | import json, pprint 48 | import logging 49 | formatter = logging.Formatter( 50 | '%(asctime)s %(name)-12s %(levelname)-8s %(message)s') 51 | logger = logging.getLogger('fortinetconflib') 52 | hdlr = logging.FileHandler('/var/tmp/config-template.log') 53 | hdlr.setFormatter(formatter) 54 | logger.addHandler(hdlr) 55 | logger.setLevel(logging.DEBUG) 56 | pp = pprint.PrettyPrinter(indent=4) 57 | 58 | mystr= args.my_str 59 | 60 | print ("arg receivd : %s" % mystr) 61 | commands = mystr.split("\\n") 62 | # multi line is accepted with \n to separate then converted because juju does not allow advanced types like list or json :( 63 | mydata={} 64 | for line in commands: 65 | key=line.split(":")[0].strip() 66 
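| value=line.split(":")[1].strip() 67 | mydata[key]=value 68 | 69 | pp.pprint (mydata) 70 | ''' 71 | strjson="""{ 72 | {}, 73 | \}""".format("\n".join(commands)) 74 | 75 | 76 | print (strjson) 77 | 78 | 79 | ''' 80 | 81 | data = { 82 | # "action" : "add", 83 | "seq-num" :"8", 84 | "dst": "10.10.30.0 255.255.255.0", 85 | "device": "port2", 86 | "gateway": "192.168.40.254", 87 | } 88 | pp.pprint(data) 89 | 90 | -------------------------------------------------------------------------------- /Azure/voting-app.yaml: --------------------------------------------------------------------------------
# Two-tier sample application: a redis backend and the azure-vote-front web
# tier, each with a Service and a HorizontalPodAutoscaler. Every object is its
# own YAML document; the "---" before azure-vote-front-hpa was missing, which
# merged that HPA into the azure-vote-back-hpa document (duplicate top-level
# keys), so the front-tier autoscaler was never applied as a separate object.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-back
spec:
  replicas: 1
  selector:
    matchLabels:
      app: azure-vote-back
  template:
    metadata:
      labels:
        app: azure-vote-back
    spec:
      nodeSelector:
        "beta.kubernetes.io/os": linux
      containers:
      - name: azure-vote-back
        image: redis
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 6379
          name: redis
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-back
spec:
  ports:
  - port: 6379
  selector:
    app: azure-vote-back
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: azure-vote-front
spec:
  replicas: 5
  selector:
    matchLabels:
      app: azure-vote-front
  template:
    metadata:
      labels:
        app: azure-vote-front
    spec:
      nodeSelector:
        "beta.kubernetes.io/os": linux
      containers:
      - name: azure-vote-front
        image: microsoft/azure-vote-front:v1
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 150m
            memory: 156Mi
        ports:
        - containerPort: 80
        env:
        # hostname of the redis Service above
        - name: REDIS
          value: "azure-vote-back"
---
apiVersion: v1
kind: Service
metadata:
  name: azure-vote-front
  labels:
    app: azure-vote-front
  annotations:
    # internal Azure load balancer: not reachable from outside the VNet
    service.beta.kubernetes.io/azure-load-balancer-internal: "true"
spec:
  type: LoadBalancer
  # may try nodeport type to see if works better for K8S connector
  ports:
  - port: 80
  selector:
    app: azure-vote-front
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: azure-vote-back-hpa
spec:
  maxReplicas: 10 # define max replica count
  minReplicas: 1 # define min replica count
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: azure-vote-back
  targetCPUUtilizationPercentage: 50 # target CPU utilization
---
apiVersion: autoscaling/v1
kind: HorizontalPodAutoscaler
metadata:
  name: azure-vote-front-hpa
spec:
  maxReplicas: 40
  minReplicas: 2
  scaleTargetRef:
    apiVersion: apps/v1
    kind: Deployment
    name: azure-vote-front
  targetCPUUtilizationPercentage: 60 # target CPU utilization
-------------------------------------------------------------------------------- /Azure/FGT-FWB-VMs-2-Subnets/publicip-existing.json: -------------------------------------------------------------------------------- 1 | { 2 | "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", 3 | "contentVersion": "1.0.0.0", 4 | "parameters": { 5 | "location": { 6 | "type": "string", 7 | "metadata": { 8 | "description": "Location" 9 | } 10 | }, 11 | "publicIPAddressResourceGroup": { 12 | "type": "string", 13 | "metadata": { 14 | "description": "Resource Group" 15 | } 16 | }, 17 | "publicIPAddressName": { 18 | "type": "string", 19 | "metadata": { 20 | "description": "Public IP Address Name" 21 | } 22 | }, 23 | "publicIPAddressType": { 24 | "type": "string", 25 | "metadata": { 26 | "description": "Public IP Address Type (e.g. 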
Static or Dynamic)" 27 | } 28 | }, 29 | "VMName": { 30 | "type": "string", 31 | "metadata": { 32 | "description": "FortiGate name" 33 | } 34 | }, 35 | "VNetName": { 36 | "type": "string", 37 | "metadata": { 38 | "description": "FortiGate name" 39 | } 40 | }, 41 | "FGPubFacingAddress": { 42 | "type": "string", 43 | "metadata": { 44 | "description": "Outside address of FortiGate" 45 | } 46 | }, 47 | "subnet1Ref": { 48 | "type": "string", 49 | "metadata": { 50 | "description": "subnet 1 reference ID" 51 | } 52 | }, 53 | "network_NIC_fg11_Name": { 54 | "type": "string", 55 | "metadata": { 56 | "description": "NIC0 interface name" 57 | } 58 | }, 59 | "FortinetTags": { 60 | "type": "object" 61 | } 62 | }, 63 | "variables": { 64 | "publicIPID": "[resourceId(parameters('publicIPAddressResourceGroup'), 'Microsoft.Network/publicIPAddresses', parameters('publicIPAddressName'))]", 65 | "apiVer": "2015-06-15" 66 | }, 67 | "resources": [ 68 | { 69 | "apiVersion": "[variables('apiVer')]", 70 | "tags": { 71 | "provider": "[toUpper(parameters('FortinetTags').provider)]" 72 | }, 73 | "type": "Microsoft.Network/networkInterfaces", 74 | "name": "[parameters('network_NIC_fg11_Name')]", 75 | "location": "[parameters('location')]", 76 | "properties": { 77 | "ipConfigurations": [ 78 | { 79 | "name": "ipconfig1", 80 | "properties": { 81 | "privateIPAllocationMethod": "Static", 82 | "privateIPAddress": "[parameters('FGPubFacingAddress')]", 83 | "subnet": { 84 | "id": "[parameters('subnet1Ref')]" 85 | }, 86 | "publicIPAddress": { 87 | "id": "[variables('publicIPID')]" 88 | } 89 | } 90 | } 91 | ], 92 | "enableIPForwarding": true 93 | } 94 | } 95 | ], 96 | "outputs": { 97 | } 98 | } 99 | -------------------------------------------------------------------------------- /fortiweb/fwb-conf.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: azure-managed-disk 5 | spec: 6 | accessModes: 7 | 
- ReadWriteOnce 8 | storageClassName: default 9 | resources: 10 | requests: 11 | storage: 5Gi 12 | --- 13 | apiVersion: apps/v1 14 | kind: Deployment 15 | metadata: 16 | name: fortiweb-conf 17 | spec: 18 | replicas: 1 19 | selector: 20 | matchLabels: 21 | app: fortiweb-conf 22 | # strategy is supposed to ensure 1 single conf server 23 | strategy: 24 | type: Recreate 25 | template: 26 | metadata: 27 | labels: 28 | app: fortiweb-conf 29 | spec: 30 | nodeSelector: 31 | "beta.kubernetes.io/os": linux 32 | restartPolicy: Always 33 | containers: 34 | - name: fweb 35 | image: fortistackscontainerregistry.azurecr.io/fortinet/fweb 36 | command: ["/bin/docker_init"] 37 | securityContext: 38 | capabilities: 39 | add: ["NET_ADMIN", "NET_RAW", "SYS_TIME", "SYS_PTRACE" ] 40 | # allowPrivilegeEscalation: true 41 | privileged: true 42 | resources: 43 | requests: 44 | cpu: 0.5 45 | memory: 2048Mi 46 | limits: 47 | cpu: 2 48 | memory: 4096Mi 49 | env: 50 | # Define the environment variable 51 | - name: SWARM_ENV 52 | value: "yes" 53 | # - name: FWB_ADMIN_PASSWORD 54 | # value: "Fortin3t" 55 | ports: 56 | - containerPort: 8 57 | name: mgmt 58 | - containerPort: 43 59 | name: gui 60 | - containerPort: 996 61 | name: mgmt6 62 | - containerPort: 997 63 | name: mgmt7 64 | volumeMounts: 65 | - mountPath: /data/config/ 66 | name: fwbconfig 67 | - mountPath: /data/etc/vmware/vm.lic 68 | subPath: vm.lic 69 | name: licenseconfig 70 | volumes: 71 | - name: licenseconfig 72 | secret: 73 | secretName: fwblicense 74 | items: 75 | - key: vm.lic 76 | path: vm.lic 77 | - name: fwbconfig 78 | persistentVolumeClaim: 79 | claimName: azure-managed-disk 80 | --- 81 | apiVersion: v1 82 | kind: Service 83 | metadata: 84 | name: fortiweb-conf 85 | labels: 86 | app: fortiweb-conf 87 | annotations: 88 | service.beta.kubernetes.io/azure-load-balancer-internal: "true" 89 | spec: 90 | type: LoadBalancer 91 | # may try nodeport type to see if works better for K8S connector 92 | ports: 93 | - name: mgmt 94 | port: 
8 95 | targetPort: 8 96 | - name: gui 97 | port: 8443 98 | targetPort: 43 99 | - name: mgmt6 100 | port: 996 101 | targetPort: 996 102 | - name: mgmt7 103 | port: 997 104 | targetPort: 997 105 | selector: 106 | app: fortiweb-conf 107 | 108 | ### Volume attach fails node VM too small https://docs.microsoft.com/en-us/azure/aks/concepts-storage 109 | ##can redo config for the fortiweb workers 110 | -------------------------------------------------------------------------------- /sdwan-secure/types/openstack-types.yaml: -------------------------------------------------------------------------------- 1 | 2 | node_types: 3 | 4 | ########################################################### 5 | # We define a type that inherits openstack's default 6 | # server, and adds monitoring capabillities on top of it. 7 | ########################################################### 8 | 9 | nodecellar.nodes.MonitoredServer: 10 | derived_from: cloudify.openstack.nodes.Server 11 | properties: 12 | agent_config: 13 | default: 14 | install_method: init_script 15 | user: { get_input: agent_user } 16 | port: 22 17 | key: { get_secret: agent_key_private } 18 | #network: mgmt_network 19 | ## 20 | server: 21 | default: 22 | key_name: 'cloudify' 23 | image_name: { get_input: ub_image } 24 | flavor_name: { get_input: ub_flavor } 25 | interfaces: 26 | cloudify.interfaces.lifecycle: 27 | create: 28 | implementation: openstack.nova_plugin.server.create 29 | inputs: 30 | args: 31 | default: 32 | image: { get_input: ub_image } 33 | flavor: { get_input: ub_flavor } 34 | userdata: { get_attribute: [ cloudify_host_cloud_config, cloud_config ] } 35 | 36 | ########################################################### 37 | # We are infact telling cloudify to install a diamond 38 | # monitoring agent on the server. 
39 | # 40 | # (see https://github.com/BrightcoveOS/Diamond) 41 | ########################################################### 42 | 43 | cloudify.interfaces.monitoring_agent: 44 | install: 45 | implementation: diamond.diamond_agent.tasks.install 46 | inputs: 47 | diamond_config: 48 | default: 49 | interval: 1 50 | start: diamond.diamond_agent.tasks.start 51 | stop: diamond.diamond_agent.tasks.stop 52 | uninstall: diamond.diamond_agent.tasks.uninstall 53 | 54 | ########################################################### 55 | # Adding some collectors. These collectors are necessary 56 | # for the Cloudify UI to display the deafult metrics. 57 | ########################################################### 58 | 59 | cloudify.interfaces.monitoring: 60 | start: 61 | implementation: diamond.diamond_agent.tasks.add_collectors 62 | inputs: 63 | collectors_config: 64 | default: 65 | CPUCollector: {} 66 | MemoryCollector: {} 67 | LoadAverageCollector: {} 68 | DiskUsageCollector: 69 | config: 70 | devices: x?vd[a-z]+[0-9]*$ 71 | NetworkCollector: {} 72 | ProcessResourcesCollector: 73 | config: 74 | enabled: true 75 | unit: B 76 | measure_collector_time: true 77 | cpu_interval: 0.5 78 | process: 79 | node: 80 | name: node 81 | -------------------------------------------------------------------------------- /docs/Internals/About.md: -------------------------------------------------------------------------------- 1 | # Fortistacks details 2 | 3 | Please check [Fortistacks 2.0](quickstart.md) for a global explanation. 4 | 5 | # Scripts 6 | 7 | The fortistacks scripts/examples are built to be idempotent: you can re-run them without duplicating the result. 8 | 9 | The scripts are made to run on Ubuntu with sudo access. We provide the Docker image for a pre-determined environment. 10 | You are free to adapt and run in other environments (those are mainly bash/python), but please reproduce with the Docker 11 | image before raising a bug. 
12 | 13 | 14 | See the [Dockerclient](README-Dockerclient.md) for running on an external Openstack from any client. 15 | 16 | # Working Examples 17 | 18 | In every folder under the overall project you will find examples you can use directly with your custom-built Stack 19 | (Openstack and/or MANO). In theory only the parameter file should be changed. 20 | 21 | 22 | ## What you will find here 23 | 24 | In the different directories you will find the following parts; read the README in each folder for details: 25 | 26 | - openstack This section will configure your CityCloud openstack to work with this project. 27 | 28 | - fortigate/fortios Those are very similar; only the fortigate/fortios specifics are highlighted. Target is at least 5.6.3 or 5.4.5, which makes config_drive optional. There is a script in bash (read it to see the cli) and heat templates. 29 | 30 | - cloudify In this folder you will deploy a Cloudify-manager (on lxc locally, or a vm if public) auto-configured for using openstack, then have the blueprint to use it. 31 | 32 | - osm In this folder you will deploy an OpenSource MANO instance (on lxc locally, or a vm if public) auto-configured for using openstack, then have the descriptors to use it. 33 | 34 | - fortistacks Script to turn a vanilla Ubuntu with an empty partition into a system ready for fortistack. Can be ignored if using public or your own openstack. 35 | 36 | ## What do you need (choices) 37 | 38 | - An Openstack: 39 | - Public ($) use Citycloud: create an account and go to the public-openstack folder 40 | - Private: create your own and go to the ubuntu-openstack folder 41 | 42 | - Fortigate/fortios images: check the fortigate and fortios folders for scripted and heat examples. 43 | - MANO: 44 | - Cloudify folder: depending on your openstack choice, deploy the manager then use the blueprints. 45 | - OSM/Rift.io same as above 46 | 47 | This project is opensource and released under the Apache v2 license. Every contribution is supposed to respect that. Don't put your company IP in here; it is bad. 
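48 | 49 | 50 | ## Videos 51 | 52 | A youtube playlist will contain follow along video to be hands on [Fortistacks](https://www.youtube.com/playlist?list=PL78t125b9Q2YWfB4nre9NRTrerA-awaSo) 53 | 54 | ## Previous versions 55 | For stable versions of this project refer to : 56 | 57 | https://github.com/fortinet-solutions-cse/fortistacks/releases to find 58 | the release you like. The master branch will evolve continuously. 59 | 60 | Fortistacks1.2 on Public openstack : https://youtu.be/Zp6CCEbJiUU 61 | 62 | If you want to install your own openstack and use the same (on 1 machine) refer to 63 | Fortistacks1.1 https://youtu.be/0y38B61FTSk the video applies to version 1.2. 64 | 65 | -------------------------------------------------------------------------------- /fortiweb/fortiweb/values.yaml: --------------------------------------------------------------------------------
# Default values for fortiweb.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.

replicaCount: 1

image:
  repository: fortistackscontainerregistry.azurecr.io/fortiweb
  pullPolicy: IfNotPresent

# Each entry must be a mapping with a "name" key. The previous form
# `[ {"name:", "fwbregistrysecret"} ]` was a flow mapping with two null-valued
# keys ("name:" and "fwbregistrysecret"), which is not a valid imagePullSecrets
# entry, so the pull secret was never attached to the pod.
imagePullSecrets:
  - name: fwbregistrysecret
nameOverride: ""
fullnameOverride: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: false
  # Annotations to add to the service account
  annotations: {}
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name:

podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000

service:
  type: NodePort
  port: 80
  portssl: 443
  gui: 43

ingress:
  enabled: false
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths: []
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local

resources:
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  limits:
    cpu: 2
    memory: 4096Mi
  requests:
    cpu: 200m
    memory: 500Mi

nodeSelector: {}

tolerations: []

affinity: {}


# from https://helm.sh/docs/howto/charts_tips_and_tricks/
# Registry credentials the chart turns into the image pull secret.
# The password is intentionally empty in the committed file: the value obtained
# with `az acr login -n fortistacksContainerRegistry --expose-token` is a
# bearer credential and belongs in a values override or a `--set
# imageCredentials.password=<ACR_TOKEN>` at install time, never in the repo
# (a token was previously committed here and must be treated as exposed).
imageCredentials:
  registry: fortistackscontainerregistry.azurecr.io
  username: 00000000-0000-0000-0000-000000000000
  password: ""
  email: tregistry@azureacr.org
# use: az acr login -n fortistacksContainerRegistry --expose-token
-------------------------------------------------------------------------------- /Azure/Dockerfile: -------------------------------------------------------------------------------- 1 | # Dockerfile for azure cli, ansible and kubectl with optionnal SSL inspection. 2 | # build cmd: 3 | # on MacOS 4 | # docker build --build-arg FGTCA_BUILD=$(base64 Fortinet_CA_SSL.cer -b0) --pull -t fortinetsolutioncse/az-aks-cli . 5 | #on Linux 6 | # docker build --build-arg FGTCA_BUILD=$(base64 Fortinet_CA_SSL.cer -w0) --pull -t az-aks-cli . 7 | 8 | #was FROM mcr.microsoft.com/azure-cli but completion do not work well on microsoft image 9 | FROM ubuntu:18.04 10 | LABEL maintainer="Nicolas Thomas " provider="Fortinet" 11 | #Update the az software repository inside the dockerfile with the 'RUN' command. 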
12 | 13 | RUN apt-get update 14 | ARG FGTCA_BUILD 15 | ENV DEBIAN_FRONTEND=noninteractive 16 | ENV FGTCA none 17 | RUN apt-get install -y ca-certificates curl apt-transport-https lsb-release gnupg python3-pip software-properties-common 18 | #build arg to allow ssl inspect during build must create a base64 env with the CA in it: export FGTCA=$(base64 Fortinet_CA_SSL.crt -w0) 19 | #RUN [ $FGTCA_BUILD = "none"] || (echo "${FGTCA_BUILD}"| base64 -d > /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt; update-ca-certificates) 20 | RUN (echo "${FGTCA_BUILD}"| base64 -d > /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt; update-ca-certificates) 21 | COPY docker-entrypoint.sh /usr/local/bin/ 22 | ENTRYPOINT [ "/usr/local/bin/docker-entrypoint.sh"] 23 | 24 | 25 | RUN curl -sL https://packages.microsoft.com/keys/microsoft.asc | apt-key add - 26 | #| gpg --dearmor > /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null 27 | RUN AZ_REPO=$(lsb_release -cs); echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" > /etc/apt/sources.list.d/azure-cli.list 28 | RUN curl -sL https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add - 29 | RUN curl https://packages.microsoft.com/config/ubuntu/18.04/packages-microsoft-prod.deb -o packages-microsoft-prod.deb ; dpkg -i packages-microsoft-prod.deb 30 | RUN echo "deb https://apt.kubernetes.io/ kubernetes-xenial main" > /etc/apt/sources.list.d/kubernetes.list 31 | RUN add-apt-repository universe 32 | RUN apt-get update && (apt-get -y install bash-completion kubectl openssh-client apache2-utils jq azure-cli sudo wget zile byobu ccze powershell)&& \ 33 | kubectl completion bash >/etc/bash_completion.d/kubectl 34 | # Must use python3 or the fortios ansible modules do not work 35 | RUN pip3 --no-cache-dir install ansible 36 | # see https://galaxy.ansible.com/fortinet/fortios 37 | RUN ansible-galaxy collection install fortinet.fortios 38 | RUN export 
REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt ;az extension add --name aks-preview 39 | RUN groupadd -r az && useradd -g az -G adm,sudo az -m -p fortinet -s /bin/bash && \ 40 | echo "az ALL=(ALL) NOPASSWD:ALL" > /etc/sudoers.d/99-nopasswd && chmod 640 /etc/sudoers.d/99-nopasswd; \ 41 | echo "export REQUESTS_CA_BUNDLE=/etc/ssl/certs/ca-certificates.crt " >> ~az/.bashrc ; \ 42 | echo 'export PS1="\u@\h:\w $"'>> ~az/.bashrc ; chown az:az ~az/.bashrc 43 | RUN apt-get -y upgrade && apt-get clean 44 | # remove the CA used during build and rely on ENV at runtime avoid allowing access in non wanted places 45 | RUN rm -f /usr/local/share/ca-certificates/Fortinet_CA_SSL.crt && update-ca-certificates 46 | USER az 47 | CMD ["/bin/bash"] 48 | -------------------------------------------------------------------------------- /fortiweb/fwb-single.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: PersistentVolumeClaim 3 | metadata: 4 | name: azure-managed-disk-single 5 | spec: 6 | accessModes: 7 | - ReadWriteOnce 8 | storageClassName: default 9 | resources: 10 | requests: 11 | storage: 5Gi 12 | --- 13 | apiVersion: apps/v1 14 | kind: Deployment 15 | metadata: 16 | name: fortiweb-single 17 | spec: 18 | replicas: 1 19 | selector: 20 | matchLabels: 21 | app: fortiweb-single 22 | # strategy is supposed to ensure 1 single conf server 23 | strategy: 24 | type: Recreate 25 | template: 26 | metadata: 27 | labels: 28 | app: fortiweb-single 29 | spec: 30 | nodeSelector: 31 | "beta.kubernetes.io/os": linux 32 | restartPolicy: Always 33 | containers: 34 | - name: fweb 35 | image: fortistackscontainerregistry.azurecr.io/fortinet/fweb 36 | command: ["/bin/docker_init"] 37 | securityContext: 38 | capabilities: 39 | add: ["NET_ADMIN", "NET_RAW", "SYS_TIME", "SYS_PTRACE" ] 40 | # allowPrivilegeEscalation: true 41 | # privileged: true 42 | resources: 43 | requests: 44 | cpu: 0.5 45 | memory: 2048Mi 46 | limits: 47 | cpu: 2 48 | 
memory: 4096Mi 49 | env: 50 | # Define the environment variable 51 | - name: FWB_ADMIN_PASSWORD 52 | value: "Fortin3t" 53 | # of course can be replaced by a secret 54 | ports: 55 | - containerPort: 8 56 | name: mgmt 57 | - containerPort: 43 58 | name: gui 59 | - containerPort: 996 60 | name: mgmt6 61 | - containerPort: 997 62 | name: mgmt7 63 | - containerPort: 80 64 | name: http 65 | - containerPort: 443 66 | name: https 67 | volumeMounts: 68 | - mountPath: /data/config/ 69 | name: fwbconfig 70 | - mountPath: /data/etc/vmware/vm.lic 71 | subPath: vm.lic 72 | name: licenseconfig 73 | volumes: 74 | - name: licenseconfig 75 | secret: 76 | secretName: fwblicense2 77 | items: 78 | - key: vm.lic 79 | path: vm.lic 80 | - name: fwbconfig 81 | persistentVolumeClaim: 82 | claimName: azure-managed-disk-single 83 | --- 84 | apiVersion: v1 85 | kind: Service 86 | metadata: 87 | name: fortiweb-single 88 | labels: 89 | app: fortiweb-single 90 | annotations: 91 | service.beta.kubernetes.io/azure-load-balancer-internal: "true" 92 | spec: 93 | type: LoadBalancer 94 | # may try nodeport type to see if works better for K8S connector 95 | ports: 96 | - port: 80 97 | name: http 98 | - port: 443 99 | name: https 100 | - name: mgmt 101 | port: 8008 102 | targetPort: 8 103 | - name: gui 104 | port: 8443 105 | targetPort: 43 106 | - name: mgmt6 107 | port: 996 108 | targetPort: 996 109 | - name: mgmt7 110 | port: 997 111 | targetPort: 997 112 | selector: 113 | app: fortiweb-single 114 | 115 | ### Volume attach fails node VM too small https://docs.microsoft.com/en-us/azure/aks/concepts-storage 116 | ##can redo config for the fortiweb workers 117 | -------------------------------------------------------------------------------- /cloudify/fortigate-monitored/plugins/plugin-fortigate-monitor/fortigate_monit/cloudify_handler/cloudify.py: -------------------------------------------------------------------------------- 1 | ######### 2 | # Copyright (c) 2014 GigaSpaces Technologies Ltd. 
All rights reserved 3 | # 4 | # Licensed under the Apache License, Version 2.0 (the "License"); 5 | # you may not use this file except in compliance with the License. 6 | # You may obtain a copy of the License at 7 | # 8 | # http://www.apache.org/licenses/LICENSE-2.0 9 | # 10 | # Unless required by applicable law or agreed to in writing, software 11 | # distributed under the License is distributed on an "AS IS" BASIS, 12 | # * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 13 | # * See the License for the specific language governing permissions and 14 | # * limitations under the License. 15 | 16 | # Absolute imports required to import cloudify.constants due to naming of this 17 | # file 18 | from __future__ import absolute_import 19 | 20 | from time import sleep 21 | 22 | from cloudify import ( 23 | broker_config, 24 | cluster, 25 | utils, 26 | ) 27 | from diamond.handler.rabbitmq_topic import rmqHandler 28 | try: 29 | import pika 30 | except ImportError: 31 | pika = None 32 | 33 | from cloudify_handler.format import jsonify 34 | 35 | 36 | class CloudifyHandler(rmqHandler): 37 | """Diamond metric handler that publishes to the Cloudify RabbitMQ topic exchange; _bind is overridden so the exchange is declared auto_delete.""" 38 | def _bind(self): 39 | """ 40 | Create socket and bind (we override the default implementation 41 | to set auto_delete=True) 42 | """ 43 | credentials = pika.PlainCredentials(self.user, self.password) 44 | # self.user/password/vhost/port are not set here (presumably inherited from rmqHandler); broker host, TLS flag and certificate path come from cloudify broker_config / cluster settings, not from the handler config. 45 | ssl_enabled = broker_config.broker_ssl_enabled 46 | 47 | ssl_options = utils.internal.get_broker_ssl_options( 48 | ssl_enabled=ssl_enabled, 49 | cert_path=broker_config.broker_cert_path, 50 | ) 51 | # Get the cluster host if applicable 52 | cluster_settings = cluster.get_cluster_amqp_settings() 53 | broker_host = cluster_settings.get( 54 | 'amqp_host', 55 | broker_config.broker_hostname 56 | ) 57 | 58 | params = pika.ConnectionParameters(credentials=credentials, 59 | host=broker_host, 60 | virtual_host=self.vhost, 61 | port=self.port, 62 | ssl=ssl_enabled, 63 | ssl_options=ssl_options) 64 | # Non-durable, auto_delete exchange: it is re-declared on every (re)bind. 65 | self.connection = pika.BlockingConnection(params) 66 | 
self.channel = self.connection.channel() 67 | self.channel.exchange_declare(exchange=self.topic_exchange, 68 | exchange_type="topic", 69 | auto_delete=True, 70 | durable=False, 71 | internal=False) 72 | 73 | def process(self, metric):  # Publish one diamond metric: routing key is metric.getPathPrefix(), body is jsonify(metric). 74 | if not pika: 75 | return 76 | # pika is optional at import time (see top of file); without it metrics are silently dropped. 77 | try: 78 | self.channel.basic_publish( 79 | exchange=self.topic_exchange, 80 | routing_key=metric.getPathPrefix(), 81 | body=jsonify(metric)) 82 | # Any publish failure triggers a reconnect; the failed metric is not re-sent, and an error raised by _bind() itself propagates to the caller. 83 | except Exception: # Rough connection re-try logic. 84 | self.log.info( 85 | "Failed publishing to rabbitMQ. Attempting reconnect") 86 | self._bind() 87 | sleep(3)  # short pause after reconnecting 88 | -------------------------------------------------------------------------------- /osm/fortigate2net_nsd/fortigateconfed_nsd.yaml: -------------------------------------------------------------------------------- 1 | nsd:nsd-catalog: 2 | nsd:nsd: 3 | - nsd:constituent-vnfd: 4 | - nsd:member-vnf-index: '2' 5 | nsd:start-by-default: 'true' 6 | nsd:vnfd-id-ref: 0ff939dc-97ca-11e6-be38-0250bd176e03 7 | - nsd:member-vnf-index: '3' 8 | nsd:start-by-default: 'true' 9 | nsd:vnfd-id-ref: 0ff9bef2-97ca-11e6-be38-0250bd176e03 10 | - nsd:member-vnf-index: '4' 11 | nsd:start-by-default: 'true' 12 | nsd:vnfd-id-ref: cc532bfa-1042-4df6-b577-462a676d3461 13 | nsd:id: 5f3b61f9-6182-4fb9-a796-b2ea80745d9e 14 | nsd:initial-config-primitive: 15 | - nsd:name: initial-config-primitive-1 16 | nsd:seq: '1' 17 | nsd:input-parameter-xpath: 18 | - nsd:xpath: /nsd:nsd-catalog/nsd:nsd/nsd:vendor 19 | nsd:ip-profiles: 20 | - nsd:description: external 21 | nsd:ip-profile-params: 22 | nsd:dhcp-params: 23 | nsd:enabled: 'true' 24 | nsd:dns-server: 25 | - nsd:address: 8.8.8.8 26 | nsd:gateway-address: 10.10.40.254 27 | nsd:ip-version: ipv4 28 | nsd:subnet-address: 10.10.40.0/24 29 | nsd:name: ext 30 | - nsd:description: internal 31 | nsd:ip-profile-params: 32 | nsd:dhcp-params: 33 | nsd:enabled: 'true' 34 | nsd:gateway-address: 10.10.42.1 35 | nsd:ip-version: ipv4 36 | nsd:subnet-address: 10.10.42.0/24 37 | nsd:name: 
int 38 | nsd:name: 'Full test ' 39 | nsd:service-primitive: 40 | - nsd:name: fortigateconf 41 | nsd:parameter: 42 | - nsd:data-type: STRING 43 | nsd:mandatory: 'false' 44 | nsd:name: hostname 45 | nsd:vnf-primitive-group: 46 | - nsd:member-vnf-index-ref: '1' 47 | nsd:primitive: 48 | - nsd:index: '1' 49 | nsd:name: primitive-1 50 | nsd:vnfd-name: fortigate 51 | nsd:vendor: Fortinet 52 | nsd:vld: 53 | - nsd:id: 1ec9b 54 | nsd:ip-profile-ref: int 55 | nsd:name: vld-1 56 | nsd:provider-network: 57 | nsd:overlay-type: GRE 58 | nsd:type: ELAN 59 | nsd:vnfd-connection-point-ref: 60 | - nsd:member-vnf-index-ref: '3' 61 | nsd:vnfd-connection-point-ref: pong_vnfd/cp0 62 | nsd:vnfd-id-ref: 0ff9bef2-97ca-11e6-be38-0250bd176e03 63 | - nsd:member-vnf-index-ref: '4' 64 | nsd:vnfd-connection-point-ref: fortigate/cp3 65 | nsd:vnfd-id-ref: cc532bfa-1042-4df6-b577-462a676d3461 66 | - nsd:id: c3e94 67 | nsd:ip-profile-ref: ext 68 | nsd:name: vld-2 69 | nsd:provider-network: 70 | nsd:overlay-type: GRE 71 | nsd:type: ELAN 72 | nsd:vnfd-connection-point-ref: 73 | - nsd:member-vnf-index-ref: '2' 74 | nsd:vnfd-connection-point-ref: ping_vnfd/cp0 75 | nsd:vnfd-id-ref: 0ff939dc-97ca-11e6-be38-0250bd176e03 76 | - nsd:member-vnf-index-ref: '4' 77 | nsd:vnfd-connection-point-ref: fortigate/cp2 78 | nsd:vnfd-id-ref: cc532bfa-1042-4df6-b577-462a676d3461 79 | -------------------------------------------------------------------------------- /fortiweb/fwb-single-d0.yml: -------------------------------------------------------------------------------- 1 | apiVersion: apps/v1 2 | kind: Deployment 3 | metadata: 4 | name: fortiweb-single 5 | spec: 6 | replicas: 1 7 | selector: 8 | matchLabels: 9 | app: fortiweb-single 10 | # strategy is supposed to ensure 1 single conf server 11 | strategy: 12 | type: Recreate 13 | template: 14 | metadata: 15 | labels: 16 | app: fortiweb-single 17 | spec: 18 | nodeSelector: 19 | "beta.kubernetes.io/os": linux 20 | restartPolicy: Always 21 | containers: 22 | - name: fweb 
23 | image: fortistackscontainerregistry.azurecr.io/fortinet/fweb 24 | command: ["/bin/docker_init"] 25 | securityContext: 26 | capabilities: 27 | add: ["NET_ADMIN", "NET_RAW", "SYS_TIME", "SYS_PTRACE" ] 28 | # allowPrivilegeEscalation: true 29 | # privileged: true 30 | resources: 31 | requests: 32 | cpu: 0.5 33 | memory: 2048Mi 34 | limits: 35 | cpu: 2 36 | memory: 4096Mi 37 | env: 38 | # Define the environment variable 39 | - name: FWB_ADMIN_PASSWORD 40 | value: "Fortin3t" 41 | # plain-text admin password committed in the manifest: use a Secret (env valueFrom.secretKeyRef) instead of a literal value 42 | ports: 43 | - containerPort: 8 44 | name: mgmt 45 | - containerPort: 43 46 | name: gui 47 | - containerPort: 996 48 | name: mgmt6 49 | - containerPort: 997 50 | name: mgmt7 51 | - containerPort: 80 52 | name: http 53 | - containerPort: 443 54 | name: https 55 | volumeMounts: 56 | - mountPath: /data/config/ 57 | name: fwbconfig 58 | - mountPath: /data/etc/vmware/vm.lic 59 | subPath: vm.lic 60 | name: licenseconfig 61 | initContainers: 62 | - name: day0 63 | image: fortistackscontainerregistry.azurecr.io/fortinet/fwb-d0 64 | command: ["/fweb-cloudinit.sh"] 65 | env: 66 | # Define the environment variable 67 | - name: TARGET_IP 68 | value: "10.40.0.32" 69 | # should find 70 | 71 | volumeMounts: 72 | - name: fwbconfig 73 | mountPath: /data/config 74 | volumes: 75 | - name: licenseconfig 76 | secret: 77 | secretName: fwblicense2 78 | items: 79 | - key: vm.lic 80 | path: vm.lic 81 | - name: fwbconfig 82 | emptyDir: {} 83 | # persistentVolumeClaim: 84 | # claimName: azure-managed-disk-single 85 | --- 86 | apiVersion: v1 87 | kind: Service 88 | metadata: 89 | name: fortiweb-single 90 | labels: 91 | app: fortiweb-single 92 | annotations: 93 | service.beta.kubernetes.io/azure-load-balancer-internal: "true" 94 | spec: 95 | type: LoadBalancer 96 | # may try NodePort type to see if it works better for the K8S connector 97 | ports: 98 | - port: 80 99 | name: http 100 | - port: 443 101 | name: https 102 | - name: mgmt 103 | port: 8008 104 | targetPort: 8 105 | -
name: gui 106 | port: 8443 107 | targetPort: 43 108 | - name: mgmt6 109 | port: 996 110 | targetPort: 996 111 | - name: mgmt7 112 | port: 997 113 | targetPort: 997 114 | selector: 115 | app: fortiweb-single 116 | 117 | ### Volume attach fails node VM too small https://docs.microsoft.com/en-us/azure/aks/concepts-storage 118 | ##can redo config for the fortiweb workers 119 | -------------------------------------------------------------------------------- /osm/fortimail/fortimail_vnfd/fortimail_vnfd.yaml: -------------------------------------------------------------------------------- 1 | vnfd:vnfd-catalog: 2 | vnfd:vnfd: 3 | - rw-vnfd:meta: '{"containerPositionMap":{"ae516bde-92cc-4988-ae68-44592d4c1d82":{"top":30,"left":255,"right":505,"bottom":85,"width":250,"height":55},"ae516bde-92cc-4988-ae68-44592d4c1d82/vdu-1":{"top":130,"left":260,"right":510,"bottom":185,"width":250,"height":55},"ae516bde-92cc-4988-ae68-44592d4c1d82/fortimail-vdu":{"top":135,"left":330,"right":580,"bottom":190,"width":250,"height":55},"ae516bde-92cc-4988-ae68-44592d4c1d82/vdu-2":{"top":135,"left":630,"right":880,"bottom":190,"width":250,"height":55},"ae516bde-92cc-4988-ae68-44592d4c1d82/fortimail-logs-vdu":{"top":130,"left":635,"right":885,"bottom":185,"width":250,"height":55}}}' 4 | vnfd:connection-point: 5 | - vnfd:id: incoming 6 | vnfd:name: incoming 7 | vnfd:port-security-enabled: 'false' 8 | vnfd:short-name: incoming 9 | vnfd:type: VPORT 10 | - vnfd:id: mgmt 11 | vnfd:name: mgmt 12 | vnfd:type: VPORT 13 | - vnfd:id: outgoing 14 | vnfd:name: outgoing 15 | vnfd:port-security-enabled: 'false' 16 | vnfd:short-name: outgoing 17 | vnfd:type: VPORT 18 | vnfd:description: FortiMail VNF descriptor 19 | vnfd:id: ae516bde-92cc-4988-ae68-44592d4c1d82 20 | vnfd:name: FortiMail 21 | vnfd:service-function-chain: UNAWARE 22 | vnfd:short-name: fortimail 23 | vnfd:vdu: 24 | - vnfd:count: '1' 25 | vnfd:guest-epa: 26 | vnfd:cpu-pinning-policy: ANY 27 | vnfd:id: fortimail-vdu 28 | vnfd:image: fortimail 29 | 
vnfd:interface: 30 | - rw-vnfd:floating-ip-needed: 'false' 31 | vnfd:external-connection-point-ref: incoming 32 | vnfd:name: incoming 33 | vnfd:type: EXTERNAL 34 | vnfd:virtual-interface: 35 | vnfd:type: VIRTIO 36 | - rw-vnfd:floating-ip-needed: 'false' 37 | vnfd:external-connection-point-ref: outgoing 38 | vnfd:name: outgoing 39 | vnfd:type: EXTERNAL 40 | vnfd:virtual-interface: 41 | vnfd:type: VIRTIO 42 | - rw-vnfd:floating-ip-needed: 'true' 43 | vnfd:external-connection-point-ref: mgmt 44 | vnfd:name: mgmt 45 | vnfd:type: EXTERNAL 46 | vnfd:virtual-interface: 47 | vnfd:type: OM-MGMT 48 | vnfd:name: fortimail-vdu 49 | vnfd:supplemental-boot-data: 50 | vnfd:boot-data-drive: 'false' 51 | vnfd:vm-flavor: 52 | rw-vnfd:vm-flavor-name: fortinet 53 | vnfd:memory-mb: '2096' 54 | vnfd:storage-gb: '3' 55 | vnfd:vcpu-count: '2' 56 | vnfd:volumes: 57 | - vnfd:name: volumes-1 58 | vnfd:size: '1' 59 | vnfd:vendor: Fortinet 60 | vnfd:version: '5.4' 61 | vnfd:vnf-configuration: 62 | juju: 63 | charm:fortimail 64 | config-primitive: 65 | - name: create-domain 66 | parameter: 67 | - name: domain 68 | data-type: STRING 69 | default-value: 'example-domain' 70 | - name: fallbackhost 71 | data-type: STRING 72 | default-value: 'localhost' 73 | - name: port 74 | data-type: int 75 | default-value: 25 76 | 77 | -------------------------------------------------------------------------------- /docs/Fortigate.md: -------------------------------------------------------------------------------- 1 | # Fortigate / Fortios on Openstack 2 | 3 | This doc refers to fortigate or fortios folders in the project. 4 | 5 | The official documentation for Fortigate fortios is available here: 6 | https://docs.fortinet.com/d/fortigate-fortios-vm-openstack-cookbook 7 | 8 | # Fortigate/Fortios image 9 | 10 | Get the image tagged for KVM from [https://support.fortinet.com](https://support.fortinet.com) unzip and put the 11 | fortios.qcow2 file in this directory. Fortios for metering contact your Fortinet rep. 
12 | 13 | # Image upload 14 | If using ```minipoc-deploy.sh``` you can skip this part. 15 | 16 | You can upload fortios.qcow2 to Openstack Glance (images) or check the following example 17 | ````bash 18 | openstack image create --disk-format qcow2 --container-format bare "fortigate" --file fortios.qcow2 19 | ```` 20 | 21 | # Fortios 22 | 23 | Fortios is a Fortigate (same functionality) using metering for license (cloud native). 24 | Differences are: 25 | - No license file but a Fortimanager acting as metering 26 | - A first port called mgmt instead of port1 27 | - Contact Fortinet rep for details 28 | - fortigate or fortios unzipped image file is fortios.qcow2 29 | 30 | # Cloud-init 31 | 32 | In order to use [minipoc-deploy.sh](minipoc-deploy.sh) you MUST create a fgt-userdata.txt 33 | 34 | Fortigate user_data is in the Fortinet cli style and the license file can be passed in a multipart MIME file. 35 | 36 | Sending the license as a file is supported by Fortigate, but some Openstack environments limit the size of the file 37 | that can be passed, and Fortinet license files can be large. 38 | Use multi-mime in that case. 39 | 40 | ## no license 41 | In that case simply copy [config.txt](config.txt) like this: 42 | ````bash 43 | $ cp config.txt fgt-userdata.txt 44 | ```` 45 | ## With license 46 | Assume your license file is called FGT.lic 47 | Do 48 | ```bash 49 | $ write-mime-multipart -o fgt-userdata.txt config.txt FGT.lic 50 | ``` 51 | ## Fortios 52 | In that case simply copy [fos-user-data.txt](fos-user-data.txt) like this: 53 | ````bash 54 | $ cp fos-user-data.txt fgt-userdata.txt 55 | ```` 56 | 57 | 58 | # Mini-poc as a script 59 | 60 | With fortios.qcow2 and fgt-userdata.txt ready simply run: 61 | ```bash 62 | $ ./minipoc-deploy.sh 63 | ``` 64 | 65 | This [script](minipoc-deploy.sh) is idempotent, verbose by default and contains all the specific openstack commands to deploy and connect a 66 | Fortigate.
It is provided as an example to understand the integration point between Openstack and Fortigate. 67 | 68 | Please read it for details and to find the openstack commands related to fortigate. 69 | 70 | If you don't have an image of fortigate already on Openstack, the script will take fortios.qcow2 in the running folder 71 | and upload it. 72 | 73 | Options: 74 | * You can set ``` export FGT_IMAGE_NAME="myname" ``` to change the image name. It is recommended to add this to your 75 | openstack .rc file 76 | 77 | ## Access your deployment 78 | * To access your environment use a jump host or network access to your management network. 79 | * If you use floating ips, the [script](minipoc-add-floatings.sh) will add the floating ips to your VMs. 80 | (same behavior as before) 81 | 82 | # Port security 83 | 84 | When used as a forwarding/NAT device Fortigate/Fortios needs a port in promiscuous mode. 85 | This is the port security disable parameter you can find in scripts and templates. 86 | 87 | The allowed address pairs feature can be used instead of disabling port security entirely; it is the narrower option. 88 | 89 | The examples in this folder are here to show you directly how to configure Fortigate in a cloud environment. 90 | 91 | # Day1/2 92 | 93 | Configuration is a critical part of firewalls and security. 94 | 95 | Fortinet provides APIs on all our products to configure them. 96 | Request an account on https://fndn.fortinet.com to know more and check our other github projects.
97 | -------------------------------------------------------------------------------- /fortimanager/heat-fmg.yaml: -------------------------------------------------------------------------------- 1 | heat_template_version: 2016-04-08 2 | ## cli deploy 3 | #$ openstack stack create --template heat-fmg.yaml fmg 4 | # on ovh or with specific inputs file 5 | # openstack stack create --template heat-fmg.yaml fmg -e ovh-env.yaml 6 | #### 7 | # to follow execution: 8 | # openstack stack event list fmg --follow 9 | # 10 | # To see the resutls IPs 11 | # openstack stack show fmg -c outputs 12 | 13 | 14 | description: > 15 | HOT template to create deploy 1 FMG with cloud-init 16 | on existing network 17 | 18 | 19 | parameters: 20 | fmgimage: 21 | type: string 22 | description: Fortimanager image name 23 | default: "FMG642" 24 | constraints: 25 | - custom_constraint: glance.image 26 | mgmt_net: 27 | type: string 28 | description: management network on which Fortimanager will be deployed 29 | default: "mgmt" 30 | constraints: 31 | - custom_constraint: neutron.network 32 | vms_flavor: 33 | type: string 34 | description: Flavor of the VMs 35 | default: "m1.small" 36 | constraints: 37 | - custom_constraint: nova.flavor 38 | volume_type_name: 39 | type: string 40 | description: Name of new volume type to be created. 41 | default: classic 42 | volume_size: 43 | type: number 44 | description: Size of the volume to be created. 45 | default: 30 46 | constraints: 47 | - range: { min: 1, max: 1024 } 48 | description: must be between 1 and 1024 Gb. 
49 | fortimanager_ip: 50 | type: string 51 | mgt_net_mask: 52 | type: string 53 | default: "255.255.255.0" 54 | mgt_net_gateway: 55 | type: string 56 | mgt_net_mtu: 57 | type: number 58 | default: 1500 59 | 60 | 61 | resources: 62 | fmg_config: 63 | type: OS::Heat::SoftwareConfig 64 | properties: 65 | group: ungrouped 66 | config: 67 | str_replace: 68 | template: | 69 | config system admin user 70 | edit "admin" 71 | set password fortinet 72 | end 73 | config system interface 74 | edit port1 75 | set ip $fortimanager_ip $mgt_net_mask 76 | set mtu $mgt_net_mtu 77 | end 78 | config system route 79 | edit 1 80 | set device "port1" 81 | set gateway $mgt_net_gateway 82 | end 83 | config system admin user 84 | edit admin 85 | set rpc-permit read-write 86 | end 87 | params: 88 | { $fortimanager_ip: { get_param: fortimanager_ip } , 89 | $mgt_net_mask: { get_param: mgt_net_mask } , 90 | $mgt_net_gateway: { get_param: mgt_net_gateway }, 91 | $mgt_net_mtu: { get_param: mgt_net_mtu } } 92 | 93 | fmg_port: 94 | type: OS::Neutron::Port 95 | properties: 96 | network_id: { get_param: mgmt_net } 97 | fixed_ips: 98 | - ip_address: { get_param: fortimanager_ip } 99 | 100 | 101 | fmg_log_volume: 102 | type: OS::Cinder::Volume 103 | properties: 104 | size: { get_param: volume_size } 105 | volume_type: { get_param: volume_type_name } 106 | 107 | fmg_log_volume_attachment: 108 | type: OS::Cinder::VolumeAttachment 109 | properties: 110 | volume_id: { get_resource: fmg_log_volume } 111 | instance_uuid: { get_resource: fmg } 112 | 113 | fmg: 114 | type: OS::Nova::Server 115 | properties: 116 | image: { get_param: fmgimage } 117 | flavor: { get_param: vms_flavor } 118 | user_data: { get_resource: fmg_config} 119 | name: fortimanager 120 | user_data_format: RAW 121 | config_drive: true 122 | networks: 123 | - port: { get_resource: fmg_port } 124 | 125 | 126 | outputs: 127 | fmg-mgmt-ip: 128 | description: IP address to access of the fmg 129 | value: { get_attr: [fmg, networks, {get_param: 
mgmt_net}, 0] } 130 | --------------------------------------------------------------------------------