AGENT

FWCloud allows you to centrally manage Linux-based firewalls that can be located anywhere. We can have our FWCloud console at the headquarters of our company and the firewalls managed from it scattered over remote locations throughout the world.

Therefore, we need a way to communicate our FWCloud console with the firewalls it manages to carry out actions on them such as loading the security policy, obtaining the network configuration, managing VPN configuration, blocking VPN connections, etc.

This FWCloud – FireWalls communication can be carried out in two ways:

  • SSH.
  • FWCloud-Agent.

Communication via SSH protocol is the simplest since it does not require us to carry out any installation on the firewall to be managed, but it has the disadvantage that we are using a service such as SSH that allows full access to the managed firewall. In addition to that, if we do not want to save the access credentials in FWCloud for security, every time we have to carry out some action on the firewall, we have to enter these credentials.

The communication option through FWCloud-Agent is the most recommended, since it simplifies and optimizes communication with the managed firewall. It is a service that is installed on the firewall through which the FWCloud console carries out the necessary actions on the managed firewalls. This service is installed using the .deb or .rpm packages corresponding to the Linux distribution that we are using.

FWCloud-Agent improves security in the FWCloud – FireWalls interaction, since it does not require SSH credentials, instead of it an automatically generated during the package installation process in the firewall API Key is used. In addition, it is possible to restrict access to this service only to the IP of the FWCloud console.

Using FWCloud-Agent instead of SSH also means that we restrict the actions that can be done on the firewall only to those that the FWCloud-Agent service allows. That is, we are not using a general scope protocol like SSH that allows us to do much more than what is needed in the FWCloud – FireWalls communication.

We also optimize and improve the interaction with the firewalls, since it is not necessary to establish an SSH connection every time we have to do something with the target firewall.

In addition, thanks to FWCloud-Agent we can do many more things that are not feasible through SSH communication, such as maintaining a history of the status of VPN connections.

FWCloud-Agent is a service that optimizes communication with firewalls managed from FWCloud, also improves security and allows additional functionalities

FWCloud-Agent installation

FWCloud-Agent is an application programmed in  Rust, highly optimized and that requires very few resources to run on the firewall in which it is installed. Thanks to this, it is possible to run it on computers with very few hardware resources.

Installation is very simple, you just have to download the appropriate .deb or .rpm package for your Linux distribution and install it.

For example, to install in Ubuntu or Debian we would have to download the package to our firewall, which we can do using the wget command as indicated below:

wget https://pkg.fwcloud.net/fwcloud-agent/deb/fwcloud-agent_1.0.0_amd64.deb

And then install the package with the command:

sudo dpkg -i fwcloud-agent_1.0.0_amd64.deb

As part of the installation process, a pair of self-signed keys are generated for secure communication with FWCloud and a random API Key, which is stored in the .env file inside the installation folder: /opt/fwcloud/agent

We will need this API Key to be able to connect the firewall in which we have just installed FWCloud-Agent with our FWCloud console. We can find out the API Key generated using the next command:

sudo grep "API_KEY" /opt/fwcloud/agent/.env

When we register the firewall we will have to select the FWCloud-Agent communication option and indicate in such configuration the API Key of the FWCloud-Agent server. This is process is detailed in the FWCloud-UI user manual.

In the .env file we have the configuration options that we can customize explained as well as their default values.

Among these we have the ALLOWED_IPS option, which consists of a list of IPs separated by spaces by means of which we can restrict the IPs from which access to FWCloud-Agent will be allowed. In this list we can only put the IP of our FWCloud console to improve security.

ALLOWED_IPS="10.10.10.1"

In the /opt/fwcloud/agent/etc directory we have the files cert.pem and key.pem, generated as part of the installation process of the FWCloud-Agent package that constitute the self-signed certificate used to encrypt the communication between FWCloud and FWCloud-Agent .

In the /opt/fwcloud/agent/log directory we have the log file fwcloud-agent.log where we can see the logs issued by the FWCloud-Agent service. This file is managed by logrotate to prevent it from growing indefinitely.

We can manage the FWCloud-Agent service through systemctl, in order to stop, start and see its status.

sudo systemctl status fwcloud-agent

fwcloud-agent.service – fwcloud-agent

     Loaded: loaded (/lib/systemd/system/fwcloud-agent.service; enabled; vendor preset: enabled)

     Active: active (running) since Tue 2021-11-16 13:07:43 UTC; 2h 9min ago

   Main PID: 34582 (fwcloud-agent)

      Tasks: 4 (limit: 1071)

     Memory: 1.0M

     CGroup: /system.slice/fwcloud-agent.service

             └─34582 /opt/fwcloud/agent/fwcloud-agentsudo 

How it works

Once we have FWCloud-Agent installed in our firewall and connected to our FWCloud console, it is now possible to manage it. But how does the communication between our FWCloud console and the FWCloud-Agent service installed on our firewall work?

Such communication actually takes place between the FWCloud-API and the FWCloud-Agent service installed on the firewall. For example, when from FWCloud-UI we request to install the policy on a firewall, this request is relayed by FWCloud-API to the FWCloud-Agent on the firewall.

Just as the communication between FWCloud-UI and FWCloud-API is carried out through an API, the communication between FWCloud-API and FWCloud-Agent, is also carried out via an API, the FWCloud-Agent API.

To understand this better, let’s see an example of how we can communicate with the FWCloud-Agent API using the curl command.

curl -k -i -X PUT -H ‘X-API-Key: LofKtOxLjBRfxQqKhxLaG8xxPdVCuMSBhnGnYoUtuSBQx9xP0fPKPxE5xGHO40q8’ https://192.168.56.108:33033/api/v1/ping

We use the ping call of the FWCloud-Agent API to which it will respond with an HTTP 200 code if all goes well.

If we look at the URL https://192.168.56.108:33033/api/v1/ping that we use to communicate with the FWCloud-Agent we can see several things. We are using secure communication through HTTPS, for that reason the self-signed certificate that is generated during the installation process is necessary.

Next we have the IP (192.168.56.108) and TCP port (33033) through which we can communicate with FWCloud-Agent. And the path for the API call (/api/v1/ping) that defines the service we are requesting.

Keep in mind that the API Key that we are using in this example must be modified by the one generated in our FWCloud-Agent server.