FWCloud allows you to centrally manage Linux-based firewalls that can be located anywhere. You can have your FWCloud console at the headquarters of your company and the firewalls managed from it scattered over remote locations throughout the world.
Therefore, you need a way to communicate your FWCloud console with the firewalls it manages to carry out actions on them such as loading the security policy, obtaining the network configuration, managing VPN configuration, blocking VPN connections, etc.
This FWCloud – Firewalls communication can be carried out in two ways:
SSH protocol is the simplest since it does not require you to carry out any installation on the firewall to be managed, but it has the disadvantage that you are using a service such as SSH that allows full access to the managed firewall. In addition to that, if you do not want to save the access credentials in FWCloud for security, every time you have to carry out some action on the firewall, you have to enter these credentials.
The communication option through
FWCloud-Agent is the most recommended, since it simplifies and optimizes communication with the managed firewall. It is a service that is installed on the firewall through which the FWCloud console carries out the necessary actions on the managed firewalls. This service is installed using the .deb or .rpm packages corresponding to the Linux distribution that you are using.
FWCloud-Agent improves security in the FWCloud – FireWalls interaction, since it does not require SSH credentials, instead of it an automatically generated during the package installation process in the firewall API Key is used. In addition, it is possible to restrict access to this service only to the IP of the FWCloud console.
Using FWCloud-Agent instead of SSH also means that you restrict the actions that can be done on the firewall only to those that the FWCloud-Agent service allows. That is, you are not using a general scope protocol like SSH that allows you to do much more than what is needed in the FWCloud – FireWalls communication.
It also optimizes and improves the interaction with the firewalls, since it is not necessary to establish an SSH connection every time you have to do something with the target firewall.
In addition, thanks to FWCloud-Agent you can do many more things that are not feasible through SSH communication, such as maintaining a history of the status of VPN connections.
FWCloud-Agent is a service that optimizes communication with firewalls managed from FWCloud, also improves security and allows additional functionalities
FWCloud-Agent is an application programmed in Rust, highly optimized and that requires very few resources to run on the firewall in which it is installed. Thanks to this, it is possible to run it on computers with very few hardware resources.
Installation is very simple, you just need to install our repositories and use the distribution tools to install new packages.
Let’s see an example of how to install it in Ubuntu/Debian distributions.
First installing the repository:
curl -s https://packagecloud.io/install/repositories/SOLTECSIS/FWCloud/script.deb.sh?any=true | sudo bash
We can now install packages from this new repository:
sudo apt install fwcloud-agent
Similarly we can also install it in Fedora/Red-Hat/CentOS distributions.
First we install the repository:
curl -s https://packagecloud.io/install/repositories/SOLTECSIS/FWCloud/script.rpm.sh?any=true | sudo bash
And then we use the installation tools for installing the package:
sudo yum install fwcloud-agent or sudo dnf install fwcloud-agent
As part of the installation process, a pair of self-signed keys are generated for secure communication with FWCloud and a random API Key, which is stored in the .env file inside the installation folder: /opt/fwcloud/agent
You will need this API Key to be able to connect the firewall in which you have just installed FWCloud-Agent with your FWCloud console. You can find out the API Key generated using the next command:
sudo grep "API_KEY" /opt/fwcloud/agent/.env
When editing or adding a new firewall you will have to select the FWCloud-Agent communication option and indicate in such configuration the API Key of the FWCloud-Agent server. This is process is detailed in Firewall section of this manual.
In the .env file you have the configuration options that you can customize explained as well as their default values.
Among these you have the ALLOWED_IPS option, which consists of a list of IPs separated by spaces by means of which you can restrict the IPs from which access to FWCloud-Agent will be allowed. In this list you can only put the IP of your FWCloud console to improve security.
In the /opt/fwcloud/agent/etc directory you have the files cert.pem and key.pem, generated as part of the installation process of the FWCloud-Agent package that constitute the self-signed certificate used to encrypt the communication between FWCloud and FWCloud-Agent .
In the /opt/fwcloud/agent/log directory you have the log file fwcloud-agent.log where you can see the logs issued by the FWCloud-Agent service. This file is managed by logrotate to prevent it from growing indefinitely.
You can manage the FWCloud-Agent service through systemctl, in order to stop, start and see its status.
sudo systemctl status fwcloud-agent ● fwcloud-agent.service – fwcloud-agent Loaded: loaded (/lib/systemd/system/fwcloud-agent.service; enabled; vendor preset: enabled) Active: active (running) since Tue 2021-11-16 13:07:43 UTC; 2h 9min ago Main PID: 34582 (fwcloud-agent) Tasks: 4 (limit: 1071) Memory: 1.0M CGroup: /system.slice/fwcloud-agent.service └─34582 /opt/fwcloud/agent/fwcloud-agent
# How it works
Once you have FWCloud-Agent installed in your firewall and connected to your FWCloud console, it is now possible to manage it. But how does the communication between your FWCloud console and the FWCloud-Agent service installed on your firewall work?
Such communication actually takes place between the FWCloud-API and the FWCloud-Agent service installed on the firewall. For example, when from FWCloud-UI you request to install the policy on a firewall, this request is relayed by FWCloud-API to the FWCloud-Agent on the firewall.
Just as the communication between FWCloud-UI and FWCloud-API is carried out through an API, the communication between FWCloud-API and FWCloud-Agent, is also carried out via an API, the FWCloud-Agent API.
To understand this better, let’s see an example of how you can communicate with the FWCloud-Agent API using the curl command.
curl -k -i -X PUT -H ‘X-API-Key: LofKtOxLjBRfxQqKhxLaG8xxPdVCuMSBhnGnYoUtuSBQx9xP0fPKPxE5xGHO40q8’ https://192.168.56.108:33033/api/v1/ping
You use the ping call of the FWCloud-Agent API to which it will respond with an HTTP 200 code if all goes well.
If you look at the URL https://192.168.56.108:33033/api/v1/ping that you use to communicate with the FWCloud-Agent you can see several things. You are using secure communication through HTTPS, for that reason the self-signed certificate that is generated during the installation process is necessary.
Next you have the IP (192.168.56.108) and TCP port (33033) through which you can communicate with FWCloud-Agent. And the path for the API call (/api/v1/ping) that defines the service you are requesting.
Keep in mind that the API Key that you are using in this example must be modified by the one generated in your FWCloud-Agent server.
Next you can see a small video demonstration of the procedure for installing and using FWCloud-Agent: