IBM Cloud Orchestrator: Content Pack for Juniper SRX Firewall

IBM


Note: Before using this information and the product it supports, read the information in “Notices”.


Contents

Preface
  Audience
Chapter 1. Introduction to firewall
  Prepare the Juniper SRX
    Juniper SRX objects - maximum limits
Chapter 2. Content pack for Juniper SRX firewall
  Prerequisites
  Business objects
  Integration services
  Coach view
  Schema for configuration template
  Firewall scenarios
    Registering a firewall host
      Business Process Definition
      Human services
      Integration service
      Registering a firewall host
    Creating a firewall interface
      Business Process Definition
      Human services
      Integration service
    Delete a firewall interface
      Business Process Definition
      Human service
      Integration service
    Creating a firewall zone
      Business Process Definition
      Human services
      Integration service
    Deleting a firewall zone
      Business Process Definition
      Human service
      Integration service
    Creating a firewall policy
      Business Process Definition
      Human services
      Integration service
    Modifying a firewall policy
      Business Process Definition
      Human services
      Integration service
    Deleting a firewall policy
      Business Process Definition
      Human services
      Integration service
    Registering a custom operation
  User tasks
    Creating a firewall interface
    Deleting a firewall interface
    Creating a firewall zone
    Deleting the firewall zone
    Creating a firewall policy
    Modifying a firewall policy
    Deleting a firewall policy
  Troubleshooting
Notices
Trademarks and Service Marks

© Copyright IBM Corp. 2015

Preface

This publication documents how to use the IBM Cloud Orchestrator Content Pack for Juniper SRX Firewall.

Audience

This information is intended for content developers of IBM Cloud Orchestrator who must use or customize the content pack for Juniper SRX Firewall.


Chapter 1. Introduction to firewall

A firewall controls the traffic between the project in the customer network and any other entity outside that network. As an administrator, you must understand the following firewall concepts:

Security zone
A security zone defines a boundary where traffic is subjected to policy restrictions as it crosses to another region of the network. More specifically, a security zone is a collection of one or more network segments that require the regulation of inbound and outbound traffic through policies. Zones always work in pairs, because the control is on the traffic that moves from one zone to another.

Firewall security policy
A firewall security policy enforces rules for traffic in transit through it. It includes what traffic can pass through the firewall, and the actions that must take place on the traffic as it passes through the firewall. From the perspective of security policies, the traffic enters one security zone and exits another security zone.

Interface
An interface for a security zone can be thought of as a doorway through which TCP/IP traffic can pass between one zone and another. In other words, a subnetwork must be bound to an interface to have a firewall, which manages the traffic that traverses the zone boundaries.

A security zone is assigned to each customer to control inbound and outbound traffic from the virtual machines that are deployed in the subnetworks of the various projects. An untrusted network is created to manage all the network segments that are not assigned to a single customer. The untrusted network usually provides access to the internet and other general services.

Prepare the Juniper SRX

There are different models or types of Juniper SRX Firewall devices.

The following requirements are necessary for you to prepare the Juniper SRX device for the firewall toolkit:
• The Juniper SRX device must be accessible from the Business Process Manager Process server.
• The Juniper SRX device must have the basic configurations, such as Parent Interfaces and untrust firewall zone.
• The user must have SRX administrator rights to configure the device.

Juniper SRX objects - maximum limits

The Juniper SRX Maximum Limits of "objects" table summarizes the maximum number of allowable firewall objects (security zones, policies, and so on) on the various SRX models. This list is provided as a guide only; for full and up-to-date details, see the respective data sheets on the Juniper website.


Table 1. Juniper SRX Maximum Limits of "objects"

| SRX model | Security zones (maximum) | Security policies (maximum) | Virtual routers (maximum) | VLANs (maximum) |
|---|---|---|---|---|
| SRX100 | 10 | 384 | 3 | 16 |
| SRX210 | 12 | 512 | 10 | 64 |
| SRX220 | 24 | 2048 | 15 | 128 |
| SRX240 | 32 | 4096 | 20 | 512 |
| SRX650 | 128 | 8192 | 60 | 4096 |
| SRX3400 | 256 | 40000 | 256 | 4096 |
| SRX3600 | 256 | 40000 | 256 | 4096 |
| SRX5600 | 256 | 80000 | 500 | 4096 |
| SRX5800 | 512 | 80000 | 500 | 4096 |


Chapter 2. Content pack for Juniper SRX firewall

The SCOrchestrator_FirewallJuniper_Toolkit content pack supports the Juniper SRX 5600 firewall device through the Business Process Manager toolkit.

There are two different types of users who can work with this toolkit:
• Administrator user
• Normal user

Administrator user

The SCOrchestrator_FirewallJuniper_Toolkit has the following building blocks:
• “Business objects”
• “Integration services”
• “Schema for configuration template”
• Data model
• “Coach view”

All the custom operations have Business Process Definitions, human services, and integration services. As an administrator, you can use or customize them from the Business Process Manager. The content pack includes the following scenarios:
• “Registering a firewall host”
• “Creating a firewall interface”
• “Delete a firewall interface”
• “Creating a firewall zone”
• “Deleting a firewall zone”
• “Creating a firewall policy”
• “Modifying a firewall policy”
• “Deleting a firewall policy”

The Administrator user must register the Business Process Definition and human services as self-service offerings in the user interface of IBM Cloud Orchestrator.

Normal user

The normal user can run these self-service offerings from the self-service catalog of IBM Cloud Orchestrator:
• “Creating a firewall interface”
• “Deleting a firewall interface”
• “Creating a firewall zone”
• “Deleting the firewall zone”
• “Creating a firewall policy”
• “Modifying a firewall policy”
• “Deleting a firewall policy”

Remember: An administrator user can also run these operations from the user interface of IBM Cloud Orchestrator.


Important: No other user must configure the device on which you run these services.

Prerequisites

See the SCOrchestrator_Toolkit and SCOrchestrator_Scripting_Utilities_Toolkit within the firewall content pack.

Business objects

The business objects that are used in the firewall content pack are listed with their parameters.

FirewallHost

The FirewallHost represents a physical Juniper SRX firewall device in the environment.

Table 2. FirewallHost parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostIp | String | IP address or hostname of the firewall device. | "172.30.1.1" |
| username | String | User name to log into the device. | "test" |
| password | String | Password for the specified user name. | "***" |
| port | Integer | Port on which connection is established. | 22 |

VirtualRouter

The VirtualRouter business object represents the virtual router that is configured on the device.

Table 3. VirtualRouter parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| name | String | Name of the virtual router. | test |
| description | String | Description of the router. | "Test router" |

ParentInterface

The ParentInterface business object represents the parent interfaces present on the device.

Table 4. ParentInterface parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| name | String | Name of the parent interface. | test |
| description | String | Description of the parent interface. | "This is a test ParentInterface" |

HostInboundTraffic

The HostInboundTraffic business object represents the system-services and protocol data for a virtual host.

Table 5. HostInboundTraffic parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| systemServices | String | System services that are allowed for a virtual zone | "ping" |
| protocols | String | Protocols available for a virtual zone | "all" |

FirewallZone

The FirewallZone business object represents the instance of the virtual zone that is created on the firewall device.

Table 6. FirewallZone parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| zoneName | String | Name of the virtual zone. | "test" |
| hostInboundTraffic | HostInboundTraffic | Instance of the HostInboundTraffic business object. | Instance of the HostInboundTraffic business object |
| interfaces | ZoneInterfaceList | List of ZoneInterfaceList object. | ZoneInterfaceList* |

FirewallInterface

The FirewallInterface business object represents the instance of the virtual interface that is created on the firewall device.

Table 7. FirewallInterface parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| interfaceName | String | Name for the interface that is created by concatenating the parent interface and VLAN ID. | "ge-0/0/0.100" |
| description | String | Description for the virtual interface. | "This is virtual interface with vlanId 100" |
| zoneName | String | Zone to which this interface is added. | "TestZone" |
| parentInterface | String | Parent interface for the new interface. | "ge-0/0/0" |
| vlanId | String | VlanId of the subnetwork. | "100" |
| gatewayIp | String | Gateway IP of the subnetwork. | "10.1.10.1" |
| subnetMask | String | SubnetMask of the subnetwork. | "255.255.255.0" |
| virtualRouter | String | Virtual router name. | "vRouter" |

PolicyConditions

The PolicyConditions business object represents the address and application information of the firewall policy.

Table 8. PolicyConditions parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| application | String | Name of the virtual application. | "test" |
| srcAddress | String | Source address. | "255.255.255.0" |
| destAddress | String | Destination address. | "172.30.1.1" |
| action | String | Action that is set for the policy. | "Permit" |
| condition | String | Condition that is set for the policy. | "match" |

PolicyOutput

The PolicyOutput business object represents the output of the created firewall policy.

Table 9. PolicyOutput parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| policy | String | Name of the policy | "zone01-zone02-17-policy" |
| srcZone | String | Source zone | "zone01" |
| destZone | String | Destination zone | "zone02" |
| conditions | PolicyConditions | Conditions that are set for the policy | Instance of PolicyConditions business object. |

FirewallPolicy

The FirewallPolicy business object represents the instance of the policy that is created on the device.

Table 10. FirewallPolicy parameters

| Parameters | Data type | Description |
|---|---|---|
| policyRequest | CreatePolicyRequest | Instance of the CreatePolicyRequest business object. |
| policyOutput | PolicyOutput | Instance of the PolicyOutput business object. |

ConfigureHostRequest

The ConfigureHostRequest business object represents a set of parameters that are required for configuring a host.

Table 11. ConfigureHostRequest parameters

| Parameters | Data type | Description |
|---|---|---|
| firewallHost | FirewallHost | Instance of the FirewallHost business object |
| configData | ConfigurationData | Contents of config.json file in JSON format |

CreateZoneRequest

The CreateZoneRequest business object represents a set of parameters that are required to create a zone.

Table 12. CreateZoneRequest parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object. | Instance of the FirewallHost business object |
| zoneName | String | Name of the Firewall zone. | "TestZone" |

CreateInterfaceRequest

The CreateInterfaceRequest business object represents a set of parameters that are required to create an interface.

Table 13. CreateInterfaceRequest parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object. | Instance of the FirewallHost business object |
| zoneName | String | Name of the Firewall zone. | "TestZone" |
| parentInterface | String | Name of the Parent Interface | "ge-0/0/0" |
| vlanId | String | VlanId of the subnetwork | "100" |
| gatewayId | String | Gateway IP of the subnetwork | "10.1.10.1" |
| subnetMask | String | SubnetMask of the subnetwork | "255.255.255.0" |
| virtualRouter | String | Name of the Virtual Router | "vRouter" |

CreatePolicyRequest

The CreatePolicyRequest business object represents a set of parameters that are required to create a policy.

Table 14. CreatePolicyRequest parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object | Instance of the FirewallHost business object |
| srcZone | String | Name of the source Firewall zone | "Zone01" |
| destZone | String | Name of the destination firewall zone | "Zone02" |
| srcSubnet | String | Source subnetwork | "192.168.1.1" |
| destSubnet | String | Destination subnetwork | "10.1.10.1" |
| protocol | String | Protocol id of the network protocol | "all", "tcp", "ip" |
| port | String | Port for which the policy is to be set | 80 (HTTP port) |

ModifyPolicyRequest

The ModifyPolicyRequest business object represents a set of parameters that are required to modify a policy.

Table 15. ModifyPolicyRequest parameters

| Parameters | Data type | Description |
|---|---|---|
| policyRequest | CreatePolicyRequest | Instance of the CreatePolicyRequest business object |
| policyOutput | PolicyOutput | Instance of the PolicyOutput business object |


DeleteZoneRequest

The DeleteZoneRequest business object represents a set of parameters that are required to delete a zone.

Table 16. DeleteZoneRequest parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object | Instance of the FirewallHost business object |
| zoneName | String | Name of the Firewall zone | "TestZone" |

DeleteInterfaceRequest

The DeleteInterfaceRequest business object represents a set of parameters that are required to delete an interface.

Table 17. DeleteInterfaceRequest parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object | Instance of the FirewallHost business object |
| firewallInterface | FirewallInterface | Instance of the FirewallInterface business object | "TestZone" |

DeletePolicyRequest

The DeletePolicyRequest business object represents a set of parameters that are required to delete a policy.

Table 18. DeletePolicyRequest parameters

| Parameters | Data type | Description |
|---|---|---|
| hostDetails | FirewallHost | Instance of the FirewallHost business object |
| PolicyOutput | PolicyOutput | Instance of the PolicyOutput business object |

ConfigurationData

The ConfigurationData business object represents a set of configuration properties from the config.json file.

Table 19. ConfigurationData parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| Device | String | IP address of the firewall device | "10.1.1.1" |
| Description | String | Description of the device | "Juniper SRX5600 Firewall" |
| Zones | FirewallZone (List) | List of firewall zones | |
| ParentInterfaces | ParentInterface (List) | List of parent interfaces | |
| Interfaces | FirewallInterface (List) | List of firewall interfaces | |
| VirtualRouters | VirtualRouter | List of virtual routers | |

FirewallProtocol

The FirewallProtocol business object contains the Id and the name of the protocol.

Table 20. FirewallProtocol parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| protocolId | Integer | The Id of the protocol | 123 |
| protocolName | String | The name of the protocol | testprotocol |

ZoneInterfaceList

The ZoneInterfaceList business object contains a list of parent interfaces and VLAN Ids for a zone interface.

Table 21. ZoneInterfaceList parameters

| Parameters | Data type | Description | Sample data |
|---|---|---|---|
| parentInterface | String | Name of the parent interface | "ge-0/0/0" |
| vlanId | Integer | VLAN Id | 100 |

Integration services

Integration services are used to implement the activities in a Business Process Definition. They implement the required features when the Business Process Definitions and the tasks within them are started.

CreateFirewallZone

The CreateFirewallZone service creates a firewall zone on the device.

Table 22. CreateFirewallZone parameters

| Input | CreateZoneRequest business object |
| On Success | firewallZonejson (String) |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0907E, CTJCA0922E, CTJCA0929E |


CreateFirewallInterface

The CreateFirewallInterface service creates a firewall interface on the device.

Table 23. CreateFirewallInterface parameters

| Input | CreateInterfaceRequest business object |
| On Success | firewallInterfacejson (String) |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0907E, CTJCA0908E, CTJCA0910E, CTJCA0910E, CTJCA0911E, CTJCA0912E, CTJCA0924E, CTJCA0929E |

CreateFirewallPolicy

The CreateFirewallPolicy service creates a firewall policy on the device.

Table 24. CreateFirewallPolicy parameters

| Input | CreatePolicyRequest business object |
| On Success | policyOutputjson (String) |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0913E, CTJCA0914E, CTJCA0915E, CTJCA0916E, CTJCA0917E, CTJCA0926E, CTJCA0929E |

DeleteFirewallZone

The DeleteFirewallZone service deletes the firewall zone that is created on the device.

Table 25. DeleteFirewallZone parameters

| Input | DeleteZoneRequest business object |
| On Success | void |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0923E, CTJCA0929E |

DeleteFirewallInterface

The DeleteFirewallInterface service deletes the firewall interface that is created on the device.

Table 26. DeleteFirewallInterface parameters

| Input | DeleteInterfaceRequest business object |
| On Success | void |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0907E, CTJCA0908E, CTJCA0910E, CTJCA0910E, CTJCA0911E, CTJCA0912E, CTJCA0925E, CTJCA0929E |


DeleteFirewallPolicy

The DeleteFirewallPolicy service deletes the firewall policy that is created on the device.

Table 27. DeleteFirewallPolicy parameters

| Input | DeletePolicyRequest business object |
| On Success | void |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0913E, CTJCA0914E, CTJCA0918E, CTJCA0919E, CTJCA0920E, CTJCA0921E, CTJCA0927E, CTJCA0929E |

ModifyFirewallPolicy

The ModifyFirewallPolicy service modifies a firewall policy on the device.

Table 28. ModifyFirewallPolicy parameters

| Input | ModifyPolicyRequest business object |
| On Success | policyOutputjson (String) |
| Error Returned: | CTJCA0901E, CTJCA0902E, CTJCA0903E, CTJCA0904E, CTJCA0905E, CTJCA0906E, CTJCA0913E, CTJCA0914E, CTJCA0915E, CTJCA0916E, CTJCA0917E, CTJCA0918E, CTJCA0919E, CTJCA0920E, CTJCA0921E, CTJCA0927E, CTJCA0929E |

GetFirewallHostDetails

The GetFirewallHostDetails service returns firewall host information that corresponds to the host IP that is passed.

Table 29. GetFirewallHostDetails parameters

| Input | hostIp (String) |
| On Success | FirewallHost business object |
| Error Returned: | |

GetFirewallZoneDetails

The GetFirewallZoneDetails service returns firewall zone information that corresponds to the passed zone name and host.

Table 30. GetFirewallZoneDetails parameters

| Input | hostIp (String), zoneName (String) |
| On Success | FirewallZone (Business Object) |
| Error Returned: | |


GetFirewallInterfaceDetails

The GetFirewallInterfaceDetails service returns the firewall interface information that corresponds to the interface name and the host IP passed.

Table 31. GetFirewallInterfaceDetails parameters

| Input | hostIp (String), interfaceName (String) |
| On Success | FirewallInterface business object |
| Error Returned: | |

GetFirewallPolicyRequestList

The GetFirewallPolicyRequestList service returns the list of firewall policy information that corresponds to the host IP that is passed.

Table 32. GetFirewallPolicyRequestList parameters

| Input | hostIp (String) |
| On Success | CreatePolicyRequest (List) business object |
| Error Returned: | |

GetFirewallPolicyDetails

The GetFirewallPolicyDetails service returns the firewall policy information that corresponds to the policy URL that is passed.

Table 33. GetFirewallPolicyDetails parameters

| Input | policyUrl (String) |
| On Success | FirewallPolicy business object |
| Error Returned: | |

Coach view

The FirewallPolicyListView coach displays a list of firewall policies in a tabular form. This coach view returns the selected firewall policy business object.

Table 34. FirewallPolicyListView variables

| Input | Output |
|---|---|
| Business Object: CreatePolicyRequest (List) | Business Object: CreatePolicyRequest |

Schema for configuration template

Each firewall device has a defined set of virtual zones, virtual interfaces, parent interfaces, and virtual routers. When you register the host with IBM Cloud Orchestrator, upload a config.json file, which contains details of these well-defined artifacts.

The schema for this config.json file is as follows:

{
  "Device" : "9.100.100.1",
  "Description" : "Juniper Firewall SRX3600",
  "Zones" : [{
    "zoneName" : "untrust",
    "hostInboundTraffic" : {
      "systemServices" : "all",
      "protocols" : "all"
    },
    "interfaces" : [{
      "parentInterface" : "ge-0/0/0",
      "vlanId" : "1"
    },{
      "parentInterface" : "ge-0/0/3",
      "vlanId" : "800"
    }]
  }],
  "ParentInterfaces" : [{
    "name" : "ge-0/0/0",
    "description" : "Used for external connectivity"
  },{
    "name" : "ge-0/0/1",
    "description" : "Used for external connectivity"
  },{
    "name" : "ge-0/0/2",
    "description" : "Used for internal connectivity"
  },{
    "name" : "ge-0/0/3",
    "description" : "Used for internal connectivity"
  }],
  "Interfaces" : [{
    "interfaceName" : "ge-0/0/0.1",
    "description" : "This is a virtual interface",
    "zoneName" : "untrust",
    "parentInterface" : "ge-0/0/0",
    "vlanId" : "1",
    "gatewayIp" : "192.168.1.1",
    "subnetMask" : "255.255.255.0",
    "virtualRouter" : "vRouter"
  },{
    "interfaceName" : "ge-0/0/3.800",
    "description" : "This is a virtual interface",
    "zoneName" : "untrust",
    "parentInterface" : "ge-0/0/3",
    "vlanId" : "800",
    "gatewayIp" : "10.1.10.1",
    "subnetMask" : "255.255.255.0",
    "virtualRouter" : "vRouter"
  }],
  "VirtualRouters" : [{
    "name" : "vRouter",
    "description" : "Virtual Router"
  }]
}
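The names in a config.json file refer to one another (an interface names its zone, parent interface and virtual router), so the file can be checked for consistency before it is uploaded at host registration. The following Python validator is an added example and is not part of the IBM content pack; the function name validate_config, the constructed sample, the zone-to-interface cross-check and the warning on "all" are assumptions of this example, and the VLAN range 1-4094 comes from IEEE 802.1Q, not from this manual.

```python
import ipaddress
import json

# Constructed sample in the manual's config.json layout. The second interface
# carries three deliberate mistakes so the validator has something to report.
SAMPLE = """
{
  "Device": "9.100.100.1",
  "Description": "Juniper Firewall SRX3600",
  "Zones": [
    {"zoneName": "untrust",
     "hostInboundTraffic": {"systemServices": "all", "protocols": "all"},
     "interfaces": [{"parentInterface": "ge-0/0/0", "vlanId": "1"}]}
  ],
  "ParentInterfaces": [
    {"name": "ge-0/0/0", "description": "Used for external connectivity"},
    {"name": "ge-0/0/3", "description": "Used for internal connectivity"}
  ],
  "Interfaces": [
    {"interfaceName": "ge-0/0/0.1", "description": "ok", "zoneName": "untrust",
     "parentInterface": "ge-0/0/0", "vlanId": "1", "gatewayIp": "192.168.1.1",
     "subnetMask": "255.255.255.0", "virtualRouter": "vRouter"},
    {"interfaceName": "ge-0/0/3.80", "description": "bad", "zoneName": "dmz",
     "parentInterface": "ge-0/0/3", "vlanId": "800", "gatewayIp": "10.1.10.1",
     "subnetMask": "255.0.255.0", "virtualRouter": "vRouter"}
  ],
  "VirtualRouters": [{"name": "vRouter", "description": "Virtual Router"}]
}
"""


def names(items, key):
    """Collect the values stored under `key` in a list of JSON objects."""
    return {item.get(key) for item in items}


def validate_config(cfg):
    """Return (severity, message) findings for a parsed config.json."""
    findings = []

    def add(severity, message):
        findings.append((severity, message))

    for key in ("Device", "Zones", "ParentInterfaces", "Interfaces", "VirtualRouters"):
        if key not in cfg:
            add("ERROR", f"missing top-level key {key}")
    try:
        ipaddress.ip_address(str(cfg.get("Device", "")))
    except ValueError:
        add("ERROR", "Device is not an IP address")

    zones = names(cfg.get("Zones", []), "zoneName")
    parents = names(cfg.get("ParentInterfaces", []), "name")
    routers = names(cfg.get("VirtualRouters", []), "name")

    seen = set()
    for itf in cfg.get("Interfaces", []):
        name = itf.get("interfaceName")
        if name in seen:
            add("ERROR", f"{name}: duplicate interfaceName")
        seen.add(name)
        # Table 7: interfaceName is the parent interface joined to the VLAN ID.
        expected = f"{itf.get('parentInterface')}.{itf.get('vlanId')}"
        if name != expected:
            add("ERROR", f"{name}: interfaceName should be {expected}")
        if itf.get("zoneName") not in zones:
            add("ERROR", f"{name}: zoneName {itf.get('zoneName')} is not in Zones")
        if itf.get("parentInterface") not in parents:
            add("ERROR", f"{name}: parentInterface is not in ParentInterfaces")
        if itf.get("virtualRouter") not in routers:
            add("ERROR", f"{name}: virtualRouter is not in VirtualRouters")
        vlan = str(itf.get("vlanId", ""))
        if not (vlan.isdecimal() and 1 <= int(vlan) <= 4094):
            add("ERROR", f"{name}: vlanId {vlan} is outside 1-4094")
        try:
            # Rejects malformed addresses and non-contiguous netmasks.
            ipaddress.IPv4Interface(f"{itf.get('gatewayIp')}/{itf.get('subnetMask')}")
        except ValueError:
            add("ERROR", f"{name}: gatewayIp/subnetMask is not a valid IPv4 pair")

    for zone in cfg.get("Zones", []):
        zname = zone.get("zoneName")
        # Host-inbound traffic is traffic addressed to the firewall itself, so
        # "all" opens every device service to hosts in that zone.
        for field in ("systemServices", "protocols"):
            if zone.get("hostInboundTraffic", {}).get(field) == "all":
                add("WARN", f"zone {zname}: hostInboundTraffic.{field} is 'all'")
        for ref in zone.get("interfaces", []):
            unit = f"{ref.get('parentInterface')}.{ref.get('vlanId')}"
            if unit not in seen:
                add("ERROR", f"zone {zname}: interface {unit} is not in Interfaces")
    return findings


if __name__ == "__main__":
    for severity, message in validate_config(json.loads(SAMPLE)):
        print(severity, message)
```

Run against the manual's own sample file, the two warnings are the result to look at first: its untrust zone allows all system services and all protocols inbound to the device.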

Firewall scenarios

The details of the Business Process Definition, human service, and integration services are provided for all the operations.

Important: You can perform the tasks mentioned in this section only as an administrator.

The self-service offerings for network firewall are as follows:
• “Registering a firewall host”
• “Creating a firewall zone”
• “Deleting a firewall zone”
• “Creating a firewall interface”
• “Delete a firewall interface”
• “Creating a firewall policy”
• “Modifying a firewall policy”
• “Deleting a firewall policy”

Registering a firewall host

To use a configured firewall device in IBM Cloud Orchestrator, you must register the device.

Business Process Definition

The Register Firewall Host Business Process Definition gets the input parameters, which are returned from the corresponding human service. It then converts the business object to JSON format. The JSON format is stored in the IBM Cloud Orchestrator storehouse.

Table 35. Input variables for Business Process Definition

| Input variable | Data type | Description |
|---|---|---|
| operationContext | OperationContext | Contains all data that are related to the execution of this process. |
| inputParameterObject | ConfigureHostRequest | Instance of the ConfigureHostRequest business object. It contains the data collected from the coach of the human service. |

Human services

The Register Firewall Host human service has a coach to collect the required input information to configure a firewall device.

Table 36. Input variables for human service

| Input variable | Data type | Description |
|---|---|---|
| operationContextId | String | Process ID |

Table 37. Output variables for human service

| Output variable | Data type | Description |
|---|---|---|
| outputParameterObject | ConfigureHostRequest | Instance of the ConfigureHostRequest business object |

Integration service

The StoreConfigurationDataonStorehouse integration service stores the configuration data in the storehouse.

Table 38. Input variables for integration service

| Input Variable | Data type | Description |
|---|---|---|
| configData | ConfigurationData | It contains the configuration data and is of type ConfigurationData business object. |
| hostIp | String | It holds the IP address of the host. |

Registering a firewall host

You can configure a firewall host from the user interface of IBM Cloud Orchestrator.

Before you begin

Register this custom operation as a self-service offering in the user interface of the IBM Cloud Orchestrator. Here, the custom operation is registered as Register a Firewall Host.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self-Service.
3. Click the category under which this offering is registered.
4. Click Register a Firewall Host.
5. Enter the details of the Firewall host:
   • Host IP (Device IP) - IP address of the firewall device for which you want to create a host.
   • User name - user name of the privileged user to run commands on the network firewall device.
   • Password - password of the privileged user to run commands on the network firewall device.
   • Port - port on which the firewall device is configured.
   • Configuration template - import the configuration template (config.json file) for that particular host.
6. Click OK.

Creating a firewall interface

Internal and external network interfaces can be assigned to a security zone.

Business Process Definition

The Create Firewall Interface Business Process Definition creates the interface based on the inputs that are gathered from the human service. Finally, it persists the zone data on the storehouse.

Table 39. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Contains all data that are related to the execution of this process.
inputParameterObject | CreateInterfaceRequest | The information that is provided by the human service is stored in this variable.

Human services

The Create Firewall Interface human service has a coach to get the details of the new interface.

Table 40. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 41. Output variables for human service

Output variable | Data type | Description
outputParameterObject | CreateInterfaceRequest | Based on the input values, the CreateInterfaceRequest object is generated.

Integration service

The CreateFirewallInterface integration service creates the firewall interface on the device.

Apart from the CreateFirewallInterface service, the following integration services are used:
• GetFirewallZones - returns a list of firewall zones based on the host IP.
• GetFirewallHostDetails - returns the details of the host.

Delete a firewall interface

You can delete a firewall interface that is created on a firewall host.

Business Process Definition

The Delete Firewall Interface Business Process Definition gets the input parameters, which are returned from the corresponding human service. It then deletes the virtual interface on the device and removes the interface entry from the IBM Cloud Orchestrator storehouse.

Table 42. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Instance of the OperationContext
inputParameterObject | DeleteInterfaceRequest | Instance of DeleteInterfaceRequest business object. It contains the data collected from the human service.

Human service

The Delete Firewall Interface human service has a coach to select a firewall host and interface.

Table 43. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 44. Output variables for human Service

Output variable | Data type | Description
outputParameterObject | DeleteInterfaceRequest | Instance of the DeleteInterfaceRequest business object.

Integration service

The DeleteFirewallInterface integration service deletes the firewall interface that is created on the device.

Apart from the DeleteFirewallInterface service, the following integration services are used:
• GetFirewallHostDetails - returns the corresponding host details that are based on the host IP that is passed from the human service.
• GetFirewallInterfaceDetails - returns the firewall interface information that is based on the interface name and host IP. It is passed from the human service.

Creating a firewall zone

A security zone is a collection of interfaces that define a security boundary.

Business Process Definition

The Create Firewall Zone Business Process Definition gets the values that are entered in the human service to create a zone. Finally, it persists the zone data on the IBM Cloud Orchestrator Storehouse.

Table 45. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Contains data that are related to the execution of this process.
inputParameterObject | CreateZoneRequest | The input parameters that are gathered in the coach of the human service are stored in this variable.

Human services

The Create Firewall Zone human service has a coach to get the zone name and firewall host.

Table 46. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 47. Output variables for human service

Output variable | Data type | Description
outputParameterObject | CreateZoneRequest | Based on the input values from the coach, a CreateZoneRequest object is generated.

Integration service

The CreateFirewallZone integration service reads the business object and creates a zone.

Apart from the CreateFirewallZone service, the GetFirewallHostDetails integration service is used to fetch the details of the host.

Deleting a firewall zone

You can delete a firewall zone from the firewall device.

Business Process Definition

The Delete Firewall Zone Business Process Definition gets the input parameters, which are returned from the corresponding human service. It then deletes the zone on the device and removes the zone entry from the IBM Cloud Orchestrator storehouse.

Table 48. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Instance of the OperationContext business object
inputPatameterObject | DeleteZoneRequest | Instance of the DeleteZoneRequest business object. It contains data collected in the human service.

Human service

The Delete Firewall Zone human service has a coach to collect the required information to delete the firewall zone from the device.

Table 49. Input variable for Human Service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 50. Output variable for Human Service

Output variable | Data type | Description
outputPatameterObject | DeleteZoneRequest | Instance of the DeleteZoneRequest business object

Integration service

The DeleteFirewallZone integration service deletes the selected firewall zone from the device. Apart from DeleteFirewallZone, the GetFirewallZones integration service is used to fetch the list of firewall zones based on the zone name and the host IP.

If a security zone has logical interfaces assigned to it, first delete the interfaces using the 'Delete Interface' offering and then use the 'Delete Zone' offering to delete the zone.

Creating a firewall policy

After the zones and interfaces are created, security policies are created to control transit between the security zones.

Business Process Definition

The Create Firewall Policy Business Process Definition creates a policy based on the policy details received from the human service.

Table 51. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Contains data that is related to the execution of this process.
inputParameterObject | CreatePolicyRequest | The input parameters that are gathered in the coach of the human service are stored in this variable.

Human services

The Create Firewall Policy human service has a coach to gather details of a new firewall policy.

Table 52. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 53. Output variables for human service

Output variable | Data type | Description
outputParameterObject | CreatePolicyRequest | Based on the input values, the CreatePolicyRequest object is generated.

Integration service

The CreateFirewallPolicy integration service reads the business object and creates a policy.

Apart from the CreateFirewallPolicy service, the integration services used are as follows:
• GetFirewallZones - returns a list of firewall zones based on the selected host.
• GetFirewallHostDetails - returns the firewall host information.

Modifying a firewall policy

You can modify a firewall policy that is available on a firewall instance.

Business Process Definition

The Modify Firewall Policy Business Process Definition modifies a firewall policy based on the updates made in the human service coach.

Table 54. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Contains data that is related to the modification of the firewall policy.
inputParameterObject | ModifyPolicyRequest | The input that is provided in the human service is passed on to this variable.

Human services

The Modify Firewall Policy human service has a coach to modify the firewall policy.

Table 55. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 56. Output variables for human service

Output variable | Data type | Description
outputParameterObject | ModifyPolicyRequest | Based on the input values, this ModifyPolicyRequest object is generated.

Integration service

The ModifyFirewallPolicy integration service reads the business object and modifies the policy.

Apart from the ModifyFirewallPolicy service, the following integration services are used:
• GetFirewallPolicyList - returns a list of firewall policies.
• GetFirewallHostDetails - returns the details of the firewall host.

Deleting a firewall policy

You can delete a firewall policy that is available on a firewall instance.

Business Process Definition

The Delete Firewall Policy Business Process Definition deletes the firewall policy based on the selection that is made in the human service coach.

Table 57. Input variables for Business Process Definition

Input variable | Data type | Description
operationContext | OperationContext | Contains all data that are related to the deletion of the Firewall policy.
inputParameterObject | DeletePolicyRequest | The input parameters that are provided in the human service are stored in this variable.

Human services

The Delete Firewall Policy human service has a coach to select the firewall policy for deletion.

Table 58. Input variables for human service

Input variable | Data type | Description
operationContextId | String | Process ID

Table 59. Output variables for human service

Output variable | Data type | Description
outputParameterObject | DeletePolicyRequest | Based on the input values, this DeletePolicyRequest object is generated.

Integration service

The DeleteFirewallPolicy integration service reads the business object to delete a policy.

Apart from DeleteFirewallPolicy, the following integration services are used:
• GetFirewallPolicyList - returns a list of firewall policies.
• GetFirewallHostDetails - returns the details of the selected firewall host.

Registering a custom operation

The Business Process Definition and the human services of a custom operation must be registered in the user interface of the IBM Cloud Orchestrator.

Custom operations can be registered as a self-service offering, event-triggered action, or user action. For more information about custom operation registration, see the following topics in the IBM Cloud Orchestrator section of the IBM Knowledge Center:
• IBM Cloud Orchestrator > Managing orchestration workflows > Orchestration workflows > Self-service offerings
• IBM Cloud Orchestrator > Managing orchestration workflows > Orchestration workflows > User actions
• IBM Cloud Orchestrator > Managing orchestration workflows > Orchestration workflows > Event-triggered actions
• IBM Cloud Orchestrator > Working with self-service > Managing self-service offerings
• IBM Cloud Orchestrator > Working with self-service > Using self-service
• IBM Cloud Orchestrator > Managing orchestration workflows > Working with Business Process Manager > Making a process available as an orchestration action


User tasks

As a user, you can run these self-service offerings that are registered in IBM Cloud Orchestrator by the administrator user.
• “Creating a firewall interface”
• “Deleting a firewall interface”
• “Creating a firewall zone”
• “Deleting the firewall zone”
• “Creating a firewall policy”
• “Modifying a firewall policy”
• “Deleting a firewall policy”

Remember: You cannot run any of the self-service offerings unless you register the firewall host. See “Registering a firewall host”.

Creating a firewall interface

Procedure to create a firewall interface from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Create a Firewall Interface.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self-Service.
3. Click the category under which this operation is registered.
4. Click Create a Firewall Interface.
5. Enter the following details of the firewall interface:
   • Firewall host - select the IP address from a list of firewall devices.
   • Firewall zone - select the interface group name from the list of zones. Interfaces are associated to zones.
   • Parent interface - select the name of the parent interface from a list of interfaces.
   • Vlan Id - enter the ID of the VLAN.
   • Gateway IP - enter the IP address of the gateway.
   • Subnet mask - enter the 32-bit number to mask the IP address.
   • Virtual router - select the virtual router. Virtual routers are associated to zones.
6. Click Ok. A firewall interface is created and stored in the IBM Cloud Orchestrator storehouse.

Deleting a firewall interface

The procedure to delete a firewall interface from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Delete a Firewall Interface.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click the category under which this operation is registered.
3. Click Self-Service.
4. Click the category under which this operation is registered.
5. Click Delete a Firewall Interface.
6. Select the Firewall host and Interface from the list and click View Details. The details of the interface and its network details are displayed.
7. Click OK.

Creating a firewall zone

The procedure to create a firewall zone from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Create a Firewall Zone.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self-Service.
3. Click the category under which this operation is registered.
4. Click Create a Firewall Zone.
5. Enter the following details of the firewall zone:
   • Zone name - enter the name of the zone.
   • Firewall host - select the firewall host from the list of firewall devices.
6. Click OK. A firewall zone is created and is stored in the storehouse.

Deleting the firewall zone

The procedure to delete the firewall zone from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Delete a Firewall Zone.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self-Service.
3. Click the category under which this operation is registered.
4. Click Delete Firewall Zone.
5. Select the Firewall host and Firewall zone from the list and click OK. The selected zone is deleted from the host.

Creating a firewall policy

The procedure to create a firewall policy in the user interface of IBM Cloud Orchestrator.

Before you begin

Note: Currently support exists only for creating a policy across two zones. It does not support policy creation with firewall rules "From Internet" and "To Internet".

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Create a Firewall Policy.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self-Service.
3. Click the category under which this operation is registered.
4. Click Create Firewall Policy.
5. Enter the following details of the Firewall policy:
   • Firewall host - select the firewall host from the list of firewall devices.
   • Policy type - select the policy type from the list.
   • Source zone - select the zone from which you want to set firewall rules.
   • Source subnet - enter the IP address of the subnet on which you want to set the rules.
   • Destination zone - select the zone to which you want to set firewall rules.
   • Destination subnet - enter the IP address of the subnet on which you want to set the policy.
   • Protocol - select the type of protocol.
   • Port number - enter the port number that will be used for communication between source and destination.
6. Click OK.

Modifying a firewall policy

The procedure to modify a firewall policy from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Modify a Firewall Policy.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self Service.
3. Click the category under which this operation is registered.
4. Click Modify a Firewall Policy.
5. Select the Firewall host from the list and click Next. A list of policies that are associated to the host is displayed.
6. Select the firewall policy and click Next.
7. Modify Source subnet, Destination subnet, and Port details.
8. Click OK.

Deleting a firewall policy

The procedure to delete a firewall policy from the user interface of IBM Cloud Orchestrator.

Before you begin

If you are a normal user, ensure that the administrator user has registered this custom operation as a self-service offering in the user interface of IBM Cloud Orchestrator. Here, the custom operation is registered as Delete a Firewall Policy.

Procedure
1. Log in to the IBM Cloud Orchestrator UI.
2. Click Self Service.
3. Click the category under which this operation is registered.
4. Click Delete Firewall Policy.
5. Select the Firewall host from the list and click Next. A list of policies that are associated to the host is displayed.
6. Select the firewall policy and click Next.
7. Verify the details of the selected policy and click OK.

Troubleshooting

Error messages are logged for all probable errors during deployment. If you are using a locale other than English, change the locale preference for user 'tw_admin' and 'admin' in Business Process Manager.

The syntax of the error message is as follows: <Base error code>: <Detailed error code> : <Error message>

The base error code for this content pack is CTJCA0900E.

For example, CTJCA0900E: CTJCA0901E : Host IP cannot be null or empty.

The table provides the list of all the error codes and their probable causes.

Table 60. Error codes and causes

Error code | Description
CTJCA0901E | HostIP cannot be null or empty.
CTJCA0902E | Username cannot be null or empty.
CTJCA0903E | Password cannot be null or empty.
CTJCA0904E | Port cannot be null or zero.
CTJCA0905E | Cannot establish connection with the firewall device.
CTJCA0906E | Connection timed out.
CTJCA0907E | Zonename cannot be null or empty.
CTJCA0908E | GatewayIP cannot be null or empty.
CTJCA0909E | SubnetMask cannot be null or empty.
CTJCA0910E | ParentInterface cannot be null or empty.
CTJCA0911E | VLANID cannot be null or empty.
CTJCA0912E | VirtualRouter cannot be null or empty.
CTJCA0913E | SourceZone cannot be null or empty.
CTJCA0914E | Destination Zone cannot be null or empty.
CTJCA0915E | Source Subnet cannot be null or empty.
CTJCA0916E | Destination Subnet cannot be null or empty.
CTJCA0917E | Protocol cannot be null or empty.
CTJCA0918E | PolicyName cannot be null or empty.
CTJCA0919E | Application cannot be null or empty.
CTJCA0920E | SourceAddress cannot be null or empty.
CTJCA0921E | DestinationAddress cannot be null or empty.
CTJCA0922E | Create Firewall Zone request failed.
CTJCA0923E | Delete Firewall Zone request failed.
CTJCA0924E | Create Firewall Interface request failed.
CTJCA0925E | Delete Firewall Interface request failed.
CTJCA0926E | Create Firewall Policy request failed.
CTJCA0927E | Delete Firewall Policy request failed.
CTJCA0928E | Modify Firewall Policy request failed.
CTJCA0929E | Input string is not in JSON format.
CTJCA0931E | The Host IP does not match the DeviceIPAddress from the configuration file.
CTJCA0932E | Zone with same name already exists.
CTJCA0933E | Policy between the two zones for selected protocol already exists.
CTJCA0934E | Login credentials for the host are invalid.
CTJCA0935E | The host is invalid.
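The following added example (not part of the content pack and not IBM code) shows how the Register Firewall Host inputs map to the detailed error codes above, and how a logged line in the documented syntax can be split back into its parts. The function names are hypothetical, and it assumes that DeviceIPAddress is a key somewhere inside config.json, because the template schema is not shown in this section.

```python
import ipaddress
import json

BASE_CODE = "CTJCA0900E"  # base error code given on the page

# Detailed codes copied from Table 60 (only the ones this check can raise).
MESSAGES = {
    "CTJCA0901E": "Host IP cannot be null or empty.",
    "CTJCA0902E": "Username cannot be null or empty.",
    "CTJCA0903E": "Password cannot be null or empty.",
    "CTJCA0904E": "Port cannot be null or zero.",
    "CTJCA0929E": "Input string is not in JSON format.",
    "CTJCA0931E": "The Host IP does not match the DeviceIPAddress "
                  "from the configuration file.",
}


def format_error(detail_code):
    """Render one error in the page's syntax: <base>: <detail> : <message>."""
    return f"{BASE_CODE}: {detail_code} : {MESSAGES[detail_code]}"


def parse_error(line):
    """Split a logged line into (base, detail, message); None if it does not match."""
    parts = [p.strip() for p in line.split(":", 2)]
    if len(parts) != 3 or not all(parts):
        return None
    base, detail, message = parts
    if base != BASE_CODE or not detail.startswith("CTJCA"):
        return None
    return base, detail, message


def find_key(node, key):
    """Return the first non-null value stored under `key` anywhere in parsed JSON."""
    if isinstance(node, dict):
        if node.get(key) is not None:
            return node[key]
        children = list(node.values())
    elif isinstance(node, list):
        children = node
    else:
        return None
    for child in children:
        found = find_key(child, key)
        if found is not None:
            return found
    return None


def same_address(a, b):
    """Compare two addresses after normalisation; fall back to exact text match."""
    try:
        return ipaddress.ip_address(a.strip()) == ipaddress.ip_address(b.strip())
    except ValueError:
        return a.strip() == b.strip()


def validate_registration(host_ip, username, password, port, config_text):
    """Return the error lines this input would produce (empty list = passes).

    The messages never echo the submitted values, so the password cannot
    leak into a log through this path.
    """
    errors = []
    host_ip = (host_ip or "").strip()
    if not host_ip:
        errors.append(format_error("CTJCA0901E"))
    if not (username or "").strip():
        errors.append(format_error("CTJCA0902E"))
    if not password:
        errors.append(format_error("CTJCA0903E"))
    if not port:
        errors.append(format_error("CTJCA0904E"))
    try:
        config = json.loads(config_text)
    except (TypeError, ValueError):
        errors.append(format_error("CTJCA0929E"))
        return errors
    # Assumption: the template names the device under a "DeviceIPAddress" key.
    device_ip = find_key(config, "DeviceIPAddress")
    if host_ip and (not isinstance(device_ip, str)
                    or not same_address(host_ip, device_ip)):
        errors.append(format_error("CTJCA0931E"))
    return errors


# Constructed sample template (not from the page); the nesting is an assumption.
SAMPLE_CONFIG = '{"Device": {"DeviceIPAddress": "192.0.2.10"}}'

if __name__ == "__main__":
    for line in validate_registration("192.0.2.11", "netadmin", "", 0, SAMPLE_CONFIG):
        print(line)
```
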


Notices

This information was developed for products and services offered in the U.S.A.

IBM® may not offer the products, services, or features discussed in this document in other countries. Consult your local IBM representative for information on the products and services currently available in your area. Any reference to an IBM product, program, or service is not intended to state or imply that only that IBM product, program, or service may be used. Any functionally equivalent product, program, or service that does not infringe any IBM intellectual property right may be used instead. However, it is the user's responsibility to evaluate and verify the operation of any non-IBM product, program, or service.

IBM may have patents or pending patent applications covering subject matter described in this document. The furnishing of this document does not grant you any license to these patents. You can send license inquiries, in writing, to:

IBM Director of Licensing
IBM Corporation
North Castle Drive
Armonk, NY 10504-1785
U.S.A.

For license inquiries regarding double-byte character set (DBCS) information, contact the IBM Intellectual Property Department in your country or send inquiries, in writing, to:

Intellectual Property Licensing
Legal and Intellectual Property Law
IBM Japan Ltd.
1623-14, Shimotsuruma, Yamato-shi
Kanagawa 242-8502 Japan

The following paragraph does not apply to the United Kingdom or any other country where such provisions are inconsistent with local law: INTERNATIONAL BUSINESS MACHINES CORPORATION PROVIDES THIS PUBLICATION “AS IS” WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF NON-INFRINGEMENT, MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Some states do not allow disclaimer of express or implied warranties in certain transactions, therefore, this statement may not apply to you.

This information could include technical inaccuracies or typographical errors. Changes are periodically made to the information herein; these changes will be incorporated in new editions of the publication. IBM may make improvements and/or changes in the product(s) and/or the program(s) described in this publication at any time without notice.

Any references in this information to non-IBM Web sites are provided for convenience only and do not in any manner serve as an endorsement of those Web sites. The materials at those Web sites are not part of the materials for this IBM product and use of those Web sites is at your own risk.

© Copyright IBM Corp. 2015

IBM may use or distribute any of the information you supply in any way it believes appropriate without incurring any obligation to you.

Licensees of this program who wish to have information about it for the purpose of enabling: (i) the exchange of information between independently created programs and other programs (including this one) and (ii) the mutual use of the information which has been exchanged, should contact:

IBM Corporation
2Z4A/101
11400 Burnet Road
Austin, TX 78758
U.S.A.

Such information may be available, subject to appropriate terms and conditions, including in some cases, payment of a fee.

The licensed program described in this information and all licensed material available for it are provided by IBM under terms of the IBM Customer Agreement, IBM International Program License Agreement, or any equivalent agreement between us.

Any performance data contained herein was determined in a controlled environment. Therefore, the results obtained in other operating environments may vary significantly. Some measurements may have been made on development-level systems and there is no guarantee that these measurements will be the same on generally available systems. Furthermore, some measurements may have been estimated through extrapolation. Actual results may vary. Users of this document should verify the applicable data for their specific environment.

Information concerning non-IBM products was obtained from the suppliers of those products, their published announcements or other publicly available sources. IBM has not tested those products and cannot confirm the accuracy of performance, compatibility or any other claims related to non-IBM products. Questions on the capabilities of non-IBM products should be addressed to the suppliers of those products.

This information contains examples of data and reports used in daily business operations. To illustrate them as completely as possible, the examples include the names of individuals, companies, brands, and products. All of these names are fictitious and any similarity to the names and addresses used by an actual business enterprise is entirely coincidental.

If you are viewing this information softcopy, the photographs and color illustrations may not appear.


Trademarks and Service Marks

IBM, the IBM logo, and ibm.com® are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. If these and other IBM trademarked terms are marked on their first occurrence in this information with a trademark symbol (® or ™), these symbols indicate U.S. registered or common law trademarks owned by IBM at the time this information was published. Such trademarks may also be registered or common law trademarks in other countries. A current list of IBM trademarks is available on the Web at http://www.ibm.com/legal/copytrade.shtml.

Adobe, the Adobe logo, PostScript, and the PostScript logo are trademarks or registered trademarks of Adobe Systems, Incorporated, in the United States and/or other countries.

Intel, the Intel logo, Intel Inside, the Intel Inside logo, Intel Centrino, the Intel Centrino logo, Celeron, Intel Xeon, Intel SpeedStep, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its subsidiaries in the United States and other countries.

Java™ and all Java-based trademarks and logos are trademarks or registered trademarks of Oracle and/or its affiliates.

Linux is a registered trademark of Linus Torvalds in the United States, other countries, or both.

Microsoft, Windows, Windows NT, and the Windows logo are trademarks of Microsoft Corporation in the United States, other countries, or both.

UNIX is a registered trademark of The Open Group in the United States and other countries.


IBM®

Printed in USA