
Meetup: Puppet Development Kit and Managing a FortiGate Firewall

Written by Dennis Verdonschot | Oct 26, 2018 3:17:00 PM

Last January we hosted a productive meetup about Puppet. We explored the features of the new Puppet Development Kit (PDK) and walked through a practical way to manage a FortiGate firewall with Puppet.

The new Puppet Development Kit (PDK)

Kevin van Reeuwijk from Puppet kicked off the first topic. He showed how little effort it takes to start a new Puppet module with the PDK. The PDK scaffolds modules according to Puppet's best practices and bundles the testing tools (RSpec via rspec-puppet, plus linting and syntax validation) you need to test a module and publish a high-quality result to the Puppet Forge.

Test your code, convert existing modules

Kevin walked us through what the PDK offers when creating new modules: `pdk new module` generates the skeleton, `pdk validate` runs the linters and syntax checks, and `pdk test unit` runs the RSpec unit tests. The PDK also lets you take a previously developed module and bring it up to the PDK layout and tooling with the `pdk convert` command.

The future of PDK

The launch of PDK is only a start. The backlog holds interesting items such as PDK-enabled container images for Travis CI, GitLab CI and AppVeyor, and the ability to build a module and publish it to the Forge. Watch the whole presentation here, or install the new PDK from Puppet's yum or apt package repositories, or download it from puppet.com if you use macOS or Windows.

Managing your FortiGate firewall policies, using our Puppet module

Mark presented the difficulties of firewall management. He first sketched the contrast between the firewall at home and an enterprise firewall that spans more than 15 zones, holds around 1,500 rules (policies) and sees up to 1,000 changes a year. He then described the hard part: deciding on an approach for handling all of those changes, and how he implemented that approach in the FortiGate Puppet module.

Developing the module

The first decision was what to automate. FortiGate firewalls are complex enough that a module managing every feature would take months of full-time development, so the scope was limited to policies. Even then there were real technical difficulties, particularly around naming Puppet types and around the sequencing of firewall policies. FortiGate evaluates policies top-down and the first match wins, so the order in which policies are applied is part of their meaning: if you first block all TCP connections and then allow HTTPS, the second policy is never reached and has no effect. Puppet resources are identified by title, not by position, so the module has to carry and enforce that sequence explicitly.

Simplifying management with higher-level types

Mark showed how the module simplifies FortiGate management for end users. Besides Puppet resource types that manage individual policies, Mark demonstrated what he calls "composite" types. These higher-level defined types let end users manage firewall policies at the application or node-group level, removing the need to spell out every policy on a node-to-node or subnet-to-subnet basis. These composite types are comparable to security groups in Amazon Web Services or Microsoft Azure.
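To make both points concrete (the first-match ordering problem described under "Developing the module" and the composite, group-level rules described above), here is an added example in plain Ruby. It is not code from the talk or from the FortiGate Puppet module; the group names, subnets and policy names are constructed for the example, and the "implicit deny" fallback mirrors FortiGate's default of dropping traffic that matches no policy. It expands group-to-group rules into concrete subnet-to-subnet policies, evaluates a connection against the ordered list, and flags policies that can never match because an earlier, broader policy shadows them.

```ruby
# Added example; not code from the meetup talk or from the FortiGate Puppet
# module it describes. Models ordered, first-match firewall policies in Ruby.
require 'ipaddr'

# Node groups (constructed for this example).
GROUPS = {
  'web' => %w[10.1.0.0/24 10.1.1.0/24],
  'db'  => %w[10.2.0.0/24],
  'any' => %w[0.0.0.0/0],
}.freeze

Policy = Struct.new(:name, :src, :dst, :proto, :port, :action)

# True when subnet +inner+ lies entirely inside subnet +outer+.
# Checked explicitly because IPAddr#include? on older Rubies ignores the
# prefix length of its argument.
def subnet_within?(inner, outer)
  i = IPAddr.new(inner)
  o = IPAddr.new(outer)
  o.include?(i) && i.prefix >= o.prefix
end

# Expand one composite rule (group -> group) into one concrete policy per
# source/destination subnet pair, preserving the order the rules were given in.
def expand(composites)
  composites.flat_map do |c|
    GROUPS.fetch(c[:src]).product(GROUPS.fetch(c[:dst])).each_with_index.map do |(s, d), i|
      Policy.new("#{c[:name]}-#{i}", s, d, c[:proto], c[:port], c[:action])
    end
  end
end

# Does policy +p+ match this connection? 'any' is a wildcard for proto/port.
def policy_matches?(p, src_ip, dst_ip, proto, port)
  IPAddr.new(p.src).include?(IPAddr.new(src_ip)) &&
    IPAddr.new(p.dst).include?(IPAddr.new(dst_ip)) &&
    (p.proto == 'any' || p.proto == proto) &&
    (p.port == 'any' || p.port == port)
end

# First-match evaluation: the first matching policy decides; anything that
# matches no policy falls through to an implicit deny.
def evaluate(policies, src_ip, dst_ip, proto, port)
  hit = policies.find { |p| policy_matches?(p, src_ip, dst_ip, proto, port) }
  hit ? [hit.name, hit.action] : ['implicit-deny', 'deny']
end

# +earlier+ covers +later+ when every connection +later+ could match is also
# matched by +earlier+: same or wider subnets, same or wider proto and port.
def covers?(earlier, later)
  subnet_within?(later.src, earlier.src) &&
    subnet_within?(later.dst, earlier.dst) &&
    (earlier.proto == 'any' || earlier.proto == later.proto) &&
    (earlier.port == 'any' || earlier.port == later.port)
end

# Names of policies that an earlier policy shadows completely.
def shadowed(policies)
  policies.each_with_index.select do |p, idx|
    policies[0...idx].any? { |e| covers?(e, p) }
  end.map { |p, _| p.name }
end

# The ordering mistake from the talk: deny all TCP first, then allow HTTPS.
BAD_ORDER = [
  { name: 'block-tcp',   src: 'any', dst: 'db', proto: 'tcp', port: 'any', action: 'deny' },
  { name: 'allow-https', src: 'web', dst: 'db', proto: 'tcp', port: 443,   action: 'accept' },
].freeze
GOOD_ORDER = BAD_ORDER.reverse.freeze

if __FILE__ == $PROGRAM_NAME
  bad  = expand(BAD_ORDER)
  good = expand(GOOD_ORDER)
  puts "expanded policies: #{bad.size}"
  puts "bad order  -> #{evaluate(bad,  '10.1.0.5', '10.2.0.9', 'tcp', 443).inspect}"
  puts "good order -> #{evaluate(good, '10.1.0.5', '10.2.0.9', 'tcp', 443).inspect}"
  puts "shadowed in bad order: #{shadowed(bad).inspect}"
end
```

With the deny-all-TCP policy first, the HTTPS connection from the web group to the db group is denied and both expanded `allow-https` policies are reported as shadowed; reversing the order lets the HTTPS policy match while everything else still falls through to the deny. A shadow check like this is cheap to run against the expanded policy list before it is pushed to the firewall, and catches exactly the sequencing mistake the talk described.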

Watch and try it yourself

We received positive reactions from the attendees. Want more information? Leave your email address and we will share the presentation with you.