vSRX + K2 On-Premises

Instructions for deploying vSRX with K2 On-Premises Platform.

Goal

Deploy vSRX in a VPC, K2 On-Prem Portal and K2 Agents on EC2 Instances in that VPC via cloudformation template.

Prerequisites

Make sure to have docker included in your AMI if you are deploying the Docker version of the K2 agent (recommended).
Register at k2io.net to obtain license to use K2 On-Prem Portal.
Make sure to have Juniper vSRX subscribed on AWS marketplace
- Click on the link to checkout different vSRX offerings and subscribe as per your use case in case if you don’t have existing subscription
  - Pay As You Go : https://aws.amazon.com/marketplace/pp/prodview-z7jcugjx442hw?ref_=unifiedsearch
  - Bring Your Own License : https://aws.amazon.com/marketplace/pp/prodview-3ztwjuhn2wceq?ref_=unifiedsearch
- Obtain AMIId in the AMIs tab in the EC2 service after subscribing to vSRX.

Steps

Part 1: K2 OnPrem Portal

STEP 1: Setup Configuration :

Update the following parameters from the sample yml below
- General Parameters
  - KeyName : Name of an existing EC2 KeyPair to enable SSH access to the instance.
  - AllowedSshIpAddress :Source IP address (CIDR notation) from which SSH to k2cloud instance is allowed.
  - AllowedAddress :Source IP address (CIDR notation) from which any access to k2cloud instance is allowed.
  - InstanceType: Specify instance type, by default it is m5.2xlarge and we recommend the same.
  - SSHLocation: Source IP address (CIDR notation) from which any access to k2cloud instance is allowed.

Copy the sample yml below with updated parameters into your EC2 CFT yml

Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cftwest1 #Configurable Section1
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  AllowedAddress:
    Description: Source IP address (CIDR notation) from which any access to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: m5.2xlarge
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
      g3.8xlarge,
      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge,
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  SSHLocation:
    Description: The IP address range that can be used to SSH to the EC2 instances
    Type: String
    MinLength: 9
    MaxLength: 18
    Default: 0.0.0.0/0
    AllowedPattern: (\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})
    ConstraintDescription: must be a valid IP CIDR range of the form x.x.x.x/x.
############################ K2 Configuration #1 Ends Here ############################

Step 2: K2Cloud AMI Configuration:

Update Mappings part of k2cloud cloudformation template
- Make sure you have AMI Ids ready after subscription to k2cloud offering on AWS marketplace.
- Specify AMI Id for respective region, for now you can give AMI Id for particular region and move to the next step.

Mappings:
  K2CloudAMIEC2:
    us-east-1:
      CentOS7: ami-0dd3922502962f0ae
    us-west-2:
      CentOS7: ami-b55a51cc
    us-west-1:
      CentOS7: ami-027956be094a99d30
    eu-west-1:
      CentOS7: ami-f1978897
    eu-central-1:
      CentOS7: ami-0e258161
    ap-northeast-1:
      CentOS7: ami-5c9a933b
    ap-southeast-1:
      CentOS7: ami-cb981aa8
    ap-southeast-2:
      CentOS7: ami-9a3322f9

Step 3: K2Cloud Deployment

It includes following components
- Launch K2Cloud instance from k2cloud AMI specified above
- IAM role for S3 Access
- S3 bucket creation for backup and restore purposes.

Resources:
  S3Bucket:
    Type: 'AWS::S3::Bucket'
    Properties:
      BucketName: k2cloud-backup

  EC2InstanceProfile:
    Type: AWS::IAM::InstanceProfile
    Properties:
      Path: /
      Roles: [!Ref 'EC2Role']

  # Role for the EC2 hosts.
  EC2Role:
    Type: AWS::IAM::Role
    Properties:
      AssumeRolePolicyDocument:
        Statement:
        - Effect: Allow
          Principal:
            Service: [ec2.amazonaws.com]
          Action: ['sts:AssumeRole']
      Path: /
      Policies:
      - PolicyName: k2cloud-policy
        PolicyDocument:
          Statement:
          - Effect: Allow
            Action:
              - 's3:AbortMultipartUpload'
              - 's3:GetBucketLocation'
              - 's3:GetObject'
              - 's3:ListBucket'
              - 's3:ListBucketMultipartUploads'
              - 's3:PutObject'
            Resource:
              - arn:aws:s3:::k2cloud-backup
              - arn:aws:s3:::k2cloud-backup/*

  EC2Instance:
    Type: AWS::EC2::Instance
    Properties:
      ImageId: !FindInMap
        - K2CloudAMIEC2
        - !Ref 'AWS::Region'
        - CentOS7
      InstanceType: !Ref 'InstanceType'
      SecurityGroupIds: [{ "Fn::GetAtt" : ["InstanceSecurityGroup", "GroupId"] }]
      KeyName: !Ref 'KeyName'
      IamInstanceProfile: !Ref 'EC2InstanceProfile'
      BlockDeviceMappings:
      - DeviceName: "/dev/sda1"
        Ebs:
          VolumeType: "gp2"
          DeleteOnTermination: true
          VolumeSize: 200
      #SubnetId: !Ref PublicSubnet1
      Tags:
        - Key: Name
          Value: Test
  InstanceSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: Enable SSH access via port 22
      SecurityGroupIngress:
      - IpProtocol: tcp
        FromPort: 22
        ToPort: 22
        CidrIp: !Ref 'SSHLocation'
      - IpProtocol: tcp
        FromPort: 80
        ToPort: 80
        CidrIp: !Ref AllowedAddress
      - IpProtocol: tcp
        FromPort: 8080
        ToPort: 8080
        CidrIp: !Ref AllowedAddress
      - IpProtocol: tcp
        FromPort: 443
        ToPort: 443
        CidrIp: !Ref AllowedAddress

Step 4 : Run the template

Using AWS Console

Using AWS Cli For e.g.

aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}

Example Command is below

aws cloudformation create-stack --region us-west-1 --stack-name ec2-k2 --template-body file

Part 2: vSRX installation (This is a sample and you should use your own vSRX installation CFT)

STEP 1: vSRX Configuration :

Update the following parameters in the sample yml below
- General Parameters
  - KeyName : Name of an existing EC2 KeyPair to enable SSH access to the instance.
  - AllowedSshIpAddress : Source IP address (CIDR notation) from which SSH to vSRXs is allowed.
  - AllowedAddress : Source IP address (CIDR notation) from which any access to vSRXs is allowed.
  - TerminationProtection: Enable termination protection on the VSRX EC2 instances to avoid accidential VSRX termination?.
- vSRX Parameters
  - VpcCidr : CIDR block for vSRX VPC.
  - PubSubnet1 : Address range for vSRX VPC management subnet.
  - PubSubnet2 : Address range for vSRX VPC data subnet to be created in AZ1.
  - PriSubnet1 : Address range for vSRX VPC private subnet to be created in AZ1.
  - VSRXType : Virtual machine size required for VSRX instances.
- AMIID Mappings
  - Mappings : Update the mappings and specify the AMI Id for vSRX.

Copy the sample yml below and update the parameters and use them in final yml

  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cft #Configurable Section1
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  AllowedSshIpAddress:
    Description: Source IP address (CIDR notation) from which SSH to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
  AllowedAddress:
    Description: Source IP address (CIDR notation) from which any access to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
############################ Juniper Configuration #1 Starts Here  ############################
  TerminationProtection:
    Description: >-
      Enable termination protection on the VSRX EC2 instances to avoid
      accidential VSRX termination?
    Type: String
    Default: 'No'
    AllowedValues:
      - 'Yes'
      - 'No'
  VpcCidr:
    Description: CIDR block for vSRX VPC.
    Type: String
    Default: 200.0.0.0/16
  PubSubnet1:
    Description: Address range for vSRX VPC management subnet.
    Type: String
    Default: 200.0.254.0/24
  PubSubnet2:
    Description: Address range for vSRX VPC data subnet to be created in AZ1.
    Type: String
    Default: 200.0.1.0/24
  PriSubnet1:
    Description: Address range for vSRX VPC private subnet to be created in AZ1.
    Type: String
    Default: 200.0.2.0/24
  VSRXType:
    Description: Virtual machine size required for VSRX instances.
    Type: String
    Default: C4.Xlarge
    AllowedValues:
      - C4.Xlarge
Mappings:
  JunipervSRXAMI: #Configurable Section7
    us-east-1:
      byol: ami-40058d3a
    us-east-2:
      byol: ami-e6a18983
    us-west-2:
      byol: ami-cddd71b5
    us-west-1:
      byol: ami-04283cf0a2bf7c17c
    ca-central-1:
      byol: ami-ab04bbcf
    eu-west-1:
      byol: ami-2117ff58
    eu-west-2:
      byol: ami-d76f7eb3
    eu-central-1:
      byol: ami-f8fd7f97
    ap-south-1:
      byol: ami-26f68e49
    ap-southeast-1:
      byol: ami-c5a331a6
    ap-southeast-2:
      byol: ami-14c1de77
    ap-northeast-1:
      byol: ami-02729164
    ap-northeast-2:
      byol: ami-2bbe6745
    sa-east-1:
      byol: ami-0656216a
  vSRXInstance:
    C4.Xlarge:
      Type: c4.xlarge
      Bandwidth: '500000'

Step 2: Installation of vSRX :

Following CFT yml will include :
- vSRX Network Infrastructure Provisioning
- vSRX EC2 Instance Provisioning

Conditions:
  EnableTerm: !Equals
    - !Ref TerminationProtection
    - 'Yes'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Juniper VSRX Configuration
        Parameters:
          - VSRXType
          - KeyName
          - TerminationProtection
      - Label:
          default: Network Configuration
        Parameters:
          - VpcCidr
          - AllowedSshIpAddress
          - PubSubnet1
          - PubSubnet2
          - PriSubnet1
    ParameterLabels:
      AllowedSshIpAddress:
        default: Allowed IP Address to SSH from
      VpcCidr:
        default: vSRX VPC CIDR Block
      PubSubnet1:
        default: vSRX1- Management Subnet Network
      PubSubnet2:
        default: vSRX1- Data Subnet Network
      PriSubnet1:
        default: vSRX1- Private Subnet
      VSRXType:
        default: vSRX Instance Size
      KeyName:
        default: SSH Key to access VSRX
      TerminationProtection:
        default: Enable Termination Protection
Resources:
  vSRXVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCidr
      Tags:
        - Key: Name
          Value: vSRX VPC
  VPCPubSub11:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PubSubnet1
      MapPublicIpOnLaunch: false #Can be removed not Necessary
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC Management Subnet 1
  VPCPubSub12:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PubSubnet2
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC Data Subnet 1
  VPCPriSub11:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PriSubnet1
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Private
        - Key: Name
          Value: vSRX VPC Private Subnet 1
  IGW:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: vSRX VPC IGW
  IGWToInternet:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref vSRXVPC
      InternetGatewayId: !Ref IGW
  VPCPublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref vSRXVPC
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC
  VPCPublicRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref VPCPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW
  VPCPrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref vSRXVPC
      Tags:
        - Key: Network
          Value: Private
        - Key: Name
          Value: vSRX VPCPrivateRouteTable
  S3Endpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 's3:*'
            Resource:
              - '*'
      RouteTableIds:
        - !Ref VPCPublicRouteTable
        - !Ref VPCPrivateRouteTable
      ServiceName: !Join
        - ''
        - - com.amazonaws.
          - !Ref 'AWS::Region'
          - .s3
      VpcId: !Ref vSRXVPC
  VPCPubSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPubSub11
      RouteTableId: !Ref VPCPublicRouteTable
  VPCPubSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPubSub12
      RouteTableId: !Ref VPCPublicRouteTable
  vSRXInterface11:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXManagementInterface1
      PrivateIpAddress: 200.0.254.154
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPubSub11
  vSRXInterface12:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXRevenueInterface1
      PrivateIpAddress: 200.0.1.11
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPubSub12
  vSRXInterface13:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXPrivateInterface1
      PrivateIpAddress: 200.0.2.22
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPriSub11
  vSRXEip11:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: ManagementElasticIP
  vSRXEip12:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: RevenueDataElasticIP
  AssociateEIP11:
    Type: 'AWS::EC2::EIPAssociation'
    Properties:
      AllocationId: !GetAtt
        - vSRXEip11
        - AllocationId
      NetworkInterfaceId: !Ref vSRXInterface11
  AssociateEIP12:
    Type: 'AWS::EC2::EIPAssociation'
    Properties:
      AllocationId: !GetAtt
        - vSRXEip12
        - AllocationId
      NetworkInterfaceId: !Ref vSRXInterface12
  VpcvSRXEC2Instance1:
    Type: 'AWS::EC2::Instance'
    Metadata:
      Comment1: Launch Juniper VSRX1
    Properties:
      InstanceType: !FindInMap
        - vSRXInstance
        - !Ref VSRXType
        - Type
      KeyName: !Ref KeyName
      DisableApiTermination: !If
        - EnableTerm
        - true
        - false
      ImageId: !FindInMap
        - JunipervSRXAMI
        - !Ref 'AWS::Region'
        - byol
#https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-network-iface-embedded.html
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref vSRXInterface11
          DeviceIndex: '0'
        - NetworkInterfaceId: !Ref vSRXInterface12
          DeviceIndex: '1'
        - NetworkInterfaceId: !Ref vSRXInterface13
          DeviceIndex: '2'
      Tags:
        - Key: Name
          Value: Juniper VSRX Instance
    DependsOn: IGW
  VPCPrivateRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref VPCPrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref vSRXInterface13
  VPCPriSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPriSub11
      RouteTableId: !Ref VPCPrivateRouteTable
  VSRXSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: VSRX Security Group Rules
      VpcId: !Ref vSRXVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AllowedSshIpAddress
        - IpProtocol: icmp
          FromPort: 8
          ToPort: -1
          CidrIp: !Ref AllowedSshIpAddress
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref AllowedAddress
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref AllowedAddress
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AllowedAddress
      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
Outputs:
  VSRXInstanceId:
    Description: The name of the VSRX Instance created
    Value: !Ref VpcvSRXEC2Instance1
  VPCId:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXVPC
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'vSRXVPC' ] ]
  PublicSubnetId11:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPubSub11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPubSub11' ] ]
  PublicSubnetId12:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPubSub12
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPubSub12' ] ]
  PrivateSubnetId11:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPriSub11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPriSub11' ] ]
  VSRXSecurityGroup:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VSRXSecurityGroup
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VSRXSecurityGroup' ] ]
  VSRXIPAddress:
    Description: Management IP Address for VSRX
    Value: !GetAtt
      - VpcvSRXEC2Instance1
      - PublicIp
  ManagementIP:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXEip11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ManagementElasticIP' ] ]
  RevenueIP:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXEip12
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'RevenueDataElasticIP' ] ]

Step 3: Once your template is ready and valid, Run it via EC2 console or AWS CLI

Commands to run

Using AWS Console

Using AWS Cli For e.g.

aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}

Example Command is below

aws cloudformation create-stack --region us-west-1 --stack-name k2-vSRX --template-body file

Step 4: Create policy shell script as per your use case and apply them on vSRX instance, for more details checkout the Complete Example.

Part 3: Installation of K2 agents on EC2 instances

Step 1: K2-SaaS Setup on EC2 instance where Web application runs:

Update the following parameters from the sample yml below

General Parameters
- KeyName : Name of an existing EC2 KeyPair to enable SSH access to the Ec2 instance.
- InstanceType : WebServer EC2 instance type.
K2 Parameters
- k2IsDocker : Set docker or non docker install of K2 agents, true for docker install and vice versa.
- k2IsPrivileged : Set privileged mode installation of K2 agents, true for privileged mode and vice versa.
- k2VersionNumber : Set the K2 agents version for download for e.g. 1.10.10
- k2CustomerId : Set your K2 customer Id for e.g. 1101
- k2TempToken : Set the temp token for K2 agents tarball download, You can get it from K2 Manager UI.
- k2CloudIP : Provide here K2 On Prem Portal Elastic IP obtained after cft deployment in part1.
AMIID Mappings
- Mappings : Update the mappings and specify the AMI Id for K2 Demo Instance.

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  (K20001) - This template creates a Juniper vSRX instance along with Instance where
  Vulnerable application along with k2 agents is installed ***NOTE*** You must
  first subscribe to the appropriate Juniper VSRX marketplace AMI from the
  before you launch this template.
Parameters:
  ParentStackName:
    Description: Name of Parent Stack which is vSRX Stack Name as this cloudformation template will reuse some resources from vsrx stack like vpc, subnets.
    Default: vsrx #Configurable Section1
    Type: String
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cft #Configurable Section2
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
############################ K2 Configuration #1 Starts Here  ############################
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.medium
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
      g3.8xlarge,
      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge,
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
                 to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
      "false"]
  k2CloudIP:
    Type: String
    Default: "k2io.net" #Configurable Section2 # Use In general "k2io.net"
    Description: Public IP of K2Cloud
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #                to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #     "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.14" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "910"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "65470008664519211083609100231891391175" #Configurable Section5
    Description: Temp token to install k2 agents tarball.
############################ K2 Configuration #1 Ends Here ############################
Mappings:
  EC2AMI: #Configurable Section6
    us-east-1:
      AMIId: ami-0dd3922502962f0ae
    us-east-2:
      AMIId: ami-0dd3922502962f0ae
    us-west-2:
      AMIId: ami-b55a51cc
    us-west-1:
      #AMIId: ami-05db5717b629827c2
      AMIId: ami-0c09e97d0e404cb51
    eu-west-1:
      AMIId: ami-f1978897
    eu-central-1:
      AMIId: ami-0e258161
    ap-northeast-1:
      AMIId: ami-5c9a933b
    ap-southeast-1:
      AMIId: ami-cb981aa8
    ap-southeast-2:
      AMIId: ami-9a3322f9

Step 2: Installation of K2 Agents on the EC2 instance

Following CFT yml will include :

CFN Helper Scripts provisioning
K2 Agents Installation

Resources:
  vSRXInterface14:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXPrivateInterface1
      PrivateIpAddress: 200.0.2.44
      SourceDestCheck: false
      GroupSet:
        - Fn::ImportValue:
            !Join [':', [!Ref 'ParentStackName', 'VSRXSecurityGroup']]
      SubnetId:
        Fn::ImportValue:
          !Join [':', [!Ref 'ParentStackName', 'VPCPriSub11']]
  DemoInstance:
    Type: AWS::EC2::Instance
    Metadata:
############################ K2 Configuration #2 Starts Here  ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app
        cfn_init_configuration:
          files:
             '/etc/cfn/cfn-hup.conf':
               content: !Sub |
                 [main]
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
               mode: '000400'
               owner: root
               group: root
             '/lib/systemd/system/cfn-hup.service':
                content: |
                  [Unit]
                  Description=cfn-hup daemon
                  [Service]
                  Type=simple
                  ExecStart=/opt/aws/bin/cfn-hup
                  Restart=always
                  [Install]
                  WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip '${k2CloudIP}/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref vSRXInterface14
          DeviceIndex: '0'
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # count=70
          # while [[ $count -ne 0 ]] ; do
          #       ping -c 1 8.8.8.8
          #       rc=$?
          #       if [[ $rc -eq 0 ]] ; then
          #         ((count = 1))
          #       fi
          #       ((count = count - 1))
          #       sleep 10
          # done
          # if [[ $rc -eq 0 ]] ; then
          #  echo `say The internet is back up.` > /tmp/connected.out
          # else
          #  echo `say Timeout.` > /tmp/timeout.out
          # fi
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
              apt-get update -y
              apt-get install -y python-setuptools
              apt-get install -y wget
              apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
              yum update -y
              yum install -y python-setuptools
              yum install -y wget
              yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource DemoInstance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource DemoInstance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
############################ K2 Configuration #2 Ends Here  ############################
# Below Parts will come from customer
      ImageId: !FindInMap
        - EC2AMI
        - !Ref 'AWS::Region'
        - AMIId
      InstanceType: !Ref 'InstanceType'
      KeyName: !Ref 'KeyName'
      BlockDeviceMappings:
      - DeviceName: "/dev/sda1"
        Ebs:
          VolumeType: "gp2"
          DeleteOnTermination: true
          VolumeSize: 200
      Tags:
        - Key: Name
          Value: K2Agent with Vulnerable Application

Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref 'DemoInstance'
  AZ:
    Description: Availability Zone of the newly created EC2 instance
    Value: !GetAtt [DemoInstance, AvailabilityZone]

Step 3: Once your template is ready and valid, Run it via EC2 console or AWS CLI

Commands to run

Using AWS Console

Using AWS Cli For e.g.

aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}

Example Command is below

aws cloudformation create-stack --region us-west-1 --stack-name k2-vSRX --template-body file://test.yml

Step 4: Verification
- Two EIPs will be attached to vSRX Instance
  - Revenue Data EIP : A Revenue port is used for traffic processing. You can access the vulnerable app through revenue data elastic ip of vsrx instance (http://${REVENUE_DATA_IP}:8080).
    SSH to secondary instance behind vSRX instance using revenue data ip.
  - Management EIP : The management interface is preconfigured with the AWS Elastic IP and default route. You can login to vSRX instance using Management IP and verify all the vSRX policies are set fine.
    Login to vSRX instance
    Go to configuration mode
    configure
    Check all the security policies applied to vSRX instance
    show security policies
Step 5: Attack Detection
- On the Vulnerable Application, there is broad category of attacks availible, you can launch one of the attacks like File based, Remote code, SQL Injection etc.
- Access K2 SaaS portal (https://k2io.net/centralmanager ) and sign in with your username and password.
- Attack detected would be shown in the attacks tab of K2 SaaS portal.

Part 4 : Configure vSRX policies using K2Manager

Step 1 : Open Firewall Integration

Go to Settings tab and go to Firewall Integration in dropdown list of Settings.

Firewall | K2 Portal

Step 2 : Add a new Firewall Configuration Rule

Add a new Firewall Configuration Rule

Click on + on right side of the Firewall Integration view to add new firewall configuration
Configure the following attributes:
- Firewall IP : vSRX controller IP
- Username: SSH user (Used to SSH to vSRX controller instance)
- Password: SSH password (Used to SSH to vSRX controller instance)
- Update Interval: Periodic interval at which the xSRX controller pulls the information from K2
- SNAT Enabled: True (For static NAT)

Step 3 : Add Blocking List Configurations

Step 4 : Add Allowed List Configurations

Complete Template Example

Make sure Part 1 of step is done to install K2 Portal On-Premises.

This complete example is combination of Part2, Part3 and Part4 of steps mentioned above.

Following steps will show how to deploy vSRX in a VPC and K2 Agents on EC2 Instances in that VPC via cloudformation template.

Cloudformation Template :

Setup and Configure parameters in below template as per you environment :

KeyName : Name of an existing EC2 KeyPair to enable SSH access to the instance.
AllowedSshIpAddress : Source IP address (CIDR notation) from which SSH to vSRXs is allowed.
AllowedAddress : Source IP address (CIDR notation) from which any access to vSRXs is allowed.
TerminationProtection: Enable termination protection on the VSRX EC2 instances to avoid accidential VSRX termination?.
VpcCidr : CIDR block for vSRX VPC.
PubSubnet1 : Address range for vSRX VPC management subnet.
PubSubnet2 : Address range for vSRX VPC data subnet to be created in AZ1.
PriSubnet1 : Address range for vSRX VPC private subnet to be created in AZ1.
VSRXType : Virtual machine size required for VSRX instances.
K2DemoInstanceType : WebServer EC2 instance type.
k2IsDocker : Set docker or non docker install of K2 agents, true for docker install and vice versa.
k2IsPrivileged : Set privileged mode installation of K2 agents, true for privileged mode and vice versa.
k2VersionNumber : Set the K2 agents version for download for e.g. 1.10.10
k2CustomerId : Set your K2 customer Id for e.g. 1101
k2TempToken : Set the temp token for K2 agents tarball download, You can get it from K2 Manager UI.
Mappings : Update the mappings and specify the AMI Id for vSRX and k2demo machine respectively

VSRX.yml


AWSTemplateFormatVersion: 2010-09-09
Description: >-
  (K20001) - This template creates a Juniper vSRX instance along with Instance where
  Vulnerable application along with k2 agents is installed ***NOTE*** You must
  first subscribe to the appropriate Juniper VSRX marketplace AMI from the
  before you launch this template.
Parameters:
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cft #Configurable Section1
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
  AllowedSshIpAddress:
    Description: Source IP address (CIDR notation) from which SSH to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
  AllowedAddress:
    Description: Source IP address (CIDR notation) from which any access to vSRXs is allowed
    Type: String
    Default: 0.0.0.0/0
############################ Juniper Configuration #1 Starts Here  ############################
  TerminationProtection:
    Description: >-
      Enable termination protection on the VSRX EC2 instances to avoid
      accidential VSRX termination?
    Type: String
    Default: 'No'
    AllowedValues:
      - 'Yes'
      - 'No'
  VpcCidr:
    Description: CIDR block for vSRX VPC.
    Type: String
    Default: 200.0.0.0/16
  PubSubnet1:
    Description: Address range for vSRX VPC management subnet.
    Type: String
    Default: 200.0.254.0/24
  PubSubnet2:
    Description: Address range for vSRX VPC data subnet to be created in AZ1.
    Type: String
    Default: 200.0.1.0/24
  PriSubnet1:
    Description: Address range for vSRX VPC private subnet to be created in AZ1.
    Type: String
    Default: 200.0.2.0/24
  VSRXType:
    Description: Virtual machine size required for VSRX instances.
    Type: String
    Default: C4.Xlarge
    AllowedValues:
      - C4.Xlarge
Conditions:
  EnableTerm: !Equals
    - !Ref TerminationProtection
    - 'Yes'
Metadata:
  'AWS::CloudFormation::Interface':
    ParameterGroups:
      - Label:
          default: Juniper VSRX Configuration
        Parameters:
          - VSRXType
          - KeyName
          - TerminationProtection
      - Label:
          default: Network Configuration
        Parameters:
          - VpcCidr
          - AllowedSshIpAddress
          - PubSubnet1
          - PubSubnet2
          - PriSubnet1
    ParameterLabels:
      AllowedSshIpAddress:
        default: Allowed IP Address to SSH from
      VpcCidr:
        default: vSRX VPC CIDR Block
      PubSubnet1:
        default: vSRX1- Management Subnet Network
      PubSubnet2:
        default: vSRX1- Data Subnet Network
      PriSubnet1:
        default: vSRX1- Private Subnet
      VSRXType:
        default: vSRX Instance Size
      KeyName:
        default: SSH Key to access VSRX
      TerminationProtection:
        default: Enable Termination Protection
Mappings:
  JunipervSRXAMI: #Configurable Section7
    us-east-1:
      byol: ami-40058d3a
    us-east-2:
      byol: ami-e6a18983
    us-west-2:
      byol: ami-cddd71b5
    us-west-1:
      byol: ami-04283cf0a2bf7c17c
    ca-central-1:
      byol: ami-ab04bbcf
    eu-west-1:
      byol: ami-2117ff58
    eu-west-2:
      byol: ami-d76f7eb3
    eu-central-1:
      byol: ami-f8fd7f97
    ap-south-1:
      byol: ami-26f68e49
    ap-southeast-1:
      byol: ami-c5a331a6
    ap-southeast-2:
      byol: ami-14c1de77
    ap-northeast-1:
      byol: ami-02729164
    ap-northeast-2:
      byol: ami-2bbe6745
    sa-east-1:
      byol: ami-0656216a
  vSRXInstance:
    C4.Xlarge:
      Type: c4.xlarge
      Bandwidth: '500000'
Resources:
  vSRXVPC:
    Type: 'AWS::EC2::VPC'
    Properties:
      CidrBlock: !Ref VpcCidr
      Tags:
        - Key: Name
          Value: vSRX VPC
  VPCPubSub11:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PubSubnet1
      MapPublicIpOnLaunch: false #Can be removed not Necessary
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC Management Subnet 1
  VPCPubSub12:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PubSubnet2
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC Data Subnet 1
  VPCPriSub11:
    Type: 'AWS::EC2::Subnet'
    Properties:
      VpcId: !Ref vSRXVPC
      CidrBlock: !Ref PriSubnet1
      AvailabilityZone: !Select
        - '0'
        - !GetAZs ''
      Tags:
        - Key: Network
          Value: Private
        - Key: Name
          Value: vSRX VPC Private Subnet 1
  IGW:
    Type: 'AWS::EC2::InternetGateway'
    Properties:
      Tags:
        - Key: Name
          Value: vSRX VPC IGW
  IGWToInternet:
    Type: 'AWS::EC2::VPCGatewayAttachment'
    Properties:
      VpcId: !Ref vSRXVPC
      InternetGatewayId: !Ref IGW
  VPCPublicRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref vSRXVPC
      Tags:
        - Key: Network
          Value: Public
        - Key: Name
          Value: vSRX VPC
  VPCPublicRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref VPCPublicRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      GatewayId: !Ref IGW
  VPCPrivateRouteTable:
    Type: 'AWS::EC2::RouteTable'
    Properties:
      VpcId: !Ref vSRXVPC
      Tags:
        - Key: Network
          Value: Private
        - Key: Name
          Value: vSRX VPCPrivateRouteTable
  S3Endpoint:
    Type: 'AWS::EC2::VPCEndpoint'
    Properties:
      PolicyDocument:
        Version: 2012-10-17
        Statement:
          - Effect: Allow
            Principal: '*'
            Action:
              - 's3:*'
            Resource:
              - '*'
      RouteTableIds:
        - !Ref VPCPublicRouteTable
        - !Ref VPCPrivateRouteTable
      ServiceName: !Join
        - ''
        - - com.amazonaws.
          - !Ref 'AWS::Region'
          - .s3
      VpcId: !Ref vSRXVPC
  VPCPubSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPubSub11
      RouteTableId: !Ref VPCPublicRouteTable
  VPCPubSubnetRouteTableAssociation2:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPubSub12
      RouteTableId: !Ref VPCPublicRouteTable
  vSRXInterface11:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXManagementInterface1
      PrivateIpAddress: 200.0.254.154
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPubSub11
  vSRXInterface12:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXRevenueInterface1
      PrivateIpAddress: 200.0.1.11
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPubSub12
  vSRXInterface13:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXPrivateInterface1
      PrivateIpAddress: 200.0.2.22
      SourceDestCheck: false
      GroupSet:
        - !Ref VSRXSecurityGroup
      SubnetId: !Ref VPCPriSub11
  vSRXEip11:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: ManagementElasticIP
  vSRXEip12:
    Type: 'AWS::EC2::EIP'
    Properties:
      Domain: vpc
      Tags:
        - Key: Name
          Value: RevenueDataElasticIP
  AssociateEIP11:
    Type: 'AWS::EC2::EIPAssociation'
    Properties:
      AllocationId: !GetAtt
        - vSRXEip11
        - AllocationId
      NetworkInterfaceId: !Ref vSRXInterface11
  AssociateEIP12:
    Type: 'AWS::EC2::EIPAssociation'
    Properties:
      AllocationId: !GetAtt
        - vSRXEip12
        - AllocationId
      NetworkInterfaceId: !Ref vSRXInterface12
  VpcvSRXEC2Instance1:
    Type: 'AWS::EC2::Instance'
    Metadata:
      Comment1: Launch Juniper VSRX1
    Properties:
      # UserData:
      #   Fn::Base64:
      #     #!/bin/bash
      #     sleep 180
      #     configure
      #     set interfaces ge-0/0/0 unit 0 family inet address 200.0.1.11/24
      #     set interfaces ge-0/0/1 unit 0 family inet address 200.0.2.22/24
      #     set security zones security-zone untrust host-inbound-traffic system-services https
      #     set security zones security-z0one untrust host-inbound-traffic system-services ssh
      #     set security zones security-zone untrust host-inbound-traffic system-services http
      #     set security zones security-zone untrust host-inbound-traffic system-services ping
      #     set security zones security-zone untrust interfaces ge-0/0/0.0
      #     set security zones security-zone trust host-inbound-traffic system-services https
      #     set security zones security-zone trust host-inbound-traffic system-services ssh
      #     set security zones security-zone trust host-inbound-traffic system-services ping
      #     set security zones security-zone trust host-inbound-traffic system-services http
      #     set security zones security-zone trust interfaces ge-0/0/1.0
      #     set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match source-address any
      #     set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match destination-address any
      #     set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match application any
      #     set security policies from-zone untrust to-zone trust policy access-from-internet-to-server then permit
      #     set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match source-address any
      #     set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match destination-address any
      #     set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match application any
      #     set security policies from-zone trust to-zone untrust policy access-from-server-to-internet then permit
      #     set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT from zone untrust
      #     set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT to zone trust
      #     set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 match source-address 0.0.0.0/0
      #     set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 match destination-address 0.0.0.0/0
      #     set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 then source-nat interface
      #     set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT from zone trust
      #     set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT to zone untrust
      #     set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 match source-address 0.0.0.0/0
      #     set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 match destination-address 0.0.0.0/0
      #     set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 then source-nat interface
      #     set security nat destination pool DEST_NAT_TARGET_10_0_253_46 address 200.0.2.44/32
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT from interface ge-0/0/0.0
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-address 200.0.1.11/32
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 80
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 22
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 443
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 8080
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 9090
      #     set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 then destination-nat pool DEST_NAT_TARGET_10_0_253_46
      #     set routing-instances fwdd_vr instance-type virtual-router
      #     set routing-instances fwdd_vr interface ge-0/0/0.0
      #     set routing-instances fwdd_vr interface ge-0/0/1.0
      #     set routing-instances fwdd_vr routing-options static route 0.0.0.0/0 next-hop 200.0.1.1
      #     commit
      InstanceType: !FindInMap
        - vSRXInstance
        - !Ref VSRXType
        - Type
      KeyName: !Ref KeyName
      DisableApiTermination: !If
        - EnableTerm
        - true
        - false
      ImageId: !FindInMap
        - JunipervSRXAMI
        - !Ref 'AWS::Region'
        - byol
#https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-properties-ec2-network-iface-embedded.html
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref vSRXInterface11
          DeviceIndex: '0'
        - NetworkInterfaceId: !Ref vSRXInterface12
          DeviceIndex: '1'
        - NetworkInterfaceId: !Ref vSRXInterface13
          DeviceIndex: '2'
      Tags:
        - Key: Name
          Value: Juniper VSRX Instance
    DependsOn: IGW
  VPCPrivateRoute:
    Type: 'AWS::EC2::Route'
    Properties:
      RouteTableId: !Ref VPCPrivateRouteTable
      DestinationCidrBlock: 0.0.0.0/0
      NetworkInterfaceId: !Ref vSRXInterface13
  VPCPriSubnetRouteTableAssociation1:
    Type: 'AWS::EC2::SubnetRouteTableAssociation'
    Properties:
      SubnetId: !Ref VPCPriSub11
      RouteTableId: !Ref VPCPrivateRouteTable
  VSRXSecurityGroup:
    Type: 'AWS::EC2::SecurityGroup'
    Properties:
      GroupDescription: VSRX Security Group Rules
      VpcId: !Ref vSRXVPC
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 22
          ToPort: 22
          CidrIp: !Ref AllowedSshIpAddress
        - IpProtocol: icmp
          FromPort: 8
          ToPort: -1
          CidrIp: !Ref AllowedSshIpAddress
        - IpProtocol: tcp
          FromPort: 80
          ToPort: 80
          CidrIp: !Ref AllowedAddress
        - IpProtocol: tcp
          FromPort: 8080
          ToPort: 8080
          CidrIp: !Ref AllowedAddress
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: !Ref AllowedAddress
      SecurityGroupEgress:
        - IpProtocol: '-1'
          FromPort: 0
          ToPort: 65535
          CidrIp: 0.0.0.0/0
Outputs:
  VSRXInstanceId:
    Description: The name of the VSRX Instance created
    Value: !Ref VpcvSRXEC2Instance1
  VPCId:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXVPC
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'vSRXVPC' ] ]
  PublicSubnetId11:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPubSub11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPubSub11' ] ]
  PublicSubnetId12:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPubSub12
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPubSub12' ] ]
  PrivateSubnetId11:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VPCPriSub11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VPCPriSub11' ] ]
  VSRXSecurityGroup:
    Description: The name of the SubnetId of VPC created
    Value: !Ref VSRXSecurityGroup
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'VSRXSecurityGroup' ] ]
  VSRXIPAddress:
    Description: Management IP Address for VSRX
    Value: !GetAtt
      - VpcvSRXEC2Instance1
      - PublicIp
  ManagementIP:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXEip11
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'ManagementElasticIP' ] ]
  RevenueIP:
    Description: The name of the VPCID of VPC created
    Value: !Ref vSRXEip12
    Export:
      Name: !Join [ ':', [ !Ref 'AWS::StackName', 'RevenueDataElasticIP' ] ]

vsrx-policies.sh

# ssh -i "/mnt/c/Users/dell/Downloads/cftwest1.pem" ec2-user@13.57.70.243 < /mnt/e/Projects/install/cloudformation/ec2/vsrx-policies.sh
configure
set interfaces ge-0/0/0 unit 0 family inet address 200.0.1.11/24
set interfaces ge-0/0/1 unit 0 family inet address 200.0.2.22/24
set security zones security-zone untrust host-inbound-traffic system-services https
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust host-inbound-traffic system-services http
set security zones security-zone untrust host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust host-inbound-traffic system-services https
set security zones security-zone trust host-inbound-traffic system-services ssh
set security zones security-zone trust host-inbound-traffic system-services ping
set security zones security-zone trust host-inbound-traffic system-services http
set security zones security-zone trust interfaces ge-0/0/1.0
set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match source-address any
set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match destination-address any
set security policies from-zone untrust to-zone trust policy access-from-internet-to-server match application any
set security policies from-zone untrust to-zone trust policy access-from-internet-to-server then permit
set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match source-address any
set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match destination-address any
set security policies from-zone trust to-zone untrust policy access-from-server-to-internet match application any
set security policies from-zone trust to-zone untrust policy access-from-server-to-internet then permit
set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT from zone untrust
set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT to zone trust
set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 match source-address 0.0.0.0/0
set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 match destination-address 0.0.0.0/0
set security nat source rule-set UNTRUST_TO_TRUST_SOURCE_NAT rule U_TO_T_SOURCE_NAT_IPV4 then source-nat interface
set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT from zone trust
set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT to zone untrust
set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 match source-address 0.0.0.0/0
set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 match destination-address 0.0.0.0/0
set security nat source rule-set TRUST_TO_UNTRUST_SOURCE_NAT rule T_TO_U_SOURCE_NAT_IPV4 then source-nat interface
set security nat destination pool DEST_NAT_TARGET_10_0_253_46 address 200.0.2.44/32
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT from interface ge-0/0/0.0
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-address 200.0.1.11/32
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 80
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 22
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 443
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 8080
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 match destination-port 9090
set security nat destination rule-set INCOMING_ON_GE_0_DEST_NAT rule DEST_NAT_2_240 then destination-nat pool DEST_NAT_TARGET_10_0_253_46
set routing-instances fwdd_vr instance-type virtual-router
set routing-instances fwdd_vr interface ge-0/0/0.0
set routing-instances fwdd_vr interface ge-0/0/1.0
set routing-instances fwdd_vr routing-options static route 0.0.0.0/0 next-hop 200.0.1.1
commit

K2-SAAS.yml

AWSTemplateFormatVersion: 2010-09-09
Description: >-
  (K20001) - This template creates a Juniper vSRX instance along with Instance where
  Vulnerable application along with k2 agents is installed ***NOTE*** You must
  first subscribe to the appropriate Juniper VSRX marketplace AMI from the
  before you launch this template.
Parameters:
  ParentStackName:
    Description: Name of Parent Stack which is vSRX Stack Name as this cloudformation template will reuse some resources from vsrx stack like vpc, subnets.
    Default: vsrx #Configurable Section1
    Type: String
  KeyName:
    Description: Name of an existing EC2 KeyPair to enable SSH access to the instance
    Default: cft #Configurable Section2
    Type: AWS::EC2::KeyPair::KeyName
    ConstraintDescription: must be the name of an existing EC2 KeyPair.
############################ K2 Configuration #1 Starts Here  ############################
  InstanceType:
    Description: WebServer EC2 instance type
    Type: String
    Default: t2.medium
    AllowedValues: [t2.nano, t2.micro, t2.small, t2.medium, t2.large, t2.xlarge, t2.2xlarge,
      t3.nano, t3.micro, t3.small, t3.medium, t3.large, t3.xlarge, t3.2xlarge,
      m4.large, m4.xlarge, m4.2xlarge, m4.4xlarge, m4.10xlarge,
      m5.large, m5.xlarge, m5.2xlarge, m5.4xlarge,
      c5.large, c5.xlarge, c5.2xlarge, c5.4xlarge, c5.9xlarge,
      g3.8xlarge,
      r5.large, r5.xlarge, r5.2xlarge, r5.4xlarge,
      i3.xlarge, i3.2xlarge, i3.4xlarge, i3.8xlarge,
      d2.xlarge, d2.2xlarge, d2.4xlarge, d2.8xlarge]
    ConstraintDescription: must be a valid EC2 instance type.
  k2IsDocker:
    Type: String
    Default: "true" #Configurable Section2
    Description: If you want to install k2 agent in docker mode then set this parameter
                 to true otherwise if in non docker mode then set it to false.
    AllowedValues:
      ["true",
      "false"]
  k2CloudIP:
    Type: String
    Default: "k2io.net" #Configurable Section2 # Use In general "k2io.net"
    Description: Public IP of K2Cloud
  # k2IsPrivileged:
  #   Type: String
  #   Default: "false" #Configurable Section3
  #   Description: If you want to install k2 agent in privileged mode then set this parameter
  #                to true otherwise if in non privileged mode then set it to false.
  #   AllowedValues:
  #     ["true",
  #     "false"]
  k2VersionNumber:
    Type: String
    Default: "1.10.14" #Configurable Section4
    Description: Version of K2 agents
  k2CustomerId:
    Type: String
    Default: "910"
    Description: Provide your customer id as provided in k2 portal.
  k2TempToken:
    Type: String
    Default: "65470008664519211083609100231891391175" #Configurable Section5
    Description: Temp token to install k2 agents tarball.
############################ K2 Configuration #1 Ends Here ############################
Mappings:
  EC2AMI: #Configurable Section6
    us-east-1:
      AMIId: ami-0dd3922502962f0ae
    us-east-2:
      AMIId: ami-0dd3922502962f0ae
    us-west-2:
      AMIId: ami-b55a51cc
    us-west-1:
      #AMIId: ami-05db5717b629827c2
      AMIId: ami-0c09e97d0e404cb51
    eu-west-1:
      AMIId: ami-f1978897
    eu-central-1:
      AMIId: ami-0e258161
    ap-northeast-1:
      AMIId: ami-5c9a933b
    ap-southeast-1:
      AMIId: ami-cb981aa8
    ap-southeast-2:
      AMIId: ami-9a3322f9

Resources:
  vSRXInterface14:
    Type: 'AWS::EC2::NetworkInterface'
    Properties:
      Description: vSRXPrivateInterface1
      PrivateIpAddress: 200.0.2.44
      SourceDestCheck: false
      GroupSet:
        - Fn::ImportValue:
            !Join [':', [!Ref 'ParentStackName', 'VSRXSecurityGroup']]
      SubnetId:
        Fn::ImportValue:
          !Join [':', [!Ref 'ParentStackName', 'VPCPriSub11']]
  DemoInstance:
    Type: AWS::EC2::Instance
    Metadata:
############################ K2 Configuration #2 Starts Here  ############################
      AWS::CloudFormation::Init:
        configSets:
          ascending:
            - cfn_init_configuration
            - k2_install
            - k2_demo_app
        cfn_init_configuration:
          files:
             '/etc/cfn/cfn-hup.conf':
               content: !Sub |
                 [main]
                 stack=${AWS::StackId}
                 region=${AWS::Region}
                 interval=1
               mode: '000400'
               owner: root
               group: root
             '/lib/systemd/system/cfn-hup.service':
                content: |
                  [Unit]
                  Description=cfn-hup daemon
                  [Service]
                  Type=simple
                  ExecStart=/opt/aws/bin/cfn-hup
                  Restart=always
                  [Install]
                  WantedBy=multi-user.target
          commands:
            01enable_cfn_hup:
              command:
                systemctl enable cfn-hup.service
            02start_cfn_hup:
              command:
                systemctl start cfn-hup.service
        k2_install:
          files:
            /tmp/k2tmpinstall.sh:
              content: !Sub |
                #!/bin/bash
                sudo wget -O vm-all.zip '${k2CloudIP}/centralmanager/api/v1/help/installers/${k2VersionNumber}/download/${k2CustomerId}/${k2TempToken}/vm-all.zip?isDocker=${k2IsDocker}&groupName=PRODUCTION&agentDeploymentEnvironment=PRODUCTION&pullPolicyRequired=false'
                sudo unzip vm-all.zip
                sudo chown -R root:root k2install
                sudo chmod 755 k2install
                cd k2install
                sudo bash k2install.sh -i prevent-web
              mode: "000777"
              owner: "root"
              group: "root"
          commands:
            k2command:
              command: bash /tmp/k2tmpinstall.sh > /tmp/k2out.log 2>&1
              cwd: /tmp/
        k2_demo_app:
          commands:
            demoapp:
              command: docker run -v /opt/k2-ic:/opt/k2-ic -itd -p 8080:8080 -e JAVA_OPTS=" -javaagent:/opt/k2-ic/K2-JavaAgent-1.0.0-jar-with-dependencies.jar" --name k2-demo-application k2cyber/ic-test-application:single-container-application
              cwd: /tmp/
    Properties:
      NetworkInterfaces:
        - NetworkInterfaceId: !Ref vSRXInterface14
          DeviceIndex: '0'
      UserData:
        Fn::Base64: !Sub |
          #!/bin/bash
          # count=70
          # while [[ $count -ne 0 ]] ; do
          #       ping -c 1 8.8.8.8
          #       rc=$?
          #       if [[ $rc -eq 0 ]] ; then
          #         ((count = 1))
          #       fi
          #       ((count = count - 1))
          #       sleep 10
          # done
          # if [[ $rc -eq 0 ]] ; then
          #  echo `say The internet is back up.` > /tmp/connected.out
          # else
          #  echo `say Timeout.` > /tmp/timeout.out
          # fi
          distribution=`cat /etc/os-release | grep -w NAME | awk -F= '{print $2}' | tr -d '"'`
          if [[ -z $distribution ]]; then
            distribution=`cat /etc/*release | head -1 | awk -F' ' '{print $1}' | tr -d '"'`
            version_id=`cat /etc/*release | head -1 | awk -F' ' '{print $3}' | tr -d '"'`
          fi
          if [[ ($distribution == "Ubuntu") ]]; then
              apt-get update -y
              apt-get install -y python-setuptools
              apt-get install -y wget
              apt-get install -y unzip
          elif [[ (($distribution == "Fedora" ) || ($distribution == "CentOS Linux") || ( $distribution == "Red Hat Enterprise Linux Server") || ($distribution == "Red Hat Enterprise Linux") || ($distribution == "Amazon Linux") || ($distribution == "Amazon Linux AMI")) ]]; then
              yum update -y
              yum install -y python-setuptools
              yum install -y wget
              yum install -y unzip
          else
            echo "Didn't Update and not able to install prereqs"
          fi
          mkdir -p /opt/aws/bin
          wget https://s3.amazonaws.com/cloudformation-examples/aws-cfn-bootstrap-latest.tar.gz
          python -m easy_install --script-dir /opt/aws/bin aws-cfn-bootstrap-latest.tar.gz > /tmp/cfn-install.log 2>&1
          /opt/aws/bin/cfn-init -vvv --stack ${AWS::StackName} --resource DemoInstance -c ascending --region ${AWS::Region} > /tmp/cfn-init.log 2>&1
          /opt/aws/bin/cfn-signal -e $? --stack ${AWS::StackName} --resource DemoInstance --region ${AWS::Region} > /tmp/cfn-signal.log 2>&1
############################ K2 Configuration #2 Ends Here  ############################
# Below Parts will come from customer
      ImageId: !FindInMap
        - EC2AMI
        - !Ref 'AWS::Region'
        - AMIId
      InstanceType: !Ref 'InstanceType'
      KeyName: !Ref 'KeyName'
      BlockDeviceMappings:
      - DeviceName: "/dev/sda1"
        Ebs:
          VolumeType: "gp2"
          DeleteOnTermination: true
          VolumeSize: 200
      Tags:
        - Key: Name
          Value: K2Agent with Vulnerable Application

Outputs:
  InstanceId:
    Description: InstanceId of the newly created EC2 instance
    Value: !Ref 'DemoInstance'
  AZ:
    Description: Availability Zone of the newly created EC2 instance
    Value: !GetAtt [DemoInstance, AvailabilityZone]

Go through all the parameters and define their default values as per your setup or pass them in cloudformation command in VSRX.yml and K2-SAAS.yml
Provide AMIID in Mappings section as per region, you can only change one region also for your deployment.
Save the file as mentioned names.
Run them in below sequence
- VSRX.yml
- vsrx-policies.sh
- K2-SAAS.yml

Commands to run

Using AWS Console

Using AWS Cli For e.g.

aws cloudformation create-stack --region ${REGION_NAME} --stack-name ${PROVIDE_STACKNAME_HERE} --template-body file://${PROVIDE_TEMPLATE_NAME}

Example Command is below

aws cloudformation create-stack --region us-west-1 --stack-name k2-vSRX --template-body file://k2-vSRX.yml

Access the Vulnerable app through revenue data elastic ip of vsrx instance

End to End Verification

Generate an attack from the Vulnerable Application.

Link: http://<REVENUE_ELASTIC_IP>:8080

K2 Vulnerable Applications UI

K2M Firewall Blocked List On K2 UI: Settings → Firewall Integration → Blocked List Link: https://www.k2io.net/centralmanager/#!/app/settings/firewall

The attacker IP is detected and added to the blocked list, which can be viewed on K2 UI.

This IP list is regularly pulled by vSRX which enables the firewall to block any further requests to the application.

Link: Settings → Firewall Integration → Blocked List (https://www.k2io.net/centralmanager/#!/app/settings/firewall )

Visit the Vulnerable Application and it should not be accessible.
1. Note: The IP will be removed from the blocked list after 2 hours and if you wish you can remove it yourself.

PreviousvSRX + K2 SaaS NextSIEM

Last updated 4 years ago

Was this helpful?

hashtagGoal

hashtagPrerequisites

hashtagSteps

hashtagPart 1: K2 OnPrem Portal

hashtagPart 2: vSRX installation (This is a sample and you should use your own vSRX installation CFT)

hashtag Part 3: Installation of K2 agents on EC2 instances

hashtagPart 4 : Configure vSRX policies using K2Manager

hashtagStep 1 : Open Firewall Integration

hashtagStep 2 : Add a new Firewall Configuration Rule

hashtagAdd a new Firewall Configuration Rule

hashtagStep 3 : Add Blocking List Configurations

hashtagStep 4 : Add Allowed List Configurations​

hashtagComplete Template Example

hashtagEnd to End Verification

hashtagGenerate an attack from the Vulnerable Application.

hashtagLink: http://<REVENUE_ELASTIC_IP>:8080

hashtagK2 Vulnerable Applications UI

hashtagK2M Firewall Blocked List On K2 UI: Settings → Firewall Integration → Blocked List Link: https://www.k2io.net/centralmanager/#!/app/settings/firewallarrow-up-right

hashtagThe attacker IP is detected and added to the blocked list, which can be viewed on K2 UI.

Goal

Prerequisites

Steps

Part 1: K2 OnPrem Portal

Part 2: vSRX installation (This is a sample and you should use your own vSRX installation CFT)

Part 3: Installation of K2 agents on EC2 instances

Part 4 : Configure vSRX policies using K2Manager

Step 1 : Open Firewall Integration

Step 2 : Add a new Firewall Configuration Rule

Add a new Firewall Configuration Rule

Step 3 : Add Blocking List Configurations

Step 4 : Add Allowed List Configurations

Complete Template Example

End to End Verification

Generate an attack from the Vulnerable Application.

Link: http://<REVENUE_ELASTIC_IP>:8080

K2 Vulnerable Applications UI

K2M Firewall Blocked List On K2 UI: Settings → Firewall Integration → Blocked List Link: https://www.k2io.net/centralmanager/#!/app/settings/firewall

The attacker IP is detected and added to the blocked list, which can be viewed on K2 UI.