Cloudgenix Portal

Documentation:

Software-Defined WAN (SD-WAN) connects your sites and applications over any WAN transport with performance, security, compliance, and agility, managed with business-centric policies, enabling tomorrow’s WAN today.

CloudGenix Software-Defined WAN (SD-WAN) is the industry’s most complete solution for customers that want to build hybrid networks consisting of MPLS private WANs and commodity Internet connections for cloud application adoption, remote office high availability, application performance, and end-to-end visibility.

Powered by CloudGenix Instant-On Networks (ION) devices deployed in locations where visibility and control are desired, CloudGenix SD-WAN allows you to create policies based on business intent rather than a series of fragmented networking features, enables dynamic path selection using the highest performing network, and provides visibility into performance and availability for applications and networks.

A secure application fabric, AppFabric, is established amongst all ION devices, creating a virtual private network (VPN) over every WAN link.

Policies are defined that are aligned with your business intent that specify performance, compliance, and security rules for your applications and sites.

ION devices will automatically choose the best WAN path for your applications based on business policy and real-time analysis of the application performance metrics and WAN links.

FIGURE 1: CLOUDGENIX AUTOMATICALLY SELECTS THE BEST PATH ACCORDING TO POLICY, WAN HEALTH, AND APPLICATION TRANSACTION PERFORMANCE METRICS.

CloudGenix AppFabric gives you the freedom to incorporate any type of WAN into your branch office—including MPLS, broadband Internet, and cellular—allowing you to make connectivity decisions based on the price and performance demanded by each branch office and each application.

CloudGenix ION devices automatically establish secure connectivity amongst your sites and continually monitor the health and performance of WAN links and applications to dynamically choose the best-performing path.

When a problem arises, AppFabric will automatically self-heal and divert traffic to another appropriate path according to policies you define.

Features:

AppFabric is built using top-down policies that map applications, sites, and WAN links to requirements for performance, security, and compliance.

No need for complicated routing protocols or lengthy router configs.

AppFabric allows confident integration of apps regardless of where they reside—in your data center, in the cloud, or as software as a service (SaaS).

  • AppFabric makes sure your users get the best performance possible, and provides insight into how those apps and how your WAN links are performing to address problems when they arise.

AppFabric takes advantage of all allowed WAN paths for an application.

With multiple WAN links, AppFabric provides both high availability and load balancing, meaning WAN links aren’t sitting idle waiting for a failure to happen.

The CloudGenix SD-WAN solution provides a wealth of benefits for your business.

CloudGenix ION allows you to take advantage of a diverse set of WAN transports including MPLS, LTE, and broadband to build a secure, unified, high-performance, highly-available hybrid WAN for your enterprise.

  • With CloudGenix ION, WAN paths are dynamically selected based on policy and real-time performance measurement, while the configuration of complex routing protocols and fragmented networking features is virtually eliminated.
  • CloudGenix ION allows you to meet the performance and availability demands that are required when deploying cloud and SaaS applications, including remote office WAN high availability, bandwidth, and consistent latency.

With CloudGenix ION, the best path for your cloud and SaaS applications is used, including direct Internet connections, unburdening your private MPLS links while improving end-user performance.

CloudGenix ION can help reduce the number of devices required in remote offices by replacing routers and zone-based firewalls.

Any WAN link with an Ethernet connection can be connected directly to the CloudGenix ION; any WAN link with a non-Ethernet connection will require a modem or equipment from your provider to directly connect to the CloudGenix ION.

  • Along with reducing remote office hardware, management and operational costs are reduced.

CloudGenix allows you to configure policies for performance, compliance, and security based on business intent rather than low-level network characteristics.

By defining policies according to applications, sites, and networks, the risks of misconfiguration or misinterpretation commonly encountered when configuring routers and firewalls are avoided completely.

With CloudGenix ION, you can move closer to a software-defined enterprise.

  • CloudGenix ION allows you to take advantage of diverse WAN transports in the remote office and data center, including broadband and LTE.
  • By integrating these transports and defining application policies for performance, private MPLS links can be reserved for internal applications while Internet connections can be used for cloud and SaaS applications.

Further, Internet links can be used as primary or backup VPN connections between sites. With CloudGenix ION, your dependency on private MPLS WANs is reduced, creating an opportunity for substantial cost savings.

HOW DOES CLOUDGENIX SD-WAN WORK?

CloudGenix ION continually monitors the health and performance of your WAN links within each site and can be viewed within the CloudGenix cloud management portal.

With visibility into usage by WAN link type, overall link health, link-level statistics (bandwidth, loss, latency, jitter), top applications, and concurrent flows, you can quickly see how your WAN links are performing and glean actionable insights.

CloudGenix ION dissects application flows to measure key performance indicators for dynamic path selection and visibility into application performance.

  • CloudGenix provides visibility into the elements contributing to application response time, overall application throughput, quality and health, and transaction statistics.
  • Visibility into these metrics helps understand how applications are performing and identify the root cause of performance issues for data center and cloud applications alike, eliminating finger-pointing.
  • CloudGenix software defined WAN (SD-WAN) with AppFabric connects your sites securely with application awareness to seamlessly integrate cloud, take advantage of broadband Internet, align WAN management with business priority, and reduce remote office hardware and operational costs.
  • Download the Palo Alto Networks CloudGenix SD-WAN Overview Datasheet (PDF).

Created On 11/02/20 16:28 PM - Last Modified 12/04/20 08:13 AM.

What is Device Toolkit CloudGenix and how to access it?


  • The CloudGenix Device Toolkit provides a debugging interface to perform advanced troubleshooting of ION devices independent of the CloudGenix portal.


It is accessed through the Controller web interface or Secure Shell (SSH).

Administrators may use industry-standard tools such as tcpdump, ping, tcpping, traceroute, and curl to verify traffic flow, view detailed status of virtual private networks (VPNs), enable debug logging, and access a variety of other commands to perform detailed monitoring and troubleshooting of devices.

CloudGenix offers the ability to provide selective role-based access to the Device Toolkit.

CloudGenix devices with release version 5.2.1 and later support remote access to the Device Toolkit.

The following image outlines the steps for enabling the Device Toolkit.

Enabling Device Access

Before you can use the CloudGenix Device Toolkit, tenant-level or device-level access must be enabled and user roles defined through the CloudGenix Administrator Portal.

To enable access to the device from the portal:

1. From the User tab, select System Administration.
2. Click the Device Toolkit User Management tab.
3. Click Add Device User.

The Device Toolkit can be accessed from the device configuration page.

Step 1: Click Remote Access.

Click the icon with the three dots next to the device to open the menu.

Then, click Remote Access to log in to the Device Toolkit.

Step 2: Access Device Toolkit Commands.

Log in with your credentials to start accessing the Device Toolkit commands.

Upon successful authentication, a remote session will be established.

Additional Information

CloudGenix provides three levels of access to the device.

Control over the device increases with each level.

The levels of access are Monitor, Read Only, and Super.

The access role is per device, so an administrator may act as a Super user on one device and Read Only on another device.

Troubleshooting Guide

Created On 10/28/20 19:38 PM - Last Modified 12/04/20 08:13 AM.

How to claim a CloudGenix ION Device?

An ION device cannot download configurations from the controller or talk to other SD-WAN devices until the user claims the device.

When the ION device is claimed, a Customer Installed Certificate (CIC) is installed in the ION device.

Once the CIC is installed and the device is assigned to a site, the controller can push configuration to the device over a bi-directionally authenticated SSL connection.

The following are the steps for claiming a device:

Connect a controller port (or internet port) to a network that is enabled for DHCP.

You can also use the device toolkit to manually configure the IP for static IP addressing.


After internet connectivity is established, the CloudGenix controller validates the ION device MIC (Manufacturer Installed Certificate), which is stored in the TPM.

Within the CloudGenix portal, the device is displayed as being in an online-unclaimed state.

When the administrator claims the ION, another certificate, signed by the customer tenant CA, is installed on the device; this is the Customer Installed Certificate (CIC).

  • The ION reconnects to the controller using the CIC, which then permits it to be fully configured and to interact with the rest of the customer's network.
  • The device can then be assigned to a site for further configuration.

Additional Information

When you create the site at Check Point CloudGuard Connect, you must configure your branch office to route traffic through CloudGuard Connect on this site.

Check Point creates the back-end architecture for tunneling the traffic from the branch device to the Internet.

To enhance the service reliability, we recommend you to create and use two tunnels.

If you use IPsec tunnels, Check Point provides the tunnel addresses as FQDN domains.

  • If your branch device supports configuration of the tunnels as IP addresses, and not as FQDN domains, Check Point strongly recommends that you notify Check Point Support about your configuration.

For more information about how to open a support ticket for CloudGuard Connect, see sk154712.

To configure your branch device:

On the site thumbnail, click the Configure branch device button. The Instructions window opens.

From the top field, select your SD-WAN branch office device. Follow the instructions on the screen to get the IPsec configuration properties, pre-shared key, tunnel addresses, and the traffic routes.

Refer to the CloudGenix SD-WAN Help for additional information.

To enable security on your sites, you must log into the CloudGenix management web interface.

To configure CloudGenix on your SD-WAN Device, perform these steps:

1. Create and configure two IPsec tunnels for routing the traffic. See Creating an IPsec Profile.
2. Create a Service Group for the connection between the CloudGenix devices and the third-party integrations. See Creating a Service Group.
3. Assign the traffic to the site. See Assigning the IPsec Tunnels to the Site.
4. Test your configuration. See Testing your Configuration.

Check Point provides two IPsec tunnels for its cloud security service.

During a back-end upgrade, Check Point can reset one of these tunnels for a short period of time.

Therefore, to achieve an uptime of 99.999%, you must create two identical IPsec tunnels.

Give them the suffixes 1 and 2. In this Guide the tunnels are named Check-Point-tunnel-1 and Check-Point-tunnel-2.

To create the first WAN Edge IPsec tunnel:

From the CloudGenix SD-WAN User Interface, go to Policies > Stacked Policies.

Click IPSec Profiles.

  • In the IPsec Profile window, click Add IPsec Profile. The IPsec Profile page opens.
  • In the Info section, define a name and description.
  • In the IKE Group section, edit the IKE settings of the IPsec profile. Set these parameters:
    • Key Exchange must be set to IKEv2. IKEv1 is also supported.
    • DH Group must be set to MODP-1024.
    • Encryption must be set to SHA-1.
    • Hash must be set to PSK.
    • DPD must be enabled.
    • IKE shared secret must be set to the pre-shared key that you defined at the Check Point Infinity Portal.
  • In the Authentication section, edit the authentication settings:
    • Type must be set to PSK.
    • Secret: Enter the pre-shared key of the Check Point Site that you copied in the previous steps. See Creating a New Site.
    • Local ID Type must be set to Interface IP Address.

Review the IPsec Profile Configuration Settings.

Click Save & Exit.

A Service Group is a set of tags and labels that represent the integration with Check Point. The user can observe the connection between the CloudGenix devices and the third-party integrations.

Service Group will include two Check Point tunnels.

See Creating a New Site.

To create a WAN Edge Upsurge Service Group:

1. From the CloudGenix Central SD-WAN User Interface, go to Policies > Stacked Policies > Service & DC Groups.
2. Go to Groups tab > Endpoints. In the Endpoints window, change the settings from CloudGenix to 3rd Party.
3. Click Add Endpoint to create a tag for the first tunnel:
   • Name must be an alias for this tunnel. In this case, Check-Point-tunnel-1.
   • Admin Up must be checked.
4. Click Add Endpoint to create a tag for the second tunnel:
   • Name must be an alias for this tunnel. In this case, Check-Point-tunnel-2.
   • Admin Up must be checked.
5. Click Save & Exit.
6. Go to Policies > Groups > Domains and click (+) Add to add a new Domain.

Note - DomainName must be an alias for the Site (in this case, the Name is Check Point).

  • Go to Sites tab > Domain column. From the drop-down list, select the correct Domain for your device.
  • Note - For the purpose of this Guide, the Preset Domain is used.
  • Complete your CloudGuard Connect configuration and assign both Check Point IPsec tunnels to the Site.

To configure the branch office device interface:

1. From the CloudGenix User Interface, go to Map.
2. Locate your device on the map and click on the selected device.
3. Go to Interface Config > Create a New Interface.
4. Add the two created Check Point IPsec tunnels: click the [+] icon, select 3rd Party VPN and click Add. The Tunnel Configuration page opens.
5. Configure these settings:
   • Name must be an alias for this tunnel. In this case, Check-Point-tunnel-1.
   • Admin Up must be checked.
   • Parent Interface must be set to the outbound interface.
   • Inner Tunnel IP / Address Mask must be set to an internal IP behind your device that you must allocate for the tunnel.
   • Endpoint must be set to the Endpoint that represents the tunnel defined in the previous step. In this case, Check-Point-tunnel-1.
   • Peer Hostname must be set to the destination of the first Check Point tunnel that you copied from the previous steps.
   • Peer IP must remain empty.
   • IPSec Profile must be set to the value defined in the first step. See Creating an IPSec Profile.
6. Click Create 3rd Party VPN. If the tunnel was created successfully, you will be informed by an indication in the top-right corner of the page.

Repeat the steps above (as done for Check-Point-tunnel-1) to create the second IPsec tunnel.

Note - Name must be an alias for this tunnel. In this case, Check-Point-tunnel-2.

Click Create 3rd Party VPN. If the tunnel was created successfully, you will be informed by an indication in the top-right corner of the page.

Click Cancel to go back to the interfaces configuration.

To test the CloudGuard configuration, you must check its activity on your branch office device. After that, go to the Check Point Infinity Portal and monitor Cybersecurity Events. See Monitoring Cybersecurity Events.

To test the CloudGuard configuration:

1. Route the traffic from your Site to the Internet.
2. From the CloudGenix SD-WAN User Interface, go to Activity.
3. Make sure that the Check-Point-tunnel-1 and Check-Point-tunnel-2 tunnels are up. They must show the amount of traffic that is sent and received.
4. Now you can monitor the Cybersecurity Events on the Check Point Infinity Portal. See Monitoring Cybersecurity Events.

  • resp_object: CloudGenix Extended requests.Response object.
  • raw: Optional. If True, return list of dicts (raw error messages). Default False.

Returns: text_type error message, or list of dicts (if raw=True). None if no errors.

Parse API response object, return text for printing on warning in response.

Parameters:

  • resp_object: CloudGenix Extended requests.Response object.
  • raw: Optional. If True, return list of dicts (raw warning messages). Default False.

Returns: text_type warning message, or list of dicts (if raw=True). None if no warnings.

Permanently remove a single header from session

Parameters:

  • header: str of single header to remove

Returns: Mutates requests.Session() object, no return.

def reparse_login_cookie_after_region_update(self, login_response)

Sometimes, the login cookie gets sent with region info instead of api.cloudgenix.com. This function re-parses the original login request and applies cookies to the session if they now match the new region.

Parameters:

  • login_response: requests.Response from a non-region login.

Returns: updates API() object directly, no return.

def rest_call(self, url, method, data=None, sensitive=False, timeout=None, content_json=True, raw_msgs=False, retry=None, max_retry=None, retry_sleep=None)

Generic REST call worker function

Parameters:

  • url: URL for the REST call
  • method: METHOD for the REST call
  • data: Optional DATA for the call (for POST/PUT/etc.)
  • sensitive: Flag if content request/response should be hidden from logging functions
  • timeout: Requests Timeout
  • content_json: Bool on whether the Content-Type header should be set to application/json
  • raw_msgs: True/False, if True, do not convert API sideband messages (warnings, errors) to text.
  • retry: DEPRECATED - please use modify_rest_retry instead.
  • max_retry: DEPRECATED - please use modify_rest_retry instead.
  • retry_sleep: DEPRECATED - please use modify_rest_retry instead.

Returns: Requests.Response object, extended with:

  • cgx_status: Bool, True if a successful CloudGenix response, False if error.
  • cgx_content: Content of the response, guaranteed to be in Dict format. Empty/invalid responses will be converted to a Dict response.
  • cgx_errors: Text error messages if any are present. None if none. List if raw_msgs is True.
  • cgx_warnings: Text warning messages if any are present. None if none. List if raw_msgs is True.
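The four cgx_* fields above are the part of rest_call that callers actually branch on, so here is an added example (not the SDK's own code) that reproduces that extension on a constructed stand-in for requests.Response; it assumes the API carries its sideband messages under `_error` and `_warning` keys, which is an assumption the page does not state.

```python
import json
from types import SimpleNamespace

# Assumed sideband keys; the page only says the API returns "sideband messages".
ERROR_KEY = "_error"
WARNING_KEY = "_warning"


def make_response(status_code, body):
    """Constructed stand-in for requests.Response with only the attributes used here."""
    return SimpleNamespace(status_code=status_code, text=body)


def _messages_to_text(messages):
    """Flatten a list of {'code': .., 'message': ..} dicts into one printable string."""
    return "\n".join(
        "{0}: {1}".format(m.get("code", "UNKNOWN"), m.get("message", ""))
        for m in messages
    )


def _as_list(value):
    """Sideband entries may be a single dict or a list; normalise to a list of dicts."""
    if value is None:
        return []
    if isinstance(value, dict):
        return [value]
    return [m for m in value if isinstance(m, dict)]


def extend_response(resp, raw_msgs=False):
    """Attach cgx_status, cgx_content, cgx_errors and cgx_warnings to resp.

    Mirrors the four fields the rest_call docs list: content is always a dict
    (empty or non-JSON bodies become {}), status is True only for a 2xx reply
    that carries no error messages, and messages are text unless raw_msgs.
    """
    try:
        content = json.loads(resp.text) if resp.text else {}
    except ValueError:  # json.JSONDecodeError is a ValueError subclass
        content = {}
    if not isinstance(content, dict):
        content = {}
    resp.cgx_content = content

    errors = _as_list(content.get(ERROR_KEY))
    warnings = _as_list(content.get(WARNING_KEY))
    resp.cgx_errors = (errors if raw_msgs else _messages_to_text(errors)) if errors else None
    resp.cgx_warnings = (warnings if raw_msgs else _messages_to_text(warnings)) if warnings else None
    resp.cgx_status = 200 <= resp.status_code < 300 and not errors
    return resp


if __name__ == "__main__":
    # Constructed sample: a 2xx reply that still carries a warning.
    r = extend_response(make_response(200, '{"id": "1", "_warning": [{"code": "DEPRECATED", "message": "old field"}]}'))
    print(r.cgx_status, r.cgx_warnings)
    # Constructed sample: a non-JSON body from an intermediary gateway.
    print(extend_response(make_response(502, "<html>bad gateway</html>")).cgx_content)
```

Because cgx_content is never None, callers can read content keys without guarding against a gateway error page or an empty body first.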

def set_debug(self, debuglevel, set_format=None, set_handler=None)

Change the debug level of the API

Parameters:

  • set_format: Optional. If set and text_type, use input for formatter. Otherwise, default formatter.
  • set_handler: Optional. If set and logging.Handler type, use input for handler. Otherwise, default logging.StreamHandler()

Returns: No item returned.

Modify ssl verification settings

Parameters:

  • ssl_verify:
    • True: Verify using builtin BYTE_CA_BUNDLE.
    • False: No SSL Verification.
    • Str: Full path to a x509 PEM CA File or bundle.

Returns: Mutates API object in place, no return.

def throw_error(message, resp=None, cr=True, exception=)

Non-recoverable error, write message to STDERR and raise exception

Parameters:

  • message: Message text
  • resp: Optional - CloudGenix SDK Response object
  • cr: Optional - Use (or not) Carriage Returns.
  • exception: Optional - Custom Exception to throw, otherwise uses CloudGenixAPIError

Returns: No Return, throws exception.

Recoverable Warning.

Parameters:

  • message: Message text
  • resp: Optional - CloudGenix SDK Response object
  • cr: Optional - Use (or not) Carriage Returns.

Returns: No Return.

Update the controller string with dynamic region info. Controller string should end up as ..cloudgenix.com

Parameters:

  • region: region string.

Returns: No return value, mutates the controller in the class namespace

URL Decode function using REGEX

Parameters:

  • url: URLENCODED text string

Returns: Non URLENCODED string

View current cookies in the requests.Session() object

Returns: List of Dicts, one cookie per Dict.

View current headers in the requests.Session() object

Returns: Dict, Key header, value is header value.

View current rest retry settings in the requests.Session() object

Parameters:

  • url: URL to use to determine retry methods for. Defaults to 'https://'

Returns: Dict, Key header, value is header value.

Permanently add/overwrite headers to the API() WebSocket object (Python 3.6+ Only)

Parameters:

  • headers: dict with header/value

Returns: Mutates API() object, no return.

Generic WebSocket worker function, automatically uses authentication from cloudgenix.API() session.

Parameters:

  • url: URL for the REST call
  • Any other websocket.client.Connect argument or keyword argument (see NOTE: below)

Returns: websocket.client.Connect object.

NOTE: Any websocket.client.Connect supported argument or keyword argument will be accepted, and will be passed to the underlying Connect() request. ssl and extra_header keyword arguments will override the SDK auto-generated cookies/headers and SSL contexts used for authentication. For more info on available options, see https://websockets.readthedocs.io/en/stable/api.html#websockets.client.connect

Permanently remove a single header from the API() WebSocket object (Python 3.6+ Only)

Parameters:

  • header: str of single header to remove

Returns: Mutates API() object, no return.

View current headers in the API() WebSocket object (Python 3.6+ Only)

Returns: Dict, Key header, value is header value.


var delete

var get

var interactive

API object link to cloudgenix.interactive.Interactive

var patch

var post

var put

var update_info_url

var version

class CloudGenixAPIError

Ancestors:

  • builtins.Exception
  • builtins.BaseException
  • builtins.object


var args


CloudGenix Explicit CA Certificate Bundle for API calls (CA Pinning).

Author: CloudGenix

Copyright: (c) 2017-2021 CloudGenix, Inc

License: MIT

CloudGenix Python SDK - DELETE

CloudGenix Python SDK - GET

CloudGenix Python Interactive SDK Helper functions

CloudGenix Python SDK - PATCH

CloudGenix Python SDK - POST

CloudGenix Python SDK - PUT

CloudGenix Python SDK - WebSocket Functions