This document outlines how to apply Cloudguard Workload protection to an Azure Function in a CI/CD pipeline. The feature being installed is call FSP or Function Self Protect. This is for demonstration purposes only. Here is a logical diagram of the Azure Function:
This function is deployed through Github Actions. That being said, it can be deployed using any CI/CD tool. All of the instructions for the CI/CD pipeline are stored in the build.yml. From a high level this is what the build pipeline does:
- Configure Runner Environment
- Set up Azure Resource Group, Storage Container and Function App
- Apply Cloudguard FSP (Function Self Protect
Get started by forking this repository!
In order to run this demo, you need the following:
Github Account
Azure Account
Check Point Cloud Security Posture Management Account
To run the activity.py script, you must also have Python3.
Ensur Azure Serverless Protection is enabled on Check Point Cloud Security Posture Management
Create an App Registration in Azure. As this will be used multiple times, please note the following:
- Application (client) ID
- Directory (tenant) ID
- Secret
- Subscription ID
Ensure that you give this app registration "Contributor" permission.
First go to Settings > Secrets and populate the secrets:
CG_TOKEN - Note: This must be in the format DOME9_API_KEY:DOME_API_SECRET
AZURE_SUBSCRIPTION_ID
AZURE_TENANT_ID
AZURE_CLIENT_ID
AZURE_CLIENT_SECRET
AZ_RG - This is the name of the resource group to be created
AZ_LOCATION - Azure Region. EG: West US 2
STORAGE_NAME - Name of your storage container
APP_NAME - App name. This must be unique
Note: Standard naming for Azure rules apply.
Second, select the "Actions" tab and enable workflows.
To deploy this function to Azure, modify the _build_flag and commit the changes. This kicks off the Github Action pipeline. Once the build is finished, you will then see it in Check Point CSPM
Depending on when you build your function in relation to the sync interval it may take some time for the information to appear. If you would like to force this synchronization, you can run the following command:
curl -X POST https://api.dome9.com/v2/AzureCloudAccount/<CLOUDGUARD_ID_FOR_AZURE>/SyncNow --basic -u <DOME9_API_KEY>:<DOME_SECRET> -H 'Accept: application/json'
Open Check Point CSPM and navigate to the "Serverless" option. Select "Serverless Assets" and click on the function you created. This is what you will see:
First, grab the URL of your function.
To test the function, navigate back to the /scripts directory and run activity.py.
λ python scripts\activity.py
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 1
b'Hello, Cloudguard Workload. This HTTP triggered function executed successfully.'
You can also test putting in malicious input. Here is an example:
λ python scripts\activity.py
Target: <APP URL>
Select 1 for Bening Input and 2 for Malicious Input: 2
b'This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response.'
At this point, since this product is still in EA, it only has detection capabilities. Blocking capabilities are comming soon!
To delete the environment, modify the _destroy_flag and commit the changes. This will delete everything that was created.