topic Re: dynamic access policy using "Identity Awareness" infrastructure in API / CLI Discussion

dynamic access policy using "Identity Awareness" infrastructure

Hans_van_den_Bo — Thu, 20 Oct 2016 06:38:54 GMT

I would like to accomplish the following;

Build a script that will poll a DNS server for a domain (www.example.com or microsoft.com)

And then use the response (host/user object) of the DNS server to update the security gateway firewall policy.

Preferrably I would like to give the ‘host/user object’ a timeout settings so it will dissapear from the policy automatically.

In order to accomplish the timeout feature my idea was to use the Identity Awareness functionality (the same infrastructure used when integrating with Active Directory and VMWare NSX).

The main reason for doing this is to build a dynamic policy based on DNS. So the firewall policy is periodically updated with the latest ip-addresses retreived from the DNS server.

I get quite some customers asking a more dynamic firewall policy. Our current domain objects are not suitable for this. And the new R80.10 feature will not provide this as well (as far as I understand now)

Perhaps the above can be used to accomplish this.

Is this possible using R80 and the REST API’s?

I've seen a "R80 dynamic DNS rule auto update" script. But I don't think this is using timeout settings and is only for 1 host object (ip-addres)

Re: dynamic access policy using "Identity Awareness" infrastructure

Quinn_Yost — Tue, 25 Oct 2016 17:42:12 GMT

You're certainly on the right track. I have a code snippet from a CheckPoint rep that may get you closer to what you're looking for.

# Do the work
url="https://"+fw_ip+"/_IA_MU_Agent/idasdk/add-identity"
print url
headers = {'Content-Type':'application/json'}
req=requests.post(url,json=object_list,headers=headers,verify=False)
print json.dumps(req.text,indent=4)

Similarly, the code also includes in a cleanup routine:

url="https://"+fw_ip+"/_IA_MU_Agent/idasdk/delete-identity"

There also appears to be a git repository that was working on pulling identity from several cloud providers and using the idaapi (look at checkpoint.py) to update the gateways.
GitHub - dana-at-cp/cpcloud: cpcloud is a convenience library, written in Python, that is useful for querying instance i…

Re: dynamic access policy using "Identity Awareness" infrastructure

Quinn_Yost — Fri, 28 Oct 2016 18:27:01 GMT

Since my initial comment, Dana Traversie has posted the following information about the git library on Exchange point.
Check Point Code Sample Template [1]