topic Re: How do I turn on IA from mgmt_cli? in API / CLI Discussion

How do I turn on IA from mgmt_cli?

Greg_Harewood — Wed, 19 Aug 2020 22:45:13 GMT

Hi,

--> How do I turn on IA from mgmt_cli?

Actually my question is really more general. The gw object contains a field identityAwareBlade, which when used contains an owned object. Within that is a field identityAwareBladeInstalled with a simple string value to say whether it is turned on.

If you have enabled and disabled the blade, then the object is in place and the blade can be flipped with the identityAwareBladeInstalled field. If it's never been turned on, then the owned object is not present.

So my question is really more general than IA. It is:

--> How do you create a single owned object?

I know how to create an owned object in an array - this is well documented for adding interfaces:

set generic-object uid FWUID interfaces.add.create "com.checkpoint.objects.classes.dummy.CpmiClusterInterface" \
interfaces.add.owned-object.netmask "255.255.255.0" \
interfaces.add.owned-object.ipaddr 22.22.22.22

But in this case there is no array. I also cannot even try the same syntax because fishing inside the identityAwareBlade field in a working IA installation does not reveal an object class, which would be required to experiment with the above syntax. There is an objectclass in dbedit but that's not very useful as there is some guesswork in translating between the two.

So I'm stuck. Any help would be appreciated! Thanks!

(Follow-on question... is there a table of object schema anywhere?)

Re: How do I turn on IA from mgmt_cli?

PhoneBoy — Wed, 19 Aug 2020 23:46:03 GMT

This might have to be done with dbedit itself, though I'm not sure of the syntax there either.
Paging @Omer_Kleinstern

Re: How do I turn on IA from mgmt_cli?

Uriel_F — Thu, 20 Aug 2020 07:54:45 GMT

I wouldn't recommend turning on the Identity Awareness blade using the generic API.

Even if we got exactly all the changes that are done in the DB on the GW object, there are other logics that are executed during the enablement of this blade which are not straight forward, and require some thorough investigation to get correctly.

Providing a formal API to enable and configure this blade is on our roadmap, and should be available in future versions, however I can't say exactly when at the moment

Re: How do I turn on IA from mgmt_cli?

Greg_Harewood — Thu, 20 Aug 2020 09:15:33 GMT

So I've got as far as...

set generic-object uid FWUID identityAwareBlade.create "com.checkpoint.objects.classes....identityAwareBlade??" \
identityAwareBlade.identityAwareBladeInstalled INSTALLED

This gets me forward a little, having found the syntax for adding a single owned object not in an array. But I still need the object class name.

@Uriel_F - I appreciate your looking at your caution. What I didn't say is that I got a start on this from Yevgeniy Yeryomin who gave me a relevant ansible runbook that he's used before. He's either not worried about side effects for our application, or the engine that processes the ansible runbook is doing some other magic that I need to get to the bottom of. In any case the relevant section is...

## Step 10: Modify gateway object, IDA blade parameters
- name: "Modify gateway object, IDA blade parameters"
  check_point_mgmt:
    command: set-generic-object
    parameters:
      uid: "{{ gwuid }}"
      identityAwareBlade:
        identityAwareBladeInstalled: "INSTALLED"
        enableIdaApi: "true"
        shareIdentitiesWithOtherGateways: "false"
        enableOtherGateways: "false"
        iaMaxAuthenticatedUsers: "70000"
        iaMaxEnforcedIdentities: "70000"
        cccMaxMsgSize: "65535"
        publishMethod: "PUSH"

There's a bit more to it but you can see that for our application we are going to have a very simple configuration that relies only on a pdp/pep share from another gateway, which is possibly why we can get away with enabling it this way.

Please help me with the object class so that I can convert the script. I'm not sure what magic ansible is pulling not to need to know it, but mgmt_cli and web_api both seem to need it and cannot magically guess what kind of object goes in here.

Re: How do I turn on IA from mgmt_cli?

Greg_Harewood — Mon, 24 Aug 2020 10:10:11 GMT

So the answer is...

cat > dbEdit.tmp <<EOF modify network_objects ${GWNAME} identity_aware_blade identity_aware_blade modify network_objects ${GWNAME} identity_aware_blade:identity_aware_blade_installed installed update_all EOF dbedit -s ${DOMAINIP} -u "${SCRIPTUSER}" -p "${SCRIPTPASS}" -f dbEdit.tmp

It requires side effects and dbedit seems to be the one supported scripting choice that already includes the correct side effects when enabling IA.

Re: How do I turn on IA from mgmt_cli?

Harald_Hansen — Wed, 25 Aug 2021 17:04:58 GMT

Any update on the formal API implementation? I checked R81.10 and didn't find any IA feature here either.

Is it possible to share the API roadmap? It would at least temper expectations.

Re: How do I turn on IA from mgmt_cli?

StuartGreen — Tue, 21 Sep 2021 09:05:27 GMT

Hi all,

I've followed some of the tips here and with a little trial and error, got IA enabled using only the API. Usual disclaimer applies when using the generic object approaches of course, but this works and is consistent when applied automatically. This is an excerpt from a larger Ansible playbook - but the general flow is:

- Get the UID of the gateway you're enabling IA on (in this case, it's a VS).

- Create a localhost object with the IP of 127.0.0.1

- Capture the UID for this (or look up the UID of an object if one exists)

- Set the IA properties on the gateway with its UID, observing the proper formatting and schema structure. In this instance, I used the web API because it will accept JSON formatted data which is a lot easier to interpret than the mgmt_cli something.1 format (for me, at least).

- name: Create localhost object for IDA whitelist hosts: chkpmds gather_facts: no connection: httpapi vars: ansible_ssh_user: ansible_ssh_pass: ansible_ssh_common_args: tasks: - name: Create cloudguard_local object check_point.mgmt.cp_mgmt_host: auto_publish_session: true name: cloudguard_local ipv4_address: 127.0.0.1 state: present - name: Configure Identity Awareness gather_facts: no hosts: chkpmds connection: httpapi vars: ansible_ssh_user: ansible_ssh_pass: tasks: - name: get localhost object UID check_point.mgmt.cp_mgmt_host_facts: name: cloudguard_local - name: get FW obj UID check_point.mgmt.checkpoint_object_facts: object_filter: "{{ vs_name }}" - name: UID for VS_1 ansible.builtin.debug: var: ansible_facts.checkpoint_objects.objects.0.uid verbosity: 2 - name: UID for localhost obj ansible.builtin.debug: var: ansible_facts.host.uid verbosity: 2 - name: Set properties of IA object uri: url: https://[mgmt IP]/web_api/v1.7/set-generic-object method: POST body_format: json headers: X-chkp-sid: "{{ login_token_details.json.sid }}" validate_certs: no body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"create":"com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade","owned-object":{"idaApiSettings":{"idaApiClientVerificationSettings":[]},"enableIdaApi":"True","idcSettings":[],"isCollectingIdentities":"True","identityAwareBladeInstalled":"INSTALLED"}}}' - name: Set properties of IA object uri: url: https://[mgmt IP]/web_api/v1.7/set-generic-object method: POST body_format: json headers: X-chkp-sid: "{{ login_token_details.json.sid }}" validate_certs: no body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"idaApiSettings":{"idaApiClientVerificationSettings":[{"create":"com.checkpoint.objects.identity_awareness_classes.dummy.CpmiIdentityAwareClientVerificationEntry","owned-object":{"preSharedSecret":"sausage123","whiteListClient":"{{ ansible_facts.host.uid }}"}}]}}}'

This gets the settings added to the object, then you need to install policy (or for a VS, make a dummy change via vsx_provisioning_tool to 'push' the config).

Re: How do I turn on IA from mgmt_cli?

PhoneBoy — Tue, 21 Sep 2021 16:08:36 GMT

Wow, nicely done!

Re: How do I turn on IA from mgmt_cli?

Tomer_Noy — Wed, 22 Sep 2021 05:10:53 GMT

Just updating that we are planning to include official Identity Awareness Management APIs to the gateway / cluster object in the upcoming R81.20.

You are more than welcome to join the EA to try it out, or reach out to @Alon_Alapi for more info.