Employee+

IP List Enforcement using Identity API

Create Identities from an IP list (like this) and enforce based on your rule base configuration. Using the Identity API will provide IP list updates without having to install policy each time an IP is added to the list. The created identities will be stored inside Access Role objects. The main use cases for this are IP black-listing / white-listing, and it is a great alternative to using fw sam.

Requirements:

- Identity Web API enabled on gateway (More on that HERE)

- Access Role Object in rule base and policy installed to gateway

[Screenshot: Example Rule With Access Role Object]

[Screenshot: Running The Python Script]

[Screenshot: PDP Table (Identity Table) Entry On the Enforcing Gateway]
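The script itself is not reproduced on the page, so here is an added Python example (not the poster's code) of the workflow described above: parse an IP list, turn every address into a machine identity that carries the Access Role name, and post one batched add-identity call to the gateway's Identity Web API. The endpoint path, the JSON field names, the role name, the shared secret and the sample addresses are assumptions for illustration, not values taken from the thread.

```python
import ipaddress
import json
import ssl
import urllib.request

SAMPLE_LIST = """# blocklist.txt (constructed sample, one address per line)
192.0.2.10
bogus-line   # junk must be skipped, not abort the whole batch
192.0.2.10   # duplicate, sent only once
198.51.100.7
"""

def parse_ip_list(text):
    """Return the valid IPv4/IPv6 addresses in text, in order, without duplicates."""
    seen, ips = set(), []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()
        if not token:
            continue
        try:
            ip = str(ipaddress.ip_address(token))
        except ValueError:
            continue
        if ip not in seen:
            seen.add(ip)
            ips.append(ip)
    return ips

def build_batch(ips, role, shared_secret, session_timeout=3600, source="ip-list-script"):
    """Batched add-identity body: each IP becomes a machine identity carrying the Access Role (field names assumed)."""
    return {
        "shared-secret": shared_secret,
        "requests": [
            {
                "ip-address": ip,
                "machine": f"blocklist-{ip}",
                "roles": [role],
                "identity-source": source,  # visible in the SmartConsole log entry
                "session-timeout": session_timeout,  # identity expires unless refreshed
            }
            for ip in ips
        ],
    }

def push_batch(gateway, batch, ca_bundle=None):
    """POST the batch to the gateway's Identity Web API (assumed endpoint path)."""
    req = urllib.request.Request(f"https://{gateway}/_IA_API/v1.0/add-identity",
        data=json.dumps(batch).encode(), headers={"Content-Type": "application/json"})
    ctx = ssl.create_default_context(cafile=ca_bundle)  # verify the gateway certificate
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)
```

Re-running the script on a schedule keeps the identities alive past `session-timeout`, so an address drops out of enforcement simply by being removed from the list.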

3 Replies
Admin

Re: IP List Enforcement using Identity API

Another way to skin the cat :)

Note this is *probably* only relevant on R77.30 and above, based on the fact you're talking about the IDA API

Employee+

Re: IP List Enforcement using Identity API

Correct! There are about 5+ ways I can imagine to do this same function. I have alternate versions that use 'fw sam', 'fw samp', 'run-script', etc. I like the ID API best because you don't need to install policy when you change IPs in the list. The logging is also good because you can specify details in your identity when you create it, and they will show in the log in SmartConsole.

Tim_Koopman
Nickel

Re: IP List Enforcement using Identity API

Nice work.

I see you had the same idea as me. I already use IA for blocking Tor IPs.

psCheckPoint/Examples/Tor_IA at master · tkoopman/psCheckPoint · GitHub
