Employee+

IP List Enforcement using Identity API

Create identities from an IP list (like this) and enforce them through your rule base configuration. Using the Identity API pushes IP list updates to the gateway without having to install policy each time an IP is added to the list. The created identities are stored inside Access Role objects. The main use case for this is IP black-listing / white-listing, and it is a great alternative to using fw sam.

Requirements:

- Identity Web API enabled on gateway (More on that HERE)

- Access Role object in the rule base, with policy installed on the gateway

[Screenshot: Example Rule With Access Role Object]

[Screenshot: Running The Python Script]

[Screenshot: PDP Table (Identity Table) Entry On the Enforcing Gateway]
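The Python script itself is not reproduced on this page. What follows is an added example, not the original poster's script and not Check Point code, that does the same job: read a plain-text IP list, turn it into bulk add-identity / delete-identity bodies for the Identity Web API, and POST them to the gateway. The endpoint path `/_IA_API/v1.0/<command>`, the JSON field names (`shared-secret`, `ip-address`, `user`, `roles`, `session-timeout`) and the bulk `requests` array are taken from Check Point's Identity Web API reference as I know it; the gateway name, shared secret and role name are placeholders, and the IP list is a constructed sample. Check the field names against the API reference for your release before relying on them.

```python
"""Build Identity Web API requests from a plain-text IP list.

Assumptions (not from the original post): the gateway exposes the Identity
Web API at https://<gateway>/_IA_API/v1.0/<command> and accepts the JSON
fields shown here (shared-secret, ip-address, user, roles, session-timeout,
plus a "requests" array for bulk calls). Verify against your release's docs.
"""
import ipaddress
import json
import ssl
import urllib.request

GATEWAY = "gw.example.internal"   # placeholder: the enforcing gateway (PDP)
SHARED_SECRET = "REPLACE_ME"      # placeholder: the secret configured for the Web API client
ROLE = "Blacklist"                # must match the Access Role object used in the rule
SESSION_TIMEOUT = 3600            # seconds; the identity ages out unless re-pushed

# Constructed sample list: one entry per line, '#' comments, a duplicate,
# an invalid entry, a CIDR (expanded to hosts) and an IPv6 address.
SAMPLE_LIST = """\
# constructed sample blocklist
203.0.113.10
203.0.113.10          # duplicate, kept once
198.51.100.0/30       # expanded to its usable hosts
not-an-ip             # skipped
2001:db8::1
"""


def parse_ip_list(text, max_expand=256):
    """Return the unique host addresses in *text*, in first-seen order.

    Invalid entries are skipped. CIDR blocks are expanded into single hosts
    (the API identifies one IP per identity), but only up to *max_expand*
    addresses, so a typo such as 0.0.0.0/0 cannot become millions of identities.
    """
    seen, hosts = set(), []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # not an IP or CIDR; ignore the line
        if net.num_addresses > max_expand:
            raise ValueError(f"{entry} covers {net.num_addresses} addresses (limit {max_expand})")
        candidates = [net.network_address] if net.num_addresses == 1 else list(net.hosts())
        for addr in candidates:
            s = str(addr)
            if s not in seen:
                seen.add(s)
                hosts.append(s)
    return hosts


def build_add_identity(hosts, role=ROLE, timeout=SESSION_TIMEOUT, secret=SHARED_SECRET):
    """Bulk add-identity body: one request per host, all tagged with *role*.

    The "user" value is free text and is what appears in the log's identity
    column, so it doubles as a label for why the IP was listed.
    """
    return {
        "shared-secret": secret,
        "requests": [
            {
                "ip-address": ip,
                "user": f"blocklist-{ip}",
                "roles": [role],
                "session-timeout": timeout,
            }
            for ip in hosts
        ],
    }


def build_delete_identity(hosts, secret=SHARED_SECRET):
    """Bulk delete-identity body for IPs removed from the list."""
    return {"shared-secret": secret, "requests": [{"ip-address": ip} for ip in hosts]}


def post(command, body, gateway=GATEWAY, verify=True):
    """POST *body* to https://<gateway>/_IA_API/v1.0/<command>; return the parsed reply."""
    ctx = ssl.create_default_context()
    if not verify:  # lab gateways with self-signed certificates only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    req = urllib.request.Request(
        f"https://{gateway}/_IA_API/v1.0/{command}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    hosts = parse_ip_list(SAMPLE_LIST)
    print(json.dumps(build_add_identity(hosts), indent=2))
    # Against a real gateway:
    # print(post("add-identity", build_add_identity(hosts)))
```

Two design points. The `roles` value is what ties the pushed identity to the rule: it has to match the Access Role object the rule references, otherwise the PDP table entry exists but nothing matches. And `session-timeout` is the safety net: the list has to be re-pushed on a schedule shorter than the timeout, which also means an IP dropped from the list ages out on its own even if the explicit delete-identity call is never made.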


4 Replies
Admin

Re: IP List Enforcement using Identity API

Another way to skin the cat :)

Note this is *probably* only relevant on R77.30 and above, based on the fact you're talking about the IDA API

Employee+

Re: IP List Enforcement using Identity API

Correct! There are about 5+ ways I can imagine to do this same function. I have alternate versions that use 'fw sam', 'fw samp', 'run-script' etc. I like the ID API best because you don't need to install policy when you change IPs in the list. The logging is also good because you can specify details in your identity when you create it and it will show on the log in SmartConsole.

Nickel

Re: IP List Enforcement using Identity API

Nice work.

I see you had the same idea as me. I already use IA for blocking Tor IPs.

psCheckPoint/Examples/Tor_IA at master · tkoopman/psCheckPoint · GitHub


Re: IP List Enforcement using Identity API

Hi guys, once I have the script running and the sessions are being published on my GW as Identity Awareness API, how can I select the Role Blacklist?

Thanks,
