dynamic access policy using "Identity Awareness" infrastructure

I would like to accomplish the following:

Build a script that will poll a DNS server for a domain (www.example.com or microsoft.com)

And then use the response (host/user object) of the DNS server to update the security gateway firewall policy.

Preferably I would like to give the ‘host/user object’ a timeout setting so it will disappear from the policy automatically.

In order to accomplish the timeout feature my idea was to use the Identity Awareness functionality (the same infrastructure used when integrating with Active Directory and VMWare NSX).

The main reason for doing this is to build a dynamic policy based on DNS, so the firewall policy is periodically updated with the latest ip-addresses retrieved from the DNS server.

I get quite some customers asking for a more dynamic firewall policy. Our current domain objects are not suitable for this, and the new R80.10 feature will not provide this either (as far as I understand now).

Perhaps the above can be used to accomplish this.

Is this possible using R80 and the REST APIs?

I've seen a "R80 dynamic DNS rule auto update" script, but I don't think this is using timeout settings and it is only for 1 host object (ip-address).

Quinn_Yost

Re: dynamic access policy using "Identity Awareness" infrastructure

You're certainly on the right track. I have a code snippet from a Check Point rep that may get you closer to what you're looking for.

# Do the work
# Assumes fw_ip (the gateway address) and object_list (the identity entries
# to push, serialised as the request body) are defined earlier in the script.
import json
import requests

url = "https://" + fw_ip + "/_IA_MU_Agent/idasdk/add-identity"
print(url)

headers = {'Content-Type': 'application/json'}

# verify=False disables TLS certificate validation of the gateway's certificate
req = requests.post(url, json=object_list, headers=headers, verify=False)

# pretty-print the gateway's JSON reply
print(json.dumps(req.json(), indent=4))

Similarly, the code also includes, in a cleanup routine:

url="https://"+fw_ip+"/_IA_MU_Agent/idasdk/delete-identity"

There also appears to be a git repository that was working on pulling identity from several cloud providers and using the idaapi (look at checkpoint.py) to update the gateways.
GitHub - dana-at-cp/cpcloud: cpcloud is a convenience library, written in Python, that is useful for...

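As an added example (not code from this thread, from the Check Point rep's script, or from the cpcloud library), here is how the poll-and-push loop described in the question could be built on the add-identity and delete-identity endpoints quoted above: each cycle re-resolves the domain, re-adds the current addresses with a session-timeout so the gateway expires them on its own, and explicitly deletes addresses that dropped out of DNS. The request body fields (shared-secret, requests, ip-address, user, session-timeout) are my assumptions about the Identity Awareness Web API format and should be checked against the gateway's IA Web API reference; the gateway address, shared secret and domain are placeholders, and the resolver and HTTP poster are injectable so the cycle can be exercised offline.

```python
import json
import socket
import urllib.request


def build_identity_requests(domain, addresses, timeout_seconds, shared_secret):
    # Assumed add-identity body: one entry per IP, the domain name as the
    # "user", and a session-timeout (seconds) after which the gateway drops it.
    return {
        "shared-secret": shared_secret,
        "requests": [
            {"ip-address": ip, "user": domain, "session-timeout": timeout_seconds}
            for ip in sorted(addresses)
        ],
    }


def build_delete_requests(addresses, shared_secret):
    # Assumed delete-identity body: only the IP addresses to revoke.
    return {
        "shared-secret": shared_secret,
        "requests": [{"ip-address": ip} for ip in sorted(addresses)],
    }


def resolve_ipv4(domain):
    # System resolver; returns the set of A records currently served for domain.
    return {info[4][0] for info in socket.getaddrinfo(domain, None, socket.AF_INET)}


def sync_domain(domain, previous, fw_ip, shared_secret, timeout_seconds=900,
                resolve=resolve_ipv4, post=None):
    """One poll cycle. Returns (current_addresses, add_body, delete_body_or_None)."""
    if post is None:
        def post(path, body):
            # TLS certificate validation stays enabled (urllib default).
            url = "https://" + fw_ip + "/_IA_MU_Agent/idasdk/" + path
            req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                         headers={"Content-Type": "application/json"},
                                         method="POST")
            with urllib.request.urlopen(req, timeout=10) as resp:
                return json.loads(resp.read().decode())
    current = resolve(domain)
    add_body = build_identity_requests(domain, current, timeout_seconds, shared_secret)
    post("add-identity", add_body)          # re-adding refreshes the timeout
    stale = previous - current
    delete_body = build_delete_requests(stale, shared_secret) if stale else None
    if delete_body:
        post("delete-identity", delete_body)  # revoke addresses DNS no longer returns
    return current, add_body, delete_body
```

Run sync_domain on a schedule with the previous cycle's returned address set as `previous`; the first cycle passes an empty set.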
Quinn_Yost

Re: dynamic access policy using "Identity Awareness" infrastructure

Since my initial comment, Dana Traversie has posted the following information about the git library on Exchange point.
Check Point Code Sample Template [1]