This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
pdn
Contributor
‎2023-08-31 08:13 PM
Jump to solution

Adding a data center object (Cisco NDO/APIC EPG) to a Checkpoint's network group object

Hi,

 

I need your prompt help and feedbacks, please.

 

We've developed a software application that touches both Cisco NDO/APIC and Checkpoint.  So far, I've found integration between Cisco NDO/APIC and Checkpoint really challenging, frustrating to be honest.  

 

Particularly, regarding the associating a NDO/APIC's data center object to Checkpoint's network group.  This is all REST API calls.  After creating the DC object (an EPG) in NDO/APIC, I would need to associate the EPG to an existing Checkpoint's network group.  So, I used add-data-center-object and publish WAPI calls.

 

The association works at times, but failed other times.  In particular, I do see the EPG DC object created on Checkpoint, but it's not associated to the existing network group at times.  I don't even see the logs on Checkpoint that the DC object was created, network group is modified and the publish step, like the picture below which shows a successful DC object create and successful association.  I even introduced few-second delay between DC object create (on the Checkpoint) and the publish, but not helping to address issue 100%.

 

Why this happens?  If you run into the same issue, please share how to address it.  Appreciate your feedbacks and help!

 

Is there a WAPI API call that allows me to update (ie, add) an existing network group with a DC object?  I can't see such API exists from the Management API Reference documentation.  If it exists, I like to implement a check logic into my code, like below:

 

add-data-center-object

publish

While (DC_object isn't added into the Checkpoint's network group yet):

     wait(1sec)

     try to update (add the DC_object) the network group again.

     publish

     Check again, if DC_object is added to the Checkpoint's network group.

 

After while loop is exited, the DC object should now be in the network group.

 

Would this solution help address my association issue?

 

 

 

 

 

Preview file
26 KB
0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-09-01 01:11 PM
Jump to solution

The publish action is not synchronous and returns a task-id.
You will need to monitor this task-id to confirm when the publish action completes.
Only then will the changes be effective.

View solution in original post

(1)
7 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-09-01 12:47 AM
Jump to solution

Why not contact the local CP SE and/or TAC for help?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
pdn
Contributor
‎2023-09-01 05:35 AM
In response to G_W_Albrecht
Jump to solution

I was thinking about that, but thought this channel would also be of help.  I am sure there are people who have NDO/APIC & Checkpoint integration experience here.

 

Anything feedback is appreciated.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2023-09-01 05:41 AM
In response to pdn
Jump to solution

Example at the bottom maybe?

Andy

 

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-data-center-object~v1.9%20

Best,
Andy
0 Kudos
pdn
Contributor
‎2023-09-01 07:12 AM
In response to the_rock
Jump to solution

As mentioned in my problem statement, I already used add-data-center-object. 

 

So I used add-data-center-object API call to create an DC object.  In the body, I have the network group name in the request body like below:

 

url = f"{cp_url}/add-data-center-object"

body = {"data-center-uid": “abc”,
"uid-in-data-center": “xyz”,
"groups”: [“CP_network_group”]}

response = self.session.post(url, json=body, verify=self.verify)

0 Kudos
PhoneBoy
Admin
Admin
‎2023-09-01 01:11 PM
Jump to solution

The publish action is not synchronous and returns a task-id.
You will need to monitor this task-id to confirm when the publish action completes.
Only then will the changes be effective.

(1)
pdn
Contributor
‎2023-09-01 05:59 PM
In response to PhoneBoy
Jump to solution

Is show-task the right WAPI call to check for the publish task status?

 

https://sc1.checkpoint.com/documents/latest/APIs/#web/show-task~v1.8%20

 

I guess I can do a loop that checks for its status, before continuing on.  If not done, I can delay 1, and check again.  

 

0 Kudos
pdn
Contributor
‎2023-09-01 09:31 PM
In response to pdn
Jump to solution

Mr. PhoneBoy, your hint was very helpful!   I went back, added more code, checks, and now it is working 100%. 

Thank you so much!  

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events