Hi,
--> How do I turn on IA from mgmt_cli?
Actually my question is really more general. The gw object contains a field identityAwareBlade, which when used contains an owned object. Within that is a field identityAwareBladeInstalled with a simple string value to say whether it is turned on.
If you have enabled and disabled the blade, then the object is in place and the blade can be flipped with the identityAwareBladeInstalled field. If it's never been turned on, then the owned object is not present.
So my question is really more general than IA. It is:
--> How do you create a single owned object?
I know how to create an owned object in an array - this is well documented for adding interfaces:
set generic-object uid FWUID interfaces.add.create "com.checkpoint.objects.classes.dummy.CpmiClusterInterface" \
    interfaces.add.owned-object.netmask "255.255.255.0" \
    interfaces.add.owned-object.ipaddr 22.22.22.22
But in this case there is no array. I also cannot even try the same syntax because fishing inside the identityAwareBlade field in a working IA installation does not reveal an object class, which would be required to experiment with the above syntax. There is an objectclass in dbedit but that's not very useful as there is some guesswork in translating between the two.
So I'm stuck. Any help would be appreciated! Thanks!
(Follow-on question... is there a table of object schema anywhere?)
This might have to be done with dbedit itself, though I'm not sure of the syntax there either.
Paging @Omer_Kleinstern
I wouldn't recommend turning on the Identity Awareness blade using the generic API.
Even if we got exactly all the changes that are done in the DB on the GW object, there are other logics that are executed during the enablement of this blade which are not straight forward, and require some thorough investigation to get correctly.
Providing a formal API to enable and configure this blade is on our roadmap, and should be available in future versions; however, I can't say exactly when at the moment.
So I've got as far as...
set generic-object uid FWUID identityAwareBlade.create "com.checkpoint.objects.classes....identityAwareBlade??" \
    identityAwareBlade.identityAwareBladeInstalled INSTALLED
This gets me forward a little, having found the syntax for adding a single owned object not in an array. But I still need the object class name.
@Uriel_F - I appreciate your looking at your caution. What I didn't say is that I got a start on this from Yevgeniy Yeryomin who gave me a relevant ansible runbook that he's used before. He's either not worried about side effects for our application, or the engine that processes the ansible runbook is doing some other magic that I need to get to the bottom of. In any case the relevant section is...
## Step 10: Modify gateway object, IDA blade parameters
- name: "Modify gateway object, IDA blade parameters"
  check_point_mgmt:
    command: set-generic-object
    parameters:
      uid: "{{ gwuid }}"
      identityAwareBlade:
        identityAwareBladeInstalled: "INSTALLED"
        enableIdaApi: "true"
        shareIdentitiesWithOtherGateways: "false"
        enableOtherGateways: "false"
        iaMaxAuthenticatedUsers: "70000"
        iaMaxEnforcedIdentities: "70000"
        cccMaxMsgSize: "65535"
        publishMethod: "PUSH"
There's a bit more to it but you can see that for our application we are going to have a very simple configuration that relies only on a pdp/pep share from another gateway, which is possibly why we can get away with enabling it this way.
Please help me with the object class so that I can convert the script. I'm not sure what magic ansible is pulling not to need to know it, but mgmt_cli and web_api both seem to need it and cannot magically guess what kind of object goes in here.
So the answer is...
cat > dbEdit.tmp <<EOF
modify network_objects ${GWNAME} identity_aware_blade identity_aware_blade
modify network_objects ${GWNAME} identity_aware_blade:identity_aware_blade_installed installed
update_all
EOF
dbedit -s ${DOMAINIP} -u "${SCRIPTUSER}" -p "${SCRIPTPASS}" -f dbEdit.tmp
It requires side effects and dbedit seems to be the one supported scripting choice that already includes the correct side effects when enabling IA.
Any update on the formal API implementation? I checked R81.10 and didn't find any IA feature here either.
Is it possible to share the API roadmap? It would at least temper expectations.
Hi all,
I've followed some of the tips here and with a little trial and error, got IA enabled using only the API. Usual disclaimer applies when using the generic object approaches of course, but this works and is consistent when applied automatically. This is an excerpt from a larger Ansible playbook - but the general flow is:
- Get the UID of the gateway you're enabling IA on (in this case, it's a VS).
- Create a localhost object with the IP of 127.0.0.1
- Capture the UID for this (or look up the UID of an object if one exists)
- Set the IA properties on the gateway with its UID, observing the proper formatting and schema structure. In this instance, I used the web API because it will accept JSON formatted data which is a lot easier to interpret than the mgmt_cli something.1 format (for me, at least).
- name: Create localhost object for IDA whitelist
  hosts: chkpmds
  gather_facts: no
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
    ansible_ssh_common_args:
  tasks:
    - name: Create cloudguard_local object
      check_point.mgmt.cp_mgmt_host:
        auto_publish_session: true
        name: cloudguard_local
        ipv4_address: 127.0.0.1
        state: present

- name: Configure Identity Awareness
  gather_facts: no
  hosts: chkpmds
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
  tasks:
    - name: get localhost object UID
      check_point.mgmt.cp_mgmt_host_facts:
        name: cloudguard_local
    - name: get FW obj UID
      check_point.mgmt.checkpoint_object_facts:
        object_filter: "{{ vs_name }}"
    - name: UID for VS_1
      ansible.builtin.debug:
        var: ansible_facts.checkpoint_objects.objects.0.uid
        verbosity: 2
    - name: UID for localhost obj
      ansible.builtin.debug:
        var: ansible_facts.host.uid
        verbosity: 2
    - name: Set properties of IA object
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"create":"com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade","owned-object":{"idaApiSettings":{"idaApiClientVerificationSettings":[]},"enableIdaApi":"True","idcSettings":[],"isCollectingIdentities":"True","identityAwareBladeInstalled":"INSTALLED"}}}'
    - name: Set properties of IA object
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"idaApiSettings":{"idaApiClientVerificationSettings":[{"create":"com.checkpoint.objects.identity_awareness_classes.dummy.CpmiIdentityAwareClientVerificationEntry","owned-object":{"preSharedSecret":"sausage123","whiteListClient":"{{ ansible_facts.host.uid }}"}}]}}}'
This gets the settings added to the object, then you need to install policy (or for a VS, make a dummy change via vsx_provisioning_tool to 'push' the config).
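As an added example (not code posted by anyone in this thread), the same two set-generic-object calls as plain Python against the web API: it first reads the gateway with show-generic-object so it can choose between the create/owned-object form (blade never enabled) and the direct field set (blade already exists), then appends the client verification entry in the array form. It assumes a session id already obtained from /web_api/login, the gateway and localhost UIDs looked up beforehand, and the pre-shared secret supplied through environment variables instead of a literal in the playbook.

```python
import json
import os
import urllib.request

# Object classes exactly as they appear in the thread's set-generic-object bodies.
IA_BLADE_CLASS = "com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade"
IA_CLIENT_ENTRY_CLASS = ("com.checkpoint.objects.identity_awareness_classes."
                         "dummy.CpmiIdentityAwareClientVerificationEntry")

def enable_ia_body(gw_uid, gw_obj):
    # gw_obj is the gateway from show-generic-object (assumed lookup). With no
    # identityAwareBlade present the owned object must be created via the
    # create/owned-object form; once it exists the nested field is just flipped.
    if gw_obj.get("identityAwareBlade") is None:
        blade = {"create": IA_BLADE_CLASS,
                 "owned-object": {"enableIdaApi": "True",
                                  "identityAwareBladeInstalled": "INSTALLED"}}
    else:
        blade = {"identityAwareBladeInstalled": "INSTALLED"}
    return {"uid": gw_uid, "identityAwareBlade": blade}

def whitelist_entry_body(gw_uid, client_uid, secret):
    # Array form (one entry) for the client verification list. The secret is
    # a parameter so it never sits as a literal inside version-controlled YAML.
    entry = {"create": IA_CLIENT_ENTRY_CLASS,
             "owned-object": {"preSharedSecret": secret,
                              "whiteListClient": client_uid}}
    return {"uid": gw_uid, "identityAwareBlade": {"idaApiSettings": {
        "idaApiClientVerificationSettings": [entry]}}}

def call_api(mgmt, sid, command, body):
    # One management API call; certificate verification is left enabled.
    req = urllib.request.Request(
        f"https://{mgmt}/web_api/{command}", data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "X-chkp-sid": sid})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

if __name__ == "__main__":
    # CP_SID is the sid returned by /web_api/login; UIDs come from prior lookups.
    mgmt, sid = os.environ["CP_MGMT"], os.environ["CP_SID"]
    gw_uid, host_uid = os.environ["GW_UID"], os.environ["LOCALHOST_UID"]
    gw = call_api(mgmt, sid, "show-generic-object", {"uid": gw_uid})
    call_api(mgmt, sid, "set-generic-object", enable_ia_body(gw_uid, gw))
    call_api(mgmt, sid, "set-generic-object",
             whitelist_entry_body(gw_uid, host_uid, os.environ["IA_SECRET"]))
    call_api(mgmt, sid, "publish", {})
```

As in the post above, a policy install (or a dummy VSX provisioning change) is still needed after the publish for the gateway to pick the settings up.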
Wow, nicely done!
Just updating that we are planning to include official Identity Awareness Management APIs to the gateway / cluster object in the upcoming R81.20.
You are more than welcome to join the EA to try it out, or reach out to @Alon_Alapi for more info.