Greg_Harewood
Contributor

How do I turn on IA from mgmt_cli?

Hi,

--> How do I turn on IA from mgmt_cli?

Actually my question is really more general.  The gw object contains a field identityAwareBlade, which when used contains an owned object.  Within that is a field identityAwareBladeInstalled with a simple string value to say whether it is turned on.

If you have enabled and disabled the blade, then the object is in place and the blade can be flipped with the identityAwareBladeInstalled field.  If it's never been turned on, then the owned object is not present.

So my question is really more general than IA.  It is:

--> How do you create a single owned object?

I know how to create an owned object in an array - this is well documented for adding interfaces:

set generic-object uid FWUID interfaces.add.create "com.checkpoint.objects.classes.dummy.CpmiClusterInterface" \
    interfaces.add.owned-object.netmask "255.255.255.0" \
    interfaces.add.owned-object.ipaddr 22.22.22.22

But in this case there is no array.  I also cannot even try the same syntax, because fishing inside the identityAwareBlade field in a working IA installation does not reveal an object class, which would be required to experiment with the above syntax. There is an object class in dbedit, but that's not very useful as there is some guesswork in translating between the two.

So I'm stuck.  Any help would be appreciated! Thanks!

(Follow-on question... is there a table of object schema anywhere?)

4 Replies
PhoneBoy
Admin

This might have to be done with dbedit itself, though I'm not sure of the syntax there either.
Paging @Omer_Kleinstern 

Uriel_Fleischma
Employee

I wouldn't recommend turning on the Identity Awareness blade using the generic API. 

Even if we got exactly all the changes that are done in the DB on the GW object, there is other logic that is executed during the enablement of this blade which is not straightforward, and would require some thorough investigation to get right.

Providing a formal API to enable and configure this blade is on our roadmap, and should be available in future versions; however, I can't say exactly when at the moment.

Greg_Harewood
Contributor

So I've got as far as...

set generic-object uid FWUID identityAwareBlade.create "com.checkpoint.objects.classes....identityAwareBlade??" \
    identityAwareBlade.identityAwareBladeInstalled INSTALLED

This gets me forward a little, having found the syntax for adding a single owned object not in an array.  But I still need the object class name.

@Uriel_Fleischma - I appreciate your caution.  What I didn't say is that I got a start on this from Yevgeniy Yeryomin, who gave me a relevant ansible runbook that he's used before.  He's either not worried about side effects for our application, or the engine that processes the ansible runbook is doing some other magic that I need to get to the bottom of. In any case the relevant section is...

## Step 10: Modify gateway object, IDA blade parameters
- name: "Modify gateway object, IDA blade parameters"
  check_point_mgmt:
    command: set-generic-object
    parameters:
      uid: "{{ gwuid }}"
      identityAwareBlade:
        identityAwareBladeInstalled: "INSTALLED"
        enableIdaApi: "true"
        shareIdentitiesWithOtherGateways: "false"
        enableOtherGateways: "false"
        iaMaxAuthenticatedUsers: "70000"
        iaMaxEnforcedIdentities: "70000"
        cccMaxMsgSize: "65535"
        publishMethod: "PUSH"

There's a bit more to it but you can see that for our application we are going to have a very simple configuration that relies only on a pdp/pep share from another gateway, which is possibly why we can get away with enabling it this way.

Please help me with the object class so that I can convert the script.  I'm not sure what magic ansible is pulling to not need to know it, but mgmt_cli and web_api both seem to need it and cannot magically guess what kind of object goes in here.

Greg_Harewood
Contributor

So the answer is...
cat > dbEdit.tmp <<EOF
modify network_objects ${GWNAME} identity_aware_blade identity_aware_blade
modify network_objects ${GWNAME} identity_aware_blade:identity_aware_blade_installed installed
update_all
EOF

dbedit -s ${DOMAINIP} -u "${SCRIPTUSER}" -p "${SCRIPTPASS}" -f dbEdit.tmp
It requires side effects and dbedit seems to be the one supported scripting choice that already includes the correct side effects when enabling IA.

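The dbedit recipe in the last post interpolates ${GWNAME} straight into a heredoc, so a gateway name that contains a newline or a ';' would become additional dbedit statements run with the script user's credentials, and the generated file is left readable in the working directory. The following wrapper is an added example, not code from the thread or from Check Point: it emits the same two modify statements plus update_all, but validates the name first and feeds dbedit a mode-0600 temp file. It assumes dbedit is on PATH (i.e. it runs on the management server), that DOMAINIP, SCRIPTUSER and SCRIPTPASS are set in the environment, and that gateway names are limited to letters, digits, '_', '.' and '-' (an assumption; widen the character class if your naming scheme needs it).

```shell
#!/bin/sh
# Added example (not from the thread): safe wrapper around the dbedit recipe
# that enables Identity Awareness on a gateway object.
# Assumptions: dbedit on PATH; DOMAINIP, SCRIPTUSER, SCRIPTPASS exported by
# the caller; object names restricted to [A-Za-z0-9_.-].

# Reject empty names and anything outside the assumed character set so a
# name cannot inject extra dbedit statements (newline, ';', quotes, ...).
valid_gw_name() {
  case "$1" in
    '') return 1 ;;
    *[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

# Print the dbedit script for gateway "$1": the two modify statements from
# the thread followed by update_all, which commits the change.
build_ia_dbedit_script() {
  gw="$1"
  valid_gw_name "$gw" || { echo "invalid gateway name: $gw" >&2; return 1; }
  printf 'modify network_objects %s identity_aware_blade identity_aware_blade\n' "$gw"
  printf 'modify network_objects %s identity_aware_blade:identity_aware_blade_installed installed\n' "$gw"
  printf 'update_all\n'
}

# Write the script to a private temp file, run dbedit against it, then remove
# the file regardless of the outcome. Note that -p still exposes the password
# to other local users via the process list while dbedit runs.
enable_ia() {
  gw="$1"
  tmp=$(mktemp) || return 1
  chmod 600 "$tmp"
  if ! build_ia_dbedit_script "$gw" > "$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  dbedit -s "${DOMAINIP:?}" -u "${SCRIPTUSER:?}" -p "${SCRIPTPASS:?}" -f "$tmp"
  rc=$?
  rm -f "$tmp"
  return $rc
}
```

Source the file and call `enable_ia fw-gw01`; `build_ia_dbedit_script fw-gw01` on its own prints the script so you can review it before anything touches the database.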