Hi all,
I've followed some of the tips here and with a little trial and error, got IA enabled using only the API. Usual disclaimer applies when using the generic object approaches of course, but this works and is consistent when applied automatically. This is an excerpt from a larger Ansible playbook - but the general flow is:
- Get the UID of the gateway you're enabling IA on (in this case, it's a VS).
- Create a localhost object with the IP of 127.0.0.1
- Capture the UID for this (or look up the UID of an object if one exists)
- Set the IA properties on the gateway with its UID, observing the proper formatting and schema structure. In this instance, I used the web API because it will accept JSON formatted data which is a lot easier to interpret than the mgmt_cli something.1 format (for me, at least).
- name: Create localhost object for IDA whitelist
  hosts: chkpmds
  gather_facts: no
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
    ansible_ssh_common_args:
  tasks:
    - name: Create cloudguard_local object
      check_point.mgmt.cp_mgmt_host:
        auto_publish_session: true
        name: cloudguard_local
        ipv4_address: 127.0.0.1
        state: present

- name: Configure Identity Awareness
  hosts: chkpmds
  gather_facts: no
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
  tasks:
    - name: get localhost object UID
      check_point.mgmt.cp_mgmt_host_facts:
        name: cloudguard_local

    - name: get FW obj UID
      check_point.mgmt.checkpoint_object_facts:
        object_filter: "{{ vs_name }}"

    - name: UID for VS_1
      ansible.builtin.debug:
        var: ansible_facts.checkpoint_objects.objects.0.uid
        verbosity: 2

    - name: UID for localhost obj
      ansible.builtin.debug:
        var: ansible_facts.host.uid
        verbosity: 2

    # login_token_details holds the response of a login call made earlier in the
    # full playbook (not part of this excerpt); its .json.sid is the API session id.
    - name: Set properties of IA object
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no   # set to yes and point ca_path at the management CA if you have it
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"create":"com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade","owned-object":{"idaApiSettings":{"idaApiClientVerificationSettings":[]},"enableIdaApi":"True","idcSettings":[],"isCollectingIdentities":"True","identityAwareBladeInstalled":"INSTALLED"}}}'

    # Second call adds the client verification entry (pre-shared secret + whitelisted client host).
    # The secret is shown inline here; in a real playbook keep it in ansible-vault.
    # Changes made via set-generic-object stay in the session until published.
    - name: Add IA API client verification entry
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"idaApiSettings":{"idaApiClientVerificationSettings":[{"create":"com.checkpoint.objects.identity_awareness_classes.dummy.CpmiIdentityAwareClientVerificationEntry","owned-object":{"preSharedSecret":"sausage123","whiteListClient":"{{ ansible_facts.host.uid }}"}}]}}}'
This gets the settings added to the object, then you need to install policy (or for a VS, make a dummy change via vsx_provisioning_tool to 'push' the config).
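For anyone who wants the same flow without Ansible, here is the procedure from the post (look up the gateway/VS UID, create or reuse the 127.0.0.1 host object, then the two set-generic-object calls, then publish) as a small Python script. This is an added example, not code from the post or from Check Point; the endpoint names and the two JSON bodies are taken from the post, while the management hostname, user, object names, the `fake_server` stand-in and the `generic_err_object_not_found` handling path are assumptions for illustration. Certificate validation is left on and takes a CA bundle rather than being disabled.

```python
import json
import ssl
import urllib.error
import urllib.request
from typing import Any, Callable, Dict, List, Optional

API_VERSION = "v1.7"  # version used in the post's URLs
Post = Callable[[str, Dict[str, str], Dict[str, Any]], Dict[str, Any]]


class ApiError(Exception):
    """Non-2xx reply from the management server; `code` is the API error code."""
    def __init__(self, code: str, message: str):
        super().__init__(f"{code}: {message}")
        self.code = code


def ia_enable_body(gateway_uid: str) -> Dict[str, Any]:
    """First set-generic-object body from the post: create the IA blade and switch the Identity API on."""
    return {"uid": gateway_uid, "identityAwareBlade": {
        "create": "com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade",
        "owned-object": {"idaApiSettings": {"idaApiClientVerificationSettings": []},
                         "enableIdaApi": "True", "idcSettings": [],
                         "isCollectingIdentities": "True",
                         "identityAwareBladeInstalled": "INSTALLED"}}}


def ia_client_body(gateway_uid: str, client_host_uid: str, secret: str) -> Dict[str, Any]:
    """Second body from the post: one client verification entry (secret + whitelisted client host)."""
    entry_cls = ("com.checkpoint.objects.identity_awareness_classes.dummy."
                 "CpmiIdentityAwareClientVerificationEntry")
    return {"uid": gateway_uid, "identityAwareBlade": {"idaApiSettings": {
        "idaApiClientVerificationSettings": [{"create": entry_cls, "owned-object": {
            "preSharedSecret": secret, "whiteListClient": client_host_uid}}]}}}


class MgmtApi:
    """Minimal Web API client; `post` is injectable so the flow can run against a fake server."""
    def __init__(self, mgmt_host: str, post: Optional[Post] = None, cafile: Optional[str] = None):
        self.base = f"https://{mgmt_host}/web_api/{API_VERSION}/"
        self.sid: Optional[str] = None
        self._post = post or self._http_post
        self._ctx = ssl.create_default_context(cafile=cafile)  # validation stays on

    def _http_post(self, url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=self._ctx) as resp:
                return json.load(resp)
        except urllib.error.HTTPError as e:  # API errors come back as JSON with a "code"
            err = json.loads(e.read() or b"{}")
            raise ApiError(err.get("code", str(e.code)), err.get("message", str(e.reason))) from e

    def call(self, command: str, body: Dict[str, Any]) -> Dict[str, Any]:
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid  # same header the post's uri tasks send
        return self._post(self.base + command, headers, body)

    def login(self, user: str, password: str) -> None:
        self.sid = self.call("login", {"user": user, "password": password})["sid"]


def enable_identity_awareness(api: MgmtApi, vs_name: str, client_host: str, secret: str) -> Dict[str, str]:
    """Post's flow: gateway UID -> 127.0.0.1 host UID -> two set-generic-object calls -> publish."""
    gw_uid = api.call("show-objects", {"filter": vs_name})["objects"][0]["uid"]
    try:
        host_uid = api.call("show-host", {"name": client_host})["uid"]  # reuse if it exists
    except ApiError as e:
        if e.code != "generic_err_object_not_found":
            raise
        host_uid = api.call("add-host", {"name": client_host, "ipv4-address": "127.0.0.1"})["uid"]
    api.call("set-generic-object", ia_enable_body(gw_uid))
    api.call("set-generic-object", ia_client_body(gw_uid, host_uid, secret))
    api.call("publish", {})  # generic-object changes live in the session until published
    return {"gateway_uid": gw_uid, "client_host_uid": host_uid}


def fake_server(log: List[str]) -> Post:
    """Constructed stand-in for a management server: records commands, returns canned replies."""
    def post(url: str, headers: Dict[str, str], body: Dict[str, Any]) -> Dict[str, Any]:
        cmd = url.rsplit("/", 1)[1]
        log.append(cmd)
        if cmd != "login" and headers.get("X-chkp-sid") != "SID-constructed":
            raise ApiError("err_missing_session", "missing X-chkp-sid")
        if cmd == "show-host":  # pretend the host object does not exist yet
            raise ApiError("generic_err_object_not_found", "Requested object not found")
        return {"login": {"sid": "SID-constructed"},
                "show-objects": {"objects": [{"uid": "VS-UID-constructed"}]},
                "add-host": {"uid": "HOST-UID-constructed"},
                "set-generic-object": {}, "publish": {"task-id": "task-constructed"}}[cmd]
    return post
```

Against a real server, construct `MgmtApi("<mgmt IP>", cafile="/path/to/mgmt-ca.pem")`, call `login`, then `enable_identity_awareness(api, "VS_1", "cloudguard_local", secret)` with the secret read from an environment variable or vault rather than a literal; the `fake_server` transport is only there so the sequence of calls can be checked offline. As in the post, you still need to install policy (or make the dummy vsx_provisioning_tool change for a VS) afterwards.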