This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
MattElkington
Contributor
‎2020-03-12 08:58 AM

Azure Scale Sets & Identity Awareness Identity Web API enabling

I'm deploying my first Azure VMSS.

To get the cloudguard controller working on the gateway I need to enable the Identity Awareness Identity Web API and allow 127.0.0.1.

How do I ensure that this is in my scale set template?  i am assuming that I need to add mgmt_cli commands to enable that?  I don't seem to be able to find anything relating to the Web API configuration when I query the already provisioned (and manually configured) instances.

I know I need to run:

autoprov_cfg set template -tn "<configuration-template-name>" -nk "<parameter-name>" "<parameter-value>"

However I don't seem to be able to find any commands in the cli reference in regards to enabling the Identity Web API and adding an allowed host.

 

My existing scale set members are all configured as I require, however the moment it tries to scale out, any new gateway will come up without the IS Web API setup correctly, so won;t accept the policy assigned because it'll have Cloudguard objects in it, but the gateway on;t accept it because IA isn;t enabled correctly for it.

 

Any help greatly appreciated.

 

0 Kudos
7 Replies
PhoneBoy
Admin
Admin
‎2020-03-12 04:32 PM

If you enable IDA on the gateway itself, you should only need to enable the API, which you can do on the gateway CLI using pdp api enable.
However, that shouldn't be necessary as the integration with CloudGuard Controller uses Identity Awareness.
What versions are in use here (gateway and management) and has CloudGuard Controller been installed/updated?
0 Kudos
MattElkington
Contributor
‎2020-03-12 06:31 PM
In response to PhoneBoy

Management is R80.40

Gateways are R80.30

So I should pass the "pdp api enable" in the azure bootstrap script as long as the CME template has IA enabled and that would resolve the issue?

Do I not specifically have to allow 127.0.0.1 and create a key as the documentation for CloudGuard Controller suggests in relation to enabling IA?

I'll double check the cloudguard controller version tomorrow as I don't have access currently, but the management was upgraded within the last week and CME was installed 3 days ago (CME Version: Build: 991000574 Take: 79).

I'm just painfully aware that any manual modifications to the existing scale set gateway objects won't be reflected in any newly provisioned scaled set objects without manual intervention by an administrator (which won't be me once I finish the deployment), which seems to run contrary to the idea of automatic scale sets.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-12 08:43 PM
In response to MattElkington

Pretty sure the key is only needed when connecting over a network and loopback is allowed by default.
You can try passing it in the bootstrap but I was under the impression this happened by default…at least it does in AWS.
Might be worth a TAC case.
0 Kudos
Matthias_Haas
Advisor
‎2020-03-13 03:54 AM
In response to MattElkington

have you tried to add the IA module to the template:

<autoprov_cfg set template -tn <template-name> -ia

 

see also Cloud Management Extension R80.10 and Higher Administration Guide (This link was edited by Check Point on 19 Dec 2021)

 

That is working for us

Matthias

 

 

0 Kudos
Aaron_Vivadelli
Contributor
Contributor
‎2021-04-30 12:24 PM
In response to MattElkington

I wanted to mention that you don't have to do this with the bootstrap script that you need to select during the VMSS build process in Azure.  You can create a bash script on your management server, then configure the CME template to run that script during initialization.

  autoprov_cfg set template -tn <template_name> -cg "/home/admin/gateway_script"

 

This can be used for the "pdp api enable" command, but I agree with you about using the Management API to configure the Gateway Object for things such as Identity Collector.  It's how I found this article.

0 Kudos
kusch445
Explorer
‎2021-01-13 06:01 AM

Hi there

My point is, when enabling IA with template, how to set the properties from smart console like, Identity Collector? There are many more properties for other properties from smart console, which are not listed by API or clish commands.

Thanks for your inputs.

Gabriel

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2021-01-13 06:36 AM

Hi Gabriel,

Please have your local Check Point SE contact me to share your requirements offline.

An example of what is currently possible is available here:

https://community.checkpoint.com/t5/Cloud-Network-Security-IaaS/ID-Sharing-on-AutoScaling/m-p/97207#...

CCSM R77/R80/ELITE
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events