MattElkington
Participant

Azure Scale Sets & Identity Awareness Identity Web API enabling

I'm deploying my first Azure VMSS.

To get the cloudguard controller working on the gateway I need to enable the Identity Awareness Identity Web API and allow 127.0.0.1.

How do I ensure that this is in my scale set template? I am assuming that I need to add mgmt_cli commands to enable that? I don't seem to be able to find anything relating to the Web API configuration when I query the already provisioned (and manually configured) instances.

I know I need to run:

autoprov_cfg set template -tn "<configuration-template-name>" -nk "<parameter-name>" "<parameter-value>"

However I don't seem to be able to find any commands in the cli reference in regards to enabling the Identity Web API and adding an allowed host.

My existing scale set members are all configured as I require; however, the moment it tries to scale out, any new gateway will come up without the IA Web API set up correctly, so it won't accept the policy assigned to it because the policy contains CloudGuard objects, and the gateway won't accept those because IA isn't enabled correctly for it.

 

Any help greatly appreciated.

PhoneBoy
Admin

If you enable IDA on the gateway itself, you should only need to enable the API, which you can do on the gateway CLI using pdp api enable.
However, that shouldn't be necessary as the integration with CloudGuard Controller uses Identity Awareness.
What versions are in use here (gateway and management) and has CloudGuard Controller been installed/updated?
MattElkington
Participant

Management is R80.40

Gateways are R80.30

So I should pass the "pdp api enable" in the azure bootstrap script as long as the CME template has IA enabled and that would resolve the issue?

Do I not specifically have to allow 127.0.0.1 and create a key as the documentation for CloudGuard Controller suggests in relation to enabling IA?

I'll double check the cloudguard controller version tomorrow as I don't have access currently, but the management was upgraded within the last week and CME was installed 3 days ago (CME Version: Build: 991000574 Take: 79).

I'm just painfully aware that any manual modifications to the existing scale set gateway objects won't be reflected in any newly provisioned scaled set objects without manual intervention by an administrator (which won't be me once I finish the deployment), which seems to run contrary to the idea of automatic scale sets.

PhoneBoy
Admin

Pretty sure the key is only needed when connecting over a network and loopback is allowed by default.
You can try passing it in the bootstrap but I was under the impression this happened by default…at least it does in AWS.
Might be worth a TAC case.
Matthias_Haas
Advisor

Have you tried adding the IA module to the template:

autoprov_cfg set template -tn <template-name> -ia

See also the CME R80.10 and Above Administration Guide.

That is working for us.

Matthias

Aaron_Vivadelli
Contributor

I wanted to mention that you don't have to do this with the bootstrap script that you need to select during the VMSS build process in Azure. You can create a bash script on your management server, then configure the CME template to run that script during initialization.

autoprov_cfg set template -tn <template_name> -cg "/home/admin/gateway_script"

This can be used for the "pdp api enable" command, but I agree with you about using the Management API to configure the Gateway Object for things such as Identity Collector.  It's how I found this article.

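A worked version of the approach in Aaron's reply, added here as an example and not code from the thread or from Check Point: a custom gateway script that the CME template runs through -cg. It assumes, as described above, that the file is stored on the management server and executed on each newly provisioned gateway after CME initialization, that the template already has IA enabled (-ia), and that the log path and retry values are placeholders you would adjust.

```shell
#!/bin/bash
# Custom gateway script referenced from the CME template, e.g.:
#   autoprov_cfg set template -tn <template_name> -cg "/home/admin/gateway_script"
# Assumes (per the thread) the file lives on the management server and is run
# on each newly provisioned gateway after CME initialization, with Identity
# Awareness already enabled in the template (-ia).
set -u

LOGFILE="${LOGFILE:-/var/log/cme_gateway_script.log}"   # assumed path
MAX_TRIES="${MAX_TRIES:-5}"                              # assumed retry budget
SLEEP_SECS="${SLEEP_SECS:-30}"                           # assumed wait between tries

log() {
    # Timestamped audit line for whoever administers the scale set later.
    printf '%s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$*" | tee -a "$LOGFILE" >&2 || true
}

enable_ia_api() {
    # Run 'pdp api enable' until it succeeds or the retry budget is spent.
    # On a member that has just scaled out, the Identity Awareness daemons may
    # still be starting, so a single early attempt can fail spuriously.
    # Prints the number of attempts used; exit status 0 on success, 1 on failure.
    attempt=1
    while [ "$attempt" -le "$MAX_TRIES" ]; do
        if pdp api enable >/dev/null 2>&1; then
            log "Identity Web API enabled on attempt $attempt"
            echo "$attempt"
            return 0
        fi
        log "pdp api enable failed (attempt $attempt of $MAX_TRIES)"
        attempt=$((attempt + 1))
        if [ "$attempt" -le "$MAX_TRIES" ]; then
            sleep "$SLEEP_SECS"
        fi
    done
    log "giving up: Identity Web API still disabled after $MAX_TRIES attempts"
    echo "$MAX_TRIES"
    return 1
}

main() {
    log "CME custom gateway script starting on $(hostname)"
    enable_ia_api >/dev/null
}

# Only act where the pdp tool exists, i.e. on the gateway itself; on any other
# host the script merely defines the functions above.
if command -v pdp >/dev/null 2>&1; then
    main
fi
```

A non-zero exit from the script shows up in the CME log on the management server, which is the first place to look when a scaled-out member fails to take the policy.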
kusch445
Explorer

Hi there

My point is, when enabling IA with the template, how do I set the properties from SmartConsole, like Identity Collector? There are many more such properties in SmartConsole which are not listed by API or clish commands.

Thanks for your inputs.

Gabriel

Chris_Atkinson
Employee

Hi Gabriel,

Please have your local Check Point SE contact me to share your requirements offline.

An example of what is currently possible is available here:

https://community.checkpoint.com/t5/Cloud-Network-Security-IaaS/ID-Sharing-on-AutoScaling/m-p/97207#...
