Harald_Hansen
Collaborator

CME support for Autonomous Threat Prevention


When will CME gain support for enabling Autonomous Threat Prevention instead of separate TI blades?

At the moment the autoprov_cfg set template feature does not have a flag for this feature.

0 Kudos
1 Solution

Accepted Solutions
ChristianCastil
Employee

Here is my explanation.

To run a script on the management, we need to point to it at the management level in the CME.

"autoprov_cfg set management -cs <path to script>"; this instructs the management to run the script on itself.

Now at the template level, we have a flag called Custom Parameters. It is triggered every time a GW appears on or disappears from the Controller and is added to the management, and the custom parameter is passed to the management script as the "$3" argument. The first and second arguments are handled automatically by CME: the first is "add" or "delete" and the second is the new GW name.

So, for example, in your case the CME config can look like this:

controllers:
  azuresandbox:
    class: Azure
    credentials:
      "client_id": "XXXXXXXXXXXXXX"
      "client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
      "grant_type": "client_credentials"
      tenant: "XXXXXXXXX"
    subscription: XXXXXXXXXXX
delay: 30
management:
  custom-script: "/home/admin/script/enableautonomous.bash"
  host: localhost
  name: mgmt
templates:
  vmssvdi:
    application-control: true
    custom-parameters: "autonomous vmss-rb"
    https-inspection: true
    identity-awareness: true
    one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
    policy: vmss-rb
    url-filtering: true
    version: "R81.10"

That means that when a new GW is added, the CME will enable the blades and also call the script "enableautonomous.bash", passing the parameters "add" "gwname" (these two by default) "autonomous" "vmss-rb". Now, if in the script you have something like this:

#!/bin/bash
: ' ------- Not supported in production -------
Enable features. Needs to be run from an Autoprovision template with "autonomous" as a custom parameter.
------- Not supported in production -------
'
# Load the Check Point shell environment so mgmt_cli is available
. /opt/CPshared/5.0/tmp/.CPprofile.sh

# Arguments as passed by CME: "add"/"delete", the gateway name, then the template's custom parameters
AUTOPROV_ACTION=$1
GW_NAME=$2
CUSTOM_PARAMETERS=$3
RULEBASE=$4

# Nothing to do when a gateway is removed
if [[ $AUTOPROV_ACTION == delete ]]
then
    exit 0
fi

# Only act on templates that carry the "autonomous" custom parameter
if [[ $CUSTOM_PARAMETERS != autonomous ]]
then
    exit 0
fi

INSTALL_STATUS=1
POLICY_PACKAGE_NAME=$RULEBASE

echo "Connecting to API server"
SID=$(mgmt_cli -r true login -f json | jq -r '.sid')
GW_JSON=$(mgmt_cli --session-id "$SID" show simple-gateway name "$GW_NAME" -f json)
# -r strips the JSON quotes so the uid can be passed straight to mgmt_cli
GW_UID=$(echo "$GW_JSON" | jq -r '.uid')

echo "Enabling autonomous threat prevention"
mgmt_cli --session-id "$SID" set simple-gateway uid "$GW_UID" threat-prevention-mode autonomous

echo "Publishing changes"
mgmt_cli publish --session-id "$SID"

echo "Installing policy"
# Retry until install-policy returns an exit code other than 1.
# INSTALL_STATUS must be set on its own line: appended to the mgmt_cli command
# it is passed as an argument and the loop never terminates.
until [[ $INSTALL_STATUS != 1 ]]; do
    mgmt_cli --session-id "$SID" -f json install-policy policy-package "$POLICY_PACKAGE_NAME" targets "$GW_UID"
    INSTALL_STATUS=$?
    if [[ $INSTALL_STATUS == 1 ]]; then sleep 10; fi
done
echo "Policy installed"
echo "Logging out of session"
mgmt_cli logout --session-id "$SID"
exit 0

This is how to run a script on the management. There is also a flag called "-nk"; this one does a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous", which is simpler.

HOPE ALL IS CLEAR


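As an added example (editor's code, not the script from this thread nor anything shipped by Check Point), here is a variant of the management-level hook that validates the arguments CME passes, checks the gateway's current mode before changing it, bounds the install-policy retries, and discards the session on any failure. It assumes it runs on the management server with mgmt_cli on the PATH and that "show simple-gateway" returns the gateway's "threat-prevention-mode" field (API 1.8 or later); the json_field helper is a minimal sed extractor for flat string fields, used in place of jq so the script has no extra dependency.

```shell
#!/bin/bash
# Added example, not the script from this thread. Management-level CME hook
# ("autoprov_cfg set management -cs <path>") that switches a newly added
# gateway to Autonomous Threat Prevention and installs its policy.
# Assumptions: runs on the Check Point management server with mgmt_cli on the
# PATH; `show simple-gateway` returns "threat-prevention-mode" (API 1.8+).
# CME invokes it as:  <script> add|delete <gw-name> <custom-param> [<policy>]
set -u
RETRY_DELAY="${RETRY_DELAY:-30}"   # seconds between install-policy retries
MAX_ATTEMPTS=5

# Extract a flat string field from JSON on stdin using only sed (no jq).
# Prints the value; returns 1 when the field is missing.
json_field() {
    val=$(sed -n "s/.*\"$1\" *: *\"\([^\"]*\)\".*/\1/p" | head -n 1)
    [ -n "$val" ] && printf '%s\n' "$val"
}

# Gate: only "add" events from a template whose custom parameter is the
# literal "autonomous" are acted on; "delete" and other values are no-ops.
should_enable_autonomous() {
    [ "$1" = "add" ] && [ "$2" = "autonomous" ]
}

# Discard unpublished changes (if any) and close the API session.
end_session() {
    mgmt_cli --session-id "$1" discard >/dev/null 2>&1 || true
    mgmt_cli --session-id "$1" logout >/dev/null 2>&1 || true
}

# Idempotently set threat-prevention-mode=autonomous on one gateway and
# install the given policy package. Returns 0 on success or when the
# gateway was already autonomous, 1 on an API failure.
enable_autonomous_tp() {
    gw_name="$1"; policy_pkg="$2"
    sid=$(mgmt_cli -r true login -f json | json_field sid) || return 1
    gw_json=$(mgmt_cli --session-id "$sid" show simple-gateway name "$gw_name" -f json) \
        || { end_session "$sid"; return 1; }
    gw_uid=$(printf '%s\n' "$gw_json" | json_field uid) || { end_session "$sid"; return 1; }
    current=$(printf '%s\n' "$gw_json" | json_field threat-prevention-mode || true)
    if [ "$current" = "autonomous" ]; then
        echo "$gw_name is already in autonomous mode, nothing to change"
        end_session "$sid"
        return 0
    fi
    mgmt_cli --session-id "$sid" set simple-gateway uid "$gw_uid" \
        threat-prevention-mode autonomous >/dev/null || { end_session "$sid"; return 1; }
    mgmt_cli --session-id "$sid" publish >/dev/null || { end_session "$sid"; return 1; }
    attempt=0
    # Bounded retry instead of an open-ended loop
    until mgmt_cli --session-id "$sid" install-policy policy-package "$policy_pkg" \
            targets "$gw_uid" >/dev/null; do
        attempt=$((attempt + 1))
        if [ "$attempt" -ge "$MAX_ATTEMPTS" ]; then
            echo "install-policy on $gw_name failed $attempt times, giving up" >&2
            end_session "$sid"; return 1
        fi
        sleep "$RETRY_DELAY"
    done
    end_session "$sid"
    return 0
}

main() {
    action="$1"; gw_name="$2"; custom="$3"; policy="${4:-}"
    if ! should_enable_autonomous "$action" "$custom"; then
        echo "ignoring '$action' for $gw_name (custom parameter: '$custom')"
        return 0
    fi
    [ -n "$policy" ] || { echo "no policy package given as 4th argument" >&2; return 1; }
    enable_autonomous_tp "$gw_name" "$policy"
}

# CME always passes at least three arguments; with none (e.g. when the file
# is sourced to test the functions) only the definitions above are loaded.
if [ "$#" -ge 3 ]; then
    main "$@"
fi
```

The gate function is what makes the custom-parameter convention safe: a template without the "autonomous" token, or a "delete" event, never reaches the API calls, and the explicit discard-on-failure means a half-applied change is not left sitting in an open session. The retry bound and delay are configurable through MAX_ATTEMPTS and RETRY_DELAY.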
5 Replies
ChristianCastil
Employee

The management API v1.8 allows you to add that to a GW with the set-simple-gateway endpoint, so you can create a custom script that adds this to the deployed GW; if you need help, ping me.

0 Kudos
Harald_Hansen
Collaborator

I know how to create a script to do this, though I wonder where I should put this. There is an option in CME to trigger scripts on provisioning, though this is run in the context of each gateway. Is there an additional option to run a script on the SmartCenter/CMA?

0 Kudos
Roman_Kats
Employee

Hi Harald_Hansen,

We understand the need for enabling Autonomous Threat Prevention via CME and have added it to our backlog.

Meanwhile you can use the solution with custom script Christian explained below.

Thanks,

Roman

0 Kudos
Harald_Hansen
Collaborator

Thanks, both of you!

0 Kudos