Create a Post
Harald_Hansen
Advisor

CME support for Autonomous Threat Prevention

Jump to solution

When will CME gain support for enabling Autonomous Threat Prevention in stead of separate TI blades?

At the moment the autoprov_cfg set template feature does not have a flag for this feature.

0 Kudos
1 Solution

Accepted Solutions
ChristianCastil
Employee
Employee

here is my explanation.

to run a script on the management, we need to point it at management level in the cme.

"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself

Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.

so for example in your case the CME config can see like this;

controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"

That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;

 

#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter 
------- No supported in production ------- 
' 
. /opt/CPshared/5.0/tmp/.CPprofile.sh 
AUTOPROV_ACTION=$1 
GW_NAME=$2 
CUSTOM_PARAMETERS=$3 
RULEBASE=$4 

if [[ $AUTOPROV_ACTION == delete ]] 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS != autonomonous ]]; 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS == autonomonous ]] 
then 
INSTALL_STATUS=1 
POLICY_PACKAGE_NAME=$RULEBASE 

echo "Connection to API server" 
SID=$(mgmt_cli -r true login -f json | jq -r '.sid') 
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json) 
GW_UID=$(echo $GW_JSON | jq '.uid') 

echo "enabling autonomous" 
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous 

echo "Publishing changes" 
mgmt_cli publish --session-id $SID 

echo "Install policy" 
until [[ $INSTALL_STATUS != 1 ]]; do 
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$? 
done 
echo "Policy Installed" 
echo "Logging out of session" 
mgmt_cli logout --session-id $SID 
exit 0 
fi
exit 0

 

 

this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.

 

HOPE ALL IS CLEAR


View solution in original post

(1)
16 Replies
ChristianCastil
Employee
Employee

the management API v1.8 allow you to add that to a GW with the set-simple-gateway endpoint, so you can create a custom script that adds this to the deployed GW, if need help ping me

0 Kudos
Harald_Hansen
Advisor

I know how to create a script to do this, though I wonder where I should put this. There is an option in CME to trigger scripts on provisioning, though this is run in the context of each gateway. Is there an additional option to run a script on the SmartCenter/CMA?

0 Kudos
ChristianCastil
Employee
Employee

here is my explanation.

to run a script on the management, we need to point it at management level in the cme.

"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself

Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.

so for example in your case the CME config can see like this;

controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"

That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;

 

#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter 
------- No supported in production ------- 
' 
. /opt/CPshared/5.0/tmp/.CPprofile.sh 
AUTOPROV_ACTION=$1 
GW_NAME=$2 
CUSTOM_PARAMETERS=$3 
RULEBASE=$4 

if [[ $AUTOPROV_ACTION == delete ]] 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS != autonomonous ]]; 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS == autonomonous ]] 
then 
INSTALL_STATUS=1 
POLICY_PACKAGE_NAME=$RULEBASE 

echo "Connection to API server" 
SID=$(mgmt_cli -r true login -f json | jq -r '.sid') 
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json) 
GW_UID=$(echo $GW_JSON | jq '.uid') 

echo "enabling autonomous" 
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous 

echo "Publishing changes" 
mgmt_cli publish --session-id $SID 

echo "Install policy" 
until [[ $INSTALL_STATUS != 1 ]]; do 
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$? 
done 
echo "Policy Installed" 
echo "Logging out of session" 
mgmt_cli logout --session-id $SID 
exit 0 
fi
exit 0

 

 

this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.

 

HOPE ALL IS CLEAR


(1)
michiganf4n
Participant

When I try the -nk flag, using the latest version of CME as of 5/3/22, I get the following error:

API call failed: set-simple-gateway. Message: : Unrecognized parameter [threat-prevention-mode]

Any ideas on how to get past that?

0 Kudos
ChristianCastil
Employee
Employee

the API is enabled from the v1.8, so if you're using any management with older API version, this instruction doesn't exist.

 

you can see the supported instructions from the API endpoint in the documentation

https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v1.8%20

 

what SMS version you're using, CME is just to trigger, but when it triggers uses the Management API of the server.

0 Kudos
michiganf4n
Participant

thanks. that's gotta be the issue.  so, that leaves me with a couple of basic questions:

  1. how do i check what api version i have?
  2. how do i update the api?

our management server is running R81.10 take 45.  so, we're on the latest software.  does the api update separately from the main os?

0 Kudos
Harald_Hansen
Advisor
0 Kudos
michiganf4n
Participant

i did some googling.  it looks like i'm running api version 1.8, so i should have the command available:

xxxxxxxxxx> mgmt_cli show api-versions -f json
{
"current-version" : "1.8",
"supported-versions" : [ "1", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.6.1", "1.7", "1.7.1", "1.8" ]
}

so, that wasn't it.  any ideas what else could be causing the set-simple-gateway command to error out?

0 Kudos
Harald_Hansen
Advisor

What gateway version is set in the template?

0 Kudos
michiganf4n
Participant

R81.10.  Azure is deploying them on take 30.

0 Kudos
Harald_Hansen
Advisor

Ok, then it should be supported. 

The -nk parameter is documented here: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/CME_Structure_...

-nk

"KEY" "VALUE"

Configure other attributes to be added to the Management API command "set-simple-gateway" (API v1).

For example: -nk "save-logs-locally" "true"

0 Kudos
Roman_Kats
Employee
Employee

Hi Harald_Hansen,

We understand the need in enabling Autonomous Threat Prevention via CME and have added it to our backlog.

Meanwhile you can use the solution with custom script Christian explained below.

Thanks,

Roman

0 Kudos
Harald_Hansen
Advisor

Thanks, both of you!

0 Kudos
michiganf4n
Participant

Thanks.  Is there a ballpark ETA for official support to enable Autonomous Threat Prevention in CME?

0 Kudos
Dmitry_Gorn
Employee
Employee

Current ETA is during Q3.

Roman_Kats
Employee
Employee

Hi,

We would like to inform that the latest released CME take 200 contains support for Autonomous Threat Prevention

For more information refer to the sk157492 
Thanks

0 Kudos