Solved: Re: CME support for Autonomous Threat Prevention

Harald_Hansen · ‎2021-11-25

When will CME gain support for enabling Autonomous Threat Prevention in stead of separate TI blades?

At the moment the autoprov_cfg set template feature does not have a flag for this feature.

ChristianCastil · ‎2021-11-26

here is my explanation.

to run a script on the management, we need to point it at management level in the cme.

"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself

Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.

so for example in your case the CME config can see like this;

controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"

That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;

#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter 
------- No supported in production ------- 
' 
. /opt/CPshared/5.0/tmp/.CPprofile.sh 
AUTOPROV_ACTION=$1 
GW_NAME=$2 
CUSTOM_PARAMETERS=$3 
RULEBASE=$4 

if [[ $AUTOPROV_ACTION == delete ]] 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS != autonomonous ]]; 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS == autonomonous ]] 
then 
INSTALL_STATUS=1 
POLICY_PACKAGE_NAME=$RULEBASE 

echo "Connection to API server" 
SID=$(mgmt_cli -r true login -f json | jq -r '.sid') 
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json) 
GW_UID=$(echo $GW_JSON | jq '.uid') 

echo "enabling autonomous" 
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous 

echo "Publishing changes" 
mgmt_cli publish --session-id $SID 

echo "Install policy" 
until [[ $INSTALL_STATUS != 1 ]]; do 
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$? 
done 
echo "Policy Installed" 
echo "Logging out of session" 
mgmt_cli logout --session-id $SID 
exit 0 
fi
exit 0

this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.

HOPE ALL IS CLEAR

View solution in original post

ChristianCastil · ‎2021-11-25

the management API v1.8 allow you to add that to a GW with the set-simple-gateway endpoint, so you can create a custom script that adds this to the deployed GW, if need help ping me

Harald_Hansen · ‎2021-11-25

I know how to create a script to do this, though I wonder where I should put this. There is an option in CME to trigger scripts on provisioning, though this is run in the context of each gateway. Is there an additional option to run a script on the SmartCenter/CMA?

ChristianCastil · ‎2021-11-26

here is my explanation.

to run a script on the management, we need to point it at management level in the cme.

"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself

Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.

so for example in your case the CME config can see like this;

controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"

That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;

#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter 
------- No supported in production ------- 
' 
. /opt/CPshared/5.0/tmp/.CPprofile.sh 
AUTOPROV_ACTION=$1 
GW_NAME=$2 
CUSTOM_PARAMETERS=$3 
RULEBASE=$4 

if [[ $AUTOPROV_ACTION == delete ]] 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS != autonomonous ]]; 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS == autonomonous ]] 
then 
INSTALL_STATUS=1 
POLICY_PACKAGE_NAME=$RULEBASE 

echo "Connection to API server" 
SID=$(mgmt_cli -r true login -f json | jq -r '.sid') 
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json) 
GW_UID=$(echo $GW_JSON | jq '.uid') 

echo "enabling autonomous" 
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous 

echo "Publishing changes" 
mgmt_cli publish --session-id $SID 

echo "Install policy" 
until [[ $INSTALL_STATUS != 1 ]]; do 
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$? 
done 
echo "Policy Installed" 
echo "Logging out of session" 
mgmt_cli logout --session-id $SID 
exit 0 
fi
exit 0

this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.

HOPE ALL IS CLEAR

michiganf4n · ‎2022-05-03

When I try the -nk flag, using the latest version of CME as of 5/3/22, I get the following error:

API call failed: set-simple-gateway. Message: : Unrecognized parameter [threat-prevention-mode]

Any ideas on how to get past that?

ChristianCastil · ‎2022-05-03

the API is enabled from the v1.8, so if you're using any management with older API version, this instruction doesn't exist.

you can see the supported instructions from the API endpoint in the documentation

https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v1.8%20

what SMS version you're using, CME is just to trigger, but when it triggers uses the Management API of the server.

michiganf4n · ‎2022-05-04

thanks. that's gotta be the issue. so, that leaves me with a couple of basic questions:

how do i check what api version i have?
how do i update the api?

our management server is running R81.10 take 45. so, we're on the latest software. does the api update separately from the main os?

Harald_Hansen · ‎2022-05-04

Take a look here:
https://sc1.checkpoint.com/documents/latest/APIs/#api_versions~v1.8%20

michiganf4n · ‎2022-05-04

i did some googling. it looks like i'm running api version 1.8, so i should have the command available:

xxxxxxxxxx> mgmt_cli show api-versions -f json
{
"current-version" : "1.8",
"supported-versions" : [ "1", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.6.1", "1.7", "1.7.1", "1.8" ]
}

so, that wasn't it. any ideas what else could be causing the set-simple-gateway command to error out?

Harald_Hansen · ‎2022-05-04

What gateway version is set in the template?

michiganf4n · ‎2022-05-04

R81.10. Azure is deploying them on take 30.

Harald_Hansen · ‎2022-05-04

Ok, then it should be supported.

The -nk parameter is documented here: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/CME_Structure_...

-nk

"KEY" "VALUE"

Configure other attributes to be added to the Management API command "set-simple-gateway" (API v1).

For example: -nk "save-logs-locally" "true"

Roman_Kats · ‎2021-11-29

Hi Harald_Hansen,

We understand the need in enabling Autonomous Threat Prevention via CME and have added it to our backlog.

Meanwhile you can use the solution with custom script Christian explained below.

Thanks,

Roman

Harald_Hansen · ‎2021-11-29

Thanks, both of you!

michiganf4n · ‎2022-02-09

Thanks. Is there a ballpark ETA for official support to enable Autonomous Threat Prevention in CME?

Dmitry_Gorn · ‎2022-05-04

Current ETA is during Q3.

Roman_Kats · ‎2022-07-10

Hi,

We would like to inform that the latest released CME take 200 contains support for Autonomous Threat Prevention

For more information refer to the sk157492
Thanks

Are you a member of CheckMates?

CME support for Autonomous Threat Prevention