- CheckMates
- :
- Products
- :
- CloudMates Products
- :
- Cloud Network Security
- :
- Discussion
- :
- CME support for Autonomous Threat Prevention
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
CME support for Autonomous Threat Prevention
When will CME gain support for enabling Autonomous Threat Prevention in stead of separate TI blades?
At the moment the autoprov_cfg set template feature does not have a flag for this feature.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is my explanation.
to run a script on the management, we need to point it at management level in the cme.
"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself
Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.
so for example in your case the CME config can see like this;
controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"
That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;
#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter
------- No supported in production -------
'
. /opt/CPshared/5.0/tmp/.CPprofile.sh
AUTOPROV_ACTION=$1
GW_NAME=$2
CUSTOM_PARAMETERS=$3
RULEBASE=$4
if [[ $AUTOPROV_ACTION == delete ]]
then
exit 0
fi
if [[ $CUSTOM_PARAMETERS != autonomonous ]];
then
exit 0
fi
if [[ $CUSTOM_PARAMETERS == autonomonous ]]
then
INSTALL_STATUS=1
POLICY_PACKAGE_NAME=$RULEBASE
echo "Connection to API server"
SID=$(mgmt_cli -r true login -f json | jq -r '.sid')
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json)
GW_UID=$(echo $GW_JSON | jq '.uid')
echo "enabling autonomous"
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous
echo "Publishing changes"
mgmt_cli publish --session-id $SID
echo "Install policy"
until [[ $INSTALL_STATUS != 1 ]]; do
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$?
done
echo "Policy Installed"
echo "Logging out of session"
mgmt_cli logout --session-id $SID
exit 0
fi
exit 0
this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.
HOPE ALL IS CLEAR
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the management API v1.8 allow you to add that to a GW with the set-simple-gateway endpoint, so you can create a custom script that adds this to the deployed GW, if need help ping me
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know how to create a script to do this, though I wonder where I should put this. There is an option in CME to trigger scripts on provisioning, though this is run in the context of each gateway. Is there an additional option to run a script on the SmartCenter/CMA?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
here is my explanation.
to run a script on the management, we need to point it at management level in the cme.
"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself
Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.
so for example in your case the CME config can see like this;
controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"
That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;
#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter
------- No supported in production -------
'
. /opt/CPshared/5.0/tmp/.CPprofile.sh
AUTOPROV_ACTION=$1
GW_NAME=$2
CUSTOM_PARAMETERS=$3
RULEBASE=$4
if [[ $AUTOPROV_ACTION == delete ]]
then
exit 0
fi
if [[ $CUSTOM_PARAMETERS != autonomonous ]];
then
exit 0
fi
if [[ $CUSTOM_PARAMETERS == autonomonous ]]
then
INSTALL_STATUS=1
POLICY_PACKAGE_NAME=$RULEBASE
echo "Connection to API server"
SID=$(mgmt_cli -r true login -f json | jq -r '.sid')
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json)
GW_UID=$(echo $GW_JSON | jq '.uid')
echo "enabling autonomous"
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous
echo "Publishing changes"
mgmt_cli publish --session-id $SID
echo "Install policy"
until [[ $INSTALL_STATUS != 1 ]]; do
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$?
done
echo "Policy Installed"
echo "Logging out of session"
mgmt_cli logout --session-id $SID
exit 0
fi
exit 0
this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.
HOPE ALL IS CLEAR
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
When I try the -nk flag, using the latest version of CME as of 5/3/22, I get the following error:
API call failed: set-simple-gateway. Message: : Unrecognized parameter [threat-prevention-mode]
Any ideas on how to get past that?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
the API is enabled from the v1.8, so if you're using any management with older API version, this instruction doesn't exist.
you can see the supported instructions from the API endpoint in the documentation
https://sc1.checkpoint.com/documents/latest/APIs/#cli/set-simple-gateway~v1.8%20
what SMS version you're using, CME is just to trigger, but when it triggers uses the Management API of the server.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thanks. that's gotta be the issue. so, that leaves me with a couple of basic questions:
- how do i check what api version i have?
- how do i update the api?
our management server is running R81.10 take 45. so, we're on the latest software. does the api update separately from the main os?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
i did some googling. it looks like i'm running api version 1.8, so i should have the command available:
xxxxxxxxxx> mgmt_cli show api-versions -f json
{
"current-version" : "1.8",
"supported-versions" : [ "1", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6", "1.6.1", "1.7", "1.7.1", "1.8" ]
}
so, that wasn't it. any ideas what else could be causing the set-simple-gateway command to error out?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What gateway version is set in the template?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R81.10. Azure is deploying them on take 30.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Ok, then it should be supported.
The -nk parameter is documented here: https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/CME_Structure_...
|
"KEY" "VALUE" |
Configure other attributes to be added to the Management API command " For example: |
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi Harald_Hansen,
We understand the need in enabling Autonomous Threat Prevention via CME and have added it to our backlog.
Meanwhile you can use the solution with custom script Christian explained below.
Thanks,
Roman
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks, both of you!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks. Is there a ballpark ETA for official support to enable Autonomous Threat Prevention in CME?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Current ETA is during Q3.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
We would like to inform that the latest released CME take 200 contains support for Autonomous Threat Prevention
For more information refer to the sk157492
Thanks