Identity Awareness - R81.20 For Lab
I set up a virtual lab with Checkpoint Firewall Security Management and Standalone R81.20 to test the integration of the Aruba ClearPass Policy Manager solution. When I enabled the Identity Awareness feature on Checkpoint and tried to post an API call to the Firewall address, there was no response. Therefore, I tried using Postman and a browser to reach the Firewall's API address, but both showed a 404 Error "No URL" result as shown below:
What precise steps were taken to enable Identity Awareness on the gateway?
At the very least you need to enable the blade and push policy to the relevant gateway.
Hi, thanks for your response.
I have reinstalled the lab and successfully sent API using Postman. Currently, I am encountering issues sending API from ClearPass Policy Manager to the Firewall. I have configured the Context Server actions on ClearPass and tested by logging in/out users from CP OnGuard Agent; however, I do not see any Identity Awareness logs on Check Point. How can I troubleshoot the log sending/receiving between these two servers? I would greatly appreciate your guidance.
I'm not familiar with the integration with Aruba.
Generally speaking, though:
- Users should be communicated to our gateways via the IDA API
- Groups (necessary for Access Roles) will come from LDAP (usually from on-premise Active Directory)
I'd start by checking the Aruba side of this to make sure it is sending us information.
A simple tcpdump should verify the Aruba server is sending traffic to the gateway on port 443.
Thank you for your response. I have currently opened a support case with Aruba TAC to debug why the API is not being sent from ClearPass. I have an additional question: with this integration, does CheckPoint require user authentication (via LDAP or AD)? Can I create a dynamic policy to manage user access on CheckPoint based solely on parameters such as IP address and the ClearPass PC health check results?
Identity Awareness receives information via Identity Agents, Identity Collector, or the Identity Awareness API (e.g. for Aruba Clearpass).
Among this information is the user...which is not strictly required.
However, one or more Identity Tags would probably need to be defined to create the relevant Access Policy rules.
Hi, I tried to post to the Firewall IA API via Postman with this content:
{"shared-secret":"**********", "user": "NACAdmin","ip-address":"1.2.3.4","identity-source": "Aruba ClearPass Policy Manager","calculate-roles":0,"fetch-user-groups": 0,"fetch-machine-groups": 0,"roles": "[%{Role Test}]"}
But I got this result:
Roles needs to be an array, which is enclosed in square brackets.
The roles listed between the square brackets must be enclosed in quotes (i.e. strings).
Your JSON should look like this:
{
"shared-secret": "**********",
"user": "NACAdmin",
"ip-address": "1.2.3.4",
"identity-source": "Aruba ClearPass Policy Manager",
"calculate-roles": 0,
"fetch-user-groups": 0,
"fetch-machine-groups": 0,
"roles": ["Role Test"]
}
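As an added example (not code from this thread, nor Check Point's or Aruba's own tooling), a small Python check that catches the malformed add-identity bodies discussed here before they are posted: roles sent as a string instead of an array of strings, a body with no ip-address, and a role name whose capitalization does not match a defined Identity Tag. The set of defined Identity Tags is a constructed sample.

```python
import json

# Constructed sample of Identity Tags defined on the gateway (assumed names, not from the thread).
DEFINED_IDENTITY_TAGS = {"Role Test", "CPPM"}

def validate_add_identity(body, defined_tags=DEFINED_IDENTITY_TAGS):
    """Return a list of problems with an IA add-identity body; an empty list means it is well-formed."""
    problems = []
    # The secret and the ip-address must be present; an empty or absent value is reported.
    for key in ("shared-secret", "ip-address"):
        if not body.get(key):
            problems.append(f"missing required field '{key}'")
    roles = body.get("roles")
    if roles is not None:
        if not isinstance(roles, list):
            problems.append(f"'roles' must be a JSON array, not {type(roles).__name__}")
        else:
            for role in roles:
                if not isinstance(role, str):
                    problems.append(f"role {role!r} must be a string")
                elif role not in defined_tags:
                    # Identity Tags are matched with the exact capitalization used on the source
                    near = [t for t in defined_tags if t.lower() == role.lower()]
                    hint = f" (case differs from {near[0]!r})" if near else ""
                    problems.append(f"role {role!r} has no matching Identity Tag{hint}")
    return problems

def parse_and_validate(raw):
    """Parse a raw JSON request body (e.g. copied from a packet capture) and validate it."""
    try:
        body = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"invalid JSON: {exc.msg}"]
    if not isinstance(body, dict):
        return ["body must be a JSON object"]
    return validate_add_identity(body)

# The body posted in the thread, with roles given as a string instead of an array
ORIGINAL_BODY = ('{"shared-secret":"**********", "user": "NACAdmin","ip-address":"1.2.3.4",'
                 '"identity-source": "Aruba ClearPass Policy Manager","calculate-roles":0,'
                 '"fetch-user-groups": 0,"fetch-machine-groups": 0,"roles": "[%{Role Test}]"}')
# The corrected body: roles is an array of strings
FIXED_BODY = ORIGINAL_BODY.replace('"[%{Role Test}]"', '["Role Test"]')

if __name__ == "__main__":
    for label, raw in (("original", ORIGINAL_BODY), ("fixed", FIXED_BODY)):
        print(label, parse_and_validate(raw) or "OK")
```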
Hi PhoneBoy, thanks for your reply.
I have successfully sent a manual API call and the Checkpoint Firewall has added an identity for the user. Currently, I am having an issue with ClearPass sending the API call automatically to Checkpoint. Through capturing packets with Wireshark at the Firewall, I observed that there was a POST message sent from ClearPass. However, there is no record in the IA blade log. What should I do to debug this case? Please help me.
Can you see the exact API call with JSON body sent by Clearpass to the gateway?
Without that, and given that you were able to make a successful API call on your own, I assume this issue is on the Clearpass side.
Yes, I have captured the API packet sent to Checkpoint in Wireshark: ClearPass is not enclosing the ip-address parameter in outgoing communications, thus the current issue lies with ClearPass. I have opened a case with Aruba TAC and hope they can assist me in resolving this issue. Additionally, I would like to inquire about licenses for the lab. Where can I obtain a temporary license, as my current lab setup will run out of its license in a few days?
You can generate evaluation licenses via UserCenter, as described here: https://community.checkpoint.com/t5/General-Topics/How-to-Request-an-Evaluation-License-for-Security...
Hi, kindly answer one more question. When I turn up Identity Awareness on the Firewall and use the AD Query option to connect the Firewall to the AD/LDAP server, I see there is a note that an Administrator account must be used. So, what is the admin account here? What are its privileges (e.g., domain admin, schema admin, or some other admin)? Do you have any documentation about this that you can share?
Start here: https://support.checkpoint.com/results/sk/sk93938
If you don't like users being part of the "Server Operators" group, see also: https://support.checkpoint.com/results/sk/sk104900
In general, we recommend using Identity Collector over ADQuery: https://support.checkpoint.com/results/sk/sk60301
To integrate the Checkpoint Firewall with an OpenLDAP server, what level of user permissions do I need to create at the LDAP end for the Firewall to be able to use the AD Query feature? Kindly guide me, thanks!
ADQuery uses WMI, which I'm fairly certain OpenLDAP does not implement.
In any case, we don't support the use of OpenLDAP for Identity Awareness.
Hi PhoneBoy,
I have successfully sent an API from ClearPass to Checkpoint. However, now I have a new issue with updating the Access Role on the Firewall. For every Role value that I send with the variable "calculate-roles" = 1, the Firewall automatically updates all my users into all the existing Access Roles on the Firewall.
How can I update the role for the user correctly on the firewall? Please guide me, thank you.
To use groups sent through the Identity Awareness API, they have to be created as Identity Tags using the same capitalization as defined on the source.
See: https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_IdentityAwareness_AdminGuide...
Hi PhoneBoy,
My config for the Access Role with the specified network is below:
So I'm confused whether, without the Access Role Up log, this user of mine can be correctly mapped to that CPPM Access Role or not?
The log you provided shows the roles that were mapped to the user (in your example CPPM).
Hi PhoneBoy, thanks for your response. One more question: with the log below, was my user updated with the new Access Role when the new API call was sent to the Firewall?
Did you check the full log card of each entry?
I assume it would be listed there if it was updated.
Yes, I checked the full log card of each entry and see the user login successful with the new roles. But on the test PC I don't see it affected.
"I don't see affected" please provide specifics about how you determined this.
Include screenshots of relevant rules and log entries (redacting sensitive details).
Hi PhoneBoy,
Now I have a new issue when operating with IA. In the IA log on the Firewall I see the user login successful like this:
However, with this PC, its traffic is still being processed by the Deny rule in the Policy instead of going through the Accept rule.
On the same PC, when I tried logging back into the ClearPass Agent with a different user, the traffic followed the correct path immediately. However, this issue only occurs the first time I apply the policy to direct the traffic. Once the users/IPs are stabilized, the issue no longer persists.
In the Access Role setting, I specify the source with the IP pool only, and the user with the "Any users" option. Should I try specifying the user with an authentication source like ClearPass (the source content of the API call)?
"this issue only occurs the first time I apply the policy to direct the traffic" please describe in more detail the precise steps taken here.
As far as I know, you can only specify Remote Access Clients as a specific identity source in an Access Role.
"this issue only occurs the first time I apply the policy to direct the traffic" - what I mean is that when I retry by sending a logout and re-login/login with another user, and the traffic goes through stably, this issue no longer affects it.
And this issue also occurs randomly within an IP pool when I configure the policy. Even though the devices are on the same network segment, it only happens on one or a few PCs.
So it's only the first login on which this occurs, correct?
Further, it's not consistent, correct?
You're probably going to need a TAC case to investigate this.
https://help.checkpoint.com
