This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
ChristianCastil
Employee
Employee
‎2021-11-26 08:31 AM
In response to Harald_Hansen

here is my explanation.

to run a script on the management, we need to point it at management level in the cme.

"autoprov_cfg set management -cs <path to script>"; this will instruct to management a script to run on itself

Now at template level, we will have a flag called Custom Parameter, this one is trigger every time a GW appears or disappear from the Controller and is added to the management, the custom parameter pass to the management script from the "$3" option, the first and second options are automatically handled by CME, first is "add" or "delete" and second is the new GW name.

so for example in your case the CME config can see like this;

controllers:
azuresandbox:
class: Azure
credentials:
"client_id": "XXXXXXXXXXXXXX"
"client_secret": "__protected__autoprovision/controllers/617A75726573616E64626F78/credentials/client_secret"
"grant_type": "client_credentials"
tenant: "XXXXXXXXX"
subscription: XXXXXXXXXXX
delay: 30
management:
custom-script: "/home/admin/script/enableautonomous.bash"
host: localhost
name: mgmt
templates:
vmssvdi:
application-control: true
custom-parameters: "autonomous vmss-rb"
https-inspection: true
identity-awareness: true
one-time-password: "__protected__autoprovision/74656D706C61746573/766D7373766469/one-time-password"
policy: vmss-rb
url-filtering: true
version: "R81.10"

That means when a new GW is added you will enable blades by the CME and also you will call the script "enableautonomous.bash" and pass parameter "add" "gwname" (this by default) "autonomous" "vmss-rb", now if in the script you have something like this;

 

#!/bin/bash
: ' ------- No supported in production ------- Enable features Needs to be run in Autoprovision template with "autonomous" as a custom parameter 
------- No supported in production ------- 
' 
. /opt/CPshared/5.0/tmp/.CPprofile.sh 
AUTOPROV_ACTION=$1 
GW_NAME=$2 
CUSTOM_PARAMETERS=$3 
RULEBASE=$4 

if [[ $AUTOPROV_ACTION == delete ]] 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS != autonomonous ]]; 
then 
exit 0 
fi 

if [[ $CUSTOM_PARAMETERS == autonomonous ]] 
then 
INSTALL_STATUS=1 
POLICY_PACKAGE_NAME=$RULEBASE 

echo "Connection to API server" 
SID=$(mgmt_cli -r true login -f json | jq -r '.sid') 
GW_JSON=$(mgmt_cli --session-id $SID show simple-gateway name $GW_NAME -f json) 
GW_UID=$(echo $GW_JSON | jq '.uid') 

echo "enabling autonomous" 
mgmt_cli --session-id $SID set simple-gateway uid $GW_UID threat-prevention-mode autonomous 

echo "Publishing changes" 
mgmt_cli publish --session-id $SID 

echo "Install policy" 
until [[ $INSTALL_STATUS != 1 ]]; do 
mgmt_cli --session-id $SID -f json install-policy policy-package $POLICY_PACKAGE_NAME targets $GW_UID INSTALL_STATUS=$? 
done 
echo "Policy Installed" 
echo "Logging out of session" 
mgmt_cli logout --session-id $SID 
exit 0 
fi
exit 0

 

 

this is to run a script on the management, also there is a flag called "-nk" this one do a "set simple-gateway" API call, so you can use it on the template directly as "-nk threat-prevention-mode autonomous" this is simpler.

 

HOPE ALL IS CLEAR

View solution in original post

(1)
Who rated this post