Greg_Harewood
Contributor

How do I turn on IA from mgmt_cli?

Hi,

--> How do I turn on IA from mgmt_cli?

Actually my question is really more general.  The gw object contains a field identityAwareBlade, which when used contains an owned object.  Within that is a field identityAwareBladeInstalled with a simple string value to say whether it is turned on.

If you have enabled and disabled the blade, then the object is in place and the blade can be flipped with the identityAwareBladeInstalled field.  If it's never been turned on, then the owned object is not present.

So my question is really more general than IA.  It is:

--> How do you create a single owned object?

I know how to create an owned object in an array - this is well documented for adding interfaces:

set generic-object uid FWUID interfaces.add.create "com.checkpoint.objects.classes.dummy.CpmiClusterInterface" \
    interfaces.add.owned-object.netmask "255.255.255.0" \
    interfaces.add.owned-object.ipaddr 22.22.22.22

But in this case there is no array.  I also cannot even try the same syntax because fishing inside the identityAwareBlade field in a working IA installation does not reveal an object class, which would be required to experiment with the above syntax. There is an objectclass in dbedit but that's not very useful as there is some guesswork in translating between the two.

So I'm stuck.  Any help would be appreciated! Thanks!

(Follow-on question... is there a table of object schema anywhere?)

8 Replies
PhoneBoy
Admin

This might have to be done with dbedit itself, though I'm not sure of the syntax there either.
Paging @Omer_Kleinstern 

Uriel_F
Employee

I wouldn't recommend turning on the Identity Awareness blade using the generic API. 

Even if we got exactly all the changes that are done in the DB on the GW object, there is other logic that is executed during the enablement of this blade which is not straightforward, and requires some thorough investigation to get right.

Providing a formal API to enable and configure this blade is on our roadmap, and should be available in future versions; however, I can't say exactly when at the moment.

Greg_Harewood
Contributor

So I've got as far as...

set generic-object uid FWUID identityAwareBlade.create "com.checkpoint.objects.classes....identityAwareBlade??" \
    identityAwareBlade.identityAwareBladeInstalled INSTALLED

This gets me forward a little, having found the syntax for adding a single owned object not in an array.  But I still need the object class name.

@Uriel_F - I appreciate your caution. What I didn't say is that I got a start on this from Yevgeniy Yeryomin, who gave me a relevant Ansible runbook that he's used before. He's either not worried about side effects for our application, or the engine that processes the Ansible runbook is doing some other magic that I need to get to the bottom of. In any case the relevant section is...

## Step 10: Modify gateway object, IDA blade parameters
- name: "Modify gateway object, IDA blade parameters"
  check_point_mgmt:
    command: set-generic-object
    parameters:
      uid: "{{ gwuid }}"
      identityAwareBlade:
        identityAwareBladeInstalled: "INSTALLED"
        enableIdaApi: "true"
        shareIdentitiesWithOtherGateways: "false"
        enableOtherGateways: "false"
        iaMaxAuthenticatedUsers: "70000"
        iaMaxEnforcedIdentities: "70000"
        cccMaxMsgSize: "65535"
        publishMethod: "PUSH"

There's a bit more to it but you can see that for our application we are going to have a very simple configuration that relies only on a pdp/pep share from another gateway, which is possibly why we can get away with enabling it this way.

Please help me with the object class so that I can convert the script. I'm not sure what magic Ansible is pulling to not need to know it, but mgmt_cli and web_api both seem to need it and cannot magically guess what kind of object goes in here.
Greg_Harewood
Contributor

So the answer is...

cat > dbEdit.tmp <<EOF
modify network_objects ${GWNAME} identity_aware_blade identity_aware_blade
modify network_objects ${GWNAME} identity_aware_blade:identity_aware_blade_installed installed
update_all
EOF

dbedit -s ${DOMAINIP} -u "${SCRIPTUSER}" -p "${SCRIPTPASS}" -f dbEdit.tmp

It requires side effects and dbedit seems to be the one supported scripting choice that already includes the correct side effects when enabling IA.

Harald_Hansen
Advisor

Any update on the formal API implementation? I checked R81.10 and didn't find any IA feature here either. 

Is it possible to share the API roadmap? It would at least temper expectations.

Stuart_Green1
Employee

Hi all,

I've followed some of the tips here and, with a little trial and error, got IA enabled using only the API. The usual disclaimer applies when using the generic-object approaches, of course, but this works and is consistent when applied automatically. This is an excerpt from a larger Ansible playbook, but the general flow is:

- Get the UID of the gateway you're enabling IA on (in this case, it's a VS).

- Create a localhost object with the IP of 127.0.0.1

- Capture the UID for this (or look up the UID of an object if one exists)

- Set the IA properties on the gateway with its UID, observing the proper formatting and schema structure. In this instance, I used the web API because it will accept JSON formatted data which is a lot easier to interpret than the mgmt_cli something.1 format (for me, at least).

# Play 1: create the 127.0.0.1 host object that will be whitelisted as an IDA API client
- name: Create localhost object for IDA whitelist
  hosts: chkpmds
  gather_facts: no
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
    ansible_ssh_common_args:
  tasks:
    - name: Create cloudguard_local object
      check_point.mgmt.cp_mgmt_host:
        auto_publish_session: true
        name: cloudguard_local
        ipv4_address: 127.0.0.1
        state: present

# Play 2: look up the two UIDs, then set the IA properties on the gateway (VS) object
- name: Configure Identity Awareness
  hosts: chkpmds
  gather_facts: no
  connection: httpapi
  vars:
    ansible_ssh_user:
    ansible_ssh_pass:
  tasks:
    - name: get localhost object UID
      check_point.mgmt.cp_mgmt_host_facts:
        name: cloudguard_local
    - name: get FW obj UID
      check_point.mgmt.checkpoint_object_facts:
        object_filter: "{{ vs_name }}"
    - name: UID for VS_1
      ansible.builtin.debug:
        var: ansible_facts.checkpoint_objects.objects.0.uid
        verbosity: 2
    - name: UID for localhost obj
      ansible.builtin.debug:
        var: ansible_facts.host.uid
        verbosity: 2

    # First call: create the single owned object identityAwareBlade and mark the blade INSTALLED
    - name: Set properties of IA object
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"create":"com.checkpoint.objects.classes.dummy.CpmiIdentityAwareBlade","owned-object":{"idaApiSettings":{"idaApiClientVerificationSettings":[]},"enableIdaApi":"True","idcSettings":[],"isCollectingIdentities":"True","identityAwareBladeInstalled":"INSTALLED"}}}'
    # Second call: add one client-verification entry (array member) pointing at the localhost object
    - name: Set IA API client verification entry
      uri:
        url: https://[mgmt IP]/web_api/v1.7/set-generic-object
        method: POST
        body_format: json
        headers:
          X-chkp-sid: "{{ login_token_details.json.sid }}"
        validate_certs: no
        body: '{"uid":"{{ ansible_facts.checkpoint_objects.objects.0.uid }}","identityAwareBlade":{"idaApiSettings":{"idaApiClientVerificationSettings":[{"create":"com.checkpoint.objects.identity_awareness_classes.dummy.CpmiIdentityAwareClientVerificationEntry","owned-object":{"preSharedSecret":"sausage123","whiteListClient":"{{ ansible_facts.host.uid }}"}}]}}}'


This gets the settings added to the object, then you need to install policy (or for a VS, make a dummy change via vsx_provisioning_tool to 'push' the config).

PhoneBoy
Admin

Wow, nicely done!

Tomer_Noy
Employee

Just updating that we are planning to include official Identity Awareness Management APIs for the gateway / cluster object in the upcoming R81.20.

You are more than welcome to join the EA to try it out, or reach out to @Alon_Alapi for more info.
