Cisco API and third party access

Niklas.D
Level 1

Hi 

 

I have a third party firewall, (Checkpoint) and i am trying to get my Security Groups to the firewall. 

 

The Firewall can access the ISE, and i see all my Security Groups, but when accessing a SGT there are no IPS in it. 

is there easy way to make sure that i setup my ISE correct for this to work? 

 

Maybe i am missing something? that is my feeling that i missed something in the Creation of the SGT or ISE API. 

 

 


7 Replies

Niklas.D
Level 1

I was looking at this, and it contains "IP" for example, but I can't get it out of the ISE.

 

https://developer.cisco.com/docs/identity-services-engine/v1/#!sgmapping

 


 

Also, I have around 3000 devices connected but only 25 devices in Work Centers -> TrustSec -> Dashboard.

 

Greg Gibbs
Cisco Employee

I'm not sure I understand what you are trying to do using the REST API. Checkpoint supports direct integration with ISE via pxGrid to allow ISE to share Scalable Groups and IP-SGT bindings that Checkpoint can then use in firewall policies.

https://community.checkpoint.com/t5/General-Topics/White-Paper-Integration-of-Check-Point-Identity-Collector-and/td-p/53429

 

Yeah, I have been looking at this also, and tried it too.

 

And I always get no hits; it's like the ISE SGTs are empty, both via pxGrid and/or the API.

 

Even when I curl this:

https://developer.cisco.com/docs/identity-services-engine/v1/#!sgmapping

It even says it should contain the IP of the hosts.

As the Checkpoint document states... "It allows the use of TrustSec security groups in the security policy according to the static IP-to-SGT mappings in ISE"

These are specifically the admin-created mappings found on the Work Centers > TrustSec > Components > IP SGT Static Mapping page. This is the same info returned by the '/ers/config/sgmapping' REST API call.

Dynamic IP-SGT bindings for endpoint sessions are stored in the Session Database and published by the pxGrid Session Directory topic. There is no single ERS API call that allows you to extract all dynamic IP-SGT bindings from ISE. This is where the pxGrid integration would be used to allow the Checkpoint Identity Collector to learn these mappings as they are created/updated.

If the Checkpoint ID Collector is integrated correctly via pxGrid, but is not learning the IP-SGT bindings via the pxGrid topic(s), you might need to open a TAC case to investigate further.
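As an added example (not code from this thread or from Cisco), the Python below pulls exactly the set Greg describes, the admin-created static mappings behind '/ers/config/sgmapping': it pages through the ERS list, resolves each entry to its detail record, and then shows which endpoint IPs fall outside that set and therefore can only reach a consumer such as the Checkpoint Identity Collector through pxGrid. The ISE hostname, the ERS-admin credentials, and the hostIp/sgt/deployType keys of the sgmapping detail object are assumptions taken from the ERS documentation; the fixture and fake_get are constructed so the script runs offline.

```python
"""Pull the admin-created (static) IP-to-SGT mappings out of ISE over ERS.

Added example, not code from this thread or from Cisco. Assumes: ERS is enabled
on the PAN (TCP 9060), an ERS-admin account, and the documented ERS list shape
(SearchResult.resources[] with a per-resource 'link.href', plus 'nextPage' while
more pages remain). The detail keys hostIp / sgt / deployType are taken from the
ERS sgmapping docs; check them against your ISE version. FIXTURE and fake_get
are constructed so the script runs offline; swap in a real requests session to
query an ISE node.
"""
import copy
import ipaddress
from typing import Callable, Dict, Iterable, List

ISE = "https://ise.example.internal:9060"  # constructed hostname


def fetch_static_ip_sgt_mappings(base_url: str, get: Callable[[str], dict],
                                 page_size: int = 100) -> Dict[str, dict]:
    """Walk every page of /ers/config/sgmapping, follow each resource's own link
    for its IPToSGTMapping detail, and return {hostIp: detail}.

    'get' is any callable that returns the decoded JSON body for a URL. With
    requests it would be:
        s = requests.Session(); s.auth = ("ersadmin", "secret")
        s.headers["Accept"] = "application/json"
        get = lambda u: s.get(u, verify="/path/to/ise-ca.pem").json()
    ERS caps the page size at 100, hence the default.
    """
    mappings: Dict[str, dict] = {}
    url = f"{base_url}/ers/config/sgmapping?size={page_size}&page=1"
    while url:
        result = get(url)["SearchResult"]
        for res in result.get("resources", []):
            detail = get(res["link"]["href"])["IPToSGTMapping"]
            mappings[detail["hostIp"]] = detail
        url = result.get("nextPage", {}).get("href")  # absent on the last page
    return mappings


def lookup_static_sgt(ip: str, mappings: Dict[str, dict]):
    """SGT of the most specific static mapping covering 'ip', or None.
    Static mappings can be single hosts or subnets (hostIp like 10.10.30.0/24)."""
    addr = ipaddress.ip_address(ip)
    best = None
    for host_ip, detail in mappings.items():
        net = ipaddress.ip_network(host_ip, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, detail["sgt"])
    return best[1] if best else None


def dynamic_only(endpoint_ips: Iterable[str], mappings: Dict[str, dict]) -> List[str]:
    """IPs that no static mapping covers: ERS never returns these, so a consumer
    that reads only /ers/config/sgmapping sees them in no group. Their bindings
    exist only as sessions and have to arrive via pxGrid."""
    return sorted(ip for ip in endpoint_ips if lookup_static_sgt(ip, mappings) is None)


# ---- constructed fixture: two list pages of size 2 plus the detail GETs
def _res(mid: str) -> dict:
    return {"id": mid, "name": mid,
            "link": {"rel": "self", "type": "application/json",
                     "href": f"{ISE}/ers/config/sgmapping/{mid}"}}


FIXTURE = {
    f"{ISE}/ers/config/sgmapping?size=2&page=1": {"SearchResult": {
        "total": 3, "resources": [_res("m1"), _res("m2")],
        "nextPage": {"rel": "next", "type": "application/json",
                     "href": f"{ISE}/ers/config/sgmapping?size=2&page=2"}}},
    f"{ISE}/ers/config/sgmapping?size=2&page=2": {"SearchResult": {
        "total": 3, "resources": [_res("m3")]}},
    f"{ISE}/ers/config/sgmapping/m1": {"IPToSGTMapping": {
        "id": "m1", "hostIp": "10.10.20.5", "sgt": "Servers", "deployType": "ALL"}},
    f"{ISE}/ers/config/sgmapping/m2": {"IPToSGTMapping": {
        "id": "m2", "hostIp": "10.10.30.0/24", "sgt": "Printers", "deployType": "ALL"}},
    f"{ISE}/ers/config/sgmapping/m3": {"IPToSGTMapping": {
        "id": "m3", "hostIp": "10.10.30.77", "sgt": "Badge_Readers", "deployType": "ALL"}},
}


def fake_get(url: str) -> dict:
    """Offline stand-in for an HTTP GET that returns decoded JSON."""
    return copy.deepcopy(FIXTURE[url])


if __name__ == "__main__":
    static = fetch_static_ip_sgt_mappings(ISE, fake_get, page_size=2)
    for host_ip, d in static.items():
        print(f"{host_ip:<16} -> {d['sgt']}")
    # 192.168.140.102 is the endpoint from the session output later in the
    # thread: it has a session, not a static mapping, so ERS cannot show it.
    print("needs pxGrid:", dynamic_only(["10.10.20.5", "10.10.30.8", "192.168.140.102"], static))
```

Run it against a real node by replacing fake_get with a requests-backed callable as shown in the docstring; anything that comes back in dynamic_only is, by construction, an endpoint the firewall can only learn about from the pxGrid Session Directory topic.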

 

Thank you Greg for clearing this up for me!

 

So for dynamic, only the collector will work!

 

Copied from private message so that others with similar questions may learn as well...

 

Question from @Niklas.D:

So as I said before, I tried to use the collector also!

And we did get a lot of info, but could not get the IP into Checkpoint.

Is there a way to see what is in the pxGrid database, to confirm that it is working?

 

Response:

The session database is quite dynamic, so you would need to confirm if Checkpoint provides a way to list out all of the known (static and dynamic) IP-SGT bindings learned via pxGrid.

There is no way from the ISE GUI to list the sessions in the pxGrid Session topic; however, you can leverage the pxGrid API to pull this information directly. See the information on Cisco DevNet related to the pxGrid API.

One of my colleagues also built a python library that leverages the pxGrid API that is useful for this kind of testing. You can find his GitHub page here.

Example output from the 'session all' command using this client tool:

{
  "sessions": [
    {
      "timestamp": "2021-12-01T09:29:44.438+11:00",
      "state": "STARTED",
      "userName": "grzwin10pc1.domain.local",
      "callingStationId": "00:50:56:8D:C9:44",
      "calledStationId": "00:56:2B:80:C0:86",
      "auditSessionId": "C0A8642300000044EDAB61E1",
      "ipAddresses": [
        "192.168.140.102"
      ],
      "macAddress": "00:50:56:8D:C9:44",
      "nasIpAddress": "192.168.120.35",
      "nasPortId": "GigabitEthernet0/6",
      "nasPortType": "Ethernet",
      "endpointProfile": "Windows10-Workstation",
      "endpointOperatingSystem": "Windows 10 Pro",
      "ctsSecurityGroup": "Employees",
...
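A way to check what session records of the shape above would actually yield, as an added example rather than code from the thread or from Cisco: reduce the records to the IP-to-SGT bindings a firewall could use and count the sessions that produce none. The field names (state, timestamp, ipAddresses, ctsSecurityGroup) are taken from the 'session all' output above; the SESSIONS list is constructed, and the "newest session wins" tie-break for an IP claimed by two sessions is the example's own choice.

```python
"""Reduce pxGrid Session Directory records (the shape printed above) to the
IP-to-SGT bindings a firewall could actually use, and count why the rest
produce none.

Added example, not the thread's or Cisco's code. Field names (state, timestamp,
ipAddresses, ctsSecurityGroup) come from the 'session all' output above; the
SESSIONS list is constructed. The conflict rule, newest session wins when two
sessions claim the same IP, is this example's own choice.
"""
from collections import Counter
from datetime import datetime
from typing import Dict, Iterable, Tuple

# Constructed records, trimmed to the fields that matter for a binding.
SESSIONS = [
    {"timestamp": "2021-12-01T09:29:44.438+11:00", "state": "STARTED",
     "userName": "grzwin10pc1.domain.local", "ipAddresses": ["192.168.140.102"],
     "ctsSecurityGroup": "Employees"},
    # authorized, but the authorization profile assigned no SGT -> no binding
    {"timestamp": "2021-12-01T09:30:10.000+11:00", "state": "STARTED",
     "userName": "printer-07", "ipAddresses": ["192.168.140.50"]},
    # session already torn down -> nothing to publish for this IP
    {"timestamp": "2021-12-01T09:31:02.000+11:00", "state": "DISCONNECTED",
     "userName": "contractor1", "ipAddresses": ["192.168.140.60"],
     "ctsSecurityGroup": "Contractors"},
    # authenticated with an SGT, but ISE has not learned an IP for it yet
    {"timestamp": "2021-12-01T09:32:15.000+11:00", "state": "STARTED",
     "userName": "new-laptop", "ipAddresses": [], "ctsSecurityGroup": "Employees"},
    # dual-stack host: one session, two addresses, both get the SGT
    {"timestamp": "2021-12-01T09:33:40.000+11:00", "state": "STARTED",
     "userName": "srv01", "ipAddresses": ["10.10.20.9", "fd00:10:10:20::9"],
     "ctsSecurityGroup": "Servers"},
    # stale session for an IP later reassigned to grzwin10pc1 -> loses on age
    {"timestamp": "2021-12-01T08:02:00.000+11:00", "state": "STARTED",
     "userName": "guest-4411", "ipAddresses": ["192.168.140.102"],
     "ctsSecurityGroup": "Guests"},
]


def bindings_from_sessions(sessions: Iterable[dict]) -> Tuple[Dict[str, str], Counter]:
    """Return ({ip: sgt}, Counter of per-session outcomes).

    A session only yields a binding when it is STARTED, carries an SGT and has
    at least one learned IP. The counter is the useful diagnostic: a large
    'no_sgt_assigned' bucket means endpoints authenticate fine but the
    authorization policy never tags them, so every group looks empty downstream.
    """
    newest: Dict[str, Tuple[datetime, str]] = {}
    outcome: Counter = Counter()
    for s in sessions:
        if s.get("state") != "STARTED":
            outcome["not_started"] += 1
            continue
        sgt = s.get("ctsSecurityGroup")
        if not sgt:
            outcome["no_sgt_assigned"] += 1
            continue
        ips = s.get("ipAddresses") or []
        if not ips:
            outcome["no_ip_learned"] += 1
            continue
        outcome["bound"] += 1
        when = datetime.fromisoformat(s["timestamp"])  # offset-aware, comparable
        for ip in ips:
            cur = newest.get(ip)
            if cur is None or when > cur[0]:
                newest[ip] = (when, sgt)
    return {ip: sgt for ip, (_, sgt) in newest.items()}, outcome


if __name__ == "__main__":
    table, why = bindings_from_sessions(SESSIONS)
    for ip, sgt in sorted(table.items()):
        print(f"{ip:<20} {sgt}")
    print(dict(why))
```

Feed the real 'session all' JSON into bindings_from_sessions and compare the counter against the session total: if most sessions land in no_sgt_assigned, the gap is in the ISE authorization policy rather than in the pxGrid or collector side.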