Regular Contributor I

Clearpass Generic HTTP Context Server - Checkpoint

Hello Everyone,


I was wondering if anyone has tried to set up any context server integration with CPPM and Checkpoint firewalls.


Our end goal is to enable Checkpoint to apply different firewall policies to different roles of guests. What we would like to do is to write rules in Checkpoint based on user roles defined in Clearpass and Aruba, and have Checkpoint apply different rules based on these roles.


Does anyone have any documentation of having CPPM talk to Checkpoint to pass user/group/role information, and then how this can be processed inside Checkpoint? I believe I heard from someone in the past that this might be possible using the Generic HTTP context server in 6.5, but I can't find much information about how this works.



Guru Elite

Re: Clearpass Generic HTTP Context Server - Checkpoint

There are native Checkpoint server actions in 6.5. These update the Checkpoint with username/IP combinations. So you're looking to add more

| Tim Cappalli | Aruba Security | @timcappalli | |

NOTE: Answers and views expressed by me on this forum are my own and not necessarily the position of Aruba or Hewlett Packard Enterprise.
Regular Contributor I

Re: Clearpass Generic HTTP Context Server - Checkpoint

I guess my confusion is that Checkpoint will not understand a random username. For example, if we have an anonymous guest with user '883883', how is that handled in Checkpoint?


I get that for AD users this makes sense as Checkpoint can be aware of domain users, and when it gets passed a username it can find this user in AD, and then apply rules based on AD Groups.


However, for a guest user, if we just pass the guest username, how will Checkpoint know if it's a Guest or a Contractor? Looking in Clearpass, the action for the Checkpoint is:


[{"command":"add_user","username":"%{name}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",......


Could we change it up so that it says something like:

[{"command":"add_user","username":"%{role}","ip":"%{ip}", "machine_name":"%{machine}","domain":"%{domain}",.......


Would this pass the TIPS role as the username? Then we could fake it by creating users in AD with the username set to our Clearpass roles? Then Checkpoint could look up these 'users' and find a group. We could then write rules in Checkpoint with these groups?

I guess my confusion lies in how Checkpoint uses this information, and what the best information would be to pass for guest users?
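The two action templates quoted in the post above, rendered end to end, as an added example that is not part of the original thread and not ClearPass or Check Point code. It assumes that a context server action expands each %{attribute} by plain text substitution into the JSON body before the HTTP POST (the thread does not say how ClearPass does this), and it closes the posted template after the visible "domain" field purely for illustration, since the post truncates it with "......"; the two sessions are constructed sample data. It shows what the receiving side can recover from the username field in each variant (the guest's '883883' versus the role name), and one check a practitioner would want on any template-driven integration like this: a value containing a double quote breaks an unescaped body, so the render function JSON-escapes every substituted value.

```python
"""Render ClearPass-style %{attr} templates into the JSON body a context
server action would POST, and parse the result as the receiving side would.

Constructed example for the thread above. Only the fields visible in the
posted template (command, username, ip, machine_name, domain) are used.
"""
import json
import re

PLACEHOLDER = re.compile(r"%\{([A-Za-z_][A-Za-z0-9_]*)\}")

# Two constructed sessions, not real ClearPass data. The keys mirror the
# %{...} variables used in the posted action template plus %{role}.
SESSIONS = {
    "guest": {"name": "883883", "ip": "10.20.30.40",
              "machine": "", "domain": "", "role": "Guest"},
    # A username containing a double quote, to show the escaping problem.
    "contractor": {"name": 'jdoe"contract', "ip": "10.20.30.41",
                   "machine": "LAPTOP-7", "domain": "", "role": "Contractor"},
}

# The visible part of the posted template, closed as a complete JSON array
# for illustration (the original post truncates it with "......").
TEMPLATE_BY_NAME = ('[{"command":"add_user","username":"%{name}","ip":"%{ip}",'
                    '"machine_name":"%{machine}","domain":"%{domain}"}]')
# The variant the poster proposes: the role in place of the username.
TEMPLATE_BY_ROLE = TEMPLATE_BY_NAME.replace("%{name}", "%{role}")


def render_naive(template, attrs):
    """Plain text substitution, as a simple template engine would do it.
    Values are not escaped, so a quote in an attribute breaks the JSON."""
    return PLACEHOLDER.sub(lambda m: attrs[m.group(1)], template)


def render_json_safe(template, attrs):
    """Substitute with JSON string escaping so any attribute value stays
    inside its quoted field. json.dumps(value)[1:-1] is the escaped body
    without the surrounding quotes, which the template already supplies."""
    def repl(m):
        key = m.group(1)
        if key not in attrs:
            raise KeyError(f"template references unknown attribute %{{{key}}}")
        return json.dumps(str(attrs[key]))[1:-1]
    return PLACEHOLDER.sub(repl, template)


def parse_commands(body):
    """What the receiving side can recover: a list of (command, username, ip).
    Returns None if the body is not a JSON array of objects with those keys."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    if not isinstance(data, list):
        return None
    out = []
    for cmd in data:
        if not isinstance(cmd, dict) or not all(k in cmd for k in ("command", "username", "ip")):
            return None
        out.append((cmd["command"], cmd["username"], cmd["ip"]))
    return out


if __name__ == "__main__":
    for label, attrs in SESSIONS.items():
        for tname, tpl in (("by name", TEMPLATE_BY_NAME), ("by role", TEMPLATE_BY_ROLE)):
            print(f"{label:10s} {tname}: {parse_commands(render_json_safe(tpl, attrs))}")
    # Naive substitution of the contractor's quoted username yields a body
    # that does not parse at all on the receiving side.
    naive = render_naive(TEMPLATE_BY_NAME, SESSIONS["contractor"])
    print("naive contractor body parses:", parse_commands(naive) is not None)
```

With the by-name template the firewall side sees username 883883 and has nothing to map it to; with the by-role template it sees "Guest", which is the value the poster wants to match a rule on. Whether the real endpoint accepts a role name in the username field is exactly the question left open in the thread, so the example only shows the payloads, not a working Check Point rule.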





Re: Clearpass Generic HTTP Context Server - Checkpoint



I'll hopefully have the CheckPoint TechNote released early next week....


The context server actions in 6.5 will not help you currently.... they are in there for a release of FW-1 that is not FCS yet.



Best Regards

ClearPass Product Manager

-- Found something helpful, important, or cool? Click the Kudos Star in a post.
-- Problem Solved? Click "Accept as Solution" in a post.
Regular Contributor I

Re: Clearpass Generic HTTP Context Server - Checkpoint

Thanks for the quick reply, Danny. I look forward to checking out the TechNote when it's available.




Re: Clearpass Generic HTTP Context Server - Checkpoint

CheckPoint Integration TechNote 1.2


Check here for all the latest technotes




Systems Engineer, Northeast USA
