cp-pxgrid is a client implementation of Cisco's pxGrid Security Product Integration Framework (SPIF) that subscribes and reads from pxGrid and sends in this project, via Identity Awareness API identity information to Check Point firewalls. This is done so that user or machine identities from Cisco ISE can be used in firewall rules using Check Point Identity Awareness.
pxGrid runs primarily on Cisco ISE but all manner of products can publish data to pxGrid that is then spread to other subscribers. pxGrid uses STOMP as a message broker much like MQTT. WebSockets can be used to create an low-overhead communication channel for streaming STOMP data.
In the larger scheme of things, Cisco ISE is primarily used on networks implementing 802.1x with RADIUS as the authentication, authorization and accounting protocol of choice.
- Python 3.6 or later
- Python module requirements via
pip3
It's almost simple, lots of steps though. All this on a Debian 10.3.
- Generate your pxGrid certificate from ISE. Important!
scpthe zip-file to your server.
user@host:~$ apt-get install unzip python3-venv python3-pip
user@host:~$ unzip <zip-file> -d pxgrid-cert
user@host:~$ git clone https://github.com/durd/cp-pxgrid.git
user@host:~$ cd cp-pxgrid
user@host:~/cp-pxgrid$ pip3 install -r requirements
user@host:~/cp-pxgrid$ mkdir /usr/local/cp-pxgrid
user@host:~/cp-pxgrid$ cp python/ /usr/local/cp-pxgrid/
user@host:~/cp-pxgrid$ cd /usr/local/cp-pxgrid/
user@host:/usr/local/cp-pxgrid$ cp ~/pxgrid-cert .
user@host:/usr/local/cp-pxgrid$ cd pxgrid-certThis will remove the password you set in ISE, so that we can run the script as a daemon/service. The other option is to have the password in plain text in the service-files. Not much better.
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ openssl rsa -in <private key> -out <private key>.1
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ rm <private key>
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ mv <private key>.1 <private key>
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ chmod 644 <private key>
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ cd ..Before proceeding, make sure you have added your host to your Checkpoints gateways list of allowed hosts for Identity Web API and saved the PSK. Also make sure you allow traffic to the gate by selecting an appropiate setting in Client Access Permissions for your setup.
user@host:/usr/local/cp-pxgrid$ cp gwconfig.py.example gwconfig.pyOpen gwconfig.py with your favourite editor. Add the HA/VIP-address of your gateway (the IP in the gw object in SmartConsole) and PSK for it, save and exit the editor
user@host:/usr/local/cp-pxgrid/pxgrid-cert$ cd ~/cp-pxgrid
user@host:~/cp-pxgrid$ cp cp-pxgrid.logrotate /etc/logrotate.d/cp-pxgrid
user@host:~/cp-pxgrid$ cp cp-pxgrid.rsyslogd.conf /etc/rsyslog.d/cp-pxgrid.conf
user@host:~/cp-pxgrid$ systemctl restart rsyslogEdit all *.service files to fit your setup regarding ISE hostnames, nodenames, paths, and filenames of certificates and keys. The .timer file references a .service file, make sure it still corresponds! Else the bulkdl-script will not execute and sessions will time out on the firewall.
user@host:~/cp-pxgrid$ cp *.service *.timer /etc/systemd/system/
user@host:~/cp-pxgrid$ systemctl enable cp-pxgrid-bulkdl-reboot.service cp-pxgrid.service cp-pxgrid-bulkdl.timerIf the information in the .service-files, the IP of the gate and its PSK are correct then:
user@host:~/cp-pxgrid$ systemctl start cp-pxgrid.service cp-pxgrid-bulkdl.timerYou should start seeing output in /var/log/cp-pxgrid.log
Look for errors in systemctl status <service> or in /var/log/syslog if need be.
We were working on implementing an 802.1x-network, and using the logged in identities to be able to create firewall rules based on machine and username identities and in extension Active Directory groups and identities. Machine identities didn't work as intended after some time and we were told that pxGrid was sending out the wrong information.
I had noticed earlier that machine identities were used as usernames on the firewall instead of machine. I never thought anything about this as the feature worked as expected anyway. I asked Check Point what values from pxGrid they were matching against, so that I could get back to Cisco. I never got an answer to this. I finally was told that our Cisco ISE was a version they did not support, IDC supported ISE v2.4 and we had been on v2.6 for quite some time.
Either way, I got tired of waiting on TAC, and remembering about pxgrid-rest-ws I preemptively started developing this project. Oh yes, clients with IPv6 was broken on Check Points IDC, but is supported with this project.
cp-pxgrid is implemented using Python and several Python modules with the intent of creating an asynchronous (non-blocking) client in case a firewall is too slow to respond or that there is too much data coming from pxGrid.
Cisco ISE is configured with no reauthentication as recommended by Cisco, probably because overloading ISE is possible otherwise. Reauthentication can also only be configured by as much as 65535s or 18 hours. Reauthentication also relies entirely on the clients supplicant being responsive and work every time. RADIUS accounting is configured as default from the cat9300 l3-switch which is 12h. Accounting is used by ISE to keep a session updated and active, it is also more lightweight and only relies on the switch to see an active session.
Note: This script is currently only for machine authentications as Check Points Identity Collector works well for user authentications. Check Point is working on supporting Cisco ISE v2.6, which I hope fixes machine authentications. The script however is very easily extended to support user authentications, the code is half there already. Even better, it can also run on Linux.
When the above script is running with ~300 klients on a WIFI network, CPU-usage on the 1 vcpu server is practically 0%, memory usage is 0,7% on the same server with 4GB of RAM. Stats for an entire wired network with ~800 clients is coming.
Should be run within the configured fetchhours in gwconfig.py by either CRON or the supplied systemd timer. It collects and injects the created and updated sessions from ISE, so that there is an overlap against fetchhours. This script actually keeps the identity sessions on the firewall active and extends the sessions timeout everytime it is run, unless a session is removed of course.
The most CPU intensive script is session_query_reboot.cp.py which is supposed to be run at server startup or reboot. The script downloads the complete session database from ISE. This is so because it is unknown for how long the server reboots for or is stopped for maintenance or downtime. Typically run on the same server as above, CPU usage is ~21% and runs for ~4s as measured with the time command on Linux.
No consideration has actually been taken to the inevitablity of a firewall reloading. Even firewalls in active/active or active/standby configuration might die because of hardware failure, power outage or simply a bug in software.
Care should be taken to manually run session_query_reboot.cp.py to populate the firewalls identity session table. A simple reboot of a cp-pxgrid server could also be done.
Check Points Identity Awareness is so pragmatic that if the firewall receives multiple updates for the same identity, it simply extends the identity sessions timeout accordingly to the supplied session-timeout API attribute.
Therefore, this project can be run on 2 or more servers without any synchronisation without issue. As long as one server has access to the Identity Awareness API and Cisco ISE, all is well.
All scripts log to syslog under their own programnames for the sake of rsyslogd. There are different loglevels, but all logs can be customised in the scripts.
An example of sorting the programname to a specific logfile is included. Also included is configuration file for logrotate.
There are a few shortcomings of pxGrid, for example no session timeout is published along with the data. This makes it hard to create a timeout of the identity session on the firewall and created the need for session_query_all.cp.py. Check Point IDC creates its own database containing identities received on pxGrid. Based on the time received, the software queries ISE for that particular IP to see if ISE still has a session for it or not. This specific implementation was out of scope for this project and therefore not implemented. It could potentially have smoothed out the periodic gathering of updated sessions.
MQTT would maybe have been a better choice of message broker as it allows for buffering of messages to ensure all subscribers receive the same information, it would have alleviated the need for both session_query_all.cp.py and session_query_reboot.cp.py. Iirc this is called MQTT QoS, not to be confused with network QoS.
Also, filtering! Allow for filtering of sessions! Like, I only want sessions that have state: STARTED.
Another shortcoming is Check Points Identity Awareness API, that it does not support a session-timeout of 0 to account for ISE by default not having a timeout in pxGrid on active sessions. There is a reason for this of course, and I can see that having 0 is practically unlimited. If there for some reason is no DISCONNECT that would clear that session, this could expend memory the firewall could use for its connection table instead.
I'm not a python programmer. I actually don't consider myself a programmer or developer at all. It has always been from necessity. Hence some code is probably unnecessary or could be moved to a function. I'm not sure asyncio is done right, because I simply don't know how I would test it.
All pull requests are welcome of course.
This project relies very heavily on Cisco's example project of a pxGrid v2.0 client pxgrid-rest-ws. Everything below is from the original README of Cisco's repo. The latest version is of course available at Cisco's repo above.
It was fun learning about Git more properly and actually using Python for real for once. Python did get on my nerves a few times regarding data types and variable references. But all was figured out, probably not remembered but why else would Google and StackOverflow exist?
pxGrid is a protocol framework that defines the control mechanisms to facilitate machine-to-machine communications.
Benefits of using pxGrid:
- Reduce complexity of meshed network
- Centralized authentication and authorization
- Service abstraction
- Minimize human configuration errors
This project contains documentation and samples to use pxGrid.
See documentation to learn how to use pxGrid.