FortiGate
FortiGate Next Generation Firewall utilizes purpose-built security processors and threat intelligence security services from FortiGuard labs to deliver top-rated protection and high performance, including encrypted traffic.
sthapa
Staff
Article Id 190496
Description
This article describes how to troubleshoot the ClearPass Policy Manager (CPPM) API integration with FortiGate.

This feature allows the FortiGate to integrate with ClearPass by exposing an API to ClearPass, so that ClearPass can push the healthy/unhealthy state of endpoints to the FortiGate in real time for use in firewall policy.

Solution
The FortiGate follows the procedure below to validate a ClearPass Policy Manager (CPPM) API request.

1) The API request must come from a trusted host IP that is configured for the FortiGate REST API admin.
2) Next, the FortiGate validates the REST API key sent by the ClearPass Policy Manager (CPPM) server.

Tip: The Authorization header must use the Bearer key type.
-H "Authorization: Bearer <KEY>" -H "accept: application/json"
3) After REST API authorization, the FortiGate validates the POST data type and format.
The HTTP POST key 'endpoint_ip' must be an array, and the 'spt' key value must be a string.

Example:
-H "Content-Type: application/x-www-form-urlencoded"
-d "{'endpoint_ip' : ['10.10.10.2', '10.10.10.10', '172.16.80.203'], 'spt': 'healthy'}"
- Run the commands below to verify whether the API request coming from ClearPass Policy Manager (CPPM) is being authorized by the FortiGate firewall.
# dia debug reset
# dia debug application httpsd -1
# dia debug cli 8
# dia debug en
[httpsd 4548 - 1597584268     info] fweb_debug_init[301] -- New POST request for "/api/v2/monitor/firewall/clearpassaddress/add" from "172.26.x.x:30957"
[httpsd 4548 - 1597584268     info] fweb_debug_init[302] -- User-Agent: "python-requests/2.24.0"
[httpsd 4548 - 1597584268     info] fweb_debug_init[304] -- Handler "api_monitor_v2-handler" assigned to request
[httpsd 4548 - 1597584268  warning] api_access_check_for_api_key[964] -- API Key request authorized for ccpm from 172.26.x.x.    <----- The REST API key was accepted by the FortiGate.
[httpsd 4548 - 1597584268     info] api_store_parameter[239] -- add API parameter 'endpoint_ip' (type=array)    <----- POST data: endpoint addresses.
[httpsd 4548 - 1597584268     info] api_store_parameter[239] -- add API parameter    <----- POST data: 'spt' key (endpoint healthy/unhealthy state).
[httpsd 4548 - 1597584268     info] endpoint_process_req_vdom[858] -- new API request (action='add',path='firewall',name='clearpass-address',vdom='root',user='ccpm')
[httpsd 4548 - 1597584268     info] build_firewall_addr_clearpass_install[3562] -- Add 77.77.77.77 with SPT 1.    <----- SPT is '1', which indicates the healthy state.
[httpsd 4548 - 1597584268     info] fweb_debug_final[203] -- Completed POST request for "/api/v2/monitor/firewall/clearpass-address/add" (HTTP 200)    <----- HTTP 200 OK indicates success.
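As an added example (not from the article or from Fortinet), a small Python parser that reads httpsd debug output of the shape shown above and maps it onto the three validation steps. The sample log is constructed; the 'spt' (type=string) line is an assumption based on the article's statement that 'spt' must be a string, not a line copied from the page.

```python
import re

# Constructed sample in the shape of the "diagnose debug application httpsd -1"
# output shown in this article. The 'spt' (type=string) line is an assumption
# derived from the article's stated data type; it is not copied from the page.
SAMPLE_LOG = """\
[httpsd 4548 - 1597584268     info] fweb_debug_init[301] -- New POST request for "/api/v2/monitor/firewall/clearpass-address/add" from "172.26.1.1:30957"
[httpsd 4548 - 1597584268  warning] api_access_check_for_api_key[964] -- API Key request authorized for ccpm from 172.26.1.1.
[httpsd 4548 - 1597584268     info] api_store_parameter[239] -- add API parameter 'endpoint_ip' (type=array)
[httpsd 4548 - 1597584268     info] api_store_parameter[239] -- add API parameter 'spt' (type=string)
[httpsd 4548 - 1597584268     info] build_firewall_addr_clearpass_install[3562] -- Add 77.77.77.77 with SPT 1.
[httpsd 4548 - 1597584268     info] fweb_debug_final[203] -- Completed POST request for "/api/v2/monitor/firewall/clearpass-address/add" (HTTP 200)
"""

# Data types the article says the FortiGate expects for the POST keys (step 3).
EXPECTED_TYPES = {"endpoint_ip": "array", "spt": "string"}

AUTH_RE = re.compile(r"API Key request authorized for (\S+) from (\S+?)\.?$")
PARAM_RE = re.compile(r"add API parameter '(\w+)' \(type=(\w+)\)")
ADD_RE = re.compile(r"-- Add (\S+) with SPT (\d+)\.")
DONE_RE = re.compile(r'Completed POST request for "([^"]+)" \(HTTP (\d+)\)')


def check_cppm_request(log_text):
    """Walk httpsd debug lines and record how far one CPPM request got."""
    result = {"authorized": False, "user": None, "params": {}, "adds": [], "status": None}
    for line in log_text.splitlines():
        line = line.rstrip()
        if m := AUTH_RE.search(line):
            result["authorized"], result["user"] = True, m.group(1)
        elif m := PARAM_RE.search(line):
            result["params"][m.group(1)] = m.group(2)  # parameter name -> stored type
        elif m := ADD_RE.search(line):
            result["adds"].append((m.group(1), int(m.group(2))))  # (address, SPT value)
        elif m := DONE_RE.search(line):
            result["status"] = int(m.group(2))
    return result


def diagnose(log_text):
    """Map the parsed request onto the validation steps; an empty list means all passed."""
    r = check_cppm_request(log_text)
    findings = []
    if not r["authorized"]:
        findings.append("no 'API Key request authorized' line: check trusted host IP and Bearer key (steps 1-2)")
    for key, want in EXPECTED_TYPES.items():
        got = r["params"].get(key)
        if got != want:
            findings.append(f"POST key '{key}' should be {want}, FortiGate stored {got or 'nothing'} (step 3)")
    if r["status"] != 200:
        findings.append(f"request did not complete with HTTP 200 (got {r['status']})")
    return findings
```

Feed the captured debug output to `diagnose()`; each finding names the validation step that failed, which is the step to troubleshoot first.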
- Run the command below to check that the dynamic firewall address list is being updated by the API.
# diagnose firewall dynamic list
List all dynamic addresses:
cppm: ID(176)
        ADDR(44.4.4.4)
        ADDR(10.10.10.4)
        ADDR(5.5.5.5)
        ADDR(10.10.10.10)
        ADDR(5.5.5.55)
        ADDR(77.77.77.77)    <----- New entry added here.
        ADDR(172.16.80.203)

Related Articles

Technical Tip: How to call 'REST API' script through ClearPass application
