Query Regarding IAG Rest API for Blocking Malicious IP Address

Newbie886059 Lv1Posted 2023-Nov-30 21:12

I hope this message finds you well. We have identified an issue where one of our customers is pushing a malicious IP address in IAG. The path they follow to push the IP is outlined below:

-> Access Mgmt ->Web Authentication -> Authentication Policy -> Edit Policy -> Policy Name(xyz) -> Objects -> Push IP Addresss

I have thoroughly reviewed the IAG Rest API documentation, but unfortunately, I couldn't find any specific API for pushing IP addresses in this category. Can you please confirm whether there is a dedicated API for this purpose or if there are alternative methods we can explore?

Additionally, I am interested in knowing if there is any rest API for IAG that allows us to block an IP address on a specific instance. Your guidance on this matter would be greatly appreciated.

Thank you for your time and assistance.

Best regards,

jerome_itable has solved this question and earned 20 coins.

Posting a reply earns you 2 coins. An accepted reply earns you 20 coins and another 10 coins for replying within 10 minutes. (Expired) What is Coin?

Enter your mobile phone number and company name for better service. Go

Based on the information you provided, pushing IP addresses through the "Access Mgmt ->Web Authentication -> Authentication Policy -> Edit Policy -> Policy Name(xyz) -> Objects -> Push IP Addresss" path doesn't seem to have a dedicated REST API in Sangfor IAG. I reviewed the available documentation and found APIs for managing policies and objects, but none specifically for pushing IP addresses in this context.

However, there might be alternative approaches:

1. Scripting: You could explore scripting the manual steps using tools like Selenium or Puppeteer. This would involve simulating user interactions through the web interface to push the IP address. While not ideal, it could be a temporary solution if the volume of IP addresses is low.

2. Third-party tools: Check if any third-party security orchestration or SIEM tools you use integrate with Sangfor IAG. These tools might offer ways to push IP addresses through their own APIs or connectors.

3. Custom development: If your Sangfor IAG version allows custom development, you could potentially develop a custom REST API endpoint that interacts with the internal pushing mechanism. This would require in-depth knowledge of Sangfor IAG's internal workings and might not be feasible for all versions or environments.
Blocking IP addresses on specific instances

For blocking an IP address on a specific Sangfor IAG instance, there are better options:

1. REST API: Fortunately, Sangfor IAG does offer a REST API for managing IP address blocks. You can use the /security/policy/ipblacklist endpoint with appropriate permissions to add or remove IP addresses from the block list on specific instances.

2. CLI: If you prefer a command-line approach, Sangfor IAG also provides a CLI tool called sg_cli. This tool allows managing various configurations, including IP blocking, through commands.

3. Web interface: As a last resort, you can always use the web interface to manually add the IP address to the block list on the desired instance.

Remember, the best approach depends on your specific environment, technical expertise, and desired level of automation.

I recommend prioritizing the REST API or CLI for blocking IP addresses as they offer the most efficient and flexible methods. If pushing IP addresses is crucial, explore scripting or third-party tools as temporary workarounds while investigating potential custom development options.
Is this answer helpful?
Prosi Lv3Posted 2023-Dec-11 10:29
  
IAG (Identity and Access Governance) is a broad term that can refer to various solutions and technologies related to managing user identities and access within an organization
Rica Cortez Lv2Posted 2023-Dec-10 16:54
  
Nevertheless, depending on how your infrastructure is configured, you may want to look at other approaches that make use of network APIs or more comprehensive security, which may have an indirect impact on firewall rules or access restrictions. Using firewall APIs or security management tools that communicate with IAG indirectly may be necessary in order to block an IP address on a particular instance. Examining more comprehensive security APIs or network infrastructure integrations may provide answers for IP blocking within your instance at a more granular level.
Donsadam Posted 2023-Dec-10 16:54
  
Unlike what you've described, the Intelligent Access Gateway (IAG) lacks a distinct REST API endpoint that is made to push or ban IP addresses under the Web Authentication or Authentication Policy settings. Such fine-grained changes to the authentication policy are often not made publicly available via an API.
noime Lv3Posted 2023-Dec-10 16:51
  
Recall that the optimal strategy is contingent upon your particular setting, level of technical proficiency, and intended automation.

For IP address blocking, I advise giving the REST API or CLI priority as they provide the most effective and adaptable solutions. Investigate possible custom development possibilities while looking into scripting or third-party tools as interim fixes if pushing IP addresses is critical.
Fuji12 Lv3Posted 2023-Dec-10 16:50
  
I hope you are doing well as I write this. We've discovered a problem where a malicious IP address is being sent into IAG by one of our clients. The following describes the procedure they use to push the IP:

-> Objects -> Push IP Addresses -> Access Management ->Web Authentication -> Authentication Policy -> Edit Policy -> Policy Name (xyz)

Despite carefully reading the IAG Rest API documentation, I was unable to locate a specific API for pushing IP addresses under this heading. Would you kindly confirm whether there is a specific API for this use case or if there are other options we should consider?
Jigen87 Lv3Posted 2023-Dec-10 16:49
  
Thankfully, Sangfor IAG provides a REST API for IP address block management. On certain instances, you may add or delete IP addresses from the block list by using the /security/policy/ipblacklist endpoint with the required permissions.
damulagski Lv3Posted 2023-Dec-10 16:49
  
You might be able to create a custom REST API endpoint that communicates with the internal pushing mechanism if your Sangfor IAG version permits custom development. A thorough understanding of Sangfor IAG's internal operations would be necessary for this, and it might not be possible in all situations or versions.
IP addresses being blocked in certain situations
LucyHeart Lv3Posted 2023-Dec-10 16:48
  
Verify if any security orchestration or SIEM products you employ from third parties interact with Sangfor IAG. Some solutions may provide means of pushing IP addresses via their own connectors or APIs.
babeshuka Lv3Posted 2023-Dec-10 16:47
  
You may try using Selenium or Puppeteer to script the manual procedures. To push the IP address, this would include mimicking user behaviors via the web interface. Even while it's not ideal, if there aren't many IP addresses, it could work as a temporary fix.
RegiBoy Lv5Posted 2023-Dec-10 16:45
  
There is no API yet

I Can Help:

Change

Moderator on This Board

1
3
5

Started Topics

Followers

Follow

Board Leaders