topic Re: Verify Policy Ansible with Checkpoint in DevSecOps

Verify Policy Ansible with Checkpoint

ukohae — Tue, 09 Feb 2021 18:21:02 GMT

Hi,

Goal: I am trying to Verify Access Control Policy using Ansible for a particular domain

I used the documentation https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_verify_policy_module.html#ansible-collections-check-point-mgmt-cp-mgmt-verify-policy-module

- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: standard

I set

- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: #the UID or String of the device

I got an error message when I ran my playbook

Playbook.yml

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
  - name: verify-policy
    check_point.mgmt.cp_mgmt_verify_policy:
      policy_package: #device name or UID added here
    #cp_mgmt_verify_policy:
       #policy_package: standard

my_var.yaml

ansible_httpapi_validate_certs: False
ansible_httpapi_use_ssl: True
ansible_network_os: check_point.mgmt.checkpoint
ansible_python_interpreter: /usr/bin/python3

login.yml

ansible_user: #checkpoint username
ansible_password: #checkpoint password

host inventory

[check_point]
#ip address of my checkpoint device

Error Message

$ ansible-playbook Playbook.yml

PLAY [check_point] **************************************************************************************

TASK [verify-policy]
fatal: [checkpoint]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code: 'generic_err_object_not_found'} Unpublished chnages were dicharged"}

PLAY RECAP **********************************************************************************************
checkpoint        :ok=0     changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

I'm I doing anything wrong here, is there anything I should be aware of?

Re: Verify Policy Ansible with Checkpoint

funkylicious — Tue, 09 Feb 2021 19:39:19 GMT

policy_package:

i guess that it refers to the policy/security package that you are running the verification for.

dunno if it's case sensitive.

L.E. just saw that you are doing it for a specific domain in an MDS env. try and add at end

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
  - name: verify-policy
    check_point.mgmt.cp_mgmt_verify_policy:
      policy_package: policy-name
    
    vars:
      ansible_checkpoint_domain: "domain"

Re: Verify Policy Ansible with Checkpoint

ukohae — Tue, 09 Feb 2021 19:52:18 GMT

Hi,

I am very confused, it in terms of policy/security package, can you give me an example?

Would I say

policy_package: Access Control

Re: Verify Policy Ansible with Checkpoint

funkylicious — Tue, 09 Feb 2021 19:56:34 GMT

hi,

the name of the policy package that you are setting rules in and installing on the gateways.

you can see it in Security Policies ( default name is Standard ) or from the firewall with fw stat.

Re: Verify Policy Ansible with Checkpoint

the_rock — Tue, 09 Feb 2021 21:09:10 GMT

Technically, access control is an ordered layer and policy package would be the name of the policy that you gave (I dont know, could be standard, or companyname_policy or whatever you named it)

Andy

Re: Verify Policy Ansible with Checkpoint

Art_Zalenekas — Tue, 09 Feb 2021 22:12:24 GMT

You said you are executing against the domain, so you are in MDS environment. You have to provide the CMA/Domain/DMS name as in the MDS as well. See the README and search for ansible_checkpoint_domain: https://galaxy.ansible.com/check_point/mgmt

In short, you have to give the variable ansible_checkpoint_domain the CMA domain name as in the MDS at either the inventory level, the playbook, or the task level.

Inventory file for your host:
mds-cma-name ansible_host=192.168.1.111 ansible_checkpoint_domain=CMA1

That should be it.
Also, when you execute the playbook, add 1 verbosity level (-v) so that you can see more stdout than just "changed".
Furthermore, as this is just a verify and no changes are made, consider adding changed_when: false to the root level of the task.

--- - name: Verify Policy hosts: mds-cma1 connection: httpapi tasks: - name: verify-policy check_point.mgmt.cp_mgmt_verify_policy: policy_package: "My_Policy" changed_when: false

Re: Verify Policy Ansible with Checkpoint

ukohae — Tue, 09 Feb 2021 22:23:08 GMT

Thanks, everyone. Everyone's contribution on here was a solution. It works!!!

Re: Verify Policy Ansible with Checkpoint

ukohae — Tue, 09 Feb 2021 23:40:53 GMT

Hi,

what if I have multiple domains with many policies in them. How do I write my inventories to contain those domains and policies?

Re: Verify Policy Ansible with Checkpoint

Art_Zalenekas — Wed, 10 Feb 2021 04:36:30 GMT

well, in the ini format you can list the hosts as if they are CMAs with the variable ansible_checkpoint_domain

[cmas] cma1 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma1 cma2 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma2 cma3 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma3

I believe there is a bug in the login/discard/logout process of each httpapi plugin connection instantiation, because if in the playbook we call hosts: cmas or multi-host execution, we don't relogin but reuse the same session. That is a bug. So for now if you want to loop all hosts in the cmas hosts group, you will have to write a separate playbook and call it for each CMA, or can still have the same playbook with the same hosts-group cmas, and limit the execution to a host in the group like ansible-playbook ... --limit=cma2

Sorry, but this is the workaround for now.