topic Ansible-based automation for Check Point Management Server and Check Point Gateways in Ansible

Ansible-based automation for Check Point Management Server and Check Point Gateways

Yevgeniy_Yeryom — Mon, 27 May 2019 06:30:11 GMT

Hello all,

I would like to share with you a tool for automatic configuration of Check Point management server and Check Point gateways. The tool is based on CP Management API, CP GAiA API, Ansible and enables a range of gateways and management related configuration actions. The tool is easily extendable.

The tool can be considered as a good starting point for the automation of your Check Point environment.

For management server

Following configuration is possible on management server:

Create/delete network, ranges, services objects
Create/delete policy packages
Add rules to the policy packages
Add gateways, establish SIC
Install policy on the gateways

For gateways

Following configuration is possible on gateways in accordance to various gateways attributes like CMA, SW version, gateway type, platform type, gateway IP.

DNS configuration
Users configuraion
Expert password configuration
User public keys copy
...

Which means you can configure DNS, Users, Expert password or Users public keys specifically for gateways in certain CMAs or for gateways having certain SW version, or platform type, or IP address.

Below are the tool structure and the steps for the gateways configuration part.

Ansible playbook starts Dynamic Inventory Script
Dynamic Inventory Script gets the list of all gateways from SMS or MDS via MGMT API.
Dynamic Inventory Script reads the services configuration files.
Dynamic Inventory Script creates the Ansible inventory files based on gateways list and services configuration.
Ansible configures the gateways via GAiA API (and via SSH for expert mode) according to inventory files.

License, warranty, contact

The tool is provided with APACHE2.0 and without any liability, warranty or support. In case, you are interested in support or customization please contact Check Point Profession Services under:

PS-AUTOMATION@MICHAEL.CHECKPOINT.COM.

Detailed tool information is provided in the attached documentations and videos.

I hope the tool will be beneficial for you and I would appreciate your feedback. 🙂

Regards,

Yevgeniy

Re: A tool for CheckPoint Management and CheckPoint automation with Ansible

PhoneBoy — Thu, 23 May 2019 02:03:02 GMT

Nicely done!

Re: A tool for CheckPoint Management and CheckPoint automation with Ansible

Yevgeniy_Yeryom — Fri, 24 May 2019 09:27:51 GMT

Thanks. I appreciate your positive feedback. 🙂

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

Tribhawan_Singh — Fri, 26 Jul 2019 22:57:46 GMT

@PhoneBoy any idea what should be the ansible_network_os for checkpoint. I am getting below error while running my playbook

TASK [SHOW COMMAND] *************************************************************************************************************************************************************************
fatal: [HQFW]: FAILED! => {"msg": "Unable to automatically determine host network os. Please manually configure ansible_network_os value for this host"}

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

PhoneBoy — Fri, 26 Jul 2019 23:48:54 GMT

What is the default shell for the account you're using to connect via Ansible?
It probably should be bash instead of clish.

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

Tribhawan_Singh — Sat, 27 Jul 2019 15:35:19 GMT

@PhoneBoy Yes i am using bash shell. i have changed it to bash

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

PhoneBoy — Sat, 27 Jul 2019 22:16:14 GMT

And did it work after you did that?

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

Tribhawan_Singh — Sun, 28 Jul 2019 19:23:46 GMT

@PhoneBoy Nah, That didn't work...

My script:

When i use roles then it works fine but the issue is ansible output gives me lot of additional things which i don't want.

Below is the script when i use roles. But i don't want to use the roles features and i run the same thing in single play then i get the error of mentioning the device OS or i would say ansible_network_os under device name in host_vars directory.

root@eve-ng:/etc/ansible# cat show-bash.yml

- hosts: checkpoint
serial: 1
gather_facts: no
tasks:

- name: SHOW COMMAND
import_role:
name: Trib_role
tasks_from: showbash
vars:
cmdfile: show-bash.cmd

#cat show-bash.cmd

fw tab -t connections -s

fw ver

[checkpoint]
HQFW

Under host_vars directory:

cat HQFW
---
ansible_host: 192.168.110.71
ansible_user: admin
ansible_ssh_pass: admin123
ansible_connection: network_cli

root@eve-ng:/etc/ansible/roles/Trib_role/tasks# cat showbash.yml
---
- name: SHOW CONFIG
cli_command:
command: "{{ item }}"
with_lines: cat {{ cmdfile }}
register: result1

- name: show output files
debug:
var: result1

***********************************************************************

-- Playbook which i want to run and which is asking me to give the OS name:

root@eve-ng:/etc/ansible# cat cp1.yml

- hosts: checkpoint
serial: 1
gather_facts: no
connection: network_cli
tasks:

- name: SHOW COMMAND
cli_command:
command:
- "cpinfo -y all"
- "fw ver"
register: result

- name: show output
debug:
var: result.stdout_lines

Please help.

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

PhoneBoy — Tue, 30 Jul 2019 15:32:31 GMT

You may have better luck using Ansible to call our Management API to execute the necessary gateway commands rather than using Ansible directly.
Most of our examples take this approach.

Re: Ansible-based automation for Check Point Management Server and Check Point Gateways

Vlad_Tonne — Tue, 11 Feb 2020 19:29:35 GMT

According to sk114661, you need to configure Ansible inventory or /etc/ansible/hosts with the relevant ansible_network_os.

ansible_network_os=checkpoint

Full configuration shown in sk114661.

BR,

Vlad Tonne.