topic Checkpoint automation - many questions in Ansible

Checkpoint automation - many questions

J_Saun — Thu, 21 Mar 2019 11:17:53 GMT

Just starting to get into automating configuration tasks on Checkpoint R80. I have installed cpAnsible on a CentOS that has python running and did a simple group and object add which worked fine

My questions:

- Is Ansible just running built in Checkpoint CLI commands? If so, where do I get a list of those commands?

- Why do I need Ansible?

- why do I need Python on my local machine if I have Ansible? (sorry - just dont understand the relationship between the 2)

- why do I need Python on the remote machine (the Checkpoint manager)

- is this possible on any Checkpoint version lower than R80? If not, how is similar automation performed on lower versions of Checkpoint (R77, R65)?

- is it possible to have a front end webform or something that passes request data (source, destination, port) to Python/Ansible/Checkpoint-directly and processes the request automatically?

Thanks!

Re: Checkpoint automation - many questions

PhoneBoy — Fri, 22 Mar 2019 05:03:03 GMT

Ansible is an automatic framework that runs on Python, which is an interpreted language.
When you use the cpModule, it is calling the REST API on the backend, which is only available in R80+ Management.
There is a python interpreter on recent versions of Check Point Management already but it is not used in this context.

There is no requirement to use Ansible for automation, it just happens to be a popular choice.
Anything that speaks a REST API can be used.
You can also use the CLI via the mgmt_cli command if you prefer.
API/CLI docs are here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
There are also sample web forms on CheckMates that you can leverage.

Automating R77.x and earlier management is possible to varying degrees depending on what you are trying to do.
However, it does not have a REST API and requires a bit more work to automate.
You can find examples for specific tasks on CheckMates.

Re: Checkpoint automation - many questions

J_Saun — Fri, 22 Mar 2019 14:22:21 GMT

Thanks very much for the explanations.

Re: Checkpoint automation - many questions

J_Saun — Wed, 10 Apr 2019 00:23:10 GMT

I'm still trying to grasp the relationship between Ansible and Checkpoint API. I successfuly used cpAnsible and added a group with a host using the example they have on the Github cpansible page but I don't understand how the commands are getting sent to the Checkpoint manager.

Example:

The Ansible .yml has the following:

name: "add host"
check_point_mgmt:
command: add-host # Name of the command
parameters: # The parameters for it, in dictionary form
name: "host_demo"
ip-address: "1.2.3.5"

But, according to the Management API Reference doc, if I just want to do that via the CLI on the management server I use:

mgmt_cli add host name "New Host 1" ip-address "1.2.3.5" --version 1.1 --format json

In the .yml it uses add-host (note the hyphen) but the CLI command is add host (no hyphen).

Does checkpoint accept either?

Re: Checkpoint automation - many questions

Tribhawan_Singh — Wed, 26 Jun 2019 08:48:34 GMT

Is there a way we can run the Ansible script to perform basic health check commands on the checkpoint gateway.

Ansible script is to be run from a external jumphost and through that script , it should login into the firewall and take output of certain commands like connection state, memory, cpu and other basic commands.

Is it possible to achieve this through ansible.

Re: Checkpoint automation - many questions

PhoneBoy — Wed, 26 Jun 2019 17:32:24 GMT

Couple examples of this:
https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Ansible-for-Gaia-gateways/m-p/14305#M1017
https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Ansible-based-automation-for-Check-Point-Management-Server-and/m-p/54109#M3502