topic Adding Rules to a Rule Section Using Ansible in Ansible

Adding Rules to a Rule Section Using Ansible

IdentityUnknown — Mon, 16 Sep 2019 00:24:59 GMT

Dear all,

we are using the Check Point Ansible module https://github.com/CheckPointSW/cpAnsible

Do you know how to group access rules below a section?

The API tells me:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-access-rule~v1.5%20

But how to convert it to an ansible playbook?

Only the "position: "top"" statement seems to be working. I commented the other attempts out.

Any ideas?

- name: "Section" check_point_mgmt: command: add-access-section parameters: layer: "Network" name: "section 1" position: "top" session-data: "{{login_response}}" - name: "Rule" check_point_mgmt: command: add-access-rule parameters: layer: "Network" # position.below: "section 1" # position: "section 1" position: "top" name: "Access rule" source: "1.1.1.1" destination: "2.2.2.2" service: "ssh" action: "allow" session-data: "{{login_response}}"

Thank you & kind regards

Re: Question regarding Ansible with Check Point

PhoneBoy — Wed, 11 Sep 2019 20:16:01 GMT

What error do you get?

Re: Question regarding Ansible with Check Point

IdentityUnknown — Thu, 12 Sep 2019 06:38:39 GMT

With the following task:

- name: "Rule" check_point_mgmt: command: add-access-rule parameters: layer: "Network" position.below: "section 1" name: "Access rule" source: "1.1.1.1" destination: "2.2.2.2" service: "ssh" action: "allow" session-data: "{{login_response}}"

I got

"msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'position.below': u'section 1', u'source': u'1.1.1.1', u'action': u'allow'}' failed with error message: message: Unrecognized parameter [position.below]\ncode: generic_err_invalid_parameter_name\n. All changes are discarded and the session is invalidated."

Re: Question regarding Ansible with Check Point

PhoneBoy — Mon, 16 Sep 2019 00:24:14 GMT

My guess is you need to do something like:

- name: "Rule" check_point_mgmt: command: add-access-rule parameters: layer: "Network" position: below: "section 1" name: "Access rule" source: "1.1.1.1" destination: "2.2.2.2" service: "ssh" action: "accept" session-data: "{{login_response}}"

Re: Question regarding Ansible with Check Point

IdentityUnknown — Fri, 13 Sep 2019 12:24:40 GMT

I tried it as well before, but the statement is reordered (position at the end of the statement) and the exception is:

msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'source': u'1.1.1.1', u'action': u'allow', u'position': {u'below': u'section 1'}}' failed with error message: message: Invalid parameter for [action]. The invalid value: [allow]\ncode: generic_err_invalid_parameter\n. All changes are discarded and the session is invalidated."

Re: Question regarding Ansible with Check Point

Maik — Fri, 13 Sep 2019 12:56:13 GMT

I'm no expert when it comes to Ansible, but my guess is that the parameter for the action statement should be "accept" instead of "allow" - as mentioned in the API documentation:

action

string
Default: Drop

"Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".

Re: Question regarding Ansible with Check Point

IdentityUnknown — Fri, 13 Sep 2019 13:12:09 GMT

Yes, I worked with a typo in my example playbook.

The task is working as PhoneBoy mentioned with the action string "accept" which Maik mentioned.

Thank you!

Re: Question regarding Ansible with Check Point

PhoneBoy — Fri, 13 Sep 2019 16:15:13 GMT

All I did was propagate the original mistake, fixed in my answer.