https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142602#M648 <P>Hi there!</P><P>I want to create a access layer ruleset with sections and rules.</P><P>There are two modules provided by checkpoint which seem to be relevant:</P><UL><LI><A href="https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_rule_module.html#ansible-collections-check-point-mgmt-cp-mgmt-access-rule-module" target="_blank" rel="noopener"><SPAN class="">cp_mgmt_access_rule</SPAN></A></LI><LI><A href="https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_section_module.html#ansible-collections-check-point-mgmt-cp-mgmt-access-section-module" target="_blank" rel="noopener"><SPAN class="">cp_mgmt_access_section</SPAN></A></LI></UL><P><SPAN class="">I am having a yaml file which contains all rules in the right order, looking something like this:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">- Name: "FW MGMT" Comments: "MGMT Clients to FW" Action: Accept Destination: o-fw01 Source: allow_fwmgmt Enable: yes Service: - ssh_version_2 - https-tcp8443 - Name: "GW Identity Access" Comments: "Access f. Identity Awareness" Action: Accept Destination: fw01 Source: allow_fw-identity Enable: yes Service: https - Name: "FW Stealth" Comments: "FW Stealth Rule" Action: Drop Destination: fw01 Source: Any Enable: yes Service: Any</LI-CODE><P>&nbsp;</P><P>The corresponding task looks something like this:<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">- name: set access rule check_point.mgmt.cp_mgmt_access_rule: name: "{{ item.Name }}" position: "{{ index | int + 1 }}" comments: "{{ item.Comments }}" destination: "{{ item.Destination }}" source: "{{ item.Source }}" service: "{{ item.Service }}" action: "{{ item.Action }}" loop: "{{ cp_access_rules }}" loop_control: index_var: index</LI-CODE><P>&nbsp;</P><P>&nbsp; So it takes the first entry of the rules file and submits it as first rule to the rulebase, takes the second on and puts it on second position and so on, using the index.</P><P>Is it somehow possible to combine this with sections?</P><P>Is it possible to put sections between the rules in the same file and let ansible decide which task to execute?</P><P>I tried put a&nbsp;cp_mgmt_access_rule and a&nbsp;cp_mgmt_access_section in a block and loop the block but ansible does not support looping entire blocks.</P><P>&nbsp;</P><P>Is there a better way to do this?</P> Mon, 28 Feb 2022 10:21:21 GMT User1234 2022-02-28T10:21:21Z https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142602#M648 <P>Hi there!</P><P>I want to create a access layer ruleset with sections and rules.</P><P>There are two modules provided by checkpoint which seem to be relevant:</P><UL><LI><A href="https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_rule_module.html#ansible-collections-check-point-mgmt-cp-mgmt-access-rule-module" target="_blank" rel="noopener"><SPAN class="">cp_mgmt_access_rule</SPAN></A></LI><LI><A href="https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_section_module.html#ansible-collections-check-point-mgmt-cp-mgmt-access-section-module" target="_blank" rel="noopener"><SPAN class="">cp_mgmt_access_section</SPAN></A></LI></UL><P><SPAN class="">I am having a yaml file which contains all rules in the right order, looking something like this:</SPAN></P><P>&nbsp;</P><LI-CODE lang="markup">- Name: "FW MGMT" Comments: "MGMT Clients to FW" Action: Accept Destination: o-fw01 Source: allow_fwmgmt Enable: yes Service: - ssh_version_2 - https-tcp8443 - Name: "GW Identity Access" Comments: "Access f. Identity Awareness" Action: Accept Destination: fw01 Source: allow_fw-identity Enable: yes Service: https - Name: "FW Stealth" Comments: "FW Stealth Rule" Action: Drop Destination: fw01 Source: Any Enable: yes Service: Any</LI-CODE><P>&nbsp;</P><P>The corresponding task looks something like this:<BR /><BR /></P><P>&nbsp;</P><LI-CODE lang="markup">- name: set access rule check_point.mgmt.cp_mgmt_access_rule: name: "{{ item.Name }}" position: "{{ index | int + 1 }}" comments: "{{ item.Comments }}" destination: "{{ item.Destination }}" source: "{{ item.Source }}" service: "{{ item.Service }}" action: "{{ item.Action }}" loop: "{{ cp_access_rules }}" loop_control: index_var: index</LI-CODE><P>&nbsp;</P><P>&nbsp; So it takes the first entry of the rules file and submits it as first rule to the rulebase, takes the second on and puts it on second position and so on, using the index.</P><P>Is it somehow possible to combine this with sections?</P><P>Is it possible to put sections between the rules in the same file and let ansible decide which task to execute?</P><P>I tried put a&nbsp;cp_mgmt_access_rule and a&nbsp;cp_mgmt_access_section in a block and loop the block but ansible does not support looping entire blocks.</P><P>&nbsp;</P><P>Is there a better way to do this?</P> Mon, 28 Feb 2022 10:21:21 GMT https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142602#M648 User1234 2022-02-28T10:21:21Z https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142809#M650 <P>Sounds like more of a question of whether Ansible will allow this sort of functionality versus a specific question with our module.</P> Wed, 02 Mar 2022 15:25:30 GMT https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142809#M650 PhoneBoy 2022-03-02T15:25:30Z https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142826#M651 <P>No it is not possible. Push your rules, then push your sections after that. It's going to be position specific. What you can do is know your rules around a section and store that as&nbsp;<EM>set_facts</EM> and reuse that variable in setting the position.<BR />Good luck!</P> Wed, 02 Mar 2022 17:23:17 GMT https://community.checkpoint.com/t5/Ansible/Create-role-to-add-sections-and-rules/m-p/142826#M651 Art_Zalenekas 2022-03-02T17:23:17Z