topic Re: Working with NAT rules in Ansible

Working with NAT rules

boneyard — Mon, 27 Mar 2023 15:55:13 GMT

Anyone found a way around the issues I encounter with trying to create the NAT policy?

### Name

I'm unable to set the name of a NAT rule. This is possible manually in Smart Console.

### Position

I'm unable to get rules above the Automatic Generated Rules. This is possible in Smart Console.

I can't use position 1 or 2 because those are for default rules. Can't use 0 as error states must be great equal 1. So when I create the rule on position 3 it is below the others. I really miss an insert above / below position X kinda option. Or a move rule option. That goes for access policies also.

Possibly with check_point.mgmt.cp_mgmt_set_nat_rule and new position option, but zero documentation on if at all and if so how. The fact i have to do it according to the document by "Edit existing object using object name or uid." and the example not showing either doesn't give me a warm feeling ...

### Multiple modules

I can't use state present / absent as with a regular access policy and many other Ansible modules. So have to use cp_mgmt_add_nat_rule AND cp_mgmt_delete_nat_rule, why this difference?

Re: Working with NAT rules

the_rock — Mon, 27 Mar 2023 16:34:23 GMT

Hi there,

Not sure I understand your poitns 1 and 2. Name can be configured, as well as position.

Andy

Re: Working with NAT rules

Jim_Oqvist — Mon, 27 Mar 2023 17:49:42 GMT

Hi,

Starting from R81 API version 1.7 and later we started supporting to use name in the NAT rule which enables you to create a idempotent module for our ansible collection to add, change and delete NAT rules.

This module has been developed by R&D and is going to be added to Galaxy repository in the next version we release of the collection.

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/plugins/modules/cp_mgmt_nat_rule.py

The new module allows you to use relative position such as "top" and "bottom" to overcome the challenges of creating a rule above or below the automatic generated NAT rules in a situation when there is no manual NAT rule already in place in that location.

If you want to find an example on how to use it you can find that here:
(this example uses the relative position "top" to be able to create the first rule in a new NAT rule base above the automatic NAT rule)

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-policy/tasks/objects/configure-policy-nat-rules.yml

Please note as described in the module the management server needs to have a JHF that addresses PMTR-88097

https://support.checkpoint.com/search#q=PMTR-88097

Re: Working with NAT rules

boneyard — Mon, 27 Mar 2023 17:57:31 GMT

If I use name: "name" in my Ansible playbook I get an error stating name isnt valid option for a NAT rule.

"msg": "Unsupported parameters for (cp_mgmt_add_nat_rule) module: name. Supported parameters include: ignore_errors, translated_destination, translated_source, original_destination, ignore_warnings, package, wait_for_task_timeout, install_on, version, comments, enabled, original_source, translated_service, original_service, details_level, wait_for_task, position, method."}

Position isn't really position it seems, just a value which must be unique. So if I have

1 - first NAT rule

2 - second NAT rule

3 - third NAT rule

I can only use position 4 (which will put it below 3), if I use any of the other positions I get an error. That is my experience at least.

Oh 81.10 BTW, forgot to add that.

Re: Working with NAT rules

the_rock — Mon, 27 Mar 2023 18:01:16 GMT

Ok, disregard what I said then, I thought you were strictly referring to smart console.

Andy