Creating a new firewall policy with Ansible

boneyard — Fri, 05 Apr 2024 15:01:53 GMT

I have seen it asked before but haven't found a clear answer.

Currently im managing a firewall policy via Ansible. When I need to make big changes I just delete all rules and sections and load the new ones.

I would like to load the new rules in a different policy and then eventually install that policy. Afterwards perhaps deleting the old policy and use that process for future changes,

But it seems the Check Point Ansible modules don't do much with policies. I can do something with layers, but with the layer it is unclear to me in which policy it will be created.

Is it correct that policy creation is not done in Ansible?

Re: Creating a new firewall policy with Ansible

Erik_Lagzdins — Fri, 05 Apr 2024 18:21:14 GMT

I believe what you are looking for is the cp_mgmt_package module to create a new policy and new Access Control layer, then use the cp_mgmt_access_rule module to add rules.

Documentation and examples for the modules can be found here: https://docs.ansible.com/ansible/devel/collections/check_point/mgmt/index.html

Process flow:

1. Create a brand new policy package with the cp_mgmt_package module, and add the access layer at the same time.

2. Add access rules with the cp_mgmt_access_rule or cp_mgmt_access_rules modules to the access layer in the new policy package. Both modules are designed to add/modify rules to access layer policies but have their own pros/cons depending on your situation.

3. Install the new policy over the existing policy on your gateway.

4. Delete the old unused policy package, manually or with the cp_mgmt_package module.

topic Creating a new firewall policy with Ansible in Ansible

Creating a new firewall policy with Ansible

Re: Creating a new firewall policy with Ansible