topic Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule in Ansible

Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

nadmin — Sat, 21 Sep 2024 01:57:57 GMT

Using check_point.mgmt 6.2.1 (current) in practicing my automation skills I learned in Tim's CCAS class. Ansible 2.10 on WSL running Ubuntu 22.04

https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/content/module/cp_mgmt_nat_rule/?keywords=nat&version=6.2.1

The playbook creates an access policy (package), creates the access rule, and publishes the changes successfully.

When I try to add a task to add a NAT rule I get:

ERROR! couldn't resolve module/action 'cp_mgmt_nat_rule'. This oftent indicates a misspelling, missing collection, or incorrect module path.

This is confusing because everything else in collection check_point.mgmt worked.

Here is the task I'm adding:

- name: add a NAT rule cp_mgmt_nat_rule: package: Lab_Policy name: Outbound NAT enabled: true installed_on: - Policy Targets original_destination: All_Internet original_source: branch1_lan translated_source: branch1_outbound_nat method: hide position: top comments: outbound NAT state: present

Here is how I install my environment:

sudo apt install -y ansible python3-paramiko python3-pip
ansible-galaxy collection install community.general vyos.vyos check_point.mgmt check_point.gaia
python3 -m pip install XenAPI

Here is my complete process and how I build the lab using automation:

https://github.com/doritoes/NUC-Labs/blob/xcp-ng-improvement/XCP-ng/Appendix-Ansible.md

Anyone get the ansible working in check_point.mgmt 6.2.1? Or seen the same issue and solved it?

I did refer to this example

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-policy/tasks/objects/configure-policy-nat-rules.yml

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

_Val_ — Mon, 23 Sep 2024 06:58:21 GMT

Please open a TAC request for this

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

PhoneBoy — Mon, 23 Sep 2024 18:19:27 GMT

The documentation for cp_mgmt_nat_rule says:

Minimum version required is 1.7.1 and JHF with PMTR-88097.

This corresponds to API version 1.7.1, which is R81.
The first JHF with PMTR-88097 is Take 82.

What version/JHF is your management?
If it's not at least the above version/JHF level, you can resolve the issue by upgrading.

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

nadmin — Mon, 23 Sep 2024 23:48:36 GMT

Thanks @PhoneBoy

Thanks interesting... here is the link saying check_point.mgmt verison 6.2.1 is the latest

https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/content/module/cp_mgmt_nat_rule/?keywords=nat&version=6.2.1

SMS:

fwm ver

This is Check Point Security Management Server R81.20 - Build 441 (Check_Point_R81.20_T634,iso)

I was able to use cpuse to download and install R81.20 JHF 84 even with a trial version.

I also manually updated ansible to 2.16.

Still have the issues cp_mgmt_nat_rule and cp_mgmt_access_section.

I can try my work diamond support team, but generally I get better help here on api/automation.

I will open an issue on github.

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

Jim_Oqvist — Tue, 24 Sep 2024 07:07:57 GMT

Hi,

looking at the code in your task it looks like you are using the collection that comes with the Ansible installation. Please make sure you are using the collection installed from galaxy by referencing to it like this.

check_point.mgmt.cp_mgmt_nat_rule:

- name: add a NAT rule check_point.mgmt.cp_mgmt_nat_rule: package: Lab_Policy name: Outbound NAT enabled: true installed_on: - Policy Targets original_destination: All_Internet original_source: branch1_lan translated_source: branch1_outbound_nat method: hide position: top comments: outbound NAT state: present

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

nadmin — Wed, 25 Sep 2024 18:21:21 GMT

Thank you @Jim_Oqvist and edengr on Github repo.

This is the correct solution. The documentation could be clearer.

Prepending every module with check_point.mgmt works to resolve this issue.

examples:

check_point.mgmt.cp_mgmt_package
check_point.mgmt.cp_mgmt_access_rule
check_point.mgmt.cp_mgmt_access_section
check_point.mgmt.cp_mgmt_publish

This is extra work, but eliminates the problem of your task using different repos for different tasks.

For those who experience my issue on Ubuntu 22.04:

don't install the default ansible; install from the ppa to get a current version of Ansible
i got an older API version with ansible-galaxy collection install check_point.mgmt; use ansible-galaxy collection install --force check_point.mgmt; to get the latest version

Re: Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

Jim_Oqvist — Thu, 26 Sep 2024 12:48:15 GMT

Hi @nadmin ,

In a playbook, you can control the collections Ansible searches for modules and action plugins to execute.

By adding

  collections:
    - check_point.mgmt

You do not need to prepend every task with the collection name

More details here:

https://docs.ansible.com/ansible/latest/collections_guide/collections_using_playbooks.html#using-collections-in-playbooks