topic Re: Ansible PlayBook error in MDS in Ansible

Ansible PlayBook error in MDS

Matlu — Mon, 14 Jul 2025 20:41:26 GMT

Hello, Community.

I am new with using Ansible to automate tasks on a Check Point MDS.

I have managed to create a PlayBook, which “apparently” works, because when I run the playbook from my Rocky Linux (Ansible), I don't get any errors.

My problem is that the objects that I create through the PlayBook, do not appear in the “visual” part of the SmartConsole.

The PlayBook tries to create 5 new objects, which are already created, but when you look for them in the SmartConsole, they do not appear.

Is this normal?
Is there a setting I should use?

Thanks for your comments.

Re: Ansible PlayBook error in MDS

PhoneBoy — Mon, 14 Jul 2025 22:37:16 GMT

Does your playbook publish?
Without that, no one else will be able to see the changes.

https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_publish_module.html#ansible-collections-check-point-mgmt-cp-mgmt-publish-module

Re: Ansible PlayBook error in MDS

Matlu — Mon, 14 Jul 2025 22:44:16 GMT

Hi,
Currently, my Playbook has the following content.

[srvrocky@localhost ansible-mdsmgmt]$ cat test-login.yml
---
- name: Eliminar host-demo y crear 5 nuevos hosts
hosts: mds
gather_facts: no
tasks:

- name: Eliminar host-demo si existe
check_point.mgmt.cp_mgmt_host:
name: "host-demo"
state: "absent"
auto_publish_session: true
ignore_errors: yes

- name: Crear 5 nuevos objetos tipo host
check_point.mgmt.cp_mgmt_host:
name: "{{ item.name }}"
ip_address: "{{ item.ip }}"
auto_publish_session: true
loop:
- { name: "host-demo-01", ip: "192.0.2.101" }
- { name: "host-demo-02", ip: "192.0.2.102" }
- { name: "host-demo-03", ip: "192.0.2.103" }
- { name: "host-demo-04", ip: "192.0.2.104" }
- { name: "host-demo-05", ip: "192.0.2.105" }

- name: Mostrar mensaje final
ansible.builtin.debug:
msg: "Se eliminaron objetos antiguos y se crearon 5 nuevos hosts."
[srvrocky@localhost ansible-mdsmgmt]$

The Playbook works well “apparently” because I don't get any error, but when I go to the SmartConsole to check, the new objects created do not appear.

Gracias por los comentarios.

Re: Ansible PlayBook error in MDS

Erik_Lagzdins — Tue, 15 Jul 2025 12:24:58 GMT

Where are you variables required for the Check Point modules?

It could be that you're missing the ansible_checkpoint_domain variable which states what Domain you want to create the hosts in. Without stating the target domain, Ansible will create the hosts in the System domain for the MDS which are not viewable in SmartConsole.

Vars example:

vars:
ansible_connection: httpapi
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_network_os: check_point.mgmt.checkpoint #Using Galaxy https://galaxy.ansible.com/check_point collection
ansible_checkpoint_domain: Customer1 #Replace with your target domain name, or "Global" to target the global domain.

Re: Ansible PlayBook error in MDS

Matlu — Thu, 17 Jul 2025 12:33:33 GMT

Hello, @Erik_Lagzdins

A doubt, is it possible to ‘feed’ a playbook with a source that is a file for example but in csv extension or a notepad or some other format, that will help me to update the content of what I need?

I explain below.

If your playbook works, but you need to update it daily with new data, for example, you have a playbook that you create massive IPs, but this is daily, today for example you create 50 IPs, and tomorrow you get a file with 80 new IPs

Is it always necessary to ‘edit’ the playbook file manually and place those 80 new IPs, or is there a way to ‘upload’ a file to the playbook?

I hope my doubt is well explained

Basically I would like to understand how I could update the playbook with daily information without the need to edit the file manually every time it is needed

Thanks for your comments.

Re: Ansible PlayBook error in MDS

Erik_Lagzdins — Thu, 17 Jul 2025 14:07:10 GMT

Yes it is possible. As a Professional Services engineer this is directly related to a project I am involved with. A problem like this would be too complicated to solve over a Check Mates post, but I'll share the high level steps.

This solution requires 2x playbooks, 1 for retrieving the data from a server, 1 for applying the changes to a Check Point server.

1. In the first playbook, use a "Get" request to retrieve new host object data from a webserver with the built-in ansible uri module, preferably in json format. Register the host object data, and use a set_fact task to be able to reuse the data for the next task.

2. In a second playbook, use the cp_mgmt host modules to create new hosts based on the data you retrieved and registered from the first task.

The challenging parts are making sure the object data is available on the webserver in the correct format, and figuring out the syntax to use a loop with the cp_mgmt_host module.

To simplify, you can skip step 1 completely by manually adding and editing a "vars_files" in the 2nd playbook to point to a json file with your host object data prior to running the playbook.

Re: Ansible PlayBook error in MDS

Matlu — Thu, 17 Jul 2025 16:29:53 GMT

I have several doubts, but the first one I have when reading your recommendation is, do I need to involve a new server in my environment, to accomplish these tasks?

A web server, as such?

For example, I am now in a lab environment testing all this.

And I only have my MDS management PC, my MDS, and my Rocky Linux (where is the Ansible)

So, to achieve "having 2 Playbooks" for this goal, I would need to add in my environment a server that works as a web server, where is the available information of the new IP mass creation requests?

I did not understand this part very well.

It is a bit cumbersome.

My problem or better said, the detail that I have, is that the request that I have is massive in an "almost daily" way

Today 20 new IPs arrive, tomorrow 30, the day after tomorrow 70, and so on (Some days can arrive only 2, or 5 IPs) is something unpredictable

But to think about "editing" the Playbook manually each time that a new request arrives, is quite manual and little automated, don't you think?

Re: Ansible PlayBook error in MDS

Erik_Lagzdins — Thu, 17 Jul 2025 17:33:24 GMT

I assumed the host information was coming from an external server already. If that's not the case, then you don't need to fetch data but you still need to tell Ansible about the updated host data each day. There are multiple solutions, it depends on what is easiest in your environment.

1. Update the vars_file filename in the playbook on each execution.

2. Replace the entire host data in the vars_file itself, that way the playbook never needs to be edited since the input filename will be static.

3. Use an extra on-demand variable for the filename with the updated host data. This would be my preferred solution in a simple setup.

I attached examples of very simple host data and a playbook that you should be able to build off of.

--- - name: Host Creation Playbook gather_facts: no hosts: mds vars: ansible_python_interpreter: /usr/bin/python3 ansible_connection: httpapi ansible_httpapi_use_ssl: true ansible_httpapi_validate_certs: false ansible_network_os: check_point.mgmt.checkpoint ansible_checkpoint_domain: Domain1 ansible_ssh_user: cpadmin ansible_ssh_password: vpn123 vars_files: - /home/user1/host_object_data.json tasks: - name: Configure hosts cp_mgmt_host: state: "{{item.state}}" color: "{{item.color}}" name: "{{item.name}}" ip_address: "{{item.ip_address}}" auto_publish_session: true loop: "{{ cp_mgmt_host_tasks }}" ignore_errors: yes