topic Re: Adding security zone to gateway interface using Ansible in Firewall and Security Management

Adding security zone to gateway interface using Ansible

Govind135438 — Thu, 23 Oct 2025 13:02:08 GMT

I am trying to automate assigning security zone to Security Gateway ethernet bonding interface.

Using Check Point R82.

Here is the code snippet from my Ansible playbook:

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security-zone-settings:
          "specific-zone": "{{ security_zone }}"
        security-zone: true
    state: present

The output looks like this indicating no changes to

TASK [Debug update_result] ******************************************************************************************************************************************
ok: [10.25.58.51] => {
    "msg": {
        "changed": false,
        "checkpoint_session_uid": "113f422c-8e32-41fd-9288-e6f275372336",
        "failed": false
    }
}

Please help me correct code.

Re: Adding security zone to gateway interface using Ansible

the_rock — Thu, 23 Oct 2025 17:31:16 GMT

Just a "messenger", but here is what AI gave...

**********

You're very close — the problem is with how the security-zone-settings field is structured in the cp_mgmt_simple_gateway module.

In the Check Point Management API (and Ansible collection check_point.mgmt), the correct field names and hierarchy are slightly different from what you used. The field security-zone-settings expects a dictionary, and the correct key for assigning a specific zone is specific-zone, not "specific-zone": "value" — and you must not use both security-zone and security-zone-settings together incorrectly.

Let’s fix it step by step 👇

✅ Corrected Playbook Example

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
  register: update_result

- debug:
    msg: "{{ update_result }}"

⚙️ Key Points

Use underscores instead of hyphens in YAML keys for Ansible modules (Python interprets field names with underscores).
- ✅ security_zone_settings
- 🚫 security-zone-settings
Nested structure:
- The correct field is security_zone_settings.specific_zone, not security-zone or security-zone: true.
You don’t need the line security-zone: true; that flag doesn’t exist in this context.

✅ Example with a bonding interface

If your interface is a bonding interface, just specify the bond name:

- name: Update security zone for bond interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: bond0
        security_zone_settings:
          specific_zone: "Internal_Zone"
    state: present

🔍 Optional: Force an update

Sometimes, Check Point’s API won’t mark a change unless you explicitly use ignore_warnings: true or ignore_errors: true:

  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
    ignore_warnings: true

✅ Summary

Wrong Key	Correct Key	Notes
`security-zone-settings`	`security_zone_settings`	Use underscores
`"specific-zone": "{{ security_zone }}"`	`specific_zone: "{{ security_zone }}"`	No quotes or hyphen
`security-zone: true`	(remove)	Not needed

Would you like me to show a full playbook example including session login/logout (cp_mgmt_login / cp_mgmt_publish/ cp_mgmt_logout)? That’s often required for changes to persist.

Re: Adding security zone to gateway interface using Ansible

Duane_Toler — Thu, 23 Oct 2025 17:57:04 GMT

Careful. If you're doing the interfaces property to a gateway, you MUST include ALL of the interfaces in the list. Otherwise, this will overwrite your existing interfaces with what you include in the list. As @the_rock pasted (from ChatGPT 😉), you don't put quotes around the property key names (on the left side of the ":" character).

You also don't need to use "state: present"; this is assumed.

Be sure you follow up this task with a call to "cp_mgmt_simple_gateway_facts" and register it to a variable, then print that variable with a "debug" task. Until you are certain you have the task written correctly, with the expected results, you should use the cp_mgmt_discard module at the end. Once you are happy with the results, then you can use cp_mgmt_publish to commit your changes.

Re: Adding security zone to gateway interface using Ansible

the_rock — Thu, 23 Oct 2025 18:04:28 GMT

I would always trust Duane Toler genius over AI 🙂

Re: Adding security zone to gateway interface using Ansible

Duane_Toler — Thu, 23 Oct 2025 18:13:57 GMT

hah! thanks 😁 ChatGPT wasn't entirely wrong, tho. It just didn't catch the interface list. The rest of my info was largely about "style" (and safety/caution), too.

Re: Adding security zone to gateway interface using Ansible

the_rock — Thu, 23 Oct 2025 18:15:08 GMT

I speak the truth 🙂

Re: Adding security zone to gateway interface using Ansible

PhoneBoy — Fri, 24 Oct 2025 01:25:43 GMT

It's worth noting that R82 has separate API endpoints for managing the interfaces on a gateway object.
For example, there is an explicit add-interface endpoint.
It appears this is also reflected in our Ansible collection: https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_interface_module.html#ansible-collections-check-point-mgmt-cp-mgmt-interface-module

While I didn't test this in Ansible, I did test it through the API and it works.
Even found a bug 🙂

If you use the interface options as part of the gateway object in R82, you get the same behavior as before (i.e. must specify ALL interfaces as part of the call).

Re: Adding security zone to gateway interface using Ansible

Govind135438 — Fri, 24 Oct 2025 10:24:26 GMT

Thank you very much @PhoneBoy for suggesting add_interface module. It worked. However I see a problem. The security zone gets assigned to the interface but not enabled.

See the screenshots after running the playbook:

Zone assigned but not displayed in SmartConsoleZone assigned but not enabled

Is this related to the bug you have observed or am I missing something?

Here is my code snippet from the playbook:

- name: add-interface check_point.mgmt.cp_mgmt_interface: anti_spoofing: true anti_spoofing_settings: action: detect exclude_packets: false spoof_tracking: log cluster_network_type: cluster gateway_uid: eb095b8b-a78c-9c4c-8e36-7c30b45f8878 name: eth1 security_zone_settings: auto_calculated: false specific_zone: "{{ security_zone }}" register: update_result - name: Debug update_result ansible.builtin.debug: msg: "{{ update_result }}" - name: Publish the changes check_point.mgmt.cp_mgmt_publish: #when: update_result is changed

Re: Adding security zone to gateway interface using Ansible

Duane_Toler — Fri, 24 Oct 2025 13:10:07 GMT

Are you certain your variable "security_zone" is defined as you expect it to be, and is that zone defined already? Add yourself a debug call just prior your module to be sure.

Re: Adding security zone to gateway interface using Ansible

Duane_Toler — Fri, 24 Oct 2025 13:07:38 GMT

If you have access to the management server via SSH, you can look in the API debug log in $MDS_FWDIR/log/api.elg for any errors.

If your server is R82 or R81.20 JHF 101 and higher, you can get API usage details and info with $FWDIR/scripts/api_log_to_json.py. See sk181906 for details.

Re: Adding security zone to gateway interface using Ansible

the_rock — Fri, 24 Oct 2025 13:21:07 GMT

Yea, that file should contain any related errors.

Re: Adding security zone to gateway interface using Ansible

Govind135438 — Fri, 24 Oct 2025 13:59:14 GMT

The variable "security_zone" is hardcoded with valid value. I am testing the scripts in local Check Point environment before testing in the production environment.

Re: Adding security zone to gateway interface using Ansible

the_rock — Fri, 24 Oct 2025 14:07:03 GMT

Thats super smart!

Re: Adding security zone to gateway interface using Ansible

PhoneBoy — Fri, 24 Oct 2025 21:13:26 GMT

I believe it did have something to do with adding a Zone, though my internal email thread wasn't clear on this point.
In any case, suggest a TAC case and I'm flagging @Omer_Kleinstern on the underlying API bug.