
Automate your R80 Management Server using Ansible

Overview

Ansible (www.ansible.com) is a popular automation tool.

The Check Point Management Ansible module brings the ability to automate Check Point R80 management tasks (e.g. adding objects, manipulating the rulebase, pushing policy) into the Ansible automation platform.

Description

Provide Ansible "playbooks" with simple access to all available Check Point R80 Management APIs.

The Ansible module is written in Python and its source code is available: you're welcome to review the code, suggest enhancements or modify it.

Instructions

Refer to our GitHub repo (the link below) for detailed instructions.

Tested on version

R80.10, API version 1.1

Source Code Availability

The source code is now public in a GitHub repository:

https://github.com/CheckPoint-APIs-Team/cpAnsible

NOTICE: By using this sample code you agree to the Terms and Conditions.

...

34 Replies

Re: Automate your R80 Management Server using Ansible

Looks interesting - thanks to Don Paterson for pointing me at this :)

In the commands you have add-host and add-group - would add-network behave similarly? Can we also do delete actions in the same way?

I don't currently have an R80 build stood up to test it, but it's edging closer and closer to being a perfect fit for the automation I'm in the process of standing up.


Re: Automate your R80 Management Server using Ansible

Yes, "add-network" and delete actions are also available.

Check the API reference for the complete list of API commands and their parameters.

Re: Automate your R80 Management Server using Ansible

Just in case it helps, have a look at this one 🙂:

Adding members to a group


Re: Automate your R80 Management Server using Ansible

Hi all,

Is this the last version of the module? Is this module available on ansible repository?

I'm trying to run it on Ansible 2.0.1.0 and I found some problems. I've seen you specify that Python 2.7.9 is needed, but has someone tested it with Python 2.7.5?

Thanks in advance,

Employee+

Re: Automate your R80 Management Server using Ansible

Looks great :)

Do Check Point plan to create something similar for Puppet?

Employee+

Re: Automate your R80 Management Server using Ansible

Hi Arnfinn,

Currently we do not have plans to support Puppet.

But if there will be a demand for Puppet from multiple customers, we will consider developing a similar solution.

Re: Automate your R80 Management Server using Ansible

Does this work with Mac & R77.30?

Employee+

Re: Automate your R80 Management Server using Ansible

Hi Alex,

No, this won't work with R77.30 because the solution is based on the new API that was introduced only in R80.

I don't see any limitations for Mac as long as you can run Ansible on it.


Re: Automate your R80 Management Server using Ansible

Has anyone faced an issue with not being able to find the module mgmt_api_lib while working on Ansible?


Re: Automate your R80 Management Server using Ansible

Without knowing your setup, you need to check that the modules are where they should be for the library. Ansible checks in the following places:

  • In directories defined by ANSIBLE_LIBRARY if set
  • If not set, in directories defined by library in configuration file
  • In ./library directory relative to location of playbook in use
  • (I suspect, although I didn't spot it, you might also find that it's in ./roles/<rolename>/library and /etc/ansible/roles/<rolename>/library)
  • In /etc/ansible/library
  • In /usr/lib/python2.7/site-packages/ansible/modules

Realistically, your libraries should be somewhere sensible. If you're using Version Control (and if you're not... why not?!?!) then they should be included in your VCS tree, which means either tracking /etc/ansible or the path to where you're running your playbook from.

Hope that helps!

Re: Automate your R80 Management Server using Ansible

Thank you. I will check that and keep this thread posted. Thank you for your reply.


Re: Automate your R80 Management Server using Ansible

I've finally had a chance to look at this (and sought advice from the #Ansible channel on irc.freenode.net).

So, it looks like the path specified by Checkpoint is very distribution specific, and doesn't fly with Ubuntu 16.04. Frankly, there's not enough to this library to mess around with it too much, and I ended up pulling the various elements of the library apart and making it into one single file. This then can be placed into [/path/to/your/ansible/playbook/or/role]/library (e.g. /etc/ansible/library or /home/useraccount/customer-a/library - where /home/useraccount/customer-a also has your inventory file and your playbook).

I was going to go into a deep-dive on how to make the merged file, but I've instead put it into a secret gist at github.com - please can the developers advise whether this can be made public?

check_point_mgmt.py combined into a single script, based on check_point_mgmt.py version 1.0.1 - PROP... 

One thing that would be useful would be if there is some way from the command line to enable the API, so then I don't need to open the management UI at all.....

Thanks!


Re: Automate your R80 Management Server using Ansible

The key thing I have noticed about this script at the moment is that it is not idempotent. As such, you can't have your playbook run multiple times against the same host. I don't know whether to work around this, or to leave it as a concern for the reader.

I have also updated the gist I linked to before to add the ability to use the omit value (e.g. "{{ item.source|default('omit')}}") which is a fairly common pattern in my ansible use.

Realistically, the python script should check for the presence of a line item (e.g. host, network, group, etc) before trying to add it. It does not currently do this.
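Picking up the idempotency point above (look the object up before trying to add it), here is an added example in Python that is not part of the cpAnsible module or of this thread. It assumes the R80 Management API commands show-host, add-host, set-host and publish, plus an assumed error code for a missing object; FakeMgmtApi is a constructed in-memory stand-in for POST https://<mgmt>/web_api/<command> so the code runs offline.

```python
# Added example (not the cpAnsible module's own code): an idempotent
# "ensure host exists" step for the R80 Management API. It assumes the
# documented web_api commands show-host / add-host / set-host / publish and
# an assumed show-host error code for a missing object; FakeMgmtApi is a
# constructed in-memory stand-in for POST https://<mgmt>/web_api/<command>.
NOT_FOUND = "generic_err_object_not_found"  # assumed show-host error code


class FakeMgmtApi:
    """Constructed stand-in that mimics a success/data response shape."""

    def __init__(self):
        self.hosts = {}
        self.calls = []  # commands issued, to show that reruns do not write

    def call(self, command, payload):
        self.calls.append(command)
        name = payload.get("name")
        if command == "show-host":
            if name in self.hosts:
                return {"success": True, "data": dict(self.hosts[name])}
            return {"success": False, "code": NOT_FOUND}
        if command == "add-host":
            if name in self.hosts:  # what a non-idempotent rerun would hit
                return {"success": False, "code": "err_validation_failed"}
            self.hosts[name] = {"name": name, "ipv4-address": payload["ipv4-address"]}
            return {"success": True, "data": dict(self.hosts[name])}
        if command == "set-host":
            self.hosts[name]["ipv4-address"] = payload["ipv4-address"]
            return {"success": True, "data": dict(self.hosts[name])}
        if command == "publish":
            return {"success": True}
        raise ValueError("unknown command " + command)


def ensure_host(api, name, ipv4):
    """Return (changed, object). Look up first; add only when absent,
    set only on drift, publish only when something was actually written."""
    resp = api.call("show-host", {"name": name})
    if resp["success"]:
        obj = resp["data"]
        if obj["ipv4-address"] == ipv4:
            return False, obj  # desired state already present: no write
        obj = api.call("set-host", {"name": name, "ipv4-address": ipv4})["data"]
    elif resp.get("code") == NOT_FOUND:
        obj = api.call("add-host", {"name": name, "ipv4-address": ipv4})["data"]
    else:
        raise RuntimeError("show-host failed: %r" % resp)
    api.call("publish", {})  # changes are session-scoped until published
    return True, obj
```

Running the same play twice yields changed=True then changed=False, which is the "changed" result an Ansible module is expected to report.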

Re: Automate your R80 Management Server using Ansible

Thanks for providing the module, I have 2 questions:
Is this open source? Can the community contribute to the code?

Can you provide GIT repository address? 


Re: Automate your R80 Management Server using Ansible

Hey Michal,

I discussed this with a couple of the team involved in creating this - they are happy for changes to be contributed, but it's not in a public git repo as yet (there was talk of a Check Point GitHub account, although I can't find it :) ). Your best bet would be to do as I did - take the code, put it in your own Git repo and share it to this thread. The team are keen to improve things! I spent 1h30 on the phone with them discussing how to improve things, and they were very receptive.

Of course, the proof of the pudding is in the eating (as we say here!) and so I'd hope to see something change in the next few months, but I can't confirm or deny anything - aside from anything else, I don't work for Check Point, I'm just a consumer :)


Re: Automate your R80 Management Server using Ansible

Is the current Ansible repository compatible with R80.10?


Re: Automate your R80 Management Server using Ansible

I've found it works for my usecases, but your mileage may vary!


Re: Automate your R80 Management Server using Ansible

Has anyone used the add-simple-gateway command yet? Can anyone provide the list of parameters for that command? I tried to use what was in the api doc, but I must have something wrong.

Employee+

Re: Automate your R80 Management Server using Ansible

I use this command in my PowerShell script that creates a GW in Azure or AWS and then adds objects, a GW object and a policy, and pushes the policy at the end.

    mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 \
        application-control true data-awareness true firewall true \
        one-time-password vpn12345 version R80.10 url-filtering true \
        interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 \
        interfaces.1.ipv4-mask-length 24 interfaces.1.topology external \
        interfaces.1.anti-spoofing false \
        interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 \
        interfaces.2.ipv4-mask-length 24 interfaces.2.topology internal \
        interfaces.2.anti-spoofing false \
        interfaces.2.topology-settings.ip-address-behind-this-interface specific \
        interfaces.2.topology-settings.specific-network web-subnet \
        -s sid.txt

The API doc should be fine.

Arnfinn

Admin

Re: Automate your R80 Management Server using Ansible

Check Point's official github repository is here: Check Point Software Technologies LTD. · GitHub 

The ansible modules aren't there yet.

Admin

Re: Automate your R80 Management Server using Ansible

A question was asked by Michal Taratuta during our recent automation webcast: Are there any plans to make our Ansible modules idempotent?


Re: Automate your R80 Management Server using Ansible

I guess since you are already making them available online here, it should not take long for them to be copied to GitHub.

Employee+

Re: Automate your R80 Management Server using Ansible

Currently we do not have such plans.

Employee+

Re: Automate your R80 Management Server using Ansible

Ansible does work with R77.30 with these 2 modules:

1. raw

2. shell

With R80.x you can also use different modules, including the Check Point module.

I'm personally using R80.10 with Ansible Tower :)


Re: Automate your R80 Management Server using Ansible

#AWESOME! Cheers guys!


Re: Automate your R80 Management Server using Ansible

Great!

Re: Automate your R80 Management Server using Ansible

Does anyone have Ansible working with R77.30 in their environment? If yes, care to share the experience?

I'd be keen to touch base as we are looking into this and see what level of automation we can get.

Thanks in advance!


Re: Automate your R80 Management Server using Ansible

This Ansible module requires R80+ as it talks to the API. That said, you can manage R77.30 gateways from an R80+ manager... and that does work.

To manage Gaia on the hosts directly, you'd need to do everything with "raw" commands, without gathering any facts from the device, because the Python that's on the hosts (at least, the last I checked with R77.30) didn't have the libraries that Ansible needs to perform the basic checks (I think it doesn't have hashing libraries, from memory).

Hope that helps!