J_Saun
Nickel

Checkpoint automation - many questions


Just starting to get into automating configuration tasks on Checkpoint R80. I have installed cpAnsible on a CentOS machine that has Python running and did a simple group and object add, which worked fine.

 

My questions:

- Is Ansible just running built-in Checkpoint CLI commands? If so, where do I get a list of those commands?

- Why do I need Ansible?

- Why do I need Python on my local machine if I have Ansible? (Sorry - I just don't understand the relationship between the 2.)

- Why do I need Python on the remote machine (the Checkpoint manager)?

- Is this possible on any Checkpoint version lower than R80? If not, how is similar automation performed on lower versions of Checkpoint (R77, R65)?

- Is it possible to have a front-end web form or something that passes request data (source, destination, port) to Python/Ansible/Checkpoint directly and processes the request automatically?

 

Thanks!

1 Solution

Accepted Solutions
Admin
Admin

Re: Checkpoint automation - many questions

Ansible is an automatic framework that runs on Python, which is an interpreted language.
When you use the cpModule, it is calling the REST API on the backend, which is only available in R80+ Management.
There is a Python interpreter on recent versions of Check Point Management already, but it is not used in this context.

There is no requirement to use Ansible for automation; it just happens to be a popular choice.
Anything that speaks a REST API can be used.
You can also use the CLI via the mgmt_cli command if you prefer.
API/CLI docs are here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
There are also sample web forms on CheckMates that you can leverage.

Automating R77.x and earlier management is possible to varying degrees depending on what you are trying to do.
However, it does not have a REST API and requires a bit more work to automate.
You can find examples for specific tasks on CheckMates.
3 Replies
J_Saun
Nickel

Re: Checkpoint automation - many questions


Thanks very much for the explanations.

0 Kudos
J_Saun
Nickel

Re: Checkpoint automation - many questions


I'm still trying to grasp the relationship between Ansible and the Checkpoint API. I successfully used cpAnsible and added a group with a host using the example they have on the GitHub cpansible page, but I don't understand how the commands are getting sent to the Checkpoint manager.

 

Example:

 

The Ansible .yml has the following:

- name: "add host"
  check_point_mgmt:
    command: add-host   # Name of the command
    parameters:         # The parameters for it, in dictionary form
      name: "host_demo"
      ip-address: "1.2.3.5"

 

But, according to the Management API Reference doc, if I just want to do that via the CLI on the management server I use:

mgmt_cli add host name "New Host 1" ip-address "1.2.3.5" --version 1.1 --format json

 

In the .yml it uses add-host (note the hyphen) but the CLI command is add host (no hyphen).

Does Checkpoint accept either?

0 Kudos
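The REST exchange that the accepted reply says sits behind the Ansible module, as an added example (not code from this thread or from cpAnsible): in the Management API the hyphenated command name is the URL path (`/web_api/add-host`), and the session id returned by `login` is sent in the `X-chkp-sid` header. The server name, credentials, function names and the object-name pattern are assumptions for illustration; the validation step is what a web form front end would need before passing user input to the manager.

```python
import ipaddress
import json
import re
import urllib.request

API = "https://{server}/web_api/{command}"   # command name is the URL path

def build_request(server, command, payload, sid=None):
    """Build (url, headers, body) for one Management API call."""
    headers = {"Content-Type": "application/json"}
    if sid:                                  # every call after login carries the session id
        headers["X-chkp-sid"] = sid
    return API.format(server=server, command=command), headers, json.dumps(payload).encode()

def https_post(url, headers, body):
    """Default transport: HTTPS POST with certificate verification left on."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def validate_host(name, ip):
    """Reject form input that is not a plain object name and a literal IP address."""
    # Assumed local naming policy (hypothetical), not a Check Point rule.
    if not re.fullmatch(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,62}", name):
        raise ValueError(f"bad object name: {name!r}")
    return name, str(ipaddress.ip_address(ip))   # raises ValueError on non-IP input

def add_host(server, user, password, name, ip, post=https_post):
    """login -> add-host -> publish, with logout always sent afterwards."""
    name, ip = validate_host(name, ip)           # validate before any API call
    login = post(*build_request(server, "login", {"user": user, "password": password}))
    sid = login["sid"]
    try:
        host = post(*build_request(server, "add-host", {"name": name, "ip-address": ip}, sid))
        post(*build_request(server, "publish", {}, sid))   # commit the session's changes
        return host
    finally:
        post(*build_request(server, "logout", {}, sid))    # do not leave the session open
```

The `post` parameter lets the sequence be exercised against a stub before it is pointed at a real manager.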