cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted

Checkpoint automation with Ansible

Hi all,

I am starting to play with Ansible playbooks, but either I don't understand the Checkpoint published Ansible documentation, or the way it works is a bit strange.

As far as I have read in the documentation and in the examples, the playbooks are ran on the local Ansible server (localhost), but still there is a section to define the credentials to connect via SSH to the Ansible server. So basically, when running the playbook on the Ansible server, the script will connect to itself via SSH and then it will connect to the Checkpoint management server to run the commands. I guess there should be a way to skip this, and also avoid having SSH credentials in the Ansible configuration files (only the Checkpoint management credentials will be configured).

Is this the intended way of working, or I'm completely messing up the configuration?

Thanks!

Tags (1)
5 Replies
Admin
Admin

Re: Checkpoint automation with Ansible

It should not be required to define localhost (with SSH credentials) in /etc/ansible/hosts.

0 Kudos

Re: Checkpoint automation with Ansible

I have tried without that, but I get the SSH banner from the ansible server in the error generated when I try to run the playbook, so it is definitely trying to connect to itself. Should I configure the playbook with 'localhost' in the "hosts" section, or with the checkpoint management server?

In all the examples and tutorials I see that the hosts section of the playbook is set to 'localhost'

0 Kudos
Admin
Admin

Re: Checkpoint automation with Ansible

If you want to see a working example, I recommend checking this: https://community.checkpoint.com/thread/5478-leveraging-the-r8010-api-to-automate-and-streamline-sec... 

My /etc/ansible/hosts based on this example has nothing in it (or just all comments) and all the playbooks refer to localhost only.

Re: Checkpoint automation with Ansible

Hi, I hope I can ask my question in this post and don't need to create a new post for this since my question is also related to Check Point automation with Ansible.

Due to FQDN resolving issues on our current version (and not able to upgrade to R80 yet since we are using SP solution) we want to update our FW rulebase based doing some DNS queries in a script and create new host objects and update a network object group with the relevant host objects). Since there's still an issue with the way the cpAnsible module is working (idempotence - https://github.com/CheckPointSW/cpAnsible/issues/7) I would like to use the parameter set-if-exists but for some reason my ansible playbook if failing with the following error: "The error was: ValueError: No JSON object could be decoded".

So basically I'm using the set-if-exists parameter wrong in my playbook. If I remove this line the playbook will run successfully (for new/not yet configured host objects)

PLAY [localhost] *******************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************
ok: [localhost]

TASK [login] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [add host] ********************************************************************************************************************************************************************
changed: [localhost] => (item={u'ip_address': u'172.217.23.206', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-172.217.23.206" target="_blank">www.youtube.com-172.217.23.206</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-172.217.23.206" target="_blank">www.youtube.com-172.217.23.206</a>'})
changed: [localhost] => (item={u'ip_address': u'172.217.23.238', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-172.217.23.238" target="_blank">www.youtube.com-172.217.23.238</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-172.217.23.238" target="_blank">www.youtube.com-172.217.23.238</a>'})
changed: [localhost] => (item={u'ip_address': u'216.58.201.78', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-216.58.201.78" target="_blank">www.youtube.com-216.58.201.78</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-216.58.201.78" target="_blank">www.youtube.com-216.58.201.78</a>'})

TASK [publish] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [logout] **********************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP *************************************************************************************************************************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=0

 

My playbook looks like this:

---
- hosts: "localhost"                        # Note #2 in the Description section
  vars_files:
  - test.yml
  tasks:
  - name: "login"                           # You have to login to the management
                                            # server before running any commands
    check_point_mgmt:
      command: login
      parameters:
        username: "{{username}}"          # Variables set in /etc/ansible/hosts, to avoid needing
        password: "{{password}}"       # to type your login details in every playbook.
        management: "{{mds_ip}}"
        domain: "{{mds_domain}}"
      fingerprint: "{{mds_fingerprint}}"
    register: login_response                # Register the output from the login
                                            # command so we can use it later to run commands.
  - name: "add host"
    check_point_mgmt:
      command: add-host                     # Name of the command
      parameters:                           #  The parameters for it, in dictionary form
        name: "{{item.host_name}}"
        ip-address: "{{item.ip_address}}"
        set-if-exists: true
      session-data: "{{ login_response }}"  # The session data we received from
    with_items: "{{host_table}}"

  - name: "publish"                         # Publishing is important if you want
                                            # your changes to be saved.
    check_point_mgmt:                       # This will actually 'discard' when
                                            # check mode is enabled (ansible-playbook -C)
                                            # unless you add 'always_run: yes' to the task.
      command: publish
      session-data: "{{login_response}}"
  - name: logout
    check_point_mgmt:
      command: logout
      session-data: '{{login_response}}'

 

Many thanks!

Tags (1)

Re: Checkpoint automation with Ansible

Ok I found the issue. The set-if-exists value should be between quotes

 

set-if-exists: "true"

 

0 Kudos