Govind135438
Participant

Unable to assign security zone to Check Point R82 Security Gateway VLAN interface

I am new to Check Point or any enterprise grade firewall product.

 

I am trying to automate security zone creation, which involves assigning a security zone to a Security Gateway Ethernet bonding interface.

I need help because I cannot get the zone associated with the gateway interface.

Using Check Point Security Gateway/Mgmt R82. The security gateway is Open server running on a VMware VM.

Here is the code snippet from my Ansible playbook:

- name: Check Point Play
  hosts: check_point_mgmt
  connection: httpapi
  gather_facts: no

  tasks:
    - name: Check Point vars
      ansible.builtin.include_vars:
        file: global_vars/check_point_vars.yml

    - name: Get gateway object info
      check_point.mgmt.cp_mgmt_simple_gateway_facts:
        name: gw-893628
      register: rg_gw_info

    - name: Add the VLAN interface and publish
      block:
        - name: Add VLAN interface to Management gateway object
          check_point.mgmt.cp_mgmt_interface:
            gateway_uid: "{{ rg_gw_info.ansible_facts.simple_gateway.uid }}"
            name: eth0.3004
            ipv4_address: 10.25.178.49
            ipv4_mask_length: 28            # integer, not a quoted string
            topology: internal
            topology_settings:
              ip_address_behind_this_interface: network defined by the interface ip and net mask
            security_zone_settings:
              auto_calculated: false
              specific_zone: testzone1
              specific_security_zone_enabled: true   # not accepted by the stock module, see replies below
            anti_spoofing: true
            anti_spoofing_settings:
              action: detect
              spoof_tracking: log
            state: present
            wait_for_task: true
            wait_for_task_timeout: "{{ g_wait_for_task_timeout }}" # Wait for 10 minutes before failing
          register: rg_update_result

        - name: Debug rg_update_result
          ansible.builtin.debug:
            var: rg_update_result

        - name: Publish changes
          check_point.mgmt.cp_mgmt_publish:
            wait_for_task: true
            wait_for_task_timeout: "{{ g_wait_for_task_timeout }}" # Wait for 10 minutes before failing

 

The screenshot below shows the VLAN interface settings with the security zone, which looks assigned, but the checkbox is not ticked.

Screenshot: Security zone appears but not selected

The next steps in my workflow work only after I manually tick the checkbox for "Specify security zone".

 

Same issue even with command-line. Can you review my command to see if I missed any options?

Here is the command I ran to set the interface “eth0.3004” to “testzone1”:

gw-893628> mgmt_cli -r true set interface uid 0ffed6ab-866f-4bd0-9bb9-a859201d0f05 name eth0.3004 security-zone-settings.auto-calculated false security-zone-settings.specific-zone testzone1

 

Here is another command I ran for setting the interface “eth0.3004” to one of the built-in zones “InternalZone”:

gw-893628> mgmt_cli -r true set interface uid 0ffed6ab-866f-4bd0-9bb9-a859201d0f05 name eth0.3004 security-zone-settings.auto-calculated false security-zone-settings.specific-zone InternalZone

 

Am I missing any step for assigning the security zone to the Gateway interface?

0 Kudos

16 Replies
Govind135438
Participant

Update from my side: The following command worked as expected when I include "security-zone-settings.specific-security-zone-enabled true" :

gw-893628> mgmt_cli -r true set interface uid 0ffed6ab-866f-4bd0-9bb9-a859201d0f05 name eth0.3004 security-zone-settings.auto-calculated false security-zone-settings.specific-security-zone-enabled true security-zone-settings.specific-zone testzone1

gw-893628> mgmt_cli -r true publish

 

 

However, the Ansible playbook fails when I include "security-zone-settings.specific-security-zone-enabled: true".

Looks like Ansible module "check_point.mgmt.cp_mgmt_interface" needs changes to accept the variable "check_point.mgmt.cp_mgmt_interface".

0 Kudos
the_rock
MVP Platinum
MVP Platinum

Hey @Govind135438 

I know @Duane_Toler is great with Ansible, so maybe he can help you here.

Best,
Andy
(1)
Duane_Toler
MVP Silver
MVP Silver

Thanks for the accolades. 🙂

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Platinum
MVP Platinum

Truth ALWAYS has to be told, my friend 🙂

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver

Good catch!  This boolean is indeed not available in the module.  Another interesting point is that even the API reference documentation doesn't show that as a valid parameter.    However, the example request at the bottom shows this parameter being used.  It's the same for API v2 and v2.0.1.

Meanwhile, the good news is that this can be added to the Ansible module if you want it; you can edit the module code to include it yourself to test it.  If you're not in the mood to edit the module code, I added the parameters to the module in my GitHub tree you can test.  You can install this branch with ansible-galaxy with a Git URL:

ansible-galaxy collection install -U git+https://github.com/duanetoler/CheckPointAnsibleMgmtCollection.git,cp_mgmt_interface

This will install into your existing default collection path, but if you need it to be installed elsewhere, then add -p <pathname> at the end.

The -U option will do an in-place upgrade of what you have already.  If you have issues, or want to revert back to the original Check Point collection, then re-install the collection from ansible-galaxy like you did originally, but also add the -U  option.  This will again overwrite what you installed from my branch and put you back to where you started.

Let us know if it works.  If it doesn't, ...let us know, too.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
Govind135438
Participant

Great! I can test using the code from your branch and confirm soon.

0 Kudos
Duane_Toler
MVP Silver
MVP Silver

One more nuance I didn't notice earlier:  In your task, be sure that integers are integers.  Things like your ipv4 prefix-length, for example.  Don't quote those items; they need to be integers not strings.  Most of the strings you have quoted also don't need to be quoted.  YAML takes strings as they are.  Even your interface name doesn't need to be quoted because it has alpha characters with it; it won't be interpolated as a float.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Platinum
MVP Platinum

Always super helpful.

Best,
Andy
0 Kudos
Govind135438
Participant

Thanks for pointing that out. I will make the necessary changes to our code. The actual code uses variables instead of hardcoded values.

0 Kudos
Govind135438
Participant

I ran the test SUCCESSFULLY after applying the fix from @Duane_Toler

Really appreciate your quick help in resolving this issue. 

We need this fix in the public version of the Ansible collection for our customer to accept our automation code.

May I know when I can expect this fix to be rolled out to the Ansible collection?

Duane_Toler
MVP Silver
MVP Silver

Excellent to hear that it works! Thanks!  I sent the Ansible collection team a pull request for it.  There's no specific time estimate right now, but you can always monitor the status of the PR here:
https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/pull/192

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Platinum
MVP Platinum

Excellent as always Duane!

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver

Hey FYI:  The Ansible module team says they will include this parameter in a future update, but not with the PR patch I made.  They will need to do some extra work to get this option added because there are 2 mutually-exclusive booleans involved, which I didn't notice earlier.  In the meantime, you're welcome to keep using the module I made, or you can revert to the original collection version and you'll need to handle the zone settings manually (or with your own raw API call).

 

Take care!

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
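The sequence the thread converges on (auto-calculated off, the zone named, and specific-security-zone-enabled explicitly true, then publish) as the raw Management API call Duane mentions above, for anyone staying on the stock check_point.mgmt collection. This is an added example, not code from the thread, from Check Point, or from the Ansible collection. It assumes the R82 Management API commands login, set-interface, show-interface, discard, publish and logout under /web_api/v2, that show-interface accepts the interface uid, and that the response carries a security-zone-settings object with the same keys the mgmt_cli command uses; whether the response's specific-zone is a plain name or an object with a "name" key is an assumption, so both forms are handled. The point of the script is the check: it re-reads the interface after set-interface and refuses to publish unless the "Specify security zone" flag actually stuck, which is the failure mode in the screenshot. The embedded sample response is constructed for illustration.

```python
"""Pin a gateway interface to a specific security zone via the raw Management
API and verify the flag stuck before publishing.
Added example (not from the thread, Check Point, or the Ansible collection).
Assumed: R82 API commands login/set-interface/show-interface/discard/publish/
logout under /web_api/v2; show-interface takes the interface uid.
"""
import json
import os
import ssl
import urllib.request

API_BASE_PATH = "/web_api/v2/"  # the thread notes v2 and v2.0.1 behave the same here

# Constructed sample of a show-interface response after a set-interface that
# left out specific-security-zone-enabled: the zone is named but not enabled,
# i.e. the "Specify security zone" checkbox is unticked, as in the screenshot.
SAMPLE_HALF_SET = {
    "name": "eth0.3004",
    "security-zone-settings": {
        "auto-calculated": False,
        "specific-security-zone-enabled": False,
        "specific-zone": {"name": "testzone1"},
    },
}


def build_set_interface_body(interface_uid, zone_name):
    """Body for set-interface. All three keys are needed for the zone to stick;
    omitting specific-security-zone-enabled reproduces the symptom above."""
    return {
        "uid": interface_uid,
        "security-zone-settings": {
            "auto-calculated": False,
            "specific-security-zone-enabled": True,
            "specific-zone": zone_name,
        },
    }


def zone_is_pinned(interface_obj, zone_name):
    """True only if the interface object has the zone explicitly enabled and it
    names zone_name. Missing keys count as not pinned."""
    szs = interface_obj.get("security-zone-settings") or {}
    if szs.get("auto-calculated", True):
        return False
    if not szs.get("specific-security-zone-enabled", False):
        return False
    zone = szs.get("specific-zone")
    if isinstance(zone, dict):  # assumption: object-reference form of the zone
        zone = zone.get("name")
    return zone == zone_name


class MgmtApi:
    """Minimal stdlib-only Management API session: login, call, logout."""
    def __init__(self, host, port=443, verify_tls=True):
        self.base = "https://%s:%d%s" % (host, port, API_BASE_PATH)
        self.sid = None
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # lab boxes with self-signed certs only; pin the CA in production
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE

    def call(self, command, body=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(self.base + command, method="POST",
                                     data=json.dumps(body or {}).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def logout(self):
        if self.sid:
            self.call("logout")
            self.sid = None


def pin_interface_zone(api, interface_uid, zone_name):
    """set-interface, re-read with show-interface, publish only if the zone stuck;
    otherwise discard the session changes and raise. Returns the verified object."""
    api.call("set-interface", build_set_interface_body(interface_uid, zone_name))
    obj = api.call("show-interface", {"uid": interface_uid})
    if not zone_is_pinned(obj, zone_name):
        api.call("discard")  # never publish a half-set zone
        raise RuntimeError("zone not pinned on %s: %r" % (interface_uid, obj.get("security-zone-settings")))
    api.call("publish")
    return obj


if __name__ == "__main__":
    host = os.environ.get("CP_MGMT_HOST")  # unset: run the check offline on the sample
    if not host:
        print("sample pinned:", zone_is_pinned(SAMPLE_HALF_SET, "testzone1"))
    else:
        api = MgmtApi(host, verify_tls=os.environ.get("CP_VERIFY_TLS", "1") == "1")
        api.login(os.environ["CP_USER"], os.environ["CP_PASSWORD"])
        try:
            pin_interface_zone(api, os.environ["CP_IFACE_UID"], os.environ.get("CP_ZONE", "testzone1"))
        finally:
            api.logout()
```

Set CP_MGMT_HOST, CP_USER, CP_PASSWORD and CP_IFACE_UID (the interface uid from the mgmt_cli commands above) to run it against a management server; without CP_MGMT_HOST it only evaluates the constructed sample. The same three-key body works from an ansible.builtin.uri task if you prefer to stay inside the playbook, and the re-read-before-publish step is worth keeping there too.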
PhoneBoy
Admin
Admin

I vaguely remember a bug I found (and internally reported) in the API for this particular function.
You might also want to make sure you're on the latest recommended JHF.

0 Kudos
Govind135438
Participant
# /home/avireddi/.ansible/collections/ansible_collections
Collection                Version
------------------------- -------
check_point.gaia          7.0.0
check_point.mgmt          6.7.0

# /usr/lib/python3/dist-packages/ansible_collections
Collection                Version
------------------------- -------
check_point.mgmt          1.0.6

This is what I see from the output of "ansible-galaxy collection list" command.

Can you please confirm if I am on the latest versions?

0 Kudos
Duane_Toler
MVP Silver
MVP Silver

The search order for your collections is determined by the "collections_path" option in your ansible.cfg configuration file.  You can see where ansible, ansible-playbook, and ansible-galaxy find your configuration path (and collections path) with the "--version" option to each of those commands.

You want to be careful about always updating to the latest collection versions because newer versions will stop supporting older versions of Ansible over time. This is where Docker is helpful, so you can always have a Docker image available that uses specific versions of Ansible, Python, and (optionally) the collections.

You can always update to the latest collection version with the ansible-galaxy command to install the collections as you did originally, but add the "-U" parameter to do an in-place upgrade to the latest version available.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos