- Products
- Learn
- Local User Groups
- Partners
- More
On-Premise SD-WAN Management
Register HereWhat's New in R82.10?
Watch Here AI Security Masters E8:
Claude Mythos: New Era in Cyber Security
CheckMates Go:
The Moment Before
Dear all,
we are using the Check Point Ansible module https://github.com/CheckPointSW/cpAnsible
Do you know how to group access rules below a section?
The API tells me:
https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-access-rule~v1.5%20
But how to convert it to an ansible playbook?
Only the "position: "top"" statement seems to be working. I commented the other attempts out.
Any ideas?
- name: "Section"
check_point_mgmt:
command: add-access-section
parameters:
layer: "Network"
name: "section 1"
position: "top"
session-data: "{{login_response}}"
- name: "Rule"
check_point_mgmt:
command: add-access-rule
parameters:
layer: "Network"
# position.below: "section 1"
# position: "section 1"
position: "top"
name: "Access rule"
source: "1.1.1.1"
destination: "2.2.2.2"
service: "ssh"
action: "allow"
session-data: "{{login_response}}"
Thank you & kind regards
My guess is you need to do something like:
- name: "Rule"
check_point_mgmt:
command: add-access-rule
parameters:
layer: "Network"
position:
below: "section 1"
name: "Access rule"
source: "1.1.1.1"
destination: "2.2.2.2"
service: "ssh"
action: "accept"
session-data: "{{login_response}}"
I'm no expert when it comes to Ansible, but my guess is that the parameter for the action statement should be "accept" instead of "allow" - as mentioned in the API documentation:
| action | string Default: Drop | "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer". |
With the following task:
- name: "Rule"
check_point_mgmt:
command: add-access-rule
parameters:
layer: "Network"
position.below: "section 1"
name: "Access rule"
source: "1.1.1.1"
destination: "2.2.2.2"
service: "ssh"
action: "allow"
session-data: "{{login_response}}"
I got
"msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'position.below': u'section 1', u'source': u'1.1.1.1', u'action': u'allow'}' failed with error message: message: Unrecognized parameter [position.below]\ncode: generic_err_invalid_parameter_name\n. All changes are discarded and the session is invalidated."
My guess is you need to do something like:
- name: "Rule"
check_point_mgmt:
command: add-access-rule
parameters:
layer: "Network"
position:
below: "section 1"
name: "Access rule"
source: "1.1.1.1"
destination: "2.2.2.2"
service: "ssh"
action: "accept"
session-data: "{{login_response}}"
I tried it as well before, but the statement is reordered (position at the end of the statement) and the exception is:
msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'source': u'1.1.1.1', u'action': u'allow', u'position': {u'below': u'section 1'}}' failed with error message: message: Invalid parameter for [action]. The invalid value: [allow]\ncode: generic_err_invalid_parameter\n. All changes are discarded and the session is invalidated."
I'm no expert when it comes to Ansible, but my guess is that the parameter for the action statement should be "accept" instead of "allow" - as mentioned in the API documentation:
| action | string Default: Drop | "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer". |
Yes, I worked with a typo in my example playbook.
The task is working as PhoneBoy mentioned with the action string "accept" which Maik mentioned.
Thank you!
Thu 09 Jul 2026 @ 10:00 AM (CEST)
Schutz souveräner Workloads: Check Point & die AWS European Sovereign CloudThu 09 Jul 2026 @ 11:00 AM (CEST)
The Cloud Architects Series: Check Point Edge Protection SD-WAN & SASEThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 09 Jul 2026 @ 11:00 AM (EDT)
Tips and Tricks 2026 #9 - What's New with Check Point Email SecurityFri 10 Jul 2026 @ 11:00 AM (IDT)
CheckMates Live Netherlands - Sessie 48: Nieuwe Check Point Workspace SecurityTue 14 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E11: READY OR NOT: Securing the AI Enterprise 3/5 - AI Workforce SecurityThu 30 Jul 2026 @ 10:00 AM (PDT)
AI Security Masters E12: READY OR NOT: Securing the AI Enterprise 4/5 - AI GatewayThu 20 Aug 2026 @ 10:00 AM (PDT)
AI Security Masters E13: READY OR NOT: Securing the AI Ent 5/5 - AI Research & Threat LandscapeAbout CheckMates
Learn Check Point
Advanced Learning
YOU DESERVE THE BEST SECURITY