This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
IdentityUnknown
Contributor
Contributor
‎2019-09-11 12:03 AM
Jump to solution

Adding Rules to a Rule Section Using Ansible

Dear all,

we are using the Check Point Ansible module https://github.com/CheckPointSW/cpAnsible

 

Do you know how to group access rules below a section?

The API tells me:

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-access-rule~v1.5%20

But how to convert it to an ansible playbook?

Only the "position: "top"" statement seems to be working. I commented the other attempts out.

Any ideas?

 

 

  - name: "Section"
    check_point_mgmt:
      command: add-access-section
      parameters:
        layer: "Network"
		name: "section 1"
        position: "top"
      session-data: "{{login_response}}"

  - name: "Rule"
    check_point_mgmt:
      command: add-access-rule
      parameters:
        layer: "Network"
#        position.below: "section 1"
#		 position: "section 1"
        position: "top"
        name: "Access rule"
        source: "1.1.1.1"
        destination: "2.2.2.2"
        service: "ssh"
        action: "allow"
      session-data: "{{login_response}}"

 

 

Thank you & kind regards

0 Kudos
2 Solutions

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-09-12 02:50 PM
In response to IdentityUnknown
Jump to solution

My guess is you need to do something like:

 

  - name: "Rule"
    check_point_mgmt:
      command: add-access-rule
      parameters:
        layer: "Network"
        position:
          below: "section 1"
        name: "Access rule"
        source: "1.1.1.1"
        destination: "2.2.2.2"
        service: "ssh"
        action: "accept"
      session-data: "{{login_response}}"

 

View solution in original post

Maik
Advisor
‎2019-09-13 05:56 AM
In response to IdentityUnknown
Jump to solution

I'm no expert when it comes to Ansible, but my guess is that the parameter for the action statement should be "accept" instead of "allow" - as mentioned in the API documentation:

 

actionstring
Default: Drop		"Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".

View solution in original post

7 Replies
PhoneBoy
Admin
Admin
‎2019-09-11 01:16 PM
Jump to solution

What error do you get?
0 Kudos
IdentityUnknown
Contributor
Contributor
‎2019-09-11 11:38 PM
In response to PhoneBoy
Jump to solution

With the following task:

  - name: "Rule"
    check_point_mgmt:
      command: add-access-rule
      parameters:
        layer: "Network"
        position.below: "section 1"
        name: "Access rule"
        source: "1.1.1.1"
        destination: "2.2.2.2"
        service: "ssh"
        action: "allow"
      session-data: "{{login_response}}"

 

I got

 "msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'position.below': u'section 1', u'source': u'1.1.1.1', u'action': u'allow'}' failed with error message: message: Unrecognized parameter [position.below]\ncode: generic_err_invalid_parameter_name\n. All changes are discarded and the session is invalidated."

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-12 02:50 PM
In response to IdentityUnknown
Jump to solution

My guess is you need to do something like:

 

  - name: "Rule"
    check_point_mgmt:
      command: add-access-rule
      parameters:
        layer: "Network"
        position:
          below: "section 1"
        name: "Access rule"
        source: "1.1.1.1"
        destination: "2.2.2.2"
        service: "ssh"
        action: "accept"
      session-data: "{{login_response}}"

 

IdentityUnknown
Contributor
Contributor
‎2019-09-13 05:24 AM
In response to PhoneBoy
Jump to solution

I tried it as well before, but the statement is reordered (position at the end of the statement) and the exception is:

msg": "Command 'add-access-rule {u'layer': u'Network', u'name': u'Access rule', u'service': u'ssh', u'destination': u'2.2.2.2', u'source': u'1.1.1.1', u'action': u'allow', u'position': {u'below': u'section 1'}}' failed with error message: message: Invalid parameter for [action]. The invalid value: [allow]\ncode: generic_err_invalid_parameter\n. All changes are discarded and the session is invalidated."

 

0 Kudos
Maik
Advisor
‎2019-09-13 05:56 AM
In response to IdentityUnknown
Jump to solution

I'm no expert when it comes to Ansible, but my guess is that the parameter for the action statement should be "accept" instead of "allow" - as mentioned in the API documentation:

 

actionstring
Default: Drop		"Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
IdentityUnknown
Contributor
Contributor
‎2019-09-13 06:12 AM
In response to Maik
Jump to solution

Yes, I worked with a typo in my example playbook. 

The task is working as PhoneBoy mentioned with the action string "accept" which Maik mentioned.

 

Thank you!

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-09-13 09:15 AM
In response to IdentityUnknown
Jump to solution

All I did was propagate the original mistake, fixed in my answer.
0 Kudos
Upcoming Events

    CheckMates Events