Hi All,
I'm running into an issue when I try to use the above-mentioned module. In my firewall environment, we have 5 domains and hence we use the Global domain for a global assignment on all 5 domains. However, when I use this module, if the hosts are not present in any domain, it tends to create the host and add it to the assigned group that is mentioned in the script. But if the hosts are already present on the firewalls and already exist in different groups, it tends to move the existing hosts from the other groups and put them in the new group that is mentioned in the script. This is creating an outage on our firewall rules. Is there a workaround for this? Below is the sample script that I'm using:
Hi,
this happens because when you specify

```yaml
groups: gTest1A
```

you tell it to make sure the host is in the listed groups (gTest1A) and ONLY in those groups.
Depending on your setup, the correct solution could be to configure the group members with the cp_mgmt_group module.
This will work if the group is not supposed to contain any members that are configured outside of your Ansible script. Otherwise it would have the same effect, where it will remove all hosts and leave only the ones specified as members.
Hi Jonas,
So in my environment, IPs get re-used all the time and there may be cases where the hostnames have changed but the IPs remained the same, and the firewall has the existing host object with the same IP in a different group. When we get a new request to create a new group with new hostnames but with the same IPs that are already present on the firewall in other groups, how can we avoid them being moved from their group and instead just add the new hosts to the new group that is specified in the script?
If you have the same IP, but a different name for the host object, it will emit a warning regarding the duplicate IP, but Ansible would not consider them the same object (and therefore not try to update the groups for the old object).
The conflict only occurs if you are trying to create host objects with the same name as an existing one.
As long as the group is managed only by Ansible and the script is aware of the entire list of members for that group, that is not a problem either way if you change the membership configuration from being done per host to being done with the group module:

```yaml
- name: add-network-group
  check_point.mgmt.cp_mgmt_group:
    name: ExampleGroup
    comments: "anything"
    state: present
    members:
      "{{ list_of_hosts }}"
    auto_publish_session: yes
```
Also, check out our Generic Data Center feature. If you have a very dynamic environment this might be even better than updating objects and groups. There is no need to install policy for the updates to take effect.
PS: If you don't have a lab environment to test your Ansible script against, you can use the SmartConsole demo mode for that.
After starting a new demo session from SmartConsole, copy the server IP address and use admin/demo123 as your credentials.
Is there a way, maybe another module, which can check if the same host exists and then just error out? What if I want to create different groups with the same hosts, but the same hosts can exist in multiple groups? Because there are different team members who work on different tasks and may not be able to check if the host is already present on the firewall.
If you don't specify ignore_errors: yes, the cp_mgmt_host module will error out and not continue if an object with the same IP already exists.

```
"msg": "Checkpoint device returned error 400 with message {u'message': u'Validation failed with 1 warning', u'code': u'err_validation_failed', u'warnings': [{u'message': u'Multiple objects have the same IP address 203.0.113.1'}]} Unpublished changes were discarded"}
```
If you want to have different groups with the same hosts in them, you can repeat the cp_mgmt_group module:

```yaml
- name: add-network-group
  check_point.mgmt.cp_mgmt_group:
    name: FirstExampleGroup
    state: present
    members: "{{ hosts_in_group }}"
    auto_publish_session: yes

- name: add-network-group
  check_point.mgmt.cp_mgmt_group:
    name: SecondExampleGroup
    state: present
    members: "{{ hosts_in_group }}"
    auto_publish_session: yes
```
The key is to NOT specify the groups parameter for the cp_mgmt_host module, as that would change all group memberships to match your input.
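A pre-flight check of the kind asked about above, added here as an example that is not part of this thread or of the check_point.mgmt collection. It classifies each desired host against a constructed inventory before any cp_mgmt_host task runs, so a same-name object (whose memberships `groups:` would rewrite) or a same-IP object (which trips the duplicate-IP validation warning) is caught first; HostObject, classify_hosts, safe_to_run and full_member_list are assumed names, and the host data is constructed.

```python
"""Pre-flight check before a cp_mgmt_host / cp_mgmt_group run (added example).

Models the two collisions from the thread: a desired host whose NAME already
exists (cp_mgmt_host with `groups:` set would rewrite that object's memberships)
and a desired host whose IP belongs to a differently named object (the API
returns a "Multiple objects have the same IP address" validation warning).
HostObject is a constructed stand-in for a few host-object fields, not the API schema.
"""
from dataclasses import dataclass, field

@dataclass
class HostObject:
    name: str
    ip: str
    groups: list = field(default_factory=list)

def classify_hosts(existing, desired):
    """Map each desired (name, ip) to (verdict, detail); verdict is
    'new', 'name-exists' or 'ip-conflict'."""
    by_name = {h.name: h for h in existing}
    by_ip = {}
    for h in existing:
        by_ip.setdefault(h.ip, []).append(h.name)
    verdicts = {}
    for name, ip in desired:
        if name in by_name:
            # Same name: the module updates this object; with `groups:` set it is
            # removed from every group not listed in the playbook.
            verdicts[name] = ("name-exists", list(by_name[name].groups))
        elif ip in by_ip:
            # Different name, same IP: creation trips the duplicate-IP warning.
            verdicts[name] = ("ip-conflict", list(by_ip[ip]))
        else:
            verdicts[name] = ("new", [])
    return verdicts

def safe_to_run(verdicts):
    """True only when no desired host collides with an existing object."""
    return all(kind == "new" for kind, _ in verdicts.values())

def full_member_list(existing, group, new_members):
    """Members to hand to cp_mgmt_group so current members are kept, not dropped."""
    current = {h.name for h in existing if group in h.groups}
    return sorted(current | set(new_members))

# Constructed sample inventory, not real objects.
EXISTING = [HostObject("srv-old", "203.0.113.1", ["gOld"]),
            HostObject("db1", "198.51.100.5", ["gDB", "gTest1A"])]
DESIRED = [("srv-new", "203.0.113.1"), ("db1", "198.51.100.5"), ("app2", "192.0.2.9")]
```

Run classify_hosts on the output of a show-hosts call before the playbook and abort when safe_to_run is False; full_member_list gives the complete member list the cp_mgmt_group task needs so that it does not drop members configured outside the script.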