This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nadmin
Explorer
‎2024-09-20 06:57 PM
Jump to solution

Ansible Playbook NAT configuration R81.20 - couldn't resolve cp_mgmt_nat_rule

Using check_point.mgmt 6.2.1 (current) in practicing my automation skills I learned in Tim's  CCAS class. Ansible 2.10 on WSL running Ubuntu 22.04

https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/content/module/cp_mgmt_nat_rule/?keywo...

The playbook creates an access policy (package), creates the access rule, and publishes the changes successfully.

When I try to add a task to add a NAT rule I get:

 

ERROR! couldn't resolve module/action 'cp_mgmt_nat_rule'. This oftent indicates a misspelling, missing collection, or incorrect module path.

 

This is confusing because everything else in collection check_point.mgmt worked.

Here is the task I'm adding:

 

    - name: add a NAT rule
      cp_mgmt_nat_rule:
        package: Lab_Policy
        name: Outbound NAT
        enabled: true
        installed_on:
        - Policy Targets
        original_destination: All_Internet
        original_source: branch1_lan
        translated_source: branch1_outbound_nat
        method: hide
        position: top
        comments: outbound NAT
        state: present

 

  Here is how I install my environment:

  • sudo apt install -y ansible python3-paramiko python3-pip
  • ansible-galaxy collection install community.general vyos.vyos check_point.mgmt check_point.gaia
  • python3 -m pip install XenAPI

Here is my complete process and how I build the lab using automation:

https://github.com/doritoes/NUC-Labs/blob/xcp-ng-improvement/XCP-ng/Appendix-Ansible.md

Anyone get the ansible working in check_point.mgmt 6.2.1? Or seen the same issue and solved it?

I did refer to this example

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-po...

0 Kudos
2 Solutions

Accepted Solutions
_Val_
Admin
Admin
‎2024-09-22 11:58 PM
Jump to solution

Please open a TAC request for this

View solution in original post

0 Kudos
Jim_Oqvist
Employee
Employee
‎2024-09-24 12:07 AM
Jump to solution

Hi,

looking at the code in your task it looks like you are using the collection that comes with the Ansible installation. Please make sure you are using the collection installed from galaxy by referencing to it like this.

check_point.mgmt.cp_mgmt_nat_rule:

    - name: add a NAT rule
      check_point.mgmt.cp_mgmt_nat_rule:
        package: Lab_Policy
        name: Outbound NAT
        enabled: true
        installed_on:
        - Policy Targets
        original_destination: All_Internet
        original_source: branch1_lan
        translated_source: branch1_outbound_nat
        method: hide
        position: top
        comments: outbound NAT
        state: present

 

View solution in original post

0 Kudos
6 Replies
_Val_
Admin
Admin
‎2024-09-22 11:58 PM
Jump to solution

Please open a TAC request for this

0 Kudos
PhoneBoy
Admin
Admin
‎2024-09-23 11:19 AM
Jump to solution

The documentation for cp_mgmt_nat_rule says:

  • Minimum version required is 1.7.1 and JHF with PMTR-88097.

This corresponds to API version 1.7.1, which is R81.
The first JHF with PMTR-88097 is Take 82.

What version/JHF is your management?
If it's not at least the above version/JHF level, you can resolve the issue by upgrading.

0 Kudos
nadmin
Explorer
‎2024-09-23 04:48 PM
In response to PhoneBoy
Jump to solution

Thanks @PhoneBoy 

Thanks interesting... here is the link saying check_point.mgmt verison 6.2.1 is the latest

https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/content/module/cp_mgmt_nat_rule/?keywo...

SMS:

fwm ver

This is Check Point Security Management Server R81.20 - Build 441 (Check_Point_R81.20_T634,iso)

I was able to use cpuse to download and install R81.20 JHF 84 even with a trial version.

I also manually updated ansible to 2.16.

Still have the issues cp_mgmt_nat_rule and cp_mgmt_access_section.

I can try my work diamond support team, but generally I get better help here on api/automation.

I will open an issue on github.

 

0 Kudos
Jim_Oqvist
Employee
Employee
‎2024-09-24 12:07 AM
Jump to solution

Hi,

looking at the code in your task it looks like you are using the collection that comes with the Ansible installation. Please make sure you are using the collection installed from galaxy by referencing to it like this.

check_point.mgmt.cp_mgmt_nat_rule:

    - name: add a NAT rule
      check_point.mgmt.cp_mgmt_nat_rule:
        package: Lab_Policy
        name: Outbound NAT
        enabled: true
        installed_on:
        - Policy Targets
        original_destination: All_Internet
        original_source: branch1_lan
        translated_source: branch1_outbound_nat
        method: hide
        position: top
        comments: outbound NAT
        state: present

 

0 Kudos
nadmin
Explorer
‎2024-09-25 11:21 AM
In response to Jim_Oqvist
Jump to solution

Thank you @Jim_Oqvist  and edengr on Github repo.

This is the correct solution. The documentation could be clearer.

Prepending every module with check_point.mgmt works to resolve this issue.

examples:

  • check_point.mgmt.cp_mgmt_package
  • check_point.mgmt.cp_mgmt_access_rule
  • check_point.mgmt.cp_mgmt_access_section
  • check_point.mgmt.cp_mgmt_publish

This is extra work, but eliminates the problem of your task using different repos for different tasks.

For those who experience my issue on Ubuntu 22.04:

  • don't install the default ansible; install from the ppa to get a current version of Ansible
  • i got an older API version with ansible-galaxy collection install check_point.mgmt; use ansible-galaxy collection install --force check_point.mgmt; to get the latest version
0 Kudos
Jim_Oqvist
Employee
Employee
‎2024-09-26 05:48 AM
In response to nadmin
Jump to solution

Hi @nadmin ,

In a playbook, you can control the collections Ansible searches for modules and action plugins to execute.

By adding

  collections:
    - check_point.mgmt

You do not need to prepend every task with the collection name

More details here:

https://docs.ansible.com/ansible/latest/collections_guide/collections_using_playbooks.html#using-col...

 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events