Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Yevgeniy_Yeryom
Contributor

Ansible-based automation for Check Point Management Server and Check Point Gateways

Hello all,

I would like to share with you a tool for automatic configuration of Check Point management server and Check Point gateways. The tool is based on CP Management API, CP GAiA API, Ansible and enables a range of gateways and management related configuration actions. The tool is easily extendable.

The tool can be considered as a good starting point for the automation of your Check Point environment.

For management server

Following configuration is possible on management server:

  • Create/delete network, ranges, services objects
  • Create/delete policy packages
  • Add rules to the policy packages
  • Add gateways, establish SIC
  • Install policy on the gateways

For gateways

Following configuration is possible on gateways in accordance to various gateways attributes like CMA, SW version, gateway type, platform type, gateway IP.

  • DNS configuration
  • Users configuraion
  • Expert password configuration
  • User public keys copy
  • ...

Which means you can configure DNS, Users, Expert password or Users public keys specifically for gateways in certain CMAs or for gateways having certain SW version, or platform type, or IP address.

Below are the tool structure and the steps for the gateways configuration part. 

GAAnT.JPG

  1. Ansible playbook starts Dynamic Inventory Script
  2. Dynamic Inventory Script gets the list of all gateways from SMS or MDS via MGMT API.
  3. Dynamic Inventory Script reads the services configuration files.  
  4. Dynamic Inventory Script creates the Ansible inventory files based on gateways list and services configuration.  
  5. Ansible configures the gateways via GAiA API (and via SSH for expert mode) according to inventory files.

License, warranty, contact

The tool is provided with APACHE2.0 and without any liability, warranty or support. In case, you are interested in support or customization please contact Check Point Profession Services under:

PS-AUTOMATION@MICHAEL.CHECKPOINT.COM.

 

Detailed tool information is provided in the attached documentations and videos.

I hope the tool will be beneficial for you and I would appreciate your feedback. 🙂

 

Regards,

Yevgeniy

9 Replies
PhoneBoy
Admin
Admin

Nicely done!

0 Kudos
Yevgeniy_Yeryom
Contributor

Thanks. I appreciate your positive feedback. 🙂 

Tribhawan_Singh
Contributor

@PhoneBoy any idea what should be the ansible_network_os for checkpoint. I am getting below error while running my playbook

TASK [SHOW COMMAND] *************************************************************************************************************************************************************************
fatal: [HQFW]: FAILED! => {"msg": "Unable to automatically determine host network os. Please manually configure ansible_network_os value for this host"}

PhoneBoy
Admin
Admin

What is the default shell for the account you're using to connect via Ansible?
It probably should be bash instead of clish.
0 Kudos
Tribhawan_Singh
Contributor

@PhoneBoy Yes i am using bash shell. i have changed it to bash

0 Kudos
PhoneBoy
Admin
Admin

And did it work after you did that?
0 Kudos
Tribhawan_Singh
Contributor

@PhoneBoy Nah, That didn't work...

My script:

When i use roles then it works fine but the issue is ansible  output gives me lot of additional things which i don't want.

Below is the script when i use roles. But i don't want to use the roles features and i run the same thing in single play then i get the error of mentioning the device OS or i would say ansible_network_os under device name in host_vars directory. 

root@eve-ng:/etc/ansible# cat show-bash.yml

- hosts: checkpoint
serial: 1
gather_facts: no
tasks:

- name: SHOW COMMAND
import_role:
name: Trib_role
tasks_from: showbash
vars:
cmdfile: show-bash.cmd

 

#cat show-bash.cmd

 fw tab -t connections -s

 fw ver

 

[checkpoint]
HQFW

Under host_vars directory:

cat HQFW
---
ansible_host: 192.168.110.71
ansible_user: admin
ansible_ssh_pass: admin123
ansible_connection: network_cli


root@eve-ng:/etc/ansible/roles/Trib_role/tasks# cat showbash.yml
---
- name: SHOW CONFIG
cli_command:
command: "{{ item }}"
with_lines: cat {{ cmdfile }}
register: result1

- name: show output files
debug:
var: result1

***********************************************************************

-- Playbook which i want to run and which is asking me to give the OS name:

root@eve-ng:/etc/ansible# cat cp1.yml

- hosts: checkpoint
serial: 1
gather_facts: no
connection: network_cli
tasks:

- name: SHOW COMMAND
cli_command:
command:
- "cpinfo -y all"
- "fw ver"
register: result

- name: show output
debug:
var: result.stdout_lines

 

Please help.

PhoneBoy
Admin
Admin

You may have better luck using Ansible to call our Management API to execute the necessary gateway commands rather than using Ansible directly.
Most of our examples take this approach.
Vlad_Tonne
Employee Alumnus
Employee Alumnus

According to sk114661, you need to configure Ansible inventory or /etc/ansible/hosts with the relevant ansible_network_os.

 

ansible_network_os=checkpoint

 

Full configuration shown in sk114661.

 

BR,

Vlad Tonne.

Upcoming Events

    CheckMates Events