This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Oscar_Medina1
Contributor
‎2018-05-11 08:38 AM
Jump to solution

Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Hi Everyone,

I am a DevOps practitioner, and currently helping a client automate the provisioning and configuration of CheckPoint firewalls in Azure.

I created an Ansible Playbook with sample tasks to add Host, and NAT Rule, with no errors but somehow, these objects are not saved.  Has anyone run into this?

Playbook Contents

---

- name: "login"
check_point_mgmt:
command: login
parameters:
username: "{{mgmt_user}}"
password: "{{mgmt_password}}"
management: "{{mgmt_server}}"
fingerprint: "{{mgmt_fingerprint}}"
register: login_response


- name: "Get TCP Service"
check_point_mgmt:
command: show-service-tcp
parameters:
name: "DAS-Granite-FaceClient-20003-TCP-443"
session-data: "{{login_response}}"

- name: "publish"
check_point_mgmt:
command: publish
session-data: "{{login_response}}"


Execution output

All tasks succeed. Zero errors!

<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /Users/sharepointoscar/.ansible/tmp/ansible-tmp-1526006124.196667-230724803151205/ > /dev/null 2>&1 && sleep 0'
ok: [127.0.0.1] => {
"changed": false,
"invocation": {
"module_args": {
"command": "logout",
"fingerprint": null,
"parameters": null,
"session-data": "{'failed': False, 'changed': False, 'response': {'url': 'ipredacted:443', 'domain': None, 'sid': '-JkGsmtdamz-UqAG067hXCl1tTFQvUvkfDH9KB1_5P4', 'fingerprint':'redacted"
}
},
"response": {
"message": "OK"
}
}
META: ran handlers
META: ran handlers
____________
< PLAY RECAP >
------------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||

127.0.0.1 : ok=7 changed=0 unreachable=0 failed=0

Labels
0 Kudos
1 Solution

Accepted Solutions
Oscar_Medina1
Contributor
‎2018-05-11 01:17 PM
In response to Robert_Decker
Jump to solution

Thank you Robert Decker‌ . I downloaded and setup that cpAnsible.  I was using an old one.  My environment required for me to specify the ansible interpreter since I have multiple versions of Python.  To do that, I simply added this to the Group VARS as follows:

ansible_python_interpreter: "/usr/local/bin/python2.7"

So two things that helped:

  1. Download and setup the cpAnsible as per Robert Decker‌ suggestion
  2. Ensure that we run Ansible with Python 2.7 as anything in the 3.x will not work.  This is done by specifying it in the group_vars.yml file for a typical ansible project structure.

And that does it, thanks for all of your help Tomer Sole‌ and Robert Decker

This was a weird one Smiley Happy, hope it helps someone.

Cheers,
@SharePointOscar

View solution in original post

4 Replies
Robert_Decker
Advisor
‎2018-05-11 08:44 AM
Jump to solution

Hi Oscar,

Have you tried using our cpAnsible library on GitHub?

Robert.

Oscar_Medina1
Contributor
‎2018-05-11 09:20 AM
In response to Robert_Decker
Jump to solution

Hey Robert Decker‌ . Yes, I essentially grabbed the sample stuff from there and configured my environment accordingly.  

Interesting thing is, PostMan calls with same username/password combination work.  The last call using Postman is "Publish".

I do see the SID and task ID being passed when I execute the Ansible last task of "Publish" as well, and I get a good response...

0 Kudos
Tomer_Sole
Mentor
Mentor
‎2018-05-11 10:54 AM
In response to Oscar_Medina1
Jump to solution

Exactly. Changes are saved, but not published for everyone else to see. https://community.checkpoint.com/thread/5042-using-mgmtcli-without-automatic-publish#comment-5982 

Oscar_Medina1
Contributor
‎2018-05-11 01:17 PM
In response to Robert_Decker
Jump to solution

Thank you Robert Decker‌ . I downloaded and setup that cpAnsible.  I was using an old one.  My environment required for me to specify the ansible interpreter since I have multiple versions of Python.  To do that, I simply added this to the Group VARS as follows:

ansible_python_interpreter: "/usr/local/bin/python2.7"

So two things that helped:

  1. Download and setup the cpAnsible as per Robert Decker‌ suggestion
  2. Ensure that we run Ansible with Python 2.7 as anything in the 3.x will not work.  This is done by specifying it in the group_vars.yml file for a typical ansible project structure.

And that does it, thanks for all of your help Tomer Sole‌ and Robert Decker

This was a weird one Smiley Happy, hope it helps someone.

Cheers,
@SharePointOscar

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events