Ansible (www.ansible.com) is a popular automation tool.
The Check Point Management Ansible module brings the ability to automate Check Point R80 management tasks (e.g. adding objects, manipulating the rulebase, pushing policy) into the Ansible automation platform.
Provide Ansible "playbooks" with simple access to all available Check Point R80 Management APIs.
The ansible module is written in Python and its source code is available - you're welcome to review code, suggest enhancements or modify it.
Refer to our GitHub repo (the link below) for detailed instructions.
R80.10, API version 1.1
The source code is now public in the GitHub repository:
https://github.com/CheckPoint-APIs-Team/cpAnsible
NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions
...
Looks interesting - thanks to Don Paterson for pointing me at this
In the commands you have add-host and add-group - would add-network behave similarly? Can we also do delete actions in the same way?
I don't currently have an R80 build stood up to test it, but it's edging closer and closer to being a perfect fit for the automation I'm in the process of standing up.
Yes, "add-network" and delete actions are also available.
Check the API reference for the complete list of API commands and their parameters.
Just in case it helps. Have a look at this one 🙂 :
Hi all,
Is this the last version of the module? Is this module available on ansible repository?
I'm trying to run it on ansible 2.0.1.0 and I found some problems. I've seen you specify that python 2.7.9 is needed, but has anyone tested it with python 2.7.5?
Thanks in advance,
Looks great
Do Check Point plan to create something similar for Puppet?
Hi Arnfinn,
Currently we do not have plans to support Puppet.
But if there will be a demand for Puppet from multiple customers, we will consider developing a similar solution.
Does this work w. Mac & R77.30?
Hi Alex,
No, this won't work with R77.30 because the solution is based on the new API that was introduced only in R80.
I don't see any limitations for Mac as long as you can run Ansible on it.
Has anyone faced an issue with not being able to find the module mgmt_api_lib while working on ansible?
Without knowing your setup, you need to check that the modules are where they should be for the library. Ansible checks in the following places:
- ANSIBLE_LIBRARY if set
- library in configuration file
- ./library directory relative to location of playbook in use
- /etc/ansible/library
- /usr/lib/python2.7/site-packages/ansible/modules
Realistically, your libraries should be somewhere sensible. If you're using Version Control (and if you're not... why not?!?!) then they should be included in your VCS tree, which means either tracking /etc/ansible or the path to where you're running your playbook from.
Hope that helps!
Thank you. I will check that and keep this thread posted. Thank you for your reply.
I've finally had a chance to look at this (and sought advice from the #Ansible channel on irc.freenode.net).
So, it looks like the path specified by Check Point is very distribution specific, and doesn't fly with Ubuntu 16.04. Frankly, there's not enough to this library to mess around with it too much, and I ended up pulling the various elements of the library apart and making it into one single file. This then can be placed into [/path/to/your/ansible/playbook/or/role]/library (e.g. /etc/ansible/library or /home/useraccount/customer-a/library - where /home/useraccount/customer-a also has your inventory file and your playbook).
I was going to go into a deep-dive on how to make the merged file, but I've instead put it into a secret gist at github.com - please can the developers advise whether this can be made public?
One thing that would be useful would be if there is some way from the command line to enable the API, so then I don't need to open the management UI at all.....
Thanks!
The key thing I have noticed about this script at the moment is that it is not idempotent. As such, you can't have your playbook run multiple times against the same host. I don't know whether to work around this, or to leave it as a concern for the reader.
I have also updated the gist I linked to before to add the ability to use the omit value (e.g. "{{ item.source|default('omit')}}") which is a fairly common pattern in my ansible use.
Realistically, the python script should check for the presence of a line item (e.g. host, network, group, etc) before trying to add it. It does not currently do this.
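The check-before-add behaviour asked for in the post above, as an added example (not code from the module or from Check Point). `ensure_host`, `ApiError` and `FakeMgmtApi` are hypothetical names; the fake is a constructed in-memory stand-in for a client with a `call(command, payload)` method, and the `show-host`/`add-host`/`set-host` payload keys and the not-found error code are assumptions about the Management API's behaviour.

```python
class ApiError(Exception):
    """Hypothetical error type carrying the API's error code."""
    def __init__(self, code):
        super().__init__(code)
        self.code = code


class FakeMgmtApi:
    """Constructed stub so the example runs offline; handles host objects only."""
    def __init__(self):
        self.hosts = {}
        self.log = []  # state-changing commands, in order

    def call(self, command, payload):
        name = payload["name"]
        if command == "show-host":
            if name not in self.hosts:
                raise ApiError("generic_err_object_not_found")  # assumed code
        elif command == "add-host":
            if name in self.hosts:
                raise ApiError("err_validation_failed")  # duplicate name
            self.hosts[name] = {"name": name, "ipv4-address": payload["ip-address"]}
            self.log.append(command)
        elif command == "set-host":
            self.hosts[name]["ipv4-address"] = payload["ip-address"]
            self.log.append(command)
        else:
            raise ApiError("generic_err_command_not_found")
        return dict(self.hosts[name])


def ensure_host(api, name, ip_address):
    """Converge one host object; return True only if something was written."""
    desired = {"name": name, "ip-address": ip_address}
    try:
        current = api.call("show-host", {"name": name})
    except ApiError as exc:
        if exc.code != "generic_err_object_not_found":
            raise  # a real failure must not be treated as "object absent"
        api.call("add-host", desired)
        return True
    if current.get("ipv4-address") == ip_address:
        return False  # already in the desired state: no write, nothing to publish
    api.call("set-host", desired)
    return True
```

The boolean maps onto Ansible's `changed` result, so a second run of the same playbook reports no change and a publish is needed only when it is true.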
Thanks for providing the module, I have 2 questions:
Is this an opensource, can the community contribute to the code?
Can you provide GIT repository address?
Hey Michal,
I discussed this with a couple of the team involved in creating this - they are happy for changes to be contributed, but it's not in a public git repo as yet (there was talk of a Check Point github account, although I can't find it). Your best bet would be to do as I did - take the code, and put it in your own Git repo and share to this thread. The team are keen to improve things! I spent 1h30 on the phone with them discussing how to improve things, and they were very receptive.
Of course, the proof of the pudding is in the eating (as we say here!) and so I'd hope to see something change in the next few months, but I can't confirm or deny anything - aside from anything else, I don't work for Check Point, I'm just a consumer
Is the current Ansible repository compatible with R80.10?
I've found it works for my usecases, but your mileage may vary!
Has anyone used the add-simple-gateway command yet? Can anyone provide the list of parameters for that command? I tried to use what was in the api doc, but I must have something wrong.
I use this command in my PowerShell script that creates a GW in Azure or AWS and then add objects, a GW object, Policy and pushes the policy at the end.
mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 application-control true data-awareness true firewall true one-time-password vpn12345 version R80.10 url-filtering true interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 interfaces.1.ipv4-mask-length 24 interfaces.1.topology external interfaces.1.anti-spoofing false interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 interfaces.2.ipv4-mask-length 24 interfaces.2.topology internal interfaces.2.anti-spoofing false interfaces.2.topology-settings.ip-address-behind-this-interface specific interfaces.2.topology-settings.specific-network web-subnet -s sid.txt
The API doc should be fine.
Arnfinn
Check Point's official github repository is here: Check Point Software Technologies LTD. · GitHub
The ansible modules aren't there yet.
A question was asked by Michal Taratuta during our recent automation webcast: Are there any plans to make our Ansible modules idempotent?
I guess since you are already making them available online here, it should not take long for it to be copied to github
Currently we do not have such plans.
Ansible does work with R77.30 with these 2 modules:
1. raw
2. shell
With R80/X you can also use different modules, including the Check Point module
I'm personally using R80.10 with Ansible Tower
#AWESOME! Cheers guys!
Great!
Does anyone have Ansible working with R77.30 in their environment? If yes, care to share the experience?
I'd be keen to touch base as we are looking into this and see what level of automation we can get.
Thanks in advance!
This Ansible module requires R80+ as it talks to the API. That said, you can manage R77.30 gateways from an R80+ manager... and that does work.
To manage Gaia on the hosts directly, you'd need to do everything with "Raw" commands, without gathering any facts from the device, because the Python that's on the hosts (at least, the last I checked with R77.30) didn't have the libraries that Ansible needs to perform the basic checks (I think it doesn't have hashing libraries, from memory)
Hope that helps!