Ansible (www.ansible.com) is a popular automation tool.
The Check Point Management Ansible module brings the ability to automate Check Point R80 management tasks (e.g. adding objects, manipulating the rulebase, pushing policy) into the Ansible automation platform.
It provides Ansible "playbooks" with simple access to all available Check Point R80 Management APIs.
The Ansible module is written in Python and its source code is available - you're welcome to review the code, suggest enhancements or modify it.
Refer to our GitHub repo (the link below) for detailed instructions.
R80.10, API version 1.1
The source code is now public on GitHub repository:
https://github.com/CheckPoint-APIs-Team/cpAnsible
NOTICE: By using this sample code you agree to the terms and conditions in these Terms and Conditions
Looks interesting - thanks to Don Paterson for pointing me at this
In the commands you have add-host and add-group - would add-network behave similarly? Can we also do delete actions in the same way?
I don't currently have an R80 build stood up to test it, but it's edging closer and closer to being a perfect fit for the automation I'm in the process of standing up.
Yes, "add-network" and delete actions are also available.
Check the API reference for the complete list of API commands and their parameters.
Just in case it helps. Have a look at this one 🙂 :
Hi all,
Is this the last version of the module? Is this module available on ansible repository?
I'm trying to run it on ansible 2.0.1.0 and I found some problems. I've seen you specify that python 2.7.9 is needed, but has someone tested it with python 2.7.5?
Thanks in advance,
Looks great
Do Check Point plan to create something similar for Puppet?
Hi Arnfinn,
Currently we do not have plans to support Puppet.
But if there will be a demand for Puppet from multiple customers, we will consider developing a similar solution.
Hi, @late 2025 now. Is it still the case that Check Point doesn't support puppet? We are a big AWX and puppet shoppe. The puppet admin wants more information as to why/how ansible is supported vs puppet. He's also asking if ansible playbooks for Check Point are provided. Puppet runs every 30 minutes and then it can trigger an ansible playbook. But he just doesn't see why "puppet can't do it all" in a single script. One answer may be there's a lot of ansible playbooks already written, even a community one, Check_Point.Mgmt — Ansible Community Documentation, or is there another constraint like python on the manager being needed? Or that ansible is agentless.
I'm not official Check Point, but I can say that Ansible's big draw is that it doesn't require a lot on the remote managed host for host-based things. I'm sure you aware of many of these details, but just to do a little bit of compare and contrast:
Ansible itself is written in Python, so it picks up all of Python's capabilities. As for working with the Management API, this is an HTTPS service with JSON payloads, so the remote managed node is not a host in and of itself; it's a remote HTTPS server with specific callable functions (API endpoints). Puppet wouldn't be very applicable for the purposes of managing the object database and security policy items.
As for managing the underlying management server host itself (host configuration, network info, routing services, etc.), Check Point hosts historically haven't had strong Python support on the hosts (never was needed until recently). Even so, the Python packages are very limited. The underlying OS constructs are managed via Gaia CLISH to interact with the various host-based components.
Check Point now offers the Gaia API to manage these host-based components, which brings us back to HTTPS server with remote callable functions (more API endpoints). Gaia API isn't full-featured yet, but they're working on it. Once again, Puppet isn't applicable here, either. Nor do you need to have an array of Python of packages installed on all the Gaia hosts.
For pieces that aren't yet available in Gaia API, you have a few options available (none of which are fantastic, but they're workable... if you do a lot of the work, or borrow someone else's prior work).
Funny twist of fate: Michael DeHaan started out working with Puppet and that led him to do Ansible.
Then there's just plain "momentum" and "right place, right time". Ansible came along with its simplicity at the time it was needed most, and that just became its own gravity. It's easy, became popular, and that drove adoption. Momentum.
Does this work w. Mac & R77.30?
Hi Alex,
No, this won't work with R77.30 because the solution is based on the new API that was introduced only in R80.
I don't see any limitations for Mac as long as you can run Ansible on it.
Has anyone faced an issue with not able to find the module mgmt_api_lib while working on ansible
Without knowing your setup, you need to check that the modules are where they should be for the library. Ansible checks in the following places:
ANSIBLE_LIBRARY, if set
library in the configuration file
./library directory relative to the location of the playbook in use
/etc/ansible/library
/usr/lib/python2.7/site-packages/ansible/modules
Realistically, your libraries should be somewhere sensible. If you're using Version Control (and if you're not... why not?!?!) then they should be included in your VCS tree, which means either tracking /etc/ansible or the path to where you're running your playbook from.
Hope that helps!
Thank you. I will check that and keep this thread posted. Thank you for your reply.
I've finally had a chance to look at this (and sought advice from the #Ansible channel on irc.freenode.net).
So, it looks like the path specified by Checkpoint is very distribution specific, and doesn't fly with Ubuntu 16.04. Frankly, there's not enough to this library to mess around with it too much, and I ended up pulling the various elements of the library apart and making it into one single file. This then can be placed into [/path/to/your/ansible/playbook/or/role]/library (e.g. /etc/ansible/library or /home/useraccount/customer-a/library - where /home/useraccount/customer-a also has your inventory file and your playbook).
I was going to go into a deep-dive on how to make the merged file, but I've instead put it into a secret gist at github.com - please can the developers advise whether this can be made public?
One thing that would be useful would be if there is some way from the command line to enable the API, so then I don't need to open the management UI at all.....
Thanks!
The key thing I have noticed about this script at the moment is that it is not idempotent. As such, you can't have your playbook run multiple times against the same host. I don't know whether to work around this, or to leave it as a concern for the reader.
I have also updated the gist I linked to before to add the ability to use the omit value (e.g. "{{ item.source|default('omit')}}") which is a fairly common pattern in my ansible use.
Realistically, the python script should check for the presence of a line item (e.g. host, network, group, etc) before trying to add it. It does not currently do this.
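The check described in the post above (look the object up before trying to add it) is what makes a module idempotent from Ansible's point of view: a second run against the same host makes no write and reports nothing changed. The following is an added example for this thread, not code from the cpAnsible module or from Check Point. It assumes the documented Management API shape: POST https://<mgmt>/web_api/<command> with a JSON body, a session id returned by login and sent back in the X-chkp-sid header, and the show-host / add-host / set-host / publish commands. The error code it checks for a missing object, the FakeMgmtServer and all host names and addresses are constructed for the example; the real transport verifies the management server's certificate against a CA bundle you supply.

```python
"""Idempotent 'ensure host exists' against the Check Point R80 Management API (added example)."""
import json
import ssl
import urllib.error
import urllib.request


class MgmtApiError(Exception):
    def __init__(self, status, code, message):
        super().__init__(f"{status} {code}: {message}")
        self.status, self.code, self.message = status, code, message


def https_post(cafile):
    """Real transport: POST JSON over TLS, verifying the server certificate against cafile."""
    ctx = ssl.create_default_context(cafile=cafile)

    def post(url, headers, body):
        req = urllib.request.Request(url, data=json.dumps(body).encode(), headers=headers, method="POST")
        try:
            with urllib.request.urlopen(req, context=ctx) as resp:
                return resp.status, json.loads(resp.read() or b"{}")
        except urllib.error.HTTPError as err:       # API errors come back as 4xx with a JSON body
            return err.code, json.loads(err.read() or b"{}")
    return post


class MgmtClient:
    def __init__(self, base_url, post):
        self.base_url = base_url.rstrip("/")
        self._post = post                           # transport: (url, headers, body) -> (status, json)
        self.sid = None

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        status, body = self._post(f"{self.base_url}/web_api/{command}", headers, payload or {})
        if status != 200:
            raise MgmtApiError(status, body.get("code"), body.get("message"))
        return body

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def ensure_host(self, name, ip):
        """Create or correct the host object; return True only if something was written."""
        try:
            existing = self.call("show-host", {"name": name})
        except MgmtApiError as err:
            if err.code != "generic_err_object_not_found":   # assumption: server's code for a missing object
                raise
            self.call("add-host", {"name": name, "ip-address": ip})
            return True
        if existing.get("ipv4-address") != ip:              # object exists but has drifted: fix it in place
            self.call("set-host", {"name": name, "ipv4-address": ip})
            return True
        return False                                        # already as desired: no write, nothing to publish


class FakeMgmtServer:
    """Constructed in-memory stand-in for the API so the example runs offline."""
    SID = "fake-sid"

    def __init__(self):
        self.hosts = {}
        self.calls = []

    def post(self, url, headers, body):
        cmd = url.rsplit("/", 1)[1]
        self.calls.append(cmd)
        if cmd == "login":
            return 200, {"sid": self.SID}
        if headers.get("X-chkp-sid") != self.SID:
            return 401, {"code": "err_login_failed", "message": "Authentication to server failed."}
        if cmd == "show-host":
            if body["name"] not in self.hosts:
                return 404, {"code": "generic_err_object_not_found", "message": "Requested object not found"}
            return 200, {"name": body["name"], "ipv4-address": self.hosts[body["name"]]}
        if cmd in ("add-host", "set-host"):
            self.hosts[body["name"]] = body.get("ip-address", body.get("ipv4-address"))
            return 200, {"name": body["name"], "ipv4-address": self.hosts[body["name"]]}
        if cmd == "publish":
            return 200, {"task-id": "fake-task"}
        return 400, {"code": "generic_error", "message": f"unknown command {cmd}"}


def run_demo():
    """Apply the same desired state twice, then a drifted one; return the per-run 'changed' flags."""
    server = FakeMgmtServer()
    client = MgmtClient("https://mgmt.example.invalid", server.post)
    client.login("api-user", "REPLACE-ME")
    changed = [client.ensure_host("web-1", "10.1.1.10"),   # first run: created
               client.ensure_host("web-1", "10.1.1.10"),   # second run: nothing to do
               client.ensure_host("web-1", "10.1.1.11")]   # drift: corrected via set-host
    if any(changed):
        client.call("publish")                             # publish only when a write happened
    return changed, server


if __name__ == "__main__":
    print(run_demo()[0])   # [True, False, True]
```

Against a real server, replace server.post with https_post("/path/to/ca-bundle.pem") and keep the API credentials out of the playbook (Ansible Vault or an environment variable); the read-before-write pattern also tells you whether a publish is needed at all, which keeps repeated runs from piling up empty sessions on the management server.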
Thanks for providing the module, I have 2 questions:
Is this an opensource, can the community contribute to the code?
Can you provide GIT repository address?
Hey Michal,
I discussed this with a couple of the team involved in creating this - they are happy for changes to be contributed, but it's not in a public git repo as yet (there was talk of a Check Point github account, although I can't find it). Your best bet would be to do as I did - take the code, and put it in your own Git repo and share to this thread. The team are keen to improve things! I spent 1h30 on the phone with them discussing how to improve things, and they were very receptive.
Of course, the proof of the pudding is in the eating (as we say here!) and so I'd hope to see something change in the next few months, but I can't confirm or deny anything - aside from anything else, I don't work for Check Point, I'm just a consumer
Is the current Ansible repository compatible with R80.10?
I've found it works for my usecases, but your mileage may vary!
Has anyone used the add-simple-gateway command yet? Can anyone provide the list of parameters for that command? I tried to use what was in the api doc, but I must have something wrong.
I use this command in my PowerShell script that creates a GW in Azure or AWS and then add objects, a GW object, Policy and pushes the policy at the end.
mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 application-control true data-awareness true firewall true one-time-password vpn12345 version R80.10 url-filtering true interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 interfaces.1.ipv4-mask-length 24 interfaces.1.topology external interfaces.1.anti-spoofing false interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 interfaces.2.ipv4-mask-length 24 interfaces.2.topology internal interfaces.2.anti-spoofing false interfaces.2.topology-settings.ip-address-behind-this-interface specific interfaces.2.topology-settings.specific-network web-subnet -s sid.txt
The API doc should be fine.
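The flat "key value" syntax in the command above is what mgmt_cli turns into the JSON body that the add-simple-gateway endpoint receives: dotted keys become nested objects and numeric segments such as interfaces.1 become 1-based list entries. The parser below is an added example for this thread, not mgmt_cli's or the module's own code; it reproduces that mapping as I understand it (boolean and integer coercion is this example's choice, and client options such as -s are assumed to take exactly one value). The sample command is constructed to mirror the one above, with the one-time password replaced by a placeholder.

```python
"""Turn a mgmt_cli command line into the (command, JSON body, client options) it corresponds to (added example)."""
import shlex

# Constructed sample, modelled on the add simple-gateway command in the thread; the SIC password is a placeholder.
SAMPLE_COMMAND = (
    "mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 firewall true "
    "version R80.10 one-time-password REPLACE-WITH-SIC-OTP "
    "interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 interfaces.1.ipv4-mask-length 24 "
    "interfaces.1.topology external interfaces.1.anti-spoofing false "
    "interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 interfaces.2.ipv4-mask-length 24 "
    "interfaces.2.topology internal "
    "interfaces.2.topology-settings.ip-address-behind-this-interface specific "
    "interfaces.2.topology-settings.specific-network web-subnet "
    "-s sid.txt"
)


def _coerce(value):
    """Command-line values are untyped strings; map true/false and plain integers to JSON types."""
    low = value.lower()
    if low in ("true", "false"):
        return low == "true"
    return int(value) if value.isdigit() else value


def _assign(container, path, value):
    """Store value under a dotted path, creating dicts or (for numeric segments) 1-based lists on the way."""
    key = path[0]
    if isinstance(container, list):
        if not key.isdigit():
            raise ValueError(f"expected a numeric index, got {key!r}")
        idx = int(key) - 1
        while len(container) <= idx:
            container.append(None)
        if len(path) == 1:
            container[idx] = value
            return
        if container[idx] is None:
            container[idx] = [] if path[1].isdigit() else {}
        _assign(container[idx], path[1:], value)
    else:
        if len(path) == 1:
            container[key] = value
            return
        if key not in container:
            container[key] = [] if path[1].isdigit() else {}
        _assign(container[key], path[1:], value)


def parse_mgmt_cli(cmdline):
    """Return (api_command, body, options) for a mgmt_cli invocation."""
    tokens = shlex.split(cmdline)
    if tokens[:1] == ["mgmt_cli"]:
        tokens = tokens[1:]
    options, words = {}, []
    i = 0
    while i < len(tokens):
        if tokens[i].startswith("-"):            # client option (e.g. -s sid.txt): not part of the API payload
            options[tokens[i]] = tokens[i + 1] if i + 1 < len(tokens) else None
            i += 2
        else:
            words.append(tokens[i])
            i += 1
    if len(words) < 2:
        raise ValueError("need '<verb> <object-type>' before any parameters")
    command = f"{words[0]}-{words[1]}"           # 'add simple-gateway' -> /web_api/add-simple-gateway
    pairs = words[2:]
    if len(pairs) % 2:
        raise ValueError(f"parameter {pairs[-1]!r} has no value")
    body = {}
    for key, value in zip(pairs[0::2], pairs[1::2]):
        _assign(body, key.split("."), _coerce(value))
    return command, body, options


if __name__ == "__main__":
    import json
    cmd, body, opts = parse_mgmt_cli(SAMPLE_COMMAND)
    print(cmd, opts)
    print(json.dumps(body, indent=2))
```

Seeing the body laid out this way makes it easier to compare a failing command against the API reference parameter by parameter (a misspelt key simply becomes an unknown field in the JSON). Note that the one-time SIC password passed on the command line ends up in shell history and process listings; when the same call is made from a script or playbook, read it from a vault or environment variable rather than embedding it.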
Arnfinn
Check Point's official github repository is here: Check Point Software Technologies LTD. · GitHub
The ansible modules aren't there yet.
A question was asked by Michal Taratuta during our recent automation webcast: Are there any plans to make our Ansible modules idempotent?
I guess since you're making them already available online, it should not take long for them to be copied to github
Currently we do not have such plans.
Ansible does work with R77.30 with these 2 modules:
1. raw
2. shell
With R80/X you can use as well different modules including Check Point module
I'm personally using R80.10 with Ansible Tower
#AWESOME! Cheers guys!
Great!