Automate your R80 Management Server using Ansible
Overview
Ansible (www.ansible.com) is a popular automation tool.
The Check Point Management Ansible module brings the ability to automate Check Point R80 management tasks (e.g. adding objects, manipulating the rulebase, pushing policy) into the Ansible automation platform.
Description
Provide Ansible "playbooks" with simple access to all available Check Point R80 Management APIs.
The ansible module is written in Python and its source code is available - you're welcome to review code, suggest enhancements or modify it.
Instructions
Refer to our GitHub repo (the link below) for detailed instructions.
Tested on version
R80.10, API version 1.1
Source Code Availability
The source code is now public in a GitHub repository:
https://github.com/CheckPoint-APIs-Team/cpAnsible
NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions
...
Looks interesting - thanks to Don Paterson for pointing me at this
In the commands you have add-host and add-group - would add-network behave similarly? Can we also do delete actions in the same way?
I don't currently have an R80 build stood up to test it, but it's edging closer and closer to being a perfect fit for the automation I'm in the process of standing up.
Yes, "add-network" and delete actions are also available.
Check the API reference for the complete list of API commands and their parameters.
Just in case it helps. Have a look at this one 🙂 :
Hi all,
Is this the latest version of the module? Is this module available in the Ansible repository?
I'm trying to run it on ansible 2.0.1.0 and I found some problems. I saw you specify that python 2.7.9 is needed, but has someone tested it with python 2.7.5?
Thanks in advance,
Looks great
Do Check Point plan to create something similar for Puppet?
Hi Arnfinn,
Currently we do not have plans to support Puppet.
But if there will be a demand for Puppet from multiple customers, we will consider developing a similar solution.
Does this work w. Mac & R77.30?
Hi Alex,
No, this won't work with R77.30 because the solution is based on the new API that was introduced only in R80.
I don't see any limitations for Mac as long as you can run Ansible on it.
Has anyone faced an issue with not being able to find the module mgmt_api_lib while working on Ansible?
Without knowing your setup, you need to check that the modules are where they should be for the library. Ansible checks in the following places:
- In directories defined by ANSIBLE_LIBRARY, if set
- If not set, in directories defined by library in the configuration file
- In the ./library directory relative to the location of the playbook in use (I suspect, although I didn't spot it, you might also find that it's in ./roles/<rolename>/library and /etc/ansible/roles/<rolename>/library)
- In /etc/ansible/library
- In /usr/lib/python2.7/site-packages/ansible/modules
Realistically, your libraries should be somewhere sensible. If you're using Version Control (and if you're not... why not?!?!) then they should be included in your VCS tree, which means either tracking /etc/ansible or the path to where you're running your playbook from.
Hope that helps!
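The lookup order from the reply above, turned into a small checker that reports where a custom module would be picked up from, or every path it tried when it is missing. This is an added example, not code from the thread, from Ansible or from the cpAnsible module; it reproduces the ANSIBLE_LIBRARY versus library-setting precedence exactly as the reply states it, and module_search_path, locate_module, diagnose and the sample paths in the usage are constructed names.

```python
"""Reproduce the module lookup order described in the reply and report where a
module would be loaded from. Constructed illustration, not Ansible's own code;
the search order and precedence are taken from the reply, not from a specific
Ansible version."""
import os

SYSTEM_PATHS = ("/etc/ansible/library",
                "/usr/lib/python2.7/site-packages/ansible/modules")


def module_search_path(playbook_dir, env=None, config_library=None, roles=()):
    """Directories Ansible consults for custom modules, in the reply's order."""
    env = os.environ if env is None else env
    paths = []
    if env.get("ANSIBLE_LIBRARY"):
        # ANSIBLE_LIBRARY wins; the config-file 'library' setting is only used if unset
        paths += [p for p in env["ANSIBLE_LIBRARY"].split(os.pathsep) if p]
    elif config_library:
        paths += [p for p in config_library.split(os.pathsep) if p]
    paths.append(os.path.join(playbook_dir, "library"))
    for role in roles:  # the per-role locations the reply suspects are also searched
        paths.append(os.path.join(playbook_dir, "roles", role, "library"))
        paths.append(os.path.join("/etc/ansible/roles", role, "library"))
    paths.extend(SYSTEM_PATHS)
    return paths


def locate_module(name, search_path, exists=os.path.exists):
    """Return (hit, tried): the first matching file and every candidate checked.

    'exists' is injectable so the lookup can be exercised against a constructed
    file set instead of the real filesystem.
    """
    tried = []
    for directory in search_path:
        for ext in ("", ".py"):  # modules may be bare scripts or .py files
            candidate = os.path.join(directory, name + ext)
            tried.append(candidate)
            if exists(candidate):
                return candidate, tried
    return None, tried


def diagnose(name, playbook_dir, env=None, config_library=None, roles=(),
             exists=os.path.exists):
    """Human-readable report for the 'module not found' situation in the thread."""
    search_path = module_search_path(playbook_dir, env, config_library, roles)
    hit, tried = locate_module(name, search_path, exists)
    if hit:
        return f"{name} would be loaded from {hit}"
    return f"{name} not found; looked in:\n  " + "\n  ".join(tried)


if __name__ == "__main__":
    # Run from the directory that holds your playbook; 'my_module' is a placeholder name.
    print(diagnose("my_module", os.getcwd()))
```

Run it from the playbook directory with the module name you expect Ansible to load; when the report lists only system paths and none of your own, the module was dropped outside the tree that the playbook (or its version-controlled checkout) actually searches.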
Thank you. I will check that and keep this thread posted. Thank you for your reply.
I've finally had a chance to look at this (and sought advice from the #Ansible channel on irc.freenode.net).
So, it looks like the path specified by Checkpoint is very distribution specific, and doesn't fly with Ubuntu 16.04. Frankly, there's not enough to this library to mess around with it too much, and I ended up pulling the various elements of the library apart and making it into one single file. This then can be placed into [/path/to/your/ansible/playbook/or/role]/library (e.g. /etc/ansible/library or /home/useraccount/customer-a/library - where /home/useraccount/customer-a also has your inventory file and your playbook).
I was going to go into a deep-dive on how to make the merged file, but I've instead put it into a secret gist at github.com - please can the developers advise whether this can be made public?
One thing that would be useful would be if there is some way from the command line to enable the API, so then I don't need to open the management UI at all.....
Thanks!
The key thing I have noticed about this script at the moment is that it is not idempotent. As such, you can't have your playbook run multiple times against the same host. I don't know whether to work around this, or to leave it as a concern for the reader.
I have also updated the gist I linked to before to add the ability to use the omit value (e.g. "{{ item.source|default('omit')}}") which is a fairly common pattern in my ansible use.
Realistically, the python script should check for the presence of a line item (e.g. host, network, group, etc) before trying to add it. It does not currently do this.
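The check-before-add pattern this post asks for, together with the add/delete commands mentioned earlier in the thread, as an added example that is not the cpAnsible module's code. It assumes the R80 Management Web API conventions (POST to https://<server>/web_api/<command> with a JSON body, the session id from login sent as the X-chkp-sid header, and the generic_err_object_not_found code from a show-* call when the object is missing); the transport is a pluggable callable so the same logic can drive a real HTTPS client, and the in-memory fake_transport, its error codes and the sample host are constructed so the demo runs offline.

```python
"""Idempotent add/delete of R80 management objects: call show-<type> before
add-<type>/delete-<type>, report 'changed' honestly, and publish only when
something changed. Constructed illustration, not the cpAnsible module's code.
Assumes the R80 Web API shape (POST /web_api/<command>, X-chkp-sid session
header, 'generic_err_object_not_found' from show-* for a missing object);
the fake server's other codes are made up for the demo."""

NOT_FOUND = "generic_err_object_not_found"


class ApiError(Exception):
    pass


def fake_transport():
    """In-memory stand-in for the management server so the demo runs offline.
    A real transport has the same signature and POSTs the payload as JSON."""
    store = {}

    def send(command, payload, sid=None):
        if command == "login":
            return 200, {"sid": "fake-sid"}
        if command in ("publish", "logout"):
            return 200, {}
        action, obj_type = command.split("-", 1)  # e.g. add-simple-gateway
        key = (obj_type, payload["name"])
        missing = (404, {"code": NOT_FOUND, "message": f"{payload['name']} not found"})
        if action == "show":
            return (200, store[key]) if key in store else missing
        if action == "add":
            if key in store:  # a blind second add fails: this is the non-idempotent case
                return 400, {"code": "err_validation_failed", "message": "name in use"}
            store[key] = dict(payload)
            return 200, store[key]
        if action == "delete":
            if key not in store:
                return missing
            del store[key]
            return 200, {}
        return 400, {"code": "generic_error", "message": f"unknown command {command}"}
    return send


class MgmtSession:
    def __init__(self, transport):
        self.send, self.sid, self.changed = transport, None, False

    def call(self, command, payload=None):
        status, body = self.send(command, payload or {}, self.sid)
        if status != 200:
            raise ApiError(f"{command}: {body.get('code')}: {body.get('message')}")
        return body

    def login(self, user, password):
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def exists(self, obj_type, name):
        status, body = self.send(f"show-{obj_type}", {"name": name}, self.sid)
        if status == 200:
            return True
        if body.get("code") == NOT_FOUND:
            return False  # the one non-200 answer that means 'absent', not 'broken'
        raise ApiError(f"show-{obj_type}: {body.get('code')}: {body.get('message')}")

    def ensure_present(self, obj_type, name, params):
        """Add only if missing; returns True when it changed something."""
        if self.exists(obj_type, name):
            return False
        self.call(f"add-{obj_type}", {"name": name, **params})
        self.changed = True
        return True

    def ensure_absent(self, obj_type, name):
        """Delete only if present; returns True when it changed something."""
        if not self.exists(obj_type, name):
            return False
        self.call(f"delete-{obj_type}", {"name": name})
        self.changed = True
        return True

    def finish(self):
        if self.changed:  # nothing to publish if the run was a no-op
            self.call("publish")
        self.call("logout")


def demo(transport=None):
    """Apply the same desired state twice; the second pass must report no change."""
    session = MgmtSession(transport or fake_transport())
    session.login("api-user", "api-password")  # constructed credentials
    host = {"ip-address": "10.0.0.5"}  # constructed sample object
    results = [session.ensure_present("host", "web-01", host),
               session.ensure_present("host", "web-01", host),
               session.ensure_absent("host", "web-01"),
               session.ensure_absent("host", "web-01")]
    session.finish()
    return results
```

The show-before-add check is what makes a playbook safe to re-run: the first pass reports changed, the second reports nothing, and a run that changed nothing also skips publish. The fake's add branch shows the failure mode the post describes, where a second unconditional add is rejected by the server.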
Thanks for providing the module, I have 2 questions:
Is this open source? Can the community contribute to the code?
Can you provide the Git repository address?
Hey Michal,
I discussed this with a couple of the team involved in creating this - they are happy for changes to be contributed, but it's not in a public git repo as yet (there was talk of a Check Point github account, although I can't find it). Your best bet would be to do as I did - take the code, and put it in your own Git repo and share to this thread. The team are keen to improve things! I spent 1h30 on the phone with them discussing how to improve things, and they were very receptive.
Of course, the proof of the pudding is in the eating (as we say here!) and so I'd hope to see something change in the next few months, but I can't confirm or deny anything - aside from anything else, I don't work for Check Point, I'm just a consumer
Is the current Ansible repository compatible with R80.10?
I've found it works for my usecases, but your mileage may vary!
Has anyone used the add-simple-gateway command yet? Can anyone provide the list of parameters for that command? I tried to use what was in the api doc, but I must have something wrong.
I use this command in my PowerShell script that creates a GW in Azure or AWS and then adds objects, a GW object and a policy, and pushes the policy at the end.
mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 application-control true data-awareness true firewall true one-time-password vpn12345 version R80.10 url-filtering true interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 interfaces.1.ipv4-mask-length 24 interfaces.1.topology external interfaces.1.anti-spoofing false interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 interfaces.2.ipv4-mask-length 24 interfaces.2.topology internal interfaces.2.anti-spoofing false interfaces.2.topology-settings.ip-address-behind-this-interface specific interfaces.2.topology-settings.specific-network web-subnet -s sid.txt
The API doc should be fine.
Arnfinn
Check Point's official github repository is here: Check Point Software Technologies LTD. · GitHub
The ansible modules aren't there yet.
A question was asked by Michal Taratuta during our recent automation webcast: Are there any plans to make our Ansible modules idempotent?
I guess since you are already making them available online here, it should not take long for them to be copied to GitHub.
Currently we do not have such plans.
Ansible does work with R77.30 with these 2 modules:
1. raw
2. shell
With R80/X you can use as well different modules including Check Point module
I'm personally using R80.10 with Ansible Tower
#AWESOME! Cheers guys!
Great!
Does anyone have Ansible working with R77.30 in their environment? If yes, care to share the experience?
I'd be keen to touch base as we are looking into this and see what level of automation we can get.
Thanks in advance!
This Ansible module requires R80+ as it talks to the API. That said, you can manage R77.30 gateways from an R80+ manager... and that does work.
To manage Gaia on the hosts directly, you'd need to do everything with "Raw" commands, without gathering any facts from the device, because the Python that's on the hosts (at least, the last I checked with R77.30) didn't have the libraries that Ansible needs to perform the basic checks (I think it doesn't have hashing libraries, from memory)
Hope that helps!
