Uri_Bialik

Automate your R80 Management Server using Ansible

Overview

Ansible (www.ansible.com) is a popular automation tool.

The Check Point Management Ansible module brings the ability to automate Check Point R80 management tasks (e.g. adding objects, manipulate the rulebase, push policy) into the Ansible automation platform.

Description

Provides Ansible "playbooks" with simple access to all available Check Point R80 Management APIs.

The Ansible module is written in Python and its source code is available: you're welcome to review the code, suggest enhancements, or modify it.

Instructions

Refer to our GitHub repo (the link below) for detailed instructions.

Tested on version

R80.10, API version 1.1

Source Code Availability

The source code is now public on GitHub repository:

https://github.com/CheckPoint-APIs-Team/cpAnsible

NOTICE: By using this sample code you agree to the Terms and Conditions.

...

34 Replies
Jon_Spriggs
Participant

Looks interesting - thanks to Don Paterson for pointing me at this :)

In the commands you have add-host and add-group - would add-network behave similarly? Can we also do delete actions in the same way?

I don't currently have an R80 build stood up to test it, but it's edging closer and closer to being a perfect fit for the automation I'm in the process of standing up.

Uri_Bialik

Yes, "add-network" and delete actions are also available.

Check the API reference for the complete list of API commands and their parameters.

Donald_Paterson
Employee Alumnus

Just in case it helps. Have a look at this one 🙂 :

Adding members to a group

Joan_Miquel_Luq
Explorer

Hi all,

Is this the last version of the module? Is this module available on ansible repository?

I'm trying to run it on Ansible 2.0.1.0 and I found some problems. I saw you specify that Python 2.7.9 is needed, but has someone tested it with Python 2.7.5?

Thanks in advance,

Arnfinn_Strand
Employee

Looks great :)

Does Check Point plan to create something similar for Puppet?

Eugene_Grybinny
Employee Alumnus

Hi Arnfinn,

Currently we do not have plans to support Puppet.

But if there will be a demand for Puppet from multiple customers, we will consider developing a similar solution.

Alex_Alborzfard
Contributor

Does this work with Mac & R77.30?

Eugene_Grybinny
Employee Alumnus

Hi Alex,

No, this won't work with R77.30 because the solution is based on the new API that was introduced only in R80.

I don't see any limitations for Mac as long as you can run Ansible on it.

Venkatesh_Banda
Participant

Has anyone faced an issue with not being able to find the module mgmt_api_lib while working on Ansible?

Jon_Spriggs
Participant

Without knowing your setup, you need to check that the modules are where they should be for the library. Ansible checks in the following places:

  • In directories defined by ANSIBLE_LIBRARY if set
  • If not set, in directories defined by library in configuration file
  • In ./library directory relative to location of playbook in use
  • (I suspect, although I didn't spot it, you might also find that it's in ./roles/<rolename>/library and /etc/ansible/roles/<rolename>/library)
  • In /etc/ansible/library
  • In /usr/lib/python2.7/site-packages/ansible/modules

Realistically, your libraries should be somewhere sensible. If you're using Version Control (and if you're not... why not?!?!) then they should be included in your VCS tree, which means either tracking /etc/ansible or the path to where you're running your playbook from.

Hope that helps!

Venkatesh_Banda
Participant

Thank you. I will check that and keep this thread posted. Thank you for your reply.

Jon_Spriggs
Participant

I've finally had a chance to look at this (and sought advice from the #Ansible channel on irc.freenode.net).

So, it looks like the path specified by Checkpoint is very distribution specific, and doesn't fly with Ubuntu 16.04. Frankly, there's not enough to this library to mess around with it too much, and I ended up pulling the various elements of the library apart and making it into one single file. This then can be placed into [/path/to/your/ansible/playbook/or/role]/library (e.g. /etc/ansible/library or /home/useraccount/customer-a/library - where /home/useraccount/customer-a also has your inventory file and your playbook).

I was going to go into a deep-dive on how to make the merged file, but I've instead put it into a secret gist at github.com - please can the developers advise whether this can be made public?

check_point_mgmt.py combined into a single script, based on check_point_mgmt.py version 1.0.1 - PROP... 

One thing that would be useful would be if there is some way from the command line to enable the API, so then I don't need to open the management UI at all.....

Thanks!

Jon_Spriggs
Participant

The key thing I have noticed about this script at the moment is that it is not idempotent. As such, you can't have your playbook run multiple times against the same host. I don't know whether to work around this, or to leave it as a concern for the reader.

I have also updated the gist I linked to before to add the ability to use the omit value (e.g. "{{ item.source|default('omit')}}") which is a fairly common pattern in my ansible use.

Realistically, the python script should check for the presence of a line item (e.g. host, network, group, etc) before trying to add it. It does not currently do this.
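The "check before add" logic described above, as an added example (not code from the cpAnsible module or from the poster). It assumes a caller-supplied `api_call(command, payload)` function that posts a command to the R80 management web API and returns the parsed JSON body, and that a missing object comes back with the error code "generic_err_object_not_found"; the in-memory FakeMgmtApi is a constructed stand-in so it runs offline.

```python
# Idempotent "ensure host exists" check for the Check Point R80 management API.
# Added example, not code from the cpAnsible module. Assumption: `api_call`
# posts a command to the management web API and returns the parsed JSON body,
# and a missing object is reported with the error code
# "generic_err_object_not_found". FakeMgmtApi is a constructed stand-in so
# the example runs offline.


def ensure_host(api_call, name, ip_address):
    """Create host `name` only if it is absent; return (changed, reason)."""
    # Look before adding: this is the check the thread says the module lacks.
    existing = api_call("show-host", {"name": name})
    if "code" not in existing:  # object found
        if existing.get("ipv4-address") != ip_address:
            # Same name, different address: report, never silently overwrite.
            return False, "exists with ipv4-address %s" % existing.get("ipv4-address")
        return False, "already present"
    if existing["code"] != "generic_err_object_not_found":
        # Any other error (auth, locked session, bad request) must surface.
        raise RuntimeError("show-host failed: %s" % existing.get("message"))
    api_call("add-host", {"name": name, "ip-address": ip_address})
    return True, "added"


class FakeMgmtApi(object):
    """Constructed in-memory stand-in for the management API (offline use)."""

    def __init__(self):
        self.hosts = {}
        self.calls = []

    def __call__(self, command, payload):
        self.calls.append(command)
        if command == "show-host":
            ip = self.hosts.get(payload["name"])
            if ip is None:
                return {"code": "generic_err_object_not_found",
                        "message": "Requested object [%s] not found" % payload["name"]}
            return {"name": payload["name"], "type": "host", "ipv4-address": ip}
        if command == "add-host":
            self.hosts[payload["name"]] = payload["ip-address"]
            return {"name": payload["name"], "ipv4-address": payload["ip-address"]}
        raise ValueError("unsupported command: %s" % command)


if __name__ == "__main__":
    api = FakeMgmtApi()
    print(ensure_host(api, "web-srv-1", "192.0.2.10"))  # (True, 'added')
    print(ensure_host(api, "web-srv-1", "192.0.2.10"))  # (False, 'already present')
```

Running the same task twice against the same management server performs exactly one add-host, which is what makes a playbook re-runnable.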

Michal_Taratuta
Participant

Thanks for providing the module, I have 2 questions:
Is this open source? Can the community contribute to the code?

Can you provide the Git repository address?

Jon_Spriggs
Participant

Hey Michal,

I discussed this with a couple of the team involved in creating this - they are happy for changes to be contributed, but it's not in a public git repo as yet (there was talk of a Check Point github account, although I can't find it :) ). Your best bet would be to do as I did - take the code, and put it in your own Git repo and share to this thread. The team are keen to improve things! I spent 1h30 on the phone with them discussing how to improve things, and they were very receptive.

Of course, the proof of the pudding is in the eating (as we say here!) and so I'd hope to see something change in the next few months, but I can't confirm or deny anything - aside from anything else, I don't work for Check Point, I'm just a consumer :)

Erik_Jacobsen
Explorer

Is the current Ansible repository compatible with R80.10?

Jon_Spriggs
Participant

I've found it works for my use cases, but your mileage may vary!

James_Tidwell
Explorer

Has anyone used the add-simple-gateway command yet? Can anyone provide the list of parameters for that command? I tried to use what was in the API doc, but I must have something wrong.

Arnfinn_Strand
Employee

I use this command in my PowerShell script that creates a GW in Azure or AWS and then adds objects, a GW object and a Policy, and pushes the policy at the end.

mgmt_cli add simple-gateway name vsecgwr8010 ipv4-address 10.0.0.10 application-control true data-awareness true firewall true one-time-password vpn12345 version R80.10 url-filtering true interfaces.1.name ext-gw interfaces.1.ipv4-address 10.5.0.10 interfaces.1.ipv4-mask-length 24 interfaces.1.topology external interfaces.1.anti-spoofing false interfaces.2.name int-gw interfaces.2.ipv4-address 10.5.1.10 interfaces.2.ipv4-mask-length 24 interfaces.2.topology internal interfaces.2.anti-spoofing false interfaces.2.topology-settings.ip-address-behind-this-interface specific interfaces.2.topology-settings.specific-network web-subnet -s sid.txt

The API doc should be fine.

Arnfinn

PhoneBoy
Admin

Check Point's official GitHub repository is here: Check Point Software Technologies LTD. · GitHub

The Ansible modules aren't there yet.

PhoneBoy
Admin

A question was asked by Michal Taratuta‌ during our recent automation webcast: Are there any plans to make our Ansible modules idempotent?

Michal_Taratuta
Participant

I guess since you are already making them available online here, it should not take long for them to be copied to GitHub.

Eugene_Grybinny
Employee Alumnus

Currently we do not have such plans.

Ofir_Shikolski
Employee Alumnus
Employee Alumnus

Ansible does work with R77.30 with these 2 modules:

1. raw

2. shell

With R80.x you can also use different modules, including the Check Point module.

I'm personally using R80.10 with Ansible Tower :)

Jon_Spriggs
Participant

#AWESOME! Cheers guys!

Michal_Taratuta
Participant

Great!

Noli_Pineda
Explorer

Does anyone have Ansible working with R77.30 in their environment? If yes, care to share the experience?

I'd be keen to touch base as we are looking into this and see what level of automation we can get.

Thanks in advance!

Jon_Spriggs
Participant

This Ansible module requires R80+ as it talks to the API. That said, you can manage R77.30 gateways from an R80+ manager... and that does work.

To manage Gaia on the hosts directly, you'd need to do everything with "raw" commands, without gathering any facts from the device, because the Python that's on the hosts (at least, the last I checked with R77.30) didn't have the libraries that Ansible needs to perform the basic checks (I think it doesn't have hashing libraries, from memory).

Hope that helps!
