User1234
Contributor

Best Practices Managing NAT Rules

Hi!

Managing NAT rules with Ansible looks a bit tricky. I already saw the 3 different modules to add, edit and delete rules (rather than having one like the access_rules) and saw the thing that the only identifier for NAT rules is the rule number. As the rule number depends on automatic and manual rules, they are likely to change even if no manual NAT rule is modified.

Does anyone have a working task/playbook to maintain manual NAT rules with Ansible? Are there any best practices? Any examples (apart from the micro examples of the documentation)?

Accepted Solutions
Jim_Oqvist
Employee

Hi,

Starting from R81 API version 1.7 and later we started supporting the use of a name in the NAT rule, which enables us to create an idempotent module for our Ansible collection to add, change and delete NAT rules.

This module has been developed by R&D and is going to be added to the Galaxy repository in the next version we release of the collection.

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/plugins/modules/cp_mgmt_...

If you want to find an example on how to use it you can find that here:

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-po...

Please note, as described in the module, that the management server needs to have a JHF that addresses PMTR-88097:

https://support.checkpoint.com/search#q=PMTR-88097 

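The two posts above describe the same problem from both sides: the original question notes that the only identifier for a NAT rule is its rule number, which shifts as automatic rules come and go, and the accepted answer notes that a stable name (API 1.7 and later) is what makes an idempotent add/change/delete module possible. The following Python model is an added illustration of that point; it is not code from this thread, from the Check Point Ansible collection, or from the Check Point management API. The rule names, addresses, the `NatRule` fields and the position at which automatic rules appear in the constructed rulebase are all assumptions made for the example.

```python
"""Added example: why keying NAT rule changes on a stable name is idempotent
while keying them on the rule number is not.

Everything here is a constructed model, not the Check Point API or module.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class NatRule:
    # name is the stable identifier; automatic rules are modelled with an empty name
    name: str
    original_source: str
    translated_source: str
    automatic: bool = False


def renumber(rules):
    """Number the combined (automatic + manual) rulebase the way a device would: 1..n."""
    return {i + 1: rule for i, rule in enumerate(rules)}


def rule_at(rules, number):
    """Positional lookup: what a rule-number-keyed task would actually touch."""
    return renumber(rules).get(number)


def plan_by_name(current, desired):
    """Name-keyed reconciliation: compare desired manual rules with the ones present.

    Automatic rules are ignored because they are not managed by the playbook.
    Running this twice with the same desired state yields an empty plan.
    """
    cur = {r.name: r for r in current if not r.automatic}
    des = {r.name: r for r in desired}
    return {
        "add": [des[n] for n in des if n not in cur],
        "update": [des[n] for n in des if n in cur and des[n] != cur[n]],
        "delete": [cur[n] for n in cur if n not in des],
    }


def plan_is_noop(plan):
    """True when the desired state is already in place (the idempotence check)."""
    return not any(plan.values())


# --- constructed sample rulebase (assumption: automatic rules sit in front) ---
AUTO_HIDE = NatRule("", "10.0.0.0/24", "203.0.113.1", automatic=True)
WEB = NatRule("web-dmz-static", "10.1.1.10", "203.0.113.10")
DB = NatRule("db-hide", "10.2.2.0/24", "203.0.113.2")

CURRENT = [AUTO_HIDE, WEB, DB]          # what the management server holds today
DESIRED = [WEB, DB]                     # what the playbook declares

# Later, someone enables automatic NAT on another object and a new automatic
# rule is inserted. No manual rule was modified, but every number moved.
AUTO_HIDE2 = NatRule("", "10.3.3.0/24", "203.0.113.3", automatic=True)
CURRENT_AFTER = [AUTO_HIDE2, AUTO_HIDE, WEB, DB]


if __name__ == "__main__":
    # Positional task written when WEB was rule 2 now addresses an automatic rule.
    print("rule 2 before:", rule_at(CURRENT, 2).name or "<automatic>")
    print("rule 2 after: ", rule_at(CURRENT_AFTER, 2).name or "<automatic>")
    # Name-keyed plan is unaffected by the renumbering.
    print("name-keyed plan after drift:", plan_by_name(CURRENT_AFTER, DESIRED))
```

The design point is that the plan is computed from a name-to-rule map, so the same desired state run against a renumbered rulebase still produces no changes, whereas a position-keyed task silently edits whatever now occupies that number. In a real playbook the lookup of current rules would come from the management API rather than an in-memory list, and the rule number would only be used for ordering, never as the identity of a manual rule.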
4 Replies
boneyard
Contributor

Very good question, anyone with experience since that wants to share?

I'm trying to get it working and will share some feedback in another thread, but it is pretty different from the access policy and other Check Point Ansible modules, requiring a different approach yet again. Ansible modules for every vendor require some getting used to, but having to do it in different ways for one product feels like it is not developed for the users.

boneyard
Contributor

Hi Jim, that is good to read. Do you have an idea when to expect this in the Galaxy repository?

Jim_Oqvist
Employee

R&D's plan was, if all goes well, to release the next collection before the end of this quarter, which means the end of this week; it might be postponed if any issues are identified during the testing phase.
