J_Saun
Contributor

Checkpoint automation - many questions

Just starting to get into automating configuration tasks on Checkpoint R80. I have installed cpAnsible on a CentOS machine that has Python running and did a simple group and object add, which worked fine.

 

My questions:

- Is Ansible just running built-in Checkpoint CLI commands? If so, where do I get a list of those commands?

- Why do I need Ansible?

- Why do I need Python on my local machine if I have Ansible? (Sorry, I just don't understand the relationship between the two.)

- Why do I need Python on the remote machine (the Checkpoint manager)?

- Is this possible on any Checkpoint version lower than R80? If not, how is similar automation performed on lower versions of Checkpoint (R77, R65)?

- Is it possible to have a front-end web form or something that passes request data (source, destination, port) to Python/Ansible/Checkpoint directly and processes the request automatically?

 

Thanks!

1 Solution

Accepted Solutions
PhoneBoy
Admin
Ansible is an automatic framework that runs on Python, which is an interpreted language.
When you use the cpModule, it is calling the REST API on the backend, which is only available in R80+ Management.
There is a Python interpreter on recent versions of Check Point Management already, but it is not used in this context.

There is no requirement to use Ansible for automation; it just happens to be a popular choice.
Anything that speaks a REST API can be used.
You can also use the CLI via the mgmt_cli command if you prefer.
API/CLI docs are here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
There are also sample web forms on CheckMates that you can leverage.

Automating R77.x and earlier management is possible to varying degrees depending on what you are trying to do.
However, it does not have a REST API and requires a bit more work to automate.
You can find examples for specific tasks on CheckMates.


5 Replies
J_Saun
Contributor

Thanks very much for the explanations.

0 Kudos
J_Saun
Contributor

I'm still trying to grasp the relationship between Ansible and the Checkpoint API. I successfully used cpAnsible and added a group with a host using the example they have on the GitHub cpansible page, but I don't understand how the commands are getting sent to the Checkpoint manager.

 

Example:

 

The Ansible .yml has the following:

    name: "add host"
    check_point_mgmt:
      command: add-host # Name of the command
      parameters: # The parameters for it, in dictionary form
        name: "host_demo"
        ip-address: "1.2.3.5"
 

But, according to the Management API Reference doc, if I just want to do that via the CLI on the management server I use:

mgmt_cli add host name "New Host 1" ip-address "1.2.3.5" --version 1.1 --format json

 

In the .yml it uses add-host (note the hyphen) but the CLI command is add host (no hyphen).

Does checkpoint accept either?

0 Kudos
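An added example, not part of the thread and not cpAnsible's code: the R80+ Management API mentioned in the accepted answer is JSON over HTTPS, where the hyphenated command name (`add-host`) is the last path segment under `/web_api/` and the task's `parameters` dictionary is the request body. The sketch below sends the same `add-host` call wrapped in the `login`, `publish` and `logout` calls the API needs; `build_call`, `send`, `run_task`, the host `mgmt.example.com` and the account `api_user` are constructed names for illustration.

```python
import json
import ssl
import urllib.request

def build_call(server, command, payload, sid=None):
    """Build the HTTPS request for one Management API command (nothing is sent)."""
    headers = {"Content-Type": "application/json"}
    if sid:  # every call after login carries the session id in this header
        headers["X-chkp-sid"] = sid
    return urllib.request.Request(
        f"https://{server}/web_api/{command}",
        data=json.dumps(payload).encode(),
        headers=headers,
        method="POST",
    )

def send(request, cafile=None):
    """Send with certificate verification left on. cafile is an assumption:
    the CA bundle that validates the management server's certificate."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(request, context=ctx, timeout=30) as resp:
        return json.load(resp)

def run_task(server, user, password, command, parameters, transport=send):
    """login -> command -> publish, with discard on error and logout always."""
    creds = {"user": user, "password": password}
    sid = transport(build_call(server, "login", creds))["sid"]
    try:
        result = transport(build_call(server, command, parameters, sid))
        transport(build_call(server, "publish", {}, sid))  # make the change live
        return result
    except Exception:
        transport(build_call(server, "discard", {}, sid))  # drop partial changes
        raise
    finally:
        transport(build_call(server, "logout", {}, sid))  # never leave a session open

if __name__ == "__main__":
    import getpass  # prompt for the password instead of storing it in the script
    print(run_task("mgmt.example.com", "api_user", getpass.getpass(),
                   "add-host", {"name": "host_demo", "ip-address": "1.2.3.5"}))
```
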
Tribhawan_Singh
Contributor

Is there a way we can run the Ansible script to perform basic health check commands on the checkpoint gateway?

The Ansible script is to be run from an external jumphost, and through that script it should log in to the firewall and take the output of certain commands like connection state, memory, CPU and other basic commands.

Is it possible to achieve this through Ansible?

0 Kudos