This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
J_Saun
Contributor
‎2019-03-21 04:17 AM
Jump to solution

Checkpoint automation - many questions

Just starting to get into automating configuration tasks on Checkpoint R80. I have installed cpAnsible on a CentOS that has python running and did a simple group and object add which worked fine

 

My questions:

- Is Ansible just running built in Checkpoint CLI commands? If so, where do I get a list of those commands?

- Why do I need Ansible?

- why do I need Python on my local machine if I have Ansible? (sorry - just dont understand the relationship between the 2)

- why do I need Python on the remote machine (the Checkpoint manager)

- is this possible on any Checkpoint version lower than R80? If not, how is similar automation performed on lower versions of Checkpoint (R77, R65)?

- is it possible to have a front end webform or something that passes request data (source, destination, port) to Python/Ansible/Checkpoint-directly and processes the request automatically?

 

Thanks!

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2019-03-21 10:03 PM
Jump to solution

Ansible is an automatic framework that runs on Python, which is an interpreted language.
When you use the cpModule, it is calling the REST API on the backend, which is only available in R80+ Management.
There is a python interpreter on recent versions of Check Point Management already but it is not used in this context.

There is no requirement to use Ansible for automation, it just happens to be a popular choice.
Anything that speaks a REST API can be used.
You can also use the CLI via the mgmt_cli command if you prefer.
API/CLI docs are here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
There are also sample web forms on CheckMates that you can leverage.

Automating R77.x and earlier management is possible to varying degrees depending on what you are trying to do.
However, it does not have a REST API and requires a bit more work to automate.
You can find examples for specific tasks on CheckMates.

View solution in original post

5 Replies
PhoneBoy
Admin
Admin
‎2019-03-21 10:03 PM
Jump to solution

Ansible is an automatic framework that runs on Python, which is an interpreted language.
When you use the cpModule, it is calling the REST API on the backend, which is only available in R80+ Management.
There is a python interpreter on recent versions of Check Point Management already but it is not used in this context.

There is no requirement to use Ansible for automation, it just happens to be a popular choice.
Anything that speaks a REST API can be used.
You can also use the CLI via the mgmt_cli command if you prefer.
API/CLI docs are here: https://sc1.checkpoint.com/documents/latest/APIs/index.html
There are also sample web forms on CheckMates that you can leverage.

Automating R77.x and earlier management is possible to varying degrees depending on what you are trying to do.
However, it does not have a REST API and requires a bit more work to automate.
You can find examples for specific tasks on CheckMates.
J_Saun
Contributor
‎2019-03-22 07:22 AM
In response to PhoneBoy
Jump to solution

Thanks very much for the explanations.

0 Kudos
J_Saun
Contributor
‎2019-04-09 05:23 PM
In response to J_Saun
Jump to solution

I'm still trying to grasp the relationship between Ansible and Checkpoint API. I successfuly used cpAnsible and added a group with a host using the example they have on the Github cpansible page but I don't understand how the commands are getting sent to the Checkpoint manager.

 

Example:

 

The Ansible .yml has the following:

name: "add host"
check_point_mgmt:
command: add-host # Name of the command
parameters: # The parameters for it, in dictionary form
name: "host_demo"
ip-address: "1.2.3.5"

 

But, according to the Management API Reference doc, if I just want to do that via the CLI on the management server I use:

mgmt_cli add host name "New Host 1" ip-address "1.2.3.5" --version 1.1 --format json

 

In the .yml it uses add-host (note the hyphen) but the CLI command is add host (no hyphen).

Does checkpoint accept either?

0 Kudos
Tribhawan_Singh
Contributor
‎2019-06-26 01:48 AM
In response to J_Saun
Jump to solution

Is there a way we can run the Ansible script to perform basic health check commands on the checkpoint gateway.

Ansible script is to be run from a external jumphost and through that script , it should login into the firewall and take output of certain commands like connection state, memory, cpu and other basic commands.

Is it possible to achieve this through ansible.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events