This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Bogdan_Radu
Explorer
‎2018-10-16 05:31 AM

Checkpoint automation with Ansible

Hi all,

I am starting to play with Ansible playbooks, but either I don't understand the Checkpoint published Ansible documentation, or the way it works is a bit strange.

As far as I have read in the documentation and in the examples, the playbooks are ran on the local Ansible server (localhost), but still there is a section to define the credentials to connect via SSH to the Ansible server. So basically, when running the playbook on the Ansible server, the script will connect to itself via SSH and then it will connect to the Checkpoint management server to run the commands. I guess there should be a way to skip this, and also avoid having SSH credentials in the Ansible configuration files (only the Checkpoint management credentials will be configured).

Is this the intended way of working, or I'm completely messing up the configuration?

Thanks!

5 Replies
PhoneBoy
Admin
Admin
‎2018-10-16 07:47 AM

It should not be required to define localhost (with SSH credentials) in /etc/ansible/hosts.

0 Kudos
Bogdan_Radu
Explorer
‎2018-10-17 02:36 AM
In response to PhoneBoy

I have tried without that, but I get the SSH banner from the ansible server in the error generated when I try to run the playbook, so it is definitely trying to connect to itself. Should I configure the playbook with 'localhost' in the "hosts" section, or with the checkpoint management server?

In all the examples and tutorials I see that the hosts section of the playbook is set to 'localhost'

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-17 04:03 AM
In response to Bogdan_Radu

If you want to see a working example, I recommend checking this: https://community.checkpoint.com/thread/5478-leveraging-the-r8010-api-to-automate-and-streamline-sec... 

My /etc/ansible/hosts based on this example has nothing in it (or just all comments) and all the playbooks refer to localhost only.

Gert_Vossius
Participant
‎2019-04-04 09:23 PM

Hi, I hope I can ask my question in this post and don't need to create a new post for this since my question is also related to Check Point automation with Ansible.

Due to FQDN resolving issues on our current version (and not able to upgrade to R80 yet since we are using SP solution) we want to update our FW rulebase based doing some DNS queries in a script and create new host objects and update a network object group with the relevant host objects). Since there's still an issue with the way the cpAnsible module is working (idempotence - https://github.com/CheckPointSW/cpAnsible/issues/7) I would like to use the parameter set-if-exists but for some reason my ansible playbook if failing with the following error: "The error was: ValueError: No JSON object could be decoded".

So basically I'm using the set-if-exists parameter wrong in my playbook. If I remove this line the playbook will run successfully (for new/not yet configured host objects)

PLAY [localhost] *******************************************************************************************************************************************************************

TASK [Gathering Facts] *************************************************************************************************************************************************************
ok: [localhost]

TASK [login] ***********************************************************************************************************************************************************************
ok: [localhost]

TASK [add host] ********************************************************************************************************************************************************************
changed: [localhost] => (item={u'ip_address': u'172.217.23.206', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-172.217.23.206" target="_blank">www.youtube.com-172.217.23.206</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-172.217.23.206" target="_blank">www.youtube.com-172.217.23.206</a>'})
changed: [localhost] => (item={u'ip_address': u'172.217.23.238', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-172.217.23.238" target="_blank">www.youtube.com-172.217.23.238</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-172.217.23.238" target="_blank">www.youtube.com-172.217.23.238</a>'})
changed: [localhost] => (item={u'ip_address': u'216.58.201.78', u'fqdn': u'<a href="http://www.youtube.com" target="_blank">www.youtube.com</a>', u'name': u'fqdn-<a href="http://www.youtube.com-216.58.201.78" target="_blank">www.youtube.com-216.58.201.78</a>', u'host_name': u'fqdn-<a href="http://www.youtube.com-216.58.201.78" target="_blank">www.youtube.com-216.58.201.78</a>'})

TASK [publish] *********************************************************************************************************************************************************************
ok: [localhost]

TASK [logout] **********************************************************************************************************************************************************************
ok: [localhost]

PLAY RECAP *************************************************************************************************************************************************************************
localhost                  : ok=5    changed=1    unreachable=0    failed=0

 

My playbook looks like this:

---
- hosts: "localhost"                        # Note #2 in the Description section
  vars_files:
  - test.yml
  tasks:
  - name: "login"                           # You have to login to the management
                                            # server before running any commands
    check_point_mgmt:
      command: login
      parameters:
        username: "{{username}}"          # Variables set in /etc/ansible/hosts, to avoid needing
        password: "{{password}}"       # to type your login details in every playbook.
        management: "{{mds_ip}}"
        domain: "{{mds_domain}}"
      fingerprint: "{{mds_fingerprint}}"
    register: login_response                # Register the output from the login
                                            # command so we can use it later to run commands.
  - name: "add host"
    check_point_mgmt:
      command: add-host                     # Name of the command
      parameters:                           #  The parameters for it, in dictionary form
        name: "{{item.host_name}}"
        ip-address: "{{item.ip_address}}"
        set-if-exists: true
      session-data: "{{ login_response }}"  # The session data we received from
    with_items: "{{host_table}}"

  - name: "publish"                         # Publishing is important if you want
                                            # your changes to be saved.
    check_point_mgmt:                       # This will actually 'discard' when
                                            # check mode is enabled (ansible-playbook -C)
                                            # unless you add 'always_run: yes' to the task.
      command: publish
      session-data: "{{login_response}}"
  - name: logout
    check_point_mgmt:
      command: logout
      session-data: '{{login_response}}'

 

Many thanks!

Gert_Vossius
Participant
‎2019-04-07 09:56 PM
In response to Gert_Vossius

Ok I found the issue. The set-if-exists value should be between quotes

 

set-if-exists: "true"

 

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events