Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Aathi
Contributor

Checkpoint rule creation through ansible playbook

HI Team,

 

we are automating checkpoint firewall rule creation through ansible playbook.in that we are able to create a new rule base.facing difficulties to add the source/destination ,ports in existing rule base.Can you please let me know how to add the ips in existing rule bases.

Thanks in advance.

Regards

Aathi

 

4 Replies
PhoneBoy
Admin
Admin

You would use the set access-rule API call to modify an existing rule.
The exact rule you modify must be by name or UID.
Refer to the API documentation: https😕/sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.4
0 Kudos
Aathi
Contributor

Hi ,

 

Please find the below error while using the set-access command.

fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"command": "set-access-section",
"fingerprint": null,
"parameters": "{'position': 1, 'layer': 'network', 'name': 'web'}",
"session-data": "{'failed': False, 'changed': False, 'response': {'url': '10.205.141.115:443', 'domain': None, 'sid': 'Fq1GsputgUdWSX8gATlDJOG-qyeMNyEfRlKymdCRUac', 'fingerprint': '844081C8A58B70EE1D68160892520A278783422C'}}"
}
},
"msg": "Command 'set-access-section {u'position': 1, u'layer': u'network', u'name': u'web'}' failed with error message: Unrecognized parameter [position]. All changes are discarded and the session is invalidated."

 

Playbook:

tasks:

  - name: "login"

    check_point_mgmt:

      command: login

      parameters:

        username: "{{mgmt_user}}"

        password: "{{mgmt_password}}"

        management: "{{mgmt_server}}"

      fingerprint: "{{mgmt_fingerprint}}"

    register: login_response

 

  - name: "set-host-cpx-host2"

    check_point_mgmt:

      command: set-host

      parameters:

        name: "host150"

        ip-address: "192.168.1.150"

      session-data: "{{login_response}}"

 

  - name: "add-host-cpx-host3"

    check_point_mgmt:

      command: set-host

      parameters:

        name: "host250"

        ip-address: "192.168.1.250"

      session-data: "{{login_response}}"

 

  - name: "create new tcp service"

    check_point_mgmt:

      command: add-service-tcp

      parameters:

        name: "tcp_777"

        port: "777"

      session-data: "{{login_response}}"

 

  - name: "create a section called 'script rules'"

    check_point_mgmt:

      command: set-access-section

      parameters:

        layer: "network"

        name: "web"

        position: 1

      session-data: '{{ login_response }}'

 

  - name: "create rule at the top of a section called 'script rules'"

    check_point_mgmt:

      command: set-access-rule

      parameters:

        layer: "network"

        name: "created by me"

        position:

          top: "web"

        source:

          - "host150"

        destination:

          - "host250"

        service:

          - "tcp_777"

        action: "accept"

      session-data: "{{login_response}}"

 

  - name: "publish"

    check_point_mgmt:

      command: publish

      session-data: "{{login_response}}"

 

I  I am just adding the port tcp.777 from existing rule base.

 

Thanks in advance.

 

Regards

Aathi

0 Kudos
Ron_Izraeli
Employee
Employee

If you'd like to "create a section called 'script rules'" you should use add-access-section and not set-access-section

0 Kudos
Aathi
Contributor

Hi Team,

 

I have used below script to updated the existing rule base that is source and destination is same ,i tried to update the port only. already port 22 is allowed between mentioned source and destination .in addition i tried to allow 1813 between same source and destination.but its not updating instead of its replacing the port.Kindly check the below script and let me know if anything need to do the changes on to update the port.

 

tasks:
- name: "login"
check_point_mgmt:
command: login
parameters:
username: "{{mgmt_user}}"
password: "{{mgmt_password}}"
management: "{{mgmt_server}}"
fingerprint: "{{mgmt_fingerprint}}"
register: login_response

- name: "add-host--host2"
check_point_mgmt:
command: set-host
parameters:
name: "host2"
ip-address: "10.168.1.150"
session-data: "{{login_response}}"

- name: "add-host--host3"
check_point_mgmt:
command: set-host
parameters:
name: "host3"
ip-address: "10.168.1.50"
session-data: "{{login_response}}"

- name: "create new tcp service"
check_point_mgmt:
command: add-service-tcp
parameters:
name: "tcp_1813"
port: "1813"
session-data: "{{login_response}}"

- name: "create a section called 'script rules'"
check_point_mgmt:
command: add-access-section
parameters:
layer: "IND_BLR_POLICY_Network"
name: "web"
position: 1
session-data: '{{ login_response }}'

- name: "create rule at the top of a section called 'script rules'"
check_point_mgmt:
command: set-access-rule
parameters:
layer: "IND_BLR_POLICY_Network"
name: "created by me"
position:
top: "web"
source:
- "host2"
destination:
- "host3"
service:
- "tcp_1813"
action: "accept"
session-data: "{{login_response}}"

- name: "publish"
check_point_mgmt:
command: publish
session-data: "{{login_response}

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events