This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Aathi
Contributor
‎2019-04-01 10:03 PM

Checkpoint rule creation through ansible playbook

HI Team,

 

we are automating checkpoint firewall rule creation through ansible playbook.in that we are able to create a new rule base.facing difficulties to add the source/destination ,ports in existing rule base.Can you please let me know how to add the ips in existing rule bases.

Thanks in advance.

Regards

Aathi

 

4 Replies
PhoneBoy
Admin
Admin
‎2019-04-02 06:01 PM

You would use the set access-rule API call to modify an existing rule.
The exact rule you modify must be by name or UID.
Refer to the API documentation: https😕/sc1.checkpoint.com/documents/latest/APIs/index.html#cli/set-access-rule~v1.4
0 Kudos
Aathi
Contributor
‎2019-04-03 03:56 AM
In response to PhoneBoy

Hi ,

 

Please find the below error while using the set-access command.

fatal: [localhost]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"command": "set-access-section",
"fingerprint": null,
"parameters": "{'position': 1, 'layer': 'network', 'name': 'web'}",
"session-data": "{'failed': False, 'changed': False, 'response': {'url': '10.205.141.115:443', 'domain': None, 'sid': 'Fq1GsputgUdWSX8gATlDJOG-qyeMNyEfRlKymdCRUac', 'fingerprint': '844081C8A58B70EE1D68160892520A278783422C'}}"
}
},
"msg": "Command 'set-access-section {u'position': 1, u'layer': u'network', u'name': u'web'}' failed with error message: Unrecognized parameter [position]. All changes are discarded and the session is invalidated."

 

Playbook:

tasks:

  - name: "login"

    check_point_mgmt:

      command: login

      parameters:

        username: "{{mgmt_user}}"

        password: "{{mgmt_password}}"

        management: "{{mgmt_server}}"

      fingerprint: "{{mgmt_fingerprint}}"

    register: login_response

 

  - name: "set-host-cpx-host2"

    check_point_mgmt:

      command: set-host

      parameters:

        name: "host150"

        ip-address: "192.168.1.150"

      session-data: "{{login_response}}"

 

  - name: "add-host-cpx-host3"

    check_point_mgmt:

      command: set-host

      parameters:

        name: "host250"

        ip-address: "192.168.1.250"

      session-data: "{{login_response}}"

 

  - name: "create new tcp service"

    check_point_mgmt:

      command: add-service-tcp

      parameters:

        name: "tcp_777"

        port: "777"

      session-data: "{{login_response}}"

 

  - name: "create a section called 'script rules'"

    check_point_mgmt:

      command: set-access-section

      parameters:

        layer: "network"

        name: "web"

        position: 1

      session-data: '{{ login_response }}'

 

  - name: "create rule at the top of a section called 'script rules'"

    check_point_mgmt:

      command: set-access-rule

      parameters:

        layer: "network"

        name: "created by me"

        position:

          top: "web"

        source:

          - "host150"

        destination:

          - "host250"

        service:

          - "tcp_777"

        action: "accept"

      session-data: "{{login_response}}"

 

  - name: "publish"

    check_point_mgmt:

      command: publish

      session-data: "{{login_response}}"

 

I  I am just adding the port tcp.777 from existing rule base.

 

Thanks in advance.

 

Regards

Aathi

0 Kudos
Ron_Izraeli
Employee
Employee
‎2019-04-03 10:11 AM
In response to Aathi

If you'd like to "create a section called 'script rules'" you should use add-access-section and not set-access-section

0 Kudos
Aathi
Contributor
‎2019-04-11 09:28 PM
In response to Ron_Izraeli

Hi Team,

 

I have used below script to updated the existing rule base that is source and destination is same ,i tried to update the port only. already port 22 is allowed between mentioned source and destination .in addition i tried to allow 1813 between same source and destination.but its not updating instead of its replacing the port.Kindly check the below script and let me know if anything need to do the changes on to update the port.

 

tasks:
- name: "login"
check_point_mgmt:
command: login
parameters:
username: "{{mgmt_user}}"
password: "{{mgmt_password}}"
management: "{{mgmt_server}}"
fingerprint: "{{mgmt_fingerprint}}"
register: login_response

- name: "add-host--host2"
check_point_mgmt:
command: set-host
parameters:
name: "host2"
ip-address: "10.168.1.150"
session-data: "{{login_response}}"

- name: "add-host--host3"
check_point_mgmt:
command: set-host
parameters:
name: "host3"
ip-address: "10.168.1.50"
session-data: "{{login_response}}"

- name: "create new tcp service"
check_point_mgmt:
command: add-service-tcp
parameters:
name: "tcp_1813"
port: "1813"
session-data: "{{login_response}}"

- name: "create a section called 'script rules'"
check_point_mgmt:
command: add-access-section
parameters:
layer: "IND_BLR_POLICY_Network"
name: "web"
position: 1
session-data: '{{ login_response }}'

- name: "create rule at the top of a section called 'script rules'"
check_point_mgmt:
command: set-access-rule
parameters:
layer: "IND_BLR_POLICY_Network"
name: "created by me"
position:
top: "web"
source:
- "host2"
destination:
- "host3"
service:
- "tcp_1813"
action: "accept"
session-data: "{{login_response}}"

- name: "publish"
check_point_mgmt:
command: publish
session-data: "{{login_response}

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events