Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
User1234
Contributor

Create role to add sections and rules

Hi there!

I want to create a access layer ruleset with sections and rules.

There are two modules provided by checkpoint which seem to be relevant:

I am having a yaml file which contains all rules in the right order, looking something like this:

 

-
    Name: "FW MGMT"
    Comments: "MGMT Clients to FW"
    Action: Accept
    Destination: o-fw01
    Source: allow_fwmgmt
    Enable: yes
    Service:
      - ssh_version_2
      - https-tcp8443
-
    Name: "GW Identity Access"
    Comments: "Access f. Identity Awareness"
    Action: Accept
    Destination: fw01
    Source: allow_fw-identity
    Enable: yes
    Service: https
-
    Name: "FW Stealth"
    Comments: "FW Stealth Rule"
    Action: Drop
    Destination: fw01
    Source: Any
    Enable: yes
    Service: Any

 

The corresponding task looks something like this:

 

- name: set access rule
  check_point.mgmt.cp_mgmt_access_rule:
    name: "{{ item.Name }}"
    position: "{{ index | int + 1 }}"
    comments: "{{ item.Comments }}"
    destination: "{{ item.Destination }}"
    source: "{{ item.Source }}"
    service: "{{ item.Service }}"
    action: "{{ item.Action }}"
  loop: "{{ cp_access_rules }}"
  loop_control:
    index_var: index

 

  So it takes the first entry of the rules file and submits it as first rule to the rulebase, takes the second on and puts it on second position and so on, using the index.

Is it somehow possible to combine this with sections?

Is it possible to put sections between the rules in the same file and let ansible decide which task to execute?

I tried put a cp_mgmt_access_rule and a cp_mgmt_access_section in a block and loop the block but ansible does not support looping entire blocks.

 

Is there a better way to do this?

0 Kudos
2 Replies
PhoneBoy
Admin
Admin

Sounds like more of a question of whether Ansible will allow this sort of functionality versus a specific question with our module.

0 Kudos
Art_Zalenekas
Employee
Employee

No it is not possible. Push your rules, then push your sections after that. It's going to be position specific. What you can do is know your rules around a section and store that as set_facts and reuse that variable in setting the position.
Good luck!

0 Kudos