boneyard
Contributor
Data Center object in Ansible

I created a generic Data Center object to read a local JSON file in the GUI.

I don’t see any Ansible module to do the same. There is one for objects within the Data Center, but not the level higher. Is that correct? 

If so any plans to add this?

In the meantime any workaround known?

Bob_Zimmerman
Authority

The management API has the ability to create generic datacenter objects, but does not (as of R81.20 jumbo 26) have the ability to populate them. The Ansible modules provide a subset of management API functionality, so Ansible also can't populate a generic datacenter object.

b0neyard
Explorer

Thanks Bob.

Do you (or someone else) by chance have an answer on if / when this will be added?

And if there is a workaround?

Bob_Zimmerman
Authority

I don't work for Check Point, I'm just an extraordinarily heavy user of the management API. I know a lot of remaining gaps are expected to be addressed in R82, but I don't think I've seen the EA program for it yet. No idea if this is one of the things planned for R82.

You might be able to use set-generic-object calls to manually poke the properties you want into the object, but that's definitely not something I would try to do through Ansible. This would take some experimentation, since set-generic-object is an undocumented management API call. Additionally, set-generic-object is not supported, so if something goes wrong and it blows up your management server, the TAC would tell you you're on your own.

PhoneBoy
Admin

In general, for a feature/function to be available in our Ansible, it must be available in our Management API.
The Management API currently does not support this function.

I recommend you discuss these requirements with your local Check Point office as they will probably have to be addressed in the context of an RFE.

Hugo_vd_Kooij
Advisor

In my understanding, if you create a datacenter object it should be populated from another source. So if I create an AWS Datacenter object, then the objects should be read from AWS by the SmartCenter. So adding objects in a datacenter should be done in the actual datacenter and not inside SmartCenter.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Bob_Zimmerman
Authority

That's how datacenter objects in general work, yes. They have to know what data to get from where, though. Since Check Point can't account for all external datacenter data sources, they have a "Generic Data Center" object. You give this object a URL to a JSON file, a fetch interval, and optionally a custom header key and value.

The API can create a Generic Data Center object, but it can't provide the URL, fetch interval, or custom header data to make that object useful.

Hugo_vd_Kooij
Advisor

I see. But then you have a list of objects that you can add as objects yourself; I would assume that to be the more controlled way. The generic datacenter object is more or less a workaround for non-API users in my view.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Bob_Zimmerman
Authority

Check Point management changes are mid-weight. You have to log in, make the change, publish, push policy, etc. Generic datacenters are lighter-weight in that the system fetches the new stuff in the datacenter on its own periodically. This way your firewall rules can say "Allow all the web servers for this application to talk to the database servers for this application", and the rule doesn't have to care about the exact machines which make up either group. The datacenter object is then responsible for populating the groups as machines are built and destroyed.

To me, it's kind of like LSM. It separates the intended access from the precise implementation of that access.
