This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
boneyard
Contributor
‎2023-10-01 12:11 PM
Jump to solution

Data Center object in Ansible

I created a generic Data Center object to read a local JSOB file in the GUI.

I don’t see any Ansible module to do the same. There is one for objects within the Data Center, but not the level higher. Is that correct? 

If so any plans to add this?

In the meantime any workaround known?

(1)
1 Solution

Accepted Solutions
Bob_Zimmerman
Authority
Authority
‎2023-10-01 01:57 PM
Jump to solution

The management API has the ability to create generic datacenter objects, but does not (as of R81.20 jumbo 26) have the ability to populate them. The Ansible modules provide a subset of management API functionality, so Ansible also can't populate a generic datacenter object.

View solution in original post

0 Kudos
8 Replies
Bob_Zimmerman
Authority
Authority
‎2023-10-01 01:57 PM
Jump to solution

The management API has the ability to create generic datacenter objects, but does not (as of R81.20 jumbo 26) have the ability to populate them. The Ansible modules provide a subset of management API functionality, so Ansible also can't populate a generic datacenter object.

0 Kudos
b0neyard
Explorer
‎2023-10-02 08:43 AM
In response to Bob_Zimmerman
Jump to solution

Thanks Bob.

Do you (or someone else) by chance have an answer on if / when this will be added?

And if there is a workaround?

0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-02 09:17 AM
In response to b0neyard
Jump to solution

I don't work for Check Point, I'm just an extraordinarily heavy user of the management API. I know a lot of remaining gaps are expected to be addressed in R82, but I don't think I've seen the EA program for it yet. No idea if this is one of the things planned for R82.

You might be able to use set-generic-object calls to manually poke the properties you want into the object, but that's definitely not something I would try to do through Ansible. This would take some experimentation, since set-generic-object is an undocumented management API call. Additionally, set-generic-object is not supported, so if something goes wrong and it blows up your management server, the TAC would tell you you're on your own.

0 Kudos
PhoneBoy
Admin
Admin
‎2023-10-06 09:22 AM
In response to b0neyard
Jump to solution

In general, for a feature/function to be available in our Ansible, it must be available in our Management API.
The Management API currently does not support this function.

I recommend you discuss these requirements with your local Check Point office as they will probably have to be addressed in the context of an RFE.

 

0 Kudos
Hugo_vd_Kooij
Advisor
‎2023-10-04 04:09 AM
In response to Bob_Zimmerman
Jump to solution

In my understanding if you create a datcenter object it should be populated from another source. So If I create an AWS Datacenter object then the objects should be read from AWS by the SmartCenter. So adding object in a datacenter should be done in the actual datacenter and not inside SmartCenter.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-04 07:26 AM
In response to Hugo_vd_Kooij
Jump to solution

That's how datacenter objects in general work, yes. They have to know what data to get from where, though. Since Check Point can't account for all external datacenter data sources, they have a "Generic Data Center" object. You give this object a URL to a JSON file, a fetch interval, and optionally a custom header key and value.

The API can create a Generic Data Center object, but it can't provide the URL, fetch interval, or custom header data to make that object useful.

0 Kudos
Hugo_vd_Kooij
Advisor
‎2023-10-04 11:01 PM
In response to Bob_Zimmerman
Jump to solution

I see. But then you have a list of objects that you can as objects yourself I would assume that to be the more controlled way. The generic datacenter object is more or less a  workaround for non-API users in my view.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
Bob_Zimmerman
Authority
Authority
‎2023-10-05 06:38 AM
In response to Hugo_vd_Kooij
Jump to solution

Check Point management changes are mid-weight. You have to log in, make the change, publish, push policy, etc. Generic datacenters are lighter-weight in that the system fetches the new stuff in the datacenter on its own periodically. This way your firewall rules can say "Allow all the web servers for this application to talk to the database servers for this application", and the rule doesn't have to care about the exact machines which make up either group. The datacenter object is then responsible for populating the groups as machines are built and destroyed.

To me, it's kind of like LSM. It separates the intended access from the precise implementation of that access.

0 Kudos
Upcoming Events

    CheckMates Events