Thanks 🙂  I have my next 2 episodes partially ready.  I know it's been a few months since the last one, but I'm not ghosting it.  I moved to a new home right after my last episode, and it's taking a while to get everything settled (a lot longer than I thought it might).

These next two episode topics are going to be about improving playbooks with external task lists, handling more object types, and the order-of-operations for deleting objects (sometimes that's not such an easy task!).  The episode after these is going to be working with access rules and layers (everyone's favorite!).

Hello, @Duane_Toler 
I'm sharing my Playbook with you.
Can you let me know if you think it's okay?
Or do you have any suggestions for improvement?
Thank you.

This playbook is doing too much "work".  You do not need to use the URI module and the playbook should not prompt for input.  Automation is designed not to be interactive.  The input data should be provided with the external variables files.  If you design the variables file with a structured format (YAML or JSON), then the playbooks can read these files automatically and perform the actions.

You need to install the Check Point management module collection from Ansible Galaxy.  I cover the module collection in a separate video.  My series is using Docker containers, but you don't have to use Docker.

https://www.youtube.com/watch?v=OcW3mH4frEk&t=1s

Use this command to do it:

ansible-galaxy collection install check_point.mgmt

You need to use an inventory file of some kind to tell Ansible about your MDS host.  If you want to use a username and password, that's ok, but your password needs to be encrypted.  You can use this inventory to get you started.  Save this as "inventory.yml":

---
all:
  hosts:
    SEC001:  # Name of your domain / nombre de CMA
      ansible_host: 192.168.60.155  # IP del MDS
      ansible_checkpoint_domain: SEC001  # Name of your domain / nombre de CMA
      policy_package: Standard  # Name of policy package for the domain
    SEC002:  # Name of your domain / nombre de CMA
      ansible_host: 192.168.60.155  # IP del MDS
      ansible_checkpoint_domain: SEC002  # Name of your domain / nombre de CMA
      policy_package: Standard  # Name of policy package / nombre de policy package para el dominio

...

 Verify the inventory is correct with this command:

ansible-inventory -i inventory.yml --list

The output should look like this:

{
    "_meta": {
        "hostvars": {
            "SEC001": {
                "ansible_checkpoint_domain": "SEC001",
                "ansible_host": "192.168.60.155",
                "policy_package": "Standard"
            },
            "SEC002": {
                "ansible_checkpoint_domain": "SEC002",
                "ansible_host": "192.168.60.155",
                "policy_package": "Standard"
            }
        }
    },
    "all": {
        "children": [
            "ungrouped"
        ]
    },
    "ungrouped": {
        "hosts": [
            "SEC001",
            "SEC002"
        ]
    }
}

I don't know how your current text file is made, or where you create it.  If you are writing the text file manually, then you need to write it with the YAML format as I showed above.  Create one YAML variable file for each of your management domains as I showed and include the name of the management domain in the filename.

If you want the playbook to install the policy to your gateways automatically, then you can add these two tasks to the playbook I already gave you.  Here's a complete playbook using the domains you showed (SEC001, SEC002, etc.).

---
- name: Mass Rule Delete
  hosts: SEC001,SEC002,SEC003  # los dominios (CMA) en el inventorio
  gather_facts: false
  become: false
  connection: httpapi
  serial: 1  # MÁS IMPORTANTE

  vars:
    ansible_network_os: check_point.mgmt.checkpoint
    ansible_user: admin   # Usario de SmartConsole
    ansible_password: "YOUR_PASSWORD"  # Esto no está encriptado

  vars_files:
    - "vars_{{ inventory_hostname }}.yml"  # Ansible cargará un archivo de variables para cada host de inventario, que es el nombre de su dominio

  tasks:
    - name: Delete rules
      check_point.mgmt.cp_mgmt_access_rule:
        name: "{{ item.name }}"
        layer: "{{ item.layer }}"
        # state: absent    # uncomment this to delete the rule
        # enabled: false   # or, uncomment this to disable the rule
      loop: "{{ access_rules |default([]) }}"  # "access_rules" está en el archivo de variables para el dominio
      loop_control:
        label: "{{ item.name }}"

    - name: Publish
      check_point.mgmt.cp_mgmt_publish:
        wait_for_task: true

    - name: Verify policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "{{ policy_package }}"  # "policy_package" es en lo inventorio para el dominio
        wait_for_task: true
        wait_for_task_timeout: 10  # en minutos

    - name: Install Policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "{{ policy_package }}"
        access: true
        install_on_all_cluster_members_or_fail: true
        wait_for_task: true
        wait_for_task_timeout: 10  # en minutos

(EDIT:  add comments to either disable the rule, or delete the rule; choose only one)

Hello @Duane_Toler 
How do you validate whether Ansible has the module installed? I am referring to “ansible-galaxy collection install check_point.mgmt.”
In your recommendation, how would you “feed” your Ansible server so that you can add new IPs/domains to a group of objects in each CMA on a daily basis?
I'm trying to do it through a txt file, but I'm no longer sure if that's the right way.
The idea would be to simply “copy and paste” the new lists that are sent to us daily.
Is this best done with an Excel file?
In your series of videos on your YouTube channel, will you make any videos related to these scenarios? 😁
Thank you for your comments.

Hey bro,

Im sure Duane will confirm, but maybe this?

ansible-galaxy collection list | grep check_point

You can check the collection with the ansible-galaxy command again:

ansible-galaxy collection list check_point.mgmt

 If the collection is installed, it will return the location on disk where the collection is installed and the version of the collection:

# /home/dtoler/ansible/collections/ansible_collections
Collection       Version
---------------- -------
check_point.mgmt 6.2.1  

You can verify the path for your Ansible collections path with the command "ansible --version".  This will load the default ansible configuration file from the default search path (/etc/ansible, your home directory, or the current local directory):

$ ansible --version
ansible [core 2.16.3]
  config file = /home/dtoler/ansible/ansible.cfg
  configured module search path = ['/home/dtoler/ansible/library']
  ansible python module location = /usr/lib/python3.12/site-packages/ansible
  ansible collection location = /home/dtoler/ansible/collections
  executable location = /usr/bin/ansible
  python version = 3.12.3 (main, Jun 19 2024, 10:06:03) [GCC 8.5.0 20210514 (Red Hat 8.5.0-22)] (/usr/bin/python3.12)
  jinja version = 3.1.2
  libyaml = True

To feed data to Ansible, there are 2 ways that are "best": YAML format, or JSON format.  Ansible can work with either format equally.  If you are writing the data manually yourself, then you will want to use YAML because it is easier to type and has less rules about how to structure the content.  However, if you are pulling the data from another source (such as with an API, or something generated programmatically), then most likely JSON will be the format to use.

You can use a CSV exported from Excel, but this could result in more work than necessary, especially if the ordering of the fields change.  YAML and JSON don't require your fields to be in a specific order.

The first thing you need to do, when starting with Ansible, is to start thinking of your data source as some type of "object" that you can describe in a consistent way.  For example, if you want to add many host objects, you will describe the host objects as a "list of items".  If you want to assign these hosts to a specific group, you can add that to the host object description.  This is how to do it with YAML:

host_objects:
  - name: Host1
    ipv4_address: 192.0.2.1
    color: orange
    comments: This is the Host1 object
    groups:
      - group1
      - group2
  - name: Host2
    ipv4_address: 192.0.2.2
    color: forest green
    comments: This is another object
    groups:
      - group2
      - group3

You can save this YAML list object in a separate file, such as "vars_hosts.yml".

You can write your playbook to be generic, so that it acts as a template.  The playbook will always do the same thing every time, but the content will be loaded from the separate YAML variables file.

- name: Add hosts to management server
  hosts: cpmgmt01  # change this to your MDS domain or your mgmt server
  gather_facts: false
  connection: httpapi

  vars:
    install_policy: true  # change this to false to skip policy install
    policy_package: 'YOUR POLICY PACKAGE NAME' # Change this to your policy package; such as Standard
    ansible_network_os: check_point.mgmt.checkpoint
    ansible_api_key: "your API key string"  # use the API key if your administrator has one
    # ansible_user: YOUR_SMARTCONSOLE_USERNAME  # use this instead of api key
    # ansible_password: YOUR_SMARTCONSOLE_PASSWORD  # use this instead of api key

  vars_files:
    - vars_hosts.yml  # THIS is the external variables file that has your host objects defined

  tasks:
    - name: Add host objects
      check_point.mgmt.cp_mgmt_host:
        name: "{{ item.name }}"
        ipv4_addres: "{{ item.ipv4_address | default(omit) }}"
        ipv6_address: "{{ item.ipv6_address |default(omit) }}"
        color: "{{ item.color | default(omit) }}"
        comments: "{{ item.comments | default(omit) }}"
        groups: "{{ item.groups |default(omit) }}"
      loop: "{{ host_objects |default([]) }}"
      loop_control:
        label: "{{ item.name }}"

    - name: Publish
      check_point.mgmt.cp_mgmt_publish:
        wait_for_task: true

    - name: Install Policy
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: "{{ policy_package }}"
        policy_targets: "{{ policy_targets |default(omit) }}"
        access: true
        install_on_all_cluster_members_or_fail: true
        wait_for_task: true
        wait_for_task_timeout: 5  # minutes
      when: install_policy |default(false)

This playbook will read the vars_hosts.yml file containing your host objects and their properties.  The "host_objects" list will be used by the Check Point "mgmt" collection "cp_mgmt_host" module.  I used it in a loop to iterate through each list item and add, or edit, a host object with the given properties.  I used the "default(omit)" filter many times so that if those properties aren't present, those will be removed when the Ansible module is used.  This lets you have missing values, but prevent the playbook from failing.

At the end, I use the Publish module to save changes to the management server database.  I also added a call to the "install policy" module.  I used a  "when" condition so that you can disable this module with a variable at the top.  There's a variable named "install_policy" and I wrote it to be 'true', but you can change it to 'false', and this will skip the policy installation at the end.   You can review the changes in SmartConsole first, if you'd like, before automatically installing the policy.

If you used JSON, instead, that's ok so long as your host_objects list has the same properties:

{
  "host_objects": [
    {
      "name": "Host1",
      "ipv4_address": "192.0.2.1",
      "color": "orange",
      "comments": "This is the Host1 object",
      "groups": [
        "group1",
        "group2"
      ]
    },
    {
      "name": "Host2",
      "ipv4_address": "192.0.2.2",
      "color": "forest green",
      "comments": "This is another object",
      "groups": [
        "group2",
        "group3"
      ]
    }
  ]
}

In this example, both the YAML and the JSON format are the exact same, just in different syntax.  Ansible can read both without issue.

If your data source is some other format, such as CSV... ouch.  Again, you can force CSV to work, but it's not pretty.  Many people do it, so it's not always "wrong", but it certainly is not "best".  You will have to do extra work somewhere to get it into some format you can use easily with Ansible.

I hope this helps get you closer to your goal!

FYI: I don't advocate this and I think this is a very poor option, but if you REALLY needed it, you can do this, but it depends strongly on how your CSV header row is defined.  This assumes an Excel-exported CSV where each field is properly quoted.  If you have a field that contains its own comma-separated list of values, you can use that as a list of groups for an object.  Example CSV:

Name,IPv4,Color,Groups
"host1","192.0.2.10","green","group1,group2,group2"
"host2","192.0.2.11","green","group3"
"host3","192.0.2.12","blue"

These tasks will read the CSV and use the Groups field as a group list:

    - name: Read and parse an Excel-exported CSV
      set_fact:
        host_objects: "{{ lookup('ansible.builtin.file', 'host_objects.csv')  | community.general.from_csv(dialect='excel') }}"

    - name: Print parsed objects list
      debug:
        msg:
          name: "{{ item.Name }}"
          ipv4_address: "{{ item.IPv4 |default(omit) }}"
          color: "{{ item.Color |default(omit) }}"
          groups: "{% if item.Groups %} {{ item.Groups |split(',') }} {% else %}{{ omit }}{% endif %}"
      loop: "{{ host_objects |default([]) }}"
      loop_control:
        label: "{{ item.Name }}"

The output would be:

TASK [Read and parse an Excel-exported CSV] *******************************************
ok: [localhost]

TASK [Print parsed objects list] *******************************************
ok: [localhost] => (item=host1) => {
    "msg": {
        "color": "green",
        "groups": " ['group1', 'group2', 'group2'] ",
        "ipv4_address": "192.0.2.10",
        "name": "host1"
    }
}
ok: [localhost] => (item=host2) => {
    "msg": {
        "color": "green",
        "groups": " ['group3'] ",
        "ipv4_address": "192.0.2.11",
        "name": "host2"
    }
}
ok: [localhost] => (item=host3) => {
    "msg": {
        "color": "blue",
        "ipv4_address": "192.0.2.12",
        "name": "host3"
    }
}

So instead of the debug, you can replace that with the check_point.mgmt.cp_mgmt_host module instead.  You'll need to take extra care that you use the dictionary keys that match the CSV header row.   If the header row were to ever change, then you need to change this in every task in your playbook, which is not ideal at all.

I wouldn't do this, and I don't recommend it, but there ya go.

@Matlu 

Hey brother, just an idea. Can you maybe try install below extension by Heiko Ankenbrand and see if it helps?

https://community.checkpoint.com/t5/SmartConsole-Extensions/SmartConsole-Extension-Easy-deletion-of-...

Thats way more important than youtube, come on lol

Let me know when ready, will check them out!