Setting Check Point Gaia password policy through Ansible || getting error

This is my code

 

ansible.cfg

[defaults]
inventory = /etc/ansible/checkpoint/hosts
deprecation_warnings = False
host_key_checking=false
retry_files_enabled=false
interpreter_python=/usr/bin/python3
log_path = /etc/ansible/checkpoint/ansible.log
[ssh_connection]
scp_if_ssh=True
========

Host File

[mgmt]
192.168.17.82

[mgmt:vars]
ansible_httpapi_validate_certs=False
ansible_httpapi_use_ssl=True
ansible_user=admin
ansible_password=admin1234
ansible_network_os=check_point.gaia.checkpoint
ansible_httpapi_base_url=/gaia_api/v1.9
 
====
Code
- name : Hardening command
  hosts: mgmt
  connection : httpapi
  gather_facts: no


  tasks:
    - name: Change password policy
      check_point.gaia.cp_gaia_password_policy:
        password_strength:
           minimum_length: 12
           complexity: 3
           palindrome_check_enabled: true

        password_history:
          check_history_enabled: true
          repeated_history_length: 5

        lock_settings:
          must_one_time_password_enabled: true

          password_expiration_days: 90
          password_expiration_warning_days: 7
          password_expiration_maximum_days_before_lock: 10

          inactivity_settings:
            lock_unused_accounts_enabled: true
            inactivity_threshold_days: 365

          failed_attempts_settings:
            failed_lock_enabled: true
            failed_lock_enforced_on_admin: true
            failed_attempts_allowed: 5
            failed_lock_duration_seconds: 600
   
Errors

kiran@DESKTOP-LBRMDFD:/etc/ansible/checkpoint$ ansible-playbook hardening.yml -vvvv
ansible-playbook [core 2.17.14]
config file = /etc/ansible/checkpoint/ansible.cfg
configured module search path = ['/home/kiran/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/kiran/.local/lib/python3.10/site-packages/ansible
ansible collection location = /home/kiran/.ansible/collections:/usr/share/ansible/collections
executable location = /home/kiran/.local/bin/ansible-playbook
python version = 3.10.12 (main, Nov 20 2023, 15:14:05) [GCC 11.4.0] (/usr/bin/python3)
jinja version = 3.1.3
libyaml = True
Using /etc/ansible/checkpoint/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from
host_list declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/checkpoint/hosts inventory source with ini plugin
Loading collection check_point.gaia from /home/kiran/.ansible/collections/ansible_collections/check_point/gaia
Loading callback plugin default of type stdout, v2.0 from /home/kiran/.local/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: hardening.yml *********************************************************************************************************************************************************************
Positional arguments: hardening.yml
verbosity: 4
connection: ssh
become_method: sudo
tags: ('all',)
inventory: ('/etc/ansible/checkpoint/hosts',)
forks: 5
1 plays in hardening.yml

PLAY [Hardening command] ********************************************************************************************************************************************************************

TASK [Change password policy] ***************************************************************************************************************************************************************
task path: /etc/ansible/checkpoint/hardening.yml:8
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.netcommon from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/utils
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
[WARNING]: No inventory was parsed, only implicit localhost is available
<192.168.17.82> attempting to start connection
<192.168.17.82> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /home/kiran/.local/bin/ansible-connection
<192.168.17.82> local domain socket does not exist, starting it
<192.168.17.82> control socket path is /home/kiran/.ansible/pc/c9bd22817c
<192.168.17.82> Loading collection ansible.builtin from
<192.168.17.82> redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<192.168.17.82> Loading collection ansible.netcommon from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/netcommon
<192.168.17.82> Loading collection ansible.utils from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/utils
<192.168.17.82> Loading collection check_point.gaia from /home/kiran/.ansible/collections/ansible_collections/check_point/gaia
<192.168.17.82> setting up inventory plugins
<192.168.17.82> host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> local domain socket listeners started successfully
<192.168.17.82> loaded API plugin ansible_collections.check_point.gaia.plugins.httpapi.checkpoint from path /home/kiran/.ansible/collections/ansible_collections/check_point/gaia/plugins/httpapi/checkpoint.py for platform type check_point.gaia.checkpoint
<192.168.17.82> Loading collection ansible.builtin from
<192.168.17.82> local domain socket path is /home/kiran/.ansible/pc/c9bd22817c
<192.168.17.82> ESTABLISH LOCAL CONNECTION FOR USER: kiran
<192.168.17.82> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0 `"&& mkdir "` echo /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304 `" && echo ansible-tmp-1772278842.9638596-312655-165213546880304="` echo /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304 `" ) && sleep 0'
Using module file /home/kiran/.ansible/collections/ansible_collections/check_point/gaia/plugins/modules/cp_gaia_password_policy.py
<192.168.17.82> PUT /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/tmph_06ghsq TO /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304/AnsiballZ_cp_gaia_password_policy.py
<192.168.17.82> EXEC /bin/sh -c 'chmod u+rwx /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304/ /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304/AnsiballZ_cp_gaia_password_policy.py && sleep 0'
<192.168.17.82> EXEC /bin/sh -c '/usr/bin/python3 /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304/AnsiballZ_cp_gaia_password_policy.py && sleep 0'
<192.168.17.82> EXEC /bin/sh -c 'rm -f -r /home/kiran/.ansible/tmp/ansible-local-312649hld3z1u0/ansible-tmp-1772278842.9638596-312655-165213546880304/ > /dev/null 2>&1 && sleep 0'
fatal: [192.168.17.82]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"lock_settings": {
"failed_attempts_settings": {
"failed_attempts_allowed": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"failed_lock_duration_seconds": 600,
"failed_lock_enabled": true,
"failed_lock_enforced_on_admin": true
},
"inactivity_settings": {
"inactivity_threshold_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"lock_unused_accounts_enabled": true
},
"must_one_time_password_enabled": true,
"password_expiration_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"password_expiration_maximum_days_before_lock": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"password_expiration_warning_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
},
"password_history": {
"check_history_enabled": true,
"repeated_history_length": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
},
"password_strength": {
"complexity": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"minimum_length": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"palindrome_check_enabled": true
},
"version": null,
"virtual_system_id": null
}
},
"msg": "Checkpoint device returned error ********00 with message {'code': 'generic_error', 'errors': 'not well-formed (invalid token): line ********4, column 29', 'msg': 'General Exception'}"
}

PLAY RECAP **********************************************************************************************************************************************************************************
192.168.17.82 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0


Accepted Solutions
Duane_Toler
MVP Silver

Oh, I see your error for real now.  It's your "connection" line.  You have a space after "connection" and before the colon:

  connection : httpapi

 
Remove the extra space and that will fix it.  Another thing to note: Be careful after running this task.  If you have any existing users created, they will be subject to this policy immediately, including the 'admin' user.  If you have any other tasks to run in this playbook, they may fail because you are enforcing this policy on the 'admin' user as well:

            failed_lock_enforced_on_admin: true

 Be sure you understand the effects this policy will have.  If you lock out your user, then you will need to SSH to the host (or login via Gaia Portal) and you'll be prompted to change the password immediately.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack


6 Replies
Duane_Toler
MVP Silver

The problem is your `password_strength:` parameters.  The three keys are indented 1 character too far (3, instead of 2).  

 

    - name: Change password policy
      check_point.gaia.cp_gaia_password_policy:
        password_strength:
           minimum_length: 12
           complexity: 3
           palindrome_check_enabled: true

 

Instead, it should be:

    - name: Change password policy
      check_point.gaia.cp_gaia_password_policy:
        password_strength:
          minimum_length: 12
          complexity: 3
          palindrome_check_enabled: true

Bring those lines in by one space.  You also shouldn't have an extra line between the parameter sections; bring them all together as one section.


In your inventory file, you don't need the `ansible_httpapi_base_url` parameter, either.  If you want to execute the module with a different API version (often for testing, or for version compatibility issues), then use the `version:` parameter on the module.  You can use any prior API version you'd like, but be aware that prior versions have fewer parameters and capabilities, so you'll need to adjust as needed for that API version.

Let us know if you need more help!

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
Kirankatariya
Explorer

Still I am getting the same error.

 

---
- name : Playbook Hardening
  hosts: mgmt
  connection : httpapi
  gather_facts : False

  tasks:
    - name: Change password policy
      check_point.gaia.cp_gaia_password_policy:
        password_strength:
          minimum_length: 12
          complexity: 3
          palindrome_check_enabled: true
        password_history:
          check_history_enabled: true
          repeated_history_length: 5
        lock_settings:
          must_one_time_password_enabled: true
          password_expiration_days: 90
          password_expiration_warning_days: 7
          password_expiration_maximum_days_before_lock: 10
          inactivity_settings:
            lock_unused_accounts_enabled: true
            inactivity_threshold_days: 365
          failed_attempts_settings:
            failed_lock_enabled: true
            failed_lock_enforced_on_admin: true
            failed_attempts_allowed: 5
            failed_lock_duration_seconds: 600
 
   
Kirankatariya
Explorer

kiran@DESKTOP-LBRMDFD:/etc/ansible/checkpoint$ ansible-playbook --check hardening.yml -vvvv
ansible-playbook [core 2.17.14]
config file = /etc/ansible/checkpoint/ansible.cfg
configured module search path = ['/home/kiran/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/kiran/.local/lib/python3.10/site-packages/ansible
ansible collection location = /home/kiran/.ansible/collections:/usr/share/ansible/collections
executable location = /home/kiran/.local/bin/ansible-playbook
python version = 3.10.12 (main, Jan 26 2026, 14:55:28) [GCC 11.4.0] (/usr/bin/python3)
jinja version = 3.1.3
libyaml = True
Using /etc/ansible/checkpoint/ansible.cfg as config file
setting up inventory plugins
Loading collection ansible.builtin from
host_list declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
script declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/checkpoint/hosts as it did not pass its verify_file() method
Parsed /etc/ansible/checkpoint/hosts inventory source with ini plugin
Loading collection check_point.gaia from /home/kiran/.ansible/collections/ansible_collections/check_point/gaia
Loading callback plugin default of type stdout, v2.0 from /home/kiran/.local/lib/python3.10/site-packages/ansible/plugins/callback/default.py
Skipping callback 'default', as we already have a stdout callback.
Skipping callback 'minimal', as we already have a stdout callback.
Skipping callback 'oneline', as we already have a stdout callback.

PLAYBOOK: hardening.yml ***********************************************************************************************************************************
Positional arguments: hardening.yml
verbosity: 4
connection: ssh
become_method: sudo
tags: ('all',)
check: True
inventory: ('/etc/ansible/checkpoint/hosts',)
forks: 5
1 plays in hardening.yml

PLAY [Playbook Hardening] *********************************************************************************************************************************

TASK [Change password policy] *****************************************************************************************************************************
task path: /etc/ansible/checkpoint/hardening.yml:8
redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
Loading collection ansible.netcommon from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/netcommon
Loading collection ansible.utils from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/utils
setting up inventory plugins
host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
Skipping due to inventory source not existing or not being readable by the current user
toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
[WARNING]: No inventory was parsed, only implicit localhost is available
<192.168.17.82> attempting to start connection
<192.168.17.82> using connection plugin ansible.netcommon.httpapi
Found ansible-connection at path /home/kiran/.local/bin/ansible-connection
<192.168.17.82> local domain socket does not exist, starting it
<192.168.17.82> control socket path is /home/kiran/.ansible/pc/072ccabe0a
<192.168.17.82> Loading collection ansible.builtin from
<192.168.17.82> redirecting (type: connection) ansible.builtin.httpapi to ansible.netcommon.httpapi
<192.168.17.82> Loading collection ansible.netcommon from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/netcommon
<192.168.17.82> Loading collection ansible.utils from /home/kiran/.local/lib/python3.10/site-packages/ansible_collections/ansible/utils
<192.168.17.82> Loading collection check_point.gaia from /home/kiran/.ansible/collections/ansible_collections/check_point/gaia
<192.168.17.82> setting up inventory plugins
<192.168.17.82> host_list declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> script declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> auto declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> yaml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> ini declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> Skipping due to inventory source not existing or not being readable by the current user
<192.168.17.82> toml declined parsing /etc/ansible/hosts as it did not pass its verify_file() method
<192.168.17.82> local domain socket listeners started successfully
<192.168.17.82> loaded API plugin ansible_collections.check_point.gaia.plugins.httpapi.checkpoint from path /home/kiran/.ansible/collections/ansible_collections/check_point/gaia/plugins/httpapi/checkpoint.py for platform type check_point.gaia.checkpoint
<192.168.17.82> Loading collection ansible.builtin from
<192.168.17.82> local domain socket path is /home/kiran/.ansible/pc/072ccabe0a
<192.168.17.82> ESTABLISH LOCAL CONNECTION FOR USER: kiran
<192.168.17.82> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x `"&& mkdir "` echo /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767 `" && echo ansible-tmp-1772385020.2378345-356415-34115409735767="` echo /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767 `" ) && sleep 0'
Using module file /home/kiran/.ansible/collections/ansible_collections/check_point/gaia/plugins/modules/cp_gaia_password_policy.py
<192.168.17.82> PUT /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/tmpm49al_zn TO /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767/AnsiballZ_cp_gaia_password_policy.py
<192.168.17.82> EXEC /bin/sh -c 'chmod u+rwx /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767/ /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767/AnsiballZ_cp_gaia_password_policy.py && sleep 0'
<192.168.17.82> EXEC /bin/sh -c '/usr/bin/python3 /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767/AnsiballZ_cp_gaia_password_policy.py && sleep 0'
<192.168.17.82> EXEC /bin/sh -c 'rm -f -r /home/kiran/.ansible/tmp/ansible-local-356412n_fgbn4x/ansible-tmp-1772385020.2378345-356415-34115409735767/ > /dev/null 2>&1 && sleep 0'
fatal: [192.168.17.82]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"lock_settings": {
"failed_attempts_settings": {
"failed_attempts_allowed": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"failed_lock_duration_seconds": 600,
"failed_lock_enabled": true,
"failed_lock_enforced_on_admin": true
},
"inactivity_settings": {
"inactivity_threshold_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"lock_unused_accounts_enabled": true
},
"must_one_time_password_enabled": true,
"password_expiration_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"password_expiration_maximum_days_before_lock": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"password_expiration_warning_days": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
},
"password_history": {
"check_history_enabled": true,
"repeated_history_length": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER"
},
"password_strength": {
"complexity": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"minimum_length": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
"palindrome_check_enabled": true
},
"version": null,
"virtual_system_id": null
}
},
"msg": "Checkpoint device returned error ********00 with message {'code': 'generic_error', 'errors': 'not well-formed (invalid token): line ********4, column 29', 'msg': 'General Exception'}"
}

PLAY RECAP ************************************************************************************************************************************************
192.168.17.82 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

kiran@DESKTOP-LBRMDFD:/etc/ansible/checkpoint$

Kirankatariya
Explorer

@Duane_Toler 

I corrected the same; still I am getting the error.

Can you try running the code in your lab and help me with the resolution?

 

- name: Playbook Hardening
  hosts: mgmt
  connection: httpapi
  gather_facts: false

  tasks:
    - name: Change password policy
      check_point.gaia.cp_gaia_password_policy:
        lock_settings:
          must_one_time_password_enabled: true
          password_expiration_days: 90
          password_expiration_warning_days: 7
          password_expiration_maximum_days_before_lock: 10
          inactivity_settings:
            lock_unused_accounts_enabled: true
            inactivity_threshold_days: 365
          failed_attempts_settings:
            failed_lock_enabled: true
            failed_attempts_allowed: 5
            failed_lock_duration_seconds: 600
        password_history:
          check_history_enabled: true
          repeated_history_length: 5
        password_strength:
          minimum_length: 12
          complexity: 3
          palindrome_check_enabled: true
 
   

kiran@DESKTOP-LBRMDFD:/etc/ansible/checkpoint$ ansible-playbook hardening.yml

PLAY [Playbook Hardening] *************************************************************************************************************************************************

TASK [Change password policy] *********************************************************************************************************************************************
[WARNING]: No inventory was parsed, only implicit localhost is available
fatal: [192.168.17.82]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error ********00 with message {'code': 'generic_error', 'errors': 'not well-formed (invalid token): line ********4, column 29', 'msg': 'General Exception'}"}

PLAY RECAP ****************************************************************************************************************************************************************
192.168.17.82 : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0

kiran@DESKTOP-LBRMDFD:/etc/ansible/checkpoint$

Duane_Toler
MVP Silver

In your output with the failure message, are you obscuring any of that text with the "****" characters?  That shouldn't be sensitive information, but if you think it is, you can send me a private message with the extra details.  The error line still says line 4 column 29, but your line 4 does not have that many characters.  Is this the only play in your playbook?

I ran yamllint and ansible-lint on your example, and the formatting now passes cleanly with no errors.  You must have something else configured that is not shown here.  Feel free to send more details in the private message if you think that's necessary.

As requested, I did run your playbook against a lab host using my Docker collection.  I used your Ansible version (2.17) with Python 3.11 (I don't have an image built for 3.10, but I can make one if necessary).  I used the Check Point Gaia module collection version 6.0.0, but I can use several other versions. The playbook ran successfully.

 

[Screenshot: Screenshot 2026-03-09 at 2.30.37 PM.png]

I obscured some irrelevant status info that my script emits, which isn't relevant for this exercise.  My script at the top runs against my Docker host, checks out a new git branch I named kiran/gaia-password-policy, runs the Docker image for ansible-2.17-python-3.11, loads the Ansible collection named check_point.gaia, and executes the playbook in the specified path and name, with the lab testing inventory hosts.

I also ran with the Check Point Gaia collection version 7.0.0 and it also ran successfully.

Your playbook (but I had to add my own authentication variables; you have these in your own inventory already):

[Screenshot: Screenshot 2026-03-09 at 2.50.38 PM.png]

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
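Two points in this thread are worth turning into something runnable: the accepted answer's caveat that the policy takes effect on the 'admin' account immediately and can fail the rest of the play, and the last reply's finding that the identical playbook runs cleanly in a lab, which means the 'not well-formed (invalid token)' message has to be isolated to either the Ansible side or the appliance. The Python script below is an added example written for this page; it is not code from the check_point.gaia collection or from either poster. It runs a pre-flight check over the policy exactly as posted and reports settings that can lock out or stall the account the playbook authenticates with, then rebuilds the request body the module would send and lets you replay it against the appliance with plain urllib, so you see the appliance's own response with Ansible out of the path. Assumptions not confirmed by the thread: that the module maps its underscore parameter names to the hyphenated Gaia API names and calls the set-password-policy command, that login is POST <base>/login returning a sid carried in the X-chkp-sid header, and that logout is POST <base>/logout. The names preflight, to_api_keys, build_request, GaiaSession and the GAIA_* environment variables are this example's own. Unlike the inventory posted above, it takes the password from the environment rather than a plaintext file and keeps TLS certificate verification on unless GAIA_INSECURE=1 is set explicitly.

```python
"""Pre-flight check and out-of-band replay of a cp_gaia_password_policy task.
Added example; not code from the check_point.gaia collection or from the thread.
ASSUMED, not confirmed by the thread: the module posts its parameters to the Gaia
API command set-password-policy with '_' in key names replaced by '-'; POST
<base>/login {"user","password"} returns {"sid"}, echoed back as X-chkp-sid."""
import json
import os
import ssl
import urllib.error
import urllib.request

# Constructed from the playbook posted in the thread (module parameter names).
POLICY = {
    "password_strength": {"minimum_length": 12, "complexity": 3, "palindrome_check_enabled": True},
    "password_history": {"check_history_enabled": True, "repeated_history_length": 5},
    "lock_settings": {
        "must_one_time_password_enabled": True,
        "password_expiration_days": 90,
        "password_expiration_warning_days": 7,
        "password_expiration_maximum_days_before_lock": 10,
        "inactivity_settings": {"lock_unused_accounts_enabled": True, "inactivity_threshold_days": 365},
        "failed_attempts_settings": {"failed_lock_enabled": True, "failed_lock_enforced_on_admin": True,
                                     "failed_attempts_allowed": 5, "failed_lock_duration_seconds": 600},
    },
}

def preflight(policy, automation_user="admin"):
    """Finding codes for settings that can bite the account running the playbook.
    The checks are this example's own judgement, not limits documented by Check Point."""
    findings = []
    lock = policy.get("lock_settings", {})
    fail = lock.get("failed_attempts_settings", {})
    exp, warn = lock.get("password_expiration_days"), lock.get("password_expiration_warning_days")
    if exp is not None and warn is not None and warn >= exp:
        findings.append("WARNING_WINDOW")         # warning would never precede expiry
    if fail.get("failed_lock_enabled"):
        if automation_user != "admin" or fail.get("failed_lock_enforced_on_admin"):
            findings.append("AUTOMATION_LOCKOUT")  # bad attempts by anyone can lock the automation user
        if not fail.get("failed_lock_enforced_on_admin"):
            findings.append("ADMIN_UNPROTECTED")   # admin stays open to online guessing
    if lock.get("must_one_time_password_enabled"):
        findings.append("FORCED_CHANGE")          # an interactive password change may be demanded
    return findings

def to_api_keys(obj):
    """Recursively rename snake_case keys to the hyphenated form (assumed API naming)."""
    if isinstance(obj, dict):
        return {k.replace("_", "-"): to_api_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [to_api_keys(v) for v in obj]
    return obj

def build_request(policy, base_url="/gaia_api/v1.9"):
    """(path, body) as they would go on the wire; base_url as in the thread's inventory."""
    return f"{base_url.rstrip('/')}/set-password-policy", to_api_keys(policy)

class GaiaSession:
    """Minimal Gaia REST client; TLS verification stays on unless explicitly disabled."""

    def __init__(self, host, base_url="/gaia_api/v1.9", verify_tls=True):
        self.prefix = f"https://{host}{base_url.rstrip('/')}"
        self.ctx = ssl.create_default_context()
        if not verify_tls:  # same effect as ansible_httpapi_validate_certs=False: MITM-able
            self.ctx.check_hostname = False
            self.ctx.verify_mode = ssl.CERT_NONE
        self.sid = None

    def call(self, command, payload):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        req = urllib.request.Request(f"{self.prefix}/{command}", method="POST",
                                     data=json.dumps(payload).encode(), headers=headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=30) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:  # keep the device's own error body, not a traceback
            status, raw = err.code, err.read()
        # JSON when the appliance sends JSON; otherwise the raw text so nothing is hidden
        return status, json.loads(raw) if raw.startswith(b"{") else raw.decode(errors="replace")

    def login(self, user, password):
        status, data = self.call("login", {"user": user, "password": password})
        if status != 200 or not isinstance(data, dict) or "sid" not in data:
            raise RuntimeError(f"login failed: {status} {data}")
        self.sid = data["sid"]

if __name__ == "__main__":
    print("preflight:", preflight(POLICY))
    path, body = build_request(POLICY)
    print("POST", path, json.dumps(body, indent=2))
    if os.environ.get("GAIA_HOST"):  # credentials from the environment, never from the inventory
        s = GaiaSession(os.environ["GAIA_HOST"], verify_tls=os.environ.get("GAIA_INSECURE") != "1")
        s.login(os.environ["GAIA_USER"], os.environ["GAIA_PASSWORD"])
        print(*s.call("set-password-policy", body))
        s.call("logout", {})  # assumed endpoint name
```

Run it with no environment variables to get only the pre-flight findings and the JSON body; set GAIA_HOST, GAIA_USER and GAIA_PASSWORD to actually send it. If the appliance answers this script with the same 'not well-formed' error, the problem is on the appliance side or in the values being sent, not in the playbook's YAML; if the call succeeds, compare the body with what Ansible shows at -vvvv. For the playbook itself the same reasoning applies: run the policy task last in the play, keep console or Gaia Portal access (or a second administrative account) as break-glass before enabling failed_lock_enforced_on_admin, and move ansible_password out of the plaintext inventory into an ansible-vault encrypted variable.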