Govind135438
Contributor

Timeout while installing policy using Ansible

Problem: Unable to execute Ansible task for installing security policy. Getting timeout.

 

The code below works until publish, and I can see the policy in SmartConsole. However, the last step, installing the policy on the gateways, is failing.

The code is tested using a VM running Check Point R82 with both mgmt and gateway running with a trial license.

 

 

- name: Create Security Play
  hosts: check_point_mgmt
  connection: httpapi
  gather_facts: no
  vars: 
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_command_timeout: 180

  tasks:
    - name: Check Point vars
      ansible.builtin.include_vars:
        file: global_vars/check_point_vars.yml

    # 1) Create a section for this zone (near the top of the layer)
    - name: Ensure policy section exists for the zone
      check_point.mgmt.cp_mgmt_access_section:
        layer: "{{ g_access_layer | default('Network') }}"
        name: "{{ pb_security_zone_name }} Section"
        position: top
        state: present
        wait_for_task: true
        wait_for_task_timeout: "{{ g_wait_for_task_timeout | default(600) }}"
      register: reg_zone_section

    # 2) Add a default deny-all rule at the TOP of that section
    - name: Add default deny-all rule in the zone section
      check_point.mgmt.cp_mgmt_access_rule:
        layer: "{{ g_access_layer | default('Network') }}"
        name: "Deny All - {{ pb_security_zone_name }}"
        action: "Drop"
        source: ["Any"]
        destination: ["Any"]
        service: ["Any"]
        track:
          type: "Log"            # <-- dict, not a string
        enabled: true
        # Place the rule INSIDE the section, at the top:
        relative_position:
          top: "{{ pb_security_zone_name }} Section"
        search_entire_rulebase: true
        state: present
        wait_for_task: true
        wait_for_task_timeout: "{{ g_wait_for_task_timeout | default(600) }}"
      register: reg_zone_deny_rule

    # 3) Publish
    - name: Publish policy changes
      check_point.mgmt.cp_mgmt_publish:
        wait_for_task: true
        wait_for_task_timeout: "{{ g_wait_for_task_timeout | default(600) }}"

    # 4) Install policy on the target gateway
    - name: Install policy on gateway
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: "{{ g_policy_package | default('standard') }}"
        targets:
          - "{{ g_site_gateway_mapping[pb_site] }}"
        wait_for_task: true
        wait_for_task_timeout: "{{ g_wait_for_task_timeout | default(60) }}"

 

Error:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: TypeError: string indices must be integers
fatal: [10.25.58.51]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/avireddi/.ansible/tmp/ansible-local-9305292rr7xdd/ansible-tmp-1776420120.9631252-93492-187597626660727/AnsiballZ_cp_mgmt_install_policy.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/avireddi/.ansible/tmp/ansible-local-9305292rr7xdd/ansible-tmp-1776420120.9631252-93492-187597626660727/AnsiballZ_cp_mgmt_install_policy.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/avireddi/.ansible/tmp/ansible-local-9305292rr7xdd/ansible-tmp-1776420120.9631252-93492-187597626660727/AnsiballZ_cp_mgmt_install_policy.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_install_policy', init_globals=dict(_module_fqn='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_install_policy', _modlib_path=modlib_path),\n  File \"/usr/lib/python3.10/runpy.py\", line 224, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.10/runpy.py\", line 96, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_check_point.mgmt.cp_mgmt_install_policy_payload_m5l067ne/ansible_check_point.mgmt.cp_mgmt_install_policy_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_install_policy.py\", line 138, in <module>\n  File \"/tmp/ansible_check_point.mgmt.cp_mgmt_install_policy_payload_m5l067ne/ansible_check_point.mgmt.cp_mgmt_install_policy_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_install_policy.py\", line 133, in main\n  File 
\"/tmp/ansible_check_point.mgmt.cp_mgmt_install_policy_payload_m5l067ne/ansible_check_point.mgmt.cp_mgmt_install_policy_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\", line 551, in api_command\n  File \"/tmp/ansible_check_point.mgmt.cp_mgmt_install_policy_payload_m5l067ne/ansible_check_point.mgmt.cp_mgmt_install_policy_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\", line 353, in wait_for_task\nTypeError: string indices must be integers\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

Please help.

2 Replies
Vincent_Bacher
MVP Silver

This error

TypeError: string indices must be integers

shows that Ansible / the script receives a string but expects an integer. So it's not an issue of the Check Point device.

Not familiar with Ansible, as I usually write my own Python scripts to access the API.
Maybe there is a debug option in Ansible to show the raw JSON response when performing the steps?
Maybe you could set wait_for_response to false.

and now to something completely different - CCVS, CCAS, CCTE, CCCS, CCSM elite
Govind135438
Contributor

Thank you for your reply. 

We found the issue was caused by the policy we were trying to create. The example code was dropping connections from "Any" to "Any", which blocked SSH and HTTPS connectivity to the Check Point server.

We fixed the issue by changing the source to the new security zone we created.  
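The lockout resolved in this thread can be caught before `install-policy` runs. The following is an added example, not code from either poster or from the Check Point collection: a simplified top-down, first-match check that flags management flows which a rulebase would drop. All object names, addresses and the zone-to-CIDR mapping are constructed assumptions, and implied rules are not modelled.

```python
"""Pre-install check: would the rulebase drop the automation host's own
management sessions? All names and addresses below are constructed."""
from ipaddress import ip_address, ip_network

ANY = "Any"

def _net_match(field, addr, objects):
    # A rule field is a list of object names; "Any" matches everything.
    return any(n == ANY or ip_address(addr) in ip_network(objects[n]) for n in field)

def _svc_match(field, port, services):
    return any(n == ANY or services[n] == port for n in field)

def first_match(rules, flow, objects, services):
    """Return the first enabled rule matching the flow (top-down, first match wins)."""
    src, dst, port = flow
    for rule in rules:
        if (rule.get("enabled", True)
                and _net_match(rule["source"], src, objects)
                and _net_match(rule["destination"], dst, objects)
                and _svc_match(rule["service"], port, services)):
            return rule
    return None

def lockout_flows(rules, mgmt_flows, objects, services):
    """List management flows whose first matching rule is not Accept."""
    bad = []
    for flow in mgmt_flows:
        rule = first_match(rules, flow, objects, services)
        if rule is None or rule["action"] != "Accept":
            bad.append((flow, rule["name"] if rule else "no matching rule"))
    return bad

# Constructed sample data (not from the thread); the zone is modelled as a CIDR.
OBJECTS = {"zone_dmz": "192.0.2.0/24", "ansible_host": "198.51.100.10/32", "mgmt": "198.51.100.51/32"}
SERVICES = {"https": 443, "ssh": 22}
MGMT_FLOWS = [("198.51.100.10", "198.51.100.51", 443), ("198.51.100.10", "198.51.100.51", 22)]
ALLOW_MGMT = {"name": "Allow mgmt", "action": "Accept", "source": ["ansible_host"],
              "destination": ["mgmt"], "service": ["https", "ssh"]}

def deny_rule(source):
    return {"name": "Deny All - zone_dmz", "action": "Drop", "source": source,
            "destination": [ANY], "service": [ANY]}

BEFORE = [deny_rule([ANY]), ALLOW_MGMT]        # rule as posted: Any -> Any at the top
AFTER = [deny_rule(["zone_dmz"]), ALLOW_MGMT]  # fix from the thread: source = the zone

if __name__ == "__main__":
    print("before:", lockout_flows(BEFORE, MGMT_FLOWS, OBJECTS, SERVICES))
    print("after: ", lockout_flows(AFTER, MGMT_FLOWS, OBJECTS, SERVICES))
```

Run against an exported rulebase ahead of the install task, a non-empty result is a reason to stop the play before the API session to the management server is cut.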
