This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
boneyard
Contributor
‎2023-03-27 08:55 AM
Jump to solution

Working with NAT rules

Anyone found a way around the issues I encounter with trying to create the NAT policy?

 

### Name

I'm unable to set the name of a NAT rule. This is possible manually in Smart Console.

 

### Position

I'm unable to get rules above the Automatic Generated Rules. This is possible in Smart Console.

I can't use position 1 or 2 because those are for default rules. Can't use 0 as error states must be great equal 1. So when I create the rule on position 3 it is below the others. I really miss an insert above / below position X kinda option. Or a move rule option. That goes for access policies also.

Possibly with check_point.mgmt.cp_mgmt_set_nat_rule and new position option, but zero documentation on if at all and if so how. The fact i have to do it according to the document by "Edit existing object using object name or uid." and the example not showing either doesn't give me a warm feeling ...

 

### Multiple modules

I can't use state present / absent as with a regular access policy and many other Ansible modules. So have to use cp_mgmt_add_nat_rule AND cp_mgmt_delete_nat_rule, why this difference?

0 Kudos
1 Solution

Accepted Solutions
Jim_Oqvist
Employee
Employee
‎2023-03-27 10:49 AM
Jump to solution

Hi,

Starting from R81 API version 1.7 and later we started supporting to use name in the NAT rule which enables you to create a idempotent module for our ansible collection to add, change and delete NAT rules. 

This module has been developed by R&D and is going to be added to Galaxy repository in the next version we release of the collection.

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/plugins/modules/cp_mgmt_...

The new module allows you to use relative position such as "top" and "bottom" to overcome the challenges of creating a rule above or below the automatic generated NAT rules in a situation when there is no manual NAT rule already in place in that location.

If you want to find an example on how to use it you can find that here:
(this example uses the relative position "top" to be able to create the first rule in a new NAT rule base above the automatic NAT rule)

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-po...

Please note as described in the module the management server needs to have a JHF that addresses PMTR-88097

https://support.checkpoint.com/search#q=PMTR-88097 

View solution in original post

4 Replies
the_rock
MVP Platinum
MVP Platinum
‎2023-03-27 09:34 AM
Jump to solution

Hi there,

Not sure I understand your poitns 1 and 2. Name can be configured, as well as position.

Andy

Best,
Andy
0 Kudos
boneyard
Contributor
‎2023-03-27 10:56 AM
In response to the_rock
Jump to solution

If I use name: "name" in my Ansible playbook I get an error stating name isnt valid option for a NAT rule.

  • "msg": "Unsupported parameters for (cp_mgmt_add_nat_rule) module: name. Supported parameters include: ignore_errors, translated_destination, translated_source, original_destination, ignore_warnings, package, wait_for_task_timeout, install_on, version, comments, enabled, original_source, translated_service, original_service, details_level, wait_for_task, position, method."}

 

Position isn't really position it seems, just a value which must be unique. So if I have

1 - first NAT rule

2 - second NAT rule

3 - third NAT rule

 

I can only use position 4 (which will put it below 3), if I use any of the other positions I get an error. That is my experience at least.

 

Oh 81.10 BTW, forgot to add that.

the_rock
MVP Platinum
MVP Platinum
‎2023-03-27 11:01 AM
In response to boneyard
Jump to solution

Ok, disregard what I said then, I thought you were strictly referring to smart console.

Andy

Best,
Andy
0 Kudos
Jim_Oqvist
Employee
Employee
‎2023-03-27 10:49 AM
Jump to solution

Hi,

Starting from R81 API version 1.7 and later we started supporting to use name in the NAT rule which enables you to create a idempotent module for our ansible collection to add, change and delete NAT rules. 

This module has been developed by R&D and is going to be added to Galaxy repository in the next version we release of the collection.

https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/plugins/modules/cp_mgmt_...

The new module allows you to use relative position such as "top" and "bottom" to overcome the challenges of creating a rule above or below the automatic generated NAT rules in a situation when there is no manual NAT rule already in place in that location.

If you want to find an example on how to use it you can find that here:
(this example uses the relative position "top" to be able to create the first rule in a new NAT rule base above the automatic NAT rule)

https://github.com/checkpointsw-devsec/enterprise-automation-poc/blob/main/ansible/roles/chkp-nat-po...

Please note as described in the module the management server needs to have a JHF that addresses PMTR-88097

https://support.checkpoint.com/search#q=PMTR-88097 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events