This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
nhfoste
Explorer
‎2022-06-01 01:08 PM

ansible_checkpoint_domain does not change while looping through domains

Hello,

I'm using cp_mgmt_install_policy in the Check_Point.Mgmt collection to install policy to a specified list of domains in our MDS environment. 

I've tried specifying ansible_checkpoint_domain in both the inventory file and also within the playbook.

Both solutions work fine on the first domain, but the httpapi session does not honor the updated ansible_checkpoint_domain variable and repeatedly installs policy on the first domain with each loop iteration.

Is there a work around for this?

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2022-06-02 09:18 PM

What is your precise playbook?
Keep in mind that each domain requires a separate login/session to execute commands on it.
If your playbook isn’t built with that in mind, then it will probably fail.

0 Kudos
nhfoste
Explorer
‎2022-06-03 07:55 AM
In response to PhoneBoy

Essentially, the main task is:

- name: Set domain
  set_fact:
  domain_names: ["CMA1", "CMA2", "CMA3"]

- include_tasks: ./single_install.yml
  loop: "{{ domain_names }}"
 
And single_install.yml is:
 
- name: verify policy
  cp_mgmt_verify_policy:
    policy_package: standard
 
  vars:
    ansible_checkpoint_domain: {{ item }}
 
It doesn't fail, it just runs on the first domain only, and I do see it log in/out of the same domain for each iteration.
 
Also, I've tried using a list of hosts in the inventory:
[cmas]
cma1 ansible_host=p1lab.corp.com ansible_checkpoint_domain=cma1
cma2 ansible_host=p1lab.corp.com ansible_checkpoint_domain=cma2
cma3 ansible_host=p1lab.corp.com ansible_checkpoint_domain=cma3
 
With the same result, it only runs on the first domain, but 3 times...
 
 
 
 
 
 
 
 
 
0 Kudos
PhoneBoy
Admin
Admin
‎2022-06-03 09:34 AM
In response to nhfoste

I don't see anything in your playbook that says you are logging into each domain before you execute the relevant task(s) on that domain.
I'll admit, I'm not familiar with how to do that in Ansible, but this is how it works with the API.

0 Kudos
nhfoste
Explorer
‎2022-06-03 09:52 AM
In response to PhoneBoy

That's the beauty of the collection IMO, login/logout etc is handled by one task that calls the module.

Automate your management server using "Ansible" (checkpoint.com)

The problem though is once the httpapi session is built it doesn't seem possible to modify the ansible_checkpoint_domain setting to switch between domains.

 

 

 

0 Kudos
nhfoste
Explorer
‎2022-06-15 12:01 PM
In response to nhfoste

As an update, The key to cycling through domains using the inventory is to specify 'serial=1' before beginning the httpapi session.

But doesn't it resolve the issue when trying to loop through an array of domains within the playbook.

 

 

 

 

0 Kudos
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top