Hi,
Goal: I am trying to Verify Access Control Policy using Ansible for a particular domain
I used the documentation https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_verify_policy_module.ht...
    - name: verify-policy
      cp_mgmt_verify_policy:
        policy_package: standard
I set
    - name: verify-policy
      cp_mgmt_verify_policy:
        policy_package: #the UID or String of the device
I got an error message when I ran my playbook
Playbook.yml
---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: #device name or UID added here
      #cp_mgmt_verify_policy: #policy_package: standard
my_var.yaml
ansible_httpapi_validate_certs: False
ansible_httpapi_use_ssl: True
ansible_network_os: check_point.mgmt.checkpoint
ansible_python_interpreter: /usr/bin/python3
login.yml
ansible_user: #checkpoint username
ansible_password: #checkpoint password
host inventory
[check_point]
#ip address of my checkpoint device
Error Message
$ ansible-playbook Playbook.yml
PLAY [check_point] **************************************************************************************
TASK [verify-policy]
fatal: [checkpoint]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found'} Unpublished changes were discarded"}
PLAY RECAP **********************************************************************************************
checkpoint : ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0
Am I doing anything wrong here? Is there anything I should be aware of?
policy_package:
I guess that it refers to the policy/security package that you are running the verification for.
dunno if it's case sensitive.
L.E.: just saw that you are doing it for a specific domain in an MDS env. Try and add at the end:
---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: policy-name
      vars:
        ansible_checkpoint_domain: "domain"
Hi,
I am very confused. In terms of policy/security package, can you give me an example?
Would I say
    policy_package: Access Control
Hi,
the name of the policy package that you are setting rules in and installing on the gateways.
You can see it in Security Policies (default name is Standard) or from the firewall with fw stat.
Technically, Access Control is an ordered layer, and policy package would be the name of the policy that you gave (I don't know, could be Standard, or companyname_policy or whatever you named it).
Andy
You said you are executing against the domain, so you are in an MDS environment. You have to provide the CMA/Domain/DMS name as in the MDS as well. See the README and search for ansible_checkpoint_domain: https://galaxy.ansible.com/check_point/mgmt
In short, you have to give the variable ansible_checkpoint_domain the CMA domain name as in the MDS at either the inventory level, the playbook, or the task level.
Inventory file for your host:
mds-cma-name ansible_host=192.168.1.111 ansible_checkpoint_domain=CMA1
That should be it.
Also, when you execute the playbook, add 1 verbosity level (-v) so that you can see more stdout than just "changed".
Furthermore, as this is just a verify and no changes are made, consider adding changed_when: false to the root level of the task.
---
- name: Verify Policy
  hosts: mds-cma1
  connection: httpapi
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "My_Policy"
      changed_when: false
Thanks, everyone. Everyone's contribution on here was a solution. It works!!!
Hi,
what if I have multiple domains with many policies in them? How do I write my inventories to contain those domains and policies?
Well, in the INI format you can list the hosts as if they are CMAs, with the variable ansible_checkpoint_domain:
[cmas]
cma1 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma1
cma2 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma2
cma3 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma3
I believe there is a bug in the login/discard/logout process of each httpapi plugin connection instantiation, because if in the playbook we call hosts: cmas or do a multi-host execution, we don't re-login but reuse the same session. That is a bug. So for now, if you want to loop over all hosts in the cmas host group, you will have to write a separate playbook and call it for each CMA, or you can still have the same playbook with the same host group cmas and limit the execution to one host in the group, like ansible-playbook ... --limit=cma2
Sorry, but this is the workaround for now.
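Added example, not code from the thread or from the check_point.mgmt collection: it shows what the two answers above describe at the Management API level, a login bound to one domain (the value ansible_checkpoint_domain carries), verify-policy called with a package name rather than a gateway, and one fresh login/logout per CMA instead of a reused session. The endpoint names and fields (login with "domain", the X-chkp-sid header, verify-policy with "policy-package", show-packages returning "packages", logout) are those of the Check Point Management API; everything else is an assumption: the FakeMds class is a constructed offline stand-in, the domain names cma1/cma2, the package names and the gateway name gw-fw-01 are made up, and a real run would replace FakeMds with a poster that wraps requests.post against the MDS.

```python
"""Per-domain verify-policy runs against a Check Point MDS, one API session per CMA."""
from __future__ import annotations

import uuid
from typing import Any, Callable, Dict, List, Optional, Tuple

# A poster takes (path, headers, json body) and returns (http status, json response).
# Real use: a function that calls requests.post(f"https://{mds}{path}", headers=..., json=...).
Poster = Callable[[str, Dict[str, str], Dict[str, Any]], Tuple[int, Dict[str, Any]]]


class ApiError(Exception):
    def __init__(self, status: int, body: Dict[str, Any]) -> None:
        super().__init__(f"HTTP {status}: {body}")
        self.status, self.body = status, body


class MgmtSession:
    """login -> commands -> logout, all bound to ONE domain (what ansible_checkpoint_domain selects)."""

    def __init__(self, post: Poster, user: str, password: str, domain: Optional[str] = None) -> None:
        self._post, self._user, self._password, self._domain = post, user, password, domain
        self._sid: Optional[str] = None

    def __enter__(self) -> "MgmtSession":
        body: Dict[str, Any] = {"user": self._user, "password": self._password}
        if self._domain is not None:  # without "domain" you land at MDS level, where CMA packages do not exist
            body["domain"] = self._domain
        status, resp = self._post("/web_api/login", {"Content-Type": "application/json"}, body)
        if status != 200:
            raise ApiError(status, resp)
        self._sid = resp["sid"]
        return self

    def __exit__(self, *exc: Any) -> None:
        self._post("/web_api/logout", self._headers(), {})  # always release the session, even on error
        self._sid = None

    def _headers(self) -> Dict[str, str]:
        return {"Content-Type": "application/json", "X-chkp-sid": self._sid or ""}

    def call(self, command: str, body: Optional[Dict[str, Any]] = None) -> Dict[str, Any]:
        status, resp = self._post(f"/web_api/{command}", self._headers(), body or {})
        if status != 200:
            raise ApiError(status, resp)
        return resp

    def package_names(self) -> List[str]:
        return [p["name"] for p in self.call("show-packages")["packages"]]

    def verify(self, package: str) -> Dict[str, Any]:
        # The module's policy_package maps to this field: a package name (or UID), never a gateway.
        return self.call("verify-policy", {"policy-package": package})


def verify_all(post: Poster, user: str, password: str,
               targets: Dict[str, List[str]]) -> Dict[str, Dict[str, str]]:
    """targets = {domain: [package, ...]}; returns {domain: {package: "ok" | reason}}.
    Each domain gets its own login/logout, the per-CMA behaviour the thread reaches with --limit."""
    results: Dict[str, Dict[str, str]] = {}
    for domain, packages in targets.items():
        results[domain] = {}
        with MgmtSession(post, user, password, domain) as s:
            known = set(s.package_names())  # pre-check: is the name really a package in this domain?
            for pkg in packages:
                if pkg not in known:
                    results[domain][pkg] = "not a policy package in this domain"
                    continue
                try:
                    s.verify(pkg)
                    results[domain][pkg] = "ok"
                except ApiError as e:
                    results[domain][pkg] = str(e.body.get("code", e.status))
    return results


class FakeMds:
    """Constructed offline stand-in for the MDS API; not the real server's behaviour beyond the 404 path."""

    def __init__(self, domains: Dict[str, List[str]]) -> None:
        self.domains = domains  # domain name -> package names that exist in that CMA
        self.sessions: Dict[str, str] = {}  # sid -> domain ("" = MDS level)
        self.calls: List[Tuple[str, Optional[str]]] = []  # (path, domain) audit trail

    def __call__(self, path: str, headers: Dict[str, str], body: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        if path == "/web_api/login":
            sid = uuid.uuid4().hex
            self.sessions[sid] = body.get("domain", "")
            self.calls.append((path, body.get("domain")))
            return 200, {"sid": sid}
        domain = self.sessions.get(headers.get("X-chkp-sid", ""))
        if domain is None:
            return 401, {"code": "fake_invalid_session"}  # fake-only code
        self.calls.append((path, domain))
        packages = self.domains.get(domain, [])
        if path == "/web_api/show-packages":
            return 200, {"packages": [{"name": n, "uid": f"uid-{n}"} for n in packages]}
        if path == "/web_api/verify-policy":
            if body.get("policy-package") in packages:
                return 200, {"task-id": uuid.uuid4().hex}
            return 404, {"code": "generic_err_object_not_found"}  # the 404 the original post hit
        if path == "/web_api/logout":
            self.sessions.pop(headers["X-chkp-sid"], None)
            return 200, {"message": "OK"}
        return 404, {"code": "fake_unknown_command"}  # fake-only code


def demo() -> Dict[str, Dict[str, str]]:
    mds = FakeMds({"cma1": ["Standard", "Branch_Policy"], "cma2": ["Standard"]})
    # "gw-fw-01" stands in for the gateway name/UID the original post put into policy_package.
    return verify_all(mds, "admin", "secret", {"cma1": ["Standard", "gw-fw-01"], "cma2": ["Standard"]})


if __name__ == "__main__":
    for dom, res in demo().items():
        for pkg, outcome in res.items():
            print(f"{dom}/{pkg}: {outcome}")
```

The show-packages pre-check is what turns the bare 404 into a readable answer: a gateway name is not a package object in the domain, so verify-policy cannot find it. Logging in without "domain" reproduces the other failure mode from the thread, a session at MDS level that sees none of the CMA's packages.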