ukohae
Contributor

Verify Policy Ansible with Checkpoint

Hi,


 Goal: I am trying to Verify Access Control Policy using Ansible for a particular domain 

I used the documentation https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_verify_policy_module.ht...


- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: standard

I set 

- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: #the UID or String of the device


I got an error message when I ran my playbook





Playbook.yml

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: #device name or UID added here
      #cp_mgmt_verify_policy: #policy_package: standard


my_var.yaml

ansible_httpapi_validate_certs: False
ansible_httpapi_use_ssl: True
ansible_network_os: check_point.mgmt.checkpoint
ansible_python_interpreter: /usr/bin/python3


login.yml

ansible_user: #checkpoint username
ansible_password: #checkpoint password


host inventory

[check_point]
#ip address of my checkpoint device
  

 

 

Error Message

$ ansible-playbook Playbook.yml

PLAY [check_point] **************************************************************************************

TASK [verify-policy]
fatal: [checkpoint]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code: 'generic_err_object_not_found'} Unpublished chnages were dicharged"}

PLAY RECAP **********************************************************************************************
checkpoint :ok=0 changed=0 unreachable=0 failed=1 skipped=0 rescued=0 ignored=0


Am I doing anything wrong here? Is there anything I should be aware of?

0 Kudos
8 Replies
funkylicious
Advisor
policy_package: 

i guess that it refers to the policy/security package that you are running the verification for.

dunno if it's case sensitive.

L.E. just saw that you are doing it for a specific domain in an MDS env. try and add at end

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: policy-name
  vars:
    ansible_checkpoint_domain: "domain"

 

0 Kudos
ukohae
Contributor

Hi,

I am very confused. In terms of policy/security package, can you give me an example?


 

Would I say

policy_package: Access Control 


0 Kudos
funkylicious
Advisor

hi,

the name of the policy package that you are setting rules in and installing on the gateways.

you can see it in Security Policies ( default name is Standard ) or from the firewall with fw stat.

Screenshot 2021-02-09 at 21.55.29.png

 
0 Kudos
the_rock
Champion

Technically, access control is an ordered layer, and policy package would be the name of the policy that you gave (I don't know; it could be standard, or companyname_policy, or whatever you named it).

Andy

0 Kudos
Art_Zalenekas
Employee

You said you are executing against the domain, so you are in an MDS environment. You have to provide the CMA/Domain/DMS name as in the MDS as well. See the README and search for ansible_checkpoint_domain: https://galaxy.ansible.com/check_point/mgmt

In short, you have to give the variable ansible_checkpoint_domain the CMA domain name as in the MDS at either the inventory level, the playbook, or the task level.

Inventory file for your host:
mds-cma-name ansible_host=192.168.1.111 ansible_checkpoint_domain=CMA1

That should be it.
Also, when you execute the playbook, add 1 verbosity level (-v) so that you can see more stdout than just "changed".
Furthermore, as this is just a verify and no changes are made, consider adding changed_when: false to the root level of the task.

---
- name: Verify Policy
  hosts: mds-cma1
  connection: httpapi
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "My_Policy"
      changed_when: false
0 Kudos
ukohae
Contributor

Thanks, everyone. Everyone's contribution on here was a solution. It works!!!

0 Kudos
ukohae
Contributor

Hi,

What if I have multiple domains with many policies in them? How do I write my inventories to contain those domains and policies?

0 Kudos
Art_Zalenekas
Employee

well, in the ini format you can list the hosts as if they are CMAs with the variable ansible_checkpoint_domain

[cmas]
cma1 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma1
cma2 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma2
cma3 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma3

I believe there is a bug in the login/discard/logout process of each httpapi plugin connection instantiation, because if in the playbook we call hosts: cmas or multi-host execution, we don't relogin but reuse the same session. That is a bug. So for now, if you want to loop over all hosts in the cmas host group, you will have to write a separate playbook and call it for each CMA, or you can still have the same playbook with the same host group cmas and limit the execution to one host in the group, like ansible-playbook ... --limit=cma2

Sorry, but this is the workaround for now.

0 Kudos
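Putting the two answers from Art_Zalenekas together (the inventory with ansible_checkpoint_domain plus changed_when: false, and the one-run-per-CMA --limit workaround for the shared-session bug), here is an added wrapper script. It is not code from this thread or from the check_point.mgmt collection. It writes a sample ini inventory and playbook if they do not exist and then runs ansible-playbook once per host in the [cmas] group. The aliases cma1..cma3, the address 203.0.113.10, the policy names Standard and Branch_Policy, the per-host policy_package variable, the "run" subcommand and the ANSIBLE_PLAYBOOK override are all constructed for this example; credentials are assumed to come from an ansible-vault file or the environment, and certificate validation is left on (the original question had it off).

```shell
#!/usr/bin/env bash
# Added example, not code from the thread: verify the policy package of every
# CMA listed in an ini inventory, running ansible-playbook once per CMA with
# --limit so each domain gets its own httpapi login/logout (the workaround
# Art_Zalenekas describes for the shared-session bug). Host aliases, addresses
# and policy names below are constructed placeholders.
set -eu

INVENTORY="${INVENTORY:-hosts.ini}"
PLAYBOOK="${PLAYBOOK:-verify_policy.yml}"
# Program used to run the playbook; point it at a stub (e.g. echo) for a dry run.
ANSIBLE_PLAYBOOK="${ANSIBLE_PLAYBOOK:-ansible-playbook}"

# One alias per CMA, all pointing at the same MDS address, each carrying its
# own ansible_checkpoint_domain and the policy package to verify in that domain.
# ansible_user/ansible_password are expected from an ansible-vault file or the
# environment, not from this inventory.
write_sample_inventory() {
  cat > "$1" <<'EOF'
[cmas]
cma1 ansible_host=203.0.113.10 ansible_checkpoint_domain=CMA1 policy_package=Standard
cma2 ansible_host=203.0.113.10 ansible_checkpoint_domain=CMA2 policy_package=Standard
cma3 ansible_host=203.0.113.10 ansible_checkpoint_domain=CMA3 policy_package=Branch_Policy

[cmas:vars]
ansible_connection=httpapi
ansible_network_os=check_point.mgmt.checkpoint
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=True
ansible_python_interpreter=/usr/bin/python3
EOF
}

# The playbook reads policy_package from the host vars, so one play serves every
# CMA; changed_when: false keeps a pure verification out of the "changed" count.
write_playbook() {
  cat > "$1" <<'EOF'
---
- name: Verify the policy package of one CMA
  hosts: cmas
  gather_facts: false
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "{{ policy_package }}"
      changed_when: false
EOF
}

# Print the host aliases of [group] in an ini inventory: the first token of
# each non-blank, non-comment line between that header and the next one
# ([group:vars] is a different header, so its lines are skipped).
group_hosts() {
  awk -v want="[$2]" '
    /^\[/ { in_group = ($0 == want); next }
    in_group && NF && $1 !~ /^#/ { print $1 }
  ' "$1"
}

# Run the playbook once per CMA with --limit; -v makes the module output
# visible. Returns the number of CMAs whose run failed (0 = all verified).
verify_each_cma() {
  local inventory="$1" playbook="$2" failed=0 host
  for host in $(group_hosts "$inventory" cmas); do
    if "$ANSIBLE_PLAYBOOK" -i "$inventory" "$playbook" --limit="$host" -v; then
      echo "OK   $host"
    else
      echo "FAIL $host"
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

main() {
  local failed=0
  [ -f "$INVENTORY" ] || write_sample_inventory "$INVENTORY"
  [ -f "$PLAYBOOK" ] || write_playbook "$PLAYBOOK"
  verify_each_cma "$INVENTORY" "$PLAYBOOK" || failed=$?
  if [ "$failed" -eq 0 ]; then
    echo "all CMAs verified"
  else
    echo "$failed CMA(s) failed verification" >&2
  fi
  return "$failed"
}

# Invoke as: ./verify_cmas.sh run   (without "run" only the functions are defined)
if [ "${1:-}" = run ]; then
  main
fi
```

Each --limit run opens and closes its own httpapi session against the MDS, which is what the workaround relies on; the exit status is the number of domains whose verification failed, so the script can sit in a pipeline that blocks policy installation until every domain verifies. Keeping policy_package as a host variable next to ansible_checkpoint_domain is what lets the same playbook cover domains with differently named packages.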