This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ukohae
Contributor
‎2021-02-09 10:15 AM
Jump to solution

Verify Policy Ansible with Checkpoint

Hi,


 Goal: I am trying to Verify Access Control Policy using Ansible for a particular domain 

I used the documentation https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_verify_policy_module.ht...


- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: standard

I set 

- name: verify-policy
  cp_mgmt_verify_policy:
    policy_package: #the UID or String of the device


I got an error message when I ran my playbook





Playbook.yml

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
  - name: verify-policy
    check_point.mgmt.cp_mgmt_verify_policy:
      policy_package: #device name or UID added here
    #cp_mgmt_verify_policy:
       #policy_package: standard


my_var.yaml

ansible_httpapi_validate_certs: False
ansible_httpapi_use_ssl: True
ansible_network_os: check_point.mgmt.checkpoint
ansible_python_interpreter: /usr/bin/python3


login.yml

ansible_user: #checkpoint username
ansible_password: #checkpoint password


host inventory

[check_point]
#ip address of my checkpoint device  

 

 

Error Message

$ ansible-playbook Playbook.yml

PLAY [check_point] **************************************************************************************

TASK [verify-policy]
fatal: [checkpoint]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code: 'generic_err_object_not_found'} Unpublished chnages were dicharged"}

PLAY RECAP **********************************************************************************************
checkpoint        :ok=0     changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0


I'm I doing anything wrong here, is there anything  I should be aware of?

0 Kudos
4 Solutions

Accepted Solutions
funkylicious
Advisor
‎2021-02-09 11:31 AM
Jump to solution 

policy_package:

i guess that it refers to the policy/security package that you are running the verification for.

dunno if it's case sensitive.

L.E. just saw that you are doing it for a specific domain in an MDS env. try and add at end

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
  - name: verify-policy
    check_point.mgmt.cp_mgmt_verify_policy:
      policy_package: policy-name
    
    vars:
      ansible_checkpoint_domain: "domain"

 

View solution in original post

0 Kudos
funkylicious
Advisor
‎2021-02-09 11:55 AM
In response to ukohae
Jump to solution

hi,

the name of the policy package that you are setting rules in and installing on the gateways.

you can see it in Security Policies ( default name is Standard ) or from the firewall with fw stat.

Screenshot 2021-02-09 at 21.55.29.png

 

View solution in original post

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-02-09 02:12 PM
Jump to solution

You said you are executing against the domain, so you are in MDS environment. You have to provide the CMA/Domain/DMS name as in the MDS as well. See the README and search for ansible_checkpoint_domainhttps://galaxy.ansible.com/check_point/mgmt

In short, you have to give the variable ansible_checkpoint_domain the CMA domain name as in the MDS at either the inventory level, the playbook, or the task level.

Inventory file for your host:
mds-cma-name ansible_host=192.168.1.111 ansible_checkpoint_domain=CMA1

That should be it.
Also, when you execute the playbook, add 1 verbosity level (-v) so that you can see more stdout than just "changed".
Furthermore, as this is just a verify and no changes are made, consider adding changed_when: false to the root level of the task.

---
- name: Verify Policy
  hosts: mds-cma1
  connection: httpapi
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "My_Policy"
      changed_when: false

View solution in original post

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-02-09 08:36 PM
In response to ukohae
Jump to solution

well, in the ini format you can list the hosts as if they are CMAs with the variable ansible_checkpoint_domain

[cmas]
cma1 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma1
cma2 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma2
cma3 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma3

I believe there is a bug in the login/discard/logout process of each httpapi plugin connection instantiation, because if in the playbook we call hosts: cmas or multi-host execution, we don't relogin but reuse the same session. That is a bug. So for now if you want to loop all hosts in the cmas hosts group, you will have to write a separate playbook and call it for each CMA, or can still have the same playbook with the same hosts-group cmas, and limit the execution to a host in the group like ansible-playbook ... --limit=cma2

Sorry, but this is the workaround for now.

View solution in original post

0 Kudos
8 Replies
funkylicious
Advisor
‎2021-02-09 11:31 AM
Jump to solution 

policy_package:

i guess that it refers to the policy/security package that you are running the verification for.

dunno if it's case sensitive.

L.E. just saw that you are doing it for a specific domain in an MDS env. try and add at end

---
- hosts: check_point
  connection: httpapi
  gather_facts: False
  vars_files:
    - 'my_var.yaml'
    - 'login.yml'
  tasks:
  - name: verify-policy
    check_point.mgmt.cp_mgmt_verify_policy:
      policy_package: policy-name
    
    vars:
      ansible_checkpoint_domain: "domain"

 

0 Kudos
ukohae
Contributor
‎2021-02-09 11:47 AM
In response to funkylicious
Jump to solution

Hi,

I am very confused, it in terms of policy/security package,  can you give me an example?


 

Would I say

policy_package: Access Control


0 Kudos
funkylicious
Advisor
‎2021-02-09 11:55 AM
In response to ukohae
Jump to solution

hi,

the name of the policy package that you are setting rules in and installing on the gateways.

you can see it in Security Policies ( default name is Standard ) or from the firewall with fw stat.

Screenshot 2021-02-09 at 21.55.29.png

 
0 Kudos
the_rock
Legend
Legend
‎2021-02-09 01:09 PM
In response to ukohae
Jump to solution

Technically, access control is an ordered layer and policy package would be the name of the policy that you gave (I dont know, could be standard, or companyname_policy or whatever you named it)

Andy

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-02-09 02:12 PM
Jump to solution

You said you are executing against the domain, so you are in MDS environment. You have to provide the CMA/Domain/DMS name as in the MDS as well. See the README and search for ansible_checkpoint_domainhttps://galaxy.ansible.com/check_point/mgmt

In short, you have to give the variable ansible_checkpoint_domain the CMA domain name as in the MDS at either the inventory level, the playbook, or the task level.

Inventory file for your host:
mds-cma-name ansible_host=192.168.1.111 ansible_checkpoint_domain=CMA1

That should be it.
Also, when you execute the playbook, add 1 verbosity level (-v) so that you can see more stdout than just "changed".
Furthermore, as this is just a verify and no changes are made, consider adding changed_when: false to the root level of the task.

---
- name: Verify Policy
  hosts: mds-cma1
  connection: httpapi
  tasks:
    - name: verify-policy
      check_point.mgmt.cp_mgmt_verify_policy:
        policy_package: "My_Policy"
      changed_when: false
0 Kudos
ukohae
Contributor
‎2021-02-09 02:23 PM
In response to Art_Zalenekas
Jump to solution

Thanks, everyone. Everyone's contribution on here was a solution. It works!!!

0 Kudos
ukohae
Contributor
‎2021-02-09 03:40 PM
In response to Art_Zalenekas
Jump to solution

Hi,

what if I have multiple domains with many policies in them. How do I write my inventories to contain those domains and policies?

0 Kudos
Art_Zalenekas
Employee
Employee
‎2021-02-09 08:36 PM
In response to ukohae
Jump to solution

well, in the ini format you can list the hosts as if they are CMAs with the variable ansible_checkpoint_domain

[cmas]
cma1 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma1
cma2 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma2
cma3 ansible_host=192.168.1.11 ansible_checkpoint_domain=cma3

I believe there is a bug in the login/discard/logout process of each httpapi plugin connection instantiation, because if in the playbook we call hosts: cmas or multi-host execution, we don't relogin but reuse the same session. That is a bug. So for now if you want to loop all hosts in the cmas hosts group, you will have to write a separate playbook and call it for each CMA, or can still have the same playbook with the same hosts-group cmas, and limit the execution to a host in the group like ansible-playbook ... --limit=cma2

Sorry, but this is the workaround for now.

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events