Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Hi Everyone,

I am a DevOps practitioner, and am currently helping a client automate the provisioning and configuration of CheckPoint firewalls in Azure.

I created an Ansible playbook with sample tasks to add a Host and a NAT Rule, with no errors, but somehow these objects are not saved. Has anyone run into this?

Playbook Contents

---

- name: "login"
  check_point_mgmt:
    command: login
    parameters:
      username: "{{mgmt_user}}"
      password: "{{mgmt_password}}"
      management: "{{mgmt_server}}"
    fingerprint: "{{mgmt_fingerprint}}"
  register: login_response


- name: "Get TCP Service"
  check_point_mgmt:
    command: show-service-tcp
    parameters:
      name: "DAS-Granite-FaceClient-20003-TCP-443"
    session-data: "{{login_response}}"

- name: "publish"
  check_point_mgmt:
    command: publish
    session-data: "{{login_response}}"

Execution output

All tasks succeed. Zero errors!

<127.0.0.1> EXEC /bin/sh -c 'rm -f -r /Users/sharepointoscar/.ansible/tmp/ansible-tmp-1526006124.196667-230724803151205/ > /dev/null 2>&1 && sleep 0'
ok: [127.0.0.1] => {
    "changed": false,
    "invocation": {
        "module_args": {
            "command": "logout",
            "fingerprint": null,
            "parameters": null,
            "session-data": "{'failed': False, 'changed': False, 'response': {'url': 'ipredacted:443', 'domain': None, 'sid': '-JkGsmtdamz-UqAG067hXCl1tTFQvUvkfDH9KB1_5P4', 'fingerprint':'redacted"
        }
    },
    "response": {
        "message": "OK"
    }
}
META: ran handlers
META: ran handlers
 ____________
< PLAY RECAP >
 ------------
        \   ^__^
         \  (oo)\_______
            (__)\       )\/\
                ||----w |
                ||     ||

127.0.0.1 : ok=7 changed=0 unreachable=0 failed=0

Accepted Solutions

Re: Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Thank you, Robert Decker. I downloaded and set up that cpAnsible. I was using an old one. My environment required me to specify the Ansible interpreter since I have multiple versions of Python. To do that, I simply added this to the Group VARS as follows:

ansible_python_interpreter: "/usr/local/bin/python2.7"

So two things that helped:

  1. Download and set up the cpAnsible as per Robert Decker's suggestion
  2. Ensure that we run Ansible with Python 2.7, as anything in the 3.x will not work. This is done by specifying it in the group_vars.yml file for a typical Ansible project structure.

And that does it, thanks for all of your help, Tomer Sole and Robert Decker.

This was a weird one :), hope it helps someone.

Cheers,
@SharePointOscar

4 Replies
Re: Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Hi Oscar,

Have you tried using our cpAnsible library on GitHub?

Robert.

Re: Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Hey Robert Decker. Yes, I essentially grabbed the sample stuff from there and configured my environment accordingly.

Interesting thing is, Postman calls with the same username/password combination work. The last call using Postman is "Publish".

I do see the SID and task ID being passed when I execute the last Ansible task, "Publish", as well, and I get a good response...

Re: Ansible for creating NAT Rules, Hosts etc. - getting success but objects are not saved!

Exactly. Changes are saved, but not published for everyone else to see. https://community.checkpoint.com/thread/5042-using-mgmtcli-without-automatic-publish#comment-5982 
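
Added example (not from the thread or from the cpAnsible project): a task list in the same check_point_mgmt style as the playbook in the question that makes a change, publishes it, and then confirms the object from a second session, which is what "published for everyone else to see" means in practice. The host name, IP address and the `verify_session` variable are constructed for illustration; the variables `mgmt_user`, `mgmt_password`, `mgmt_server` and `mgmt_fingerprint` are the ones used in the question.

```yaml
---
# Added example; host name and IP address are constructed values.
- name: "login"
  check_point_mgmt:
    command: login
    parameters:
      username: "{{mgmt_user}}"
      password: "{{mgmt_password}}"
      management: "{{mgmt_server}}"
    fingerprint: "{{mgmt_fingerprint}}"   # pin the management server certificate
  register: login_response
  no_log: true   # keep the password and returned session id out of task output
- name: "add host (a change made inside this session)"
  check_point_mgmt:
    command: add-host
    parameters:
      name: "example-host"        # constructed
      ip-address: "192.0.2.10"    # constructed (documentation range)
    session-data: "{{login_response}}"
- name: "publish (makes this session's changes visible to other sessions)"
  check_point_mgmt:
    command: publish
    session-data: "{{login_response}}"
- name: "logout"
  check_point_mgmt:
    command: logout
    session-data: "{{login_response}}"

# Verification from a second, independent session: this lookup is expected to
# fail if the host exists only as an unpublished change in the first session.
- name: "login (verification session)"
  check_point_mgmt:
    command: login
    parameters:
      username: "{{mgmt_user}}"
      password: "{{mgmt_password}}"
      management: "{{mgmt_server}}"
    fingerprint: "{{mgmt_fingerprint}}"
  register: verify_session
  no_log: true
- name: "show host (must be found if the publish took effect)"
  check_point_mgmt:
    command: show-host
    parameters:
      name: "example-host"
    session-data: "{{verify_session}}"
- name: "logout (verification session)"
  check_point_mgmt:
    command: logout
    session-data: "{{verify_session}}"
```

The verbose output in the question prints the session id inside `session-data`, so treat `-vvv` logs from runs like this as sensitive.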
