This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Govind135438
Contributor
‎2025-10-23 06:02 AM
Jump to solution

Adding security zone to gateway interface using Ansible

I am trying to automate assigning security zone to Security Gateway ethernet bonding interface. 

Using Check Point R82.

 

Here is the code snippet from my Ansible playbook:

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security-zone-settings:
          "specific-zone": "{{ security_zone }}"
        security-zone: true
    state: present

The output looks like this indicating no changes to 

TASK [Debug update_result] ******************************************************************************************************************************************
ok: [10.25.58.51] => {
    "msg": {
        "changed": false,
        "checkpoint_session_uid": "113f422c-8e32-41fd-9288-e6f275372336",
        "failed": false
    }
}

Please help me correct code.

 

0 Kudos
2 Solutions

Accepted Solutions
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-23 10:57 AM
Jump to solution

Careful.  If you're doing the interfaces property to a gateway, you MUST include ALL of the interfaces in the list.  Otherwise, this will overwrite your existing interfaces with what you include in the list.   As @the_rock pasted (from ChatGPT 😉), you don't put quotes around the property key names (on the left side of the ":" character). 

You also don't need to use "state: present"; this is assumed.

Be sure you follow up this task with a call to "cp_mgmt_simple_gateway_facts" and register it to a variable, then print that variable with a "debug" task.  Until you are certain you have the task written correctly, with the expected results, you should use the cp_mgmt_discard module at the end.  Once you are happy with the results, then you can use cp_mgmt_publish to commit your changes.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack

View solution in original post

(1)
PhoneBoy
Admin
Admin
‎2025-10-23 06:25 PM
In response to Duane_Toler
Jump to solution

It's worth noting that R82 has separate API endpoints for managing the interfaces on a gateway object.
For example, there is an explicit add-interface endpoint.
It appears this is also reflected in our Ansible collection: https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_interface_module.html#a... 

While I didn't test this in Ansible, I did test it through the API and it works.
Even found a bug 🙂 

If you use the interface options as part of the gateway object in R82, you get the same behavior as before (i.e. must specify ALL interfaces as part of the call).

View solution in original post

(1)
13 Replies
the_rock
MVP Diamond
MVP Diamond
‎2025-10-23 10:31 AM
Jump to solution

Just a "messenger", but here is what AI gave...

**********

You're very close — the problem is with how the security-zone-settings field is structured in the cp_mgmt_simple_gateway module.

In the Check Point Management API (and Ansible collection check_point.mgmt), the correct field names and hierarchy are slightly different from what you used. The field security-zone-settings expects a dictionary, and the correct key for assigning a specific zone is specific-zone, not "specific-zone": "value"and you must not use both security-zone and security-zone-settings together incorrectly.

Let’s fix it step by step 👇

Corrected Playbook Example

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
  register: update_result

- debug:
    msg: "{{ update_result }}"

⚙️ Key Points

  1. Use underscores instead of hyphens in YAML keys for Ansible modules (Python interprets field names with underscores).

    • security_zone_settings

    • 🚫 security-zone-settings

  2. Nested structure:

    • The correct field is security_zone_settings.specific_zone, not security-zone or security-zone: true.

  3. You don’t need the line security-zone: true; that flag doesn’t exist in this context.

Example with a bonding interface

If your interface is a bonding interface, just specify the bond name:

- name: Update security zone for bond interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: bond0
        security_zone_settings:
          specific_zone: "Internal_Zone"
    state: present

🔍 Optional: Force an update

Sometimes, Check Point’s API won’t mark a change unless you explicitly use ignore_warnings: true or ignore_errors: true:

  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
    ignore_warnings: true

Summary

Wrong Key Correct Key Notes
security-zone-settings security_zone_settings Use underscores
"specific-zone": "{{ security_zone }}" specific_zone: "{{ security_zone }}" No quotes or hyphen
security-zone: true (remove) Not needed

Would you like me to show a full playbook example including session login/logout (cp_mgmt_login / cp_mgmt_publish/ cp_mgmt_logout)? That’s often required for changes to persist.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-23 10:57 AM
Jump to solution

Careful.  If you're doing the interfaces property to a gateway, you MUST include ALL of the interfaces in the list.  Otherwise, this will overwrite your existing interfaces with what you include in the list.   As @the_rock pasted (from ChatGPT 😉), you don't put quotes around the property key names (on the left side of the ":" character). 

You also don't need to use "state: present"; this is assumed.

Be sure you follow up this task with a call to "cp_mgmt_simple_gateway_facts" and register it to a variable, then print that variable with a "debug" task.  Until you are certain you have the task written correctly, with the expected results, you should use the cp_mgmt_discard module at the end.  Once you are happy with the results, then you can use cp_mgmt_publish to commit your changes.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
the_rock
MVP Diamond
MVP Diamond
‎2025-10-23 11:04 AM
In response to Duane_Toler
Jump to solution

I would always trust Duane Toler genius over AI 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-23 11:13 AM
In response to the_rock
Jump to solution

hah! thanks 😁  ChatGPT wasn't entirely wrong, tho.  It just didn't catch the interface list.  The rest of my info was largely about "style" (and safety/caution), too.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond
MVP Diamond
‎2025-10-23 11:15 AM
In response to Duane_Toler
Jump to solution

I speak the truth 🙂

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-23 06:25 PM
In response to Duane_Toler
Jump to solution

It's worth noting that R82 has separate API endpoints for managing the interfaces on a gateway object.
For example, there is an explicit add-interface endpoint.
It appears this is also reflected in our Ansible collection: https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_interface_module.html#a... 

While I didn't test this in Ansible, I did test it through the API and it works.
Even found a bug 🙂 

If you use the interface options as part of the gateway object in R82, you get the same behavior as before (i.e. must specify ALL interfaces as part of the call).

(1)
Govind135438
Contributor
‎2025-10-24 03:24 AM
In response to PhoneBoy
Jump to solution

Thank you very much @PhoneBoy for suggesting add_interface module. It worked. However I see a problem. The security zone gets assigned to the interface but not enabled. 

See the screenshots after running the playbook:

Zone assigned but not displayed in SmartConsoleZone assigned but not displayed in SmartConsoleZone assigned but not enabledZone assigned but not enabled

Is this related to the bug you have observed or am I missing something?

Here is my code snippet from the playbook:

    - name: add-interface
      check_point.mgmt.cp_mgmt_interface:
        anti_spoofing: true
        anti_spoofing_settings:
          action: detect
          exclude_packets: false
          spoof_tracking: log
        cluster_network_type: cluster
        gateway_uid: eb095b8b-a78c-9c4c-8e36-7c30b45f8878
        name: eth1
        security_zone_settings:
          auto_calculated: false
          specific_zone: "{{ security_zone }}"
      register: update_result

    - name: Debug update_result
      ansible.builtin.debug:
        msg: "{{ update_result }}"

    - name: Publish the changes
      check_point.mgmt.cp_mgmt_publish:
        #when: update_result is changed

 

 

0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-24 06:03 AM
In response to Govind135438
Jump to solution

Are you certain your variable "security_zone" is defined as you expect it to be, and is that zone defined already?  Add yourself a debug call just prior your module to be sure.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Govind135438
Contributor
‎2025-10-24 06:59 AM
In response to Duane_Toler
Jump to solution

The variable "security_zone" is hardcoded with valid value. I am testing the scripts in local Check Point environment before testing in the production environment. 

the_rock
MVP Diamond
MVP Diamond
‎2025-10-24 07:07 AM
In response to Govind135438
Jump to solution

Thats super smart!

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Duane_Toler
MVP Silver
MVP Silver
‎2025-10-24 06:07 AM
In response to Govind135438
Jump to solution

If you have access to the management server via SSH, you can look in the API debug log in $MDS_FWDIR/log/api.elg for any errors.  

If your server is R82 or R81.20 JHF 101 and higher, you can get API usage details and info with $FWDIR/scripts/api_log_to_json.py.  See sk181906 for details.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Diamond
MVP Diamond
‎2025-10-24 06:21 AM
In response to Duane_Toler
Jump to solution

Yea, that file should contain any related errors.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2025-10-24 02:13 PM
In response to Govind135438
Jump to solution

I believe it did have something to do with adding a Zone, though my internal email thread wasn't clear on this point.
In any case, suggest a TAC case and I'm flagging @Omer_Kleinstern on the underlying API bug.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events