Govind135438
Participant
Adding security zone to gateway interface using Ansible

I am trying to automate assigning a security zone to a Security Gateway Ethernet bonding interface.

Using Check Point R82.


Here is the code snippet from my Ansible playbook:

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security-zone-settings:
          "specific-zone": "{{ security_zone }}"
        security-zone: true
    state: present

The output looks like this indicating no changes to 

TASK [Debug update_result] ******************************************************************************************************************************************
ok: [10.25.58.51] => {
    "msg": {
        "changed": false,
        "checkpoint_session_uid": "113f422c-8e32-41fd-9288-e6f275372336",
        "failed": false
    }
}

Please help me correct the code.


0 Kudos
13 Replies
the_rock
MVP Platinum
MVP Platinum

Just a "messenger", but here is what AI gave...

**********

You're very close — the problem is with how the security-zone-settings field is structured in the cp_mgmt_simple_gateway module.

In the Check Point Management API (and Ansible collection check_point.mgmt), the correct field names and hierarchy are slightly different from what you used. The field security-zone-settings expects a dictionary, and the correct key for assigning a specific zone is specific-zone, not "specific-zone": "value", and you must not use both security-zone and security-zone-settings together incorrectly.

Let’s fix it step by step 👇


Corrected Playbook Example

- name: Update security zone for interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
  register: update_result

- debug:
    msg: "{{ update_result }}"

⚙️ Key Points

  1. Use underscores instead of hyphens in YAML keys for Ansible modules (Python interprets field names with underscores).

     • ✅ security_zone_settings
     • 🚫 security-zone-settings

  2. Nested structure: the correct field is security_zone_settings.specific_zone, not security-zone or security-zone: true.

  3. You don't need the line security-zone: true; that flag doesn't exist in this context.


Example with a bonding interface

If your interface is a bonding interface, just specify the bond name:

- name: Update security zone for bond interface
  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: bond0
        security_zone_settings:
          specific_zone: "Internal_Zone"
    state: present

🔍 Optional: Force an update

Sometimes, Check Point’s API won’t mark a change unless you explicitly use ignore_warnings: true or ignore_errors: true:

  check_point.mgmt.cp_mgmt_simple_gateway:
    name: gw-893628
    interfaces:
      - name: eth0
        security_zone_settings:
          specific_zone: "{{ security_zone }}"
    state: present
    ignore_warnings: true

Summary

Wrong Key                                  Correct Key                           Notes
security-zone-settings                     security_zone_settings                Use underscores
"specific-zone": "{{ security_zone }}"     specific_zone: "{{ security_zone }}"  No quotes or hyphen
security-zone: true                        (remove)                              Not needed

Would you like me to show a full playbook example including session login/logout (cp_mgmt_login / cp_mgmt_publish/ cp_mgmt_logout)? That’s often required for changes to persist.

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver

Careful.  If you're doing the interfaces property to a gateway, you MUST include ALL of the interfaces in the list.  Otherwise, this will overwrite your existing interfaces with what you include in the list.   As @the_rock pasted (from ChatGPT 😉), you don't put quotes around the property key names (on the left side of the ":" character). 

You also don't need to use "state: present"; this is assumed.

Be sure you follow up this task with a call to "cp_mgmt_simple_gateway_facts" and register it to a variable, then print that variable with a "debug" task.  Until you are certain you have the task written correctly, with the expected results, you should use the cp_mgmt_discard module at the end.  Once you are happy with the results, then you can use cp_mgmt_publish to commit your changes.


--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
(1)
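The rebuild-everything-then-verify sequence Duane describes, as an added Python example rather than a playbook; it is not code from this thread or from the check_point.mgmt collection. It works on the interfaces array that show-simple-gateway (what cp_mgmt_simple_gateway_facts returns) hands back, produces the complete list that set-simple-gateway (cp_mgmt_simple_gateway) needs, and diffs before/after so you can see, before publishing, that only the intended interface changed and nothing got dropped. The allow-list of writable interface keys is my assumption taken from the Management API reference, and the sample interfaces are constructed, not real gateway output.

```python
"""Added example (not from this thread): build the COMPLETE interfaces list
that set-simple-gateway / cp_mgmt_simple_gateway require, changing only one
interface's security zone, and diff before/after to prove nothing else moved."""
import copy
import json

# Interface keys that set-simple-gateway accepts. This allow-list is my own
# assumption from the Management API reference (not from this thread).
# show-simple-gateway also returns read-only fields (uid, domain, meta-info,
# ...) that the API rejects on write, so anything not listed is dropped.
WRITABLE_KEYS = frozenset({
    "name", "ipv4-address", "ipv4-network-mask", "ipv4-mask-length",
    "ipv6-address", "ipv6-network-mask", "ipv6-mask-length",
    "anti-spoofing", "anti-spoofing-settings",
    "security-zone", "security-zone-settings",
    "topology", "topology-settings", "comments", "color",
})


def sanitize(iface):
    """Deep copy of one interface object with only writable keys kept."""
    return {k: copy.deepcopy(v) for k, v in iface.items() if k in WRITABLE_KEYS}


def _zone_name(settings):
    """'specific-zone' may come back as a plain name or as an object with 'name'."""
    zone = (settings or {}).get("specific-zone")
    return zone.get("name") if isinstance(zone, dict) else zone


def assign_zone(current_interfaces, iface_name, zone):
    """Return (full_interface_list, changed).

    current_interfaces is the 'interfaces' array from show-simple-gateway
    (or cp_mgmt_simple_gateway_facts). EVERY interface is returned, sanitized;
    only iface_name gets new zone settings. 'security-zone' is set to true as
    well: in set-simple-gateway the enable flag and the zone settings are
    separate fields, and settings without the flag leave the zone unused.
    """
    wanted = {"auto-calculated": False, "specific-zone": zone}
    new_list, found, changed = [], False, False
    for iface in current_interfaces:
        clean = sanitize(iface)
        if clean["name"] == iface_name:
            found = True
            settings = clean.get("security-zone-settings") or {}
            already = (clean.get("security-zone") is True
                       and settings.get("auto-calculated") is False
                       and _zone_name(settings) == zone)
            changed = not already
            clean["security-zone"] = True
            clean["security-zone-settings"] = wanted
        new_list.append(clean)
    if not found:
        # Never fall through to sending a list the gateway does not match.
        raise KeyError(f"interface {iface_name!r} not found on gateway")
    return new_list, changed


def diff_interfaces(before, after):
    """(interface, key, old, new) for each difference between two interface
    lists, after sanitizing both. An interface missing from 'after' is
    reported as REMOVED: that is exactly what a partial list sent to
    set-simple-gateway does to the interfaces you left out."""
    b = {i["name"]: sanitize(i) for i in before}
    a = {i["name"]: sanitize(i) for i in after}
    changes = []
    for name in sorted(set(b) | set(a)):
        if name not in a:
            changes.append((name, "*", "present", "REMOVED"))
        elif name not in b:
            changes.append((name, "*", "absent", "added"))
        else:
            for key in sorted(set(b[name]) | set(a[name])):
                if b[name].get(key) != a[name].get(key):
                    changes.append((name, key, b[name].get(key), a[name].get(key)))
    return changes


# Constructed sample of a show-simple-gateway 'interfaces' array (not real
# output); uid/domain stand in for the read-only fields the real API returns.
SAMPLE_INTERFACES = [
    {"name": "eth0", "ipv4-address": "10.25.58.51", "ipv4-mask-length": 24,
     "topology": "external", "security-zone": False,
     "uid": "11111111-2222-3333-4444-555555555555", "domain": {"name": "SMC User"}},
    {"name": "bond0", "ipv4-address": "192.168.10.1", "ipv4-mask-length": 24,
     "topology": "internal", "security-zone": False,
     "uid": "66666666-7777-8888-9999-000000000000", "domain": {"name": "SMC User"}},
]

if __name__ == "__main__":
    full, changed = assign_zone(SAMPLE_INTERFACES, "bond0", "Internal_Zone")
    print("changed:", changed)
    print(json.dumps({"name": "gw-893628", "interfaces": full}, indent=2))
    print("safe (full list):", diff_interfaces(SAMPLE_INTERFACES, full))
    print("unsafe (bond0 only):", diff_interfaces(SAMPLE_INTERFACES, [full[1]]))
```

Send `full` as the interfaces value (the hyphenated keys go straight to the API; the Ansible module spells the same fields with underscores), then run the facts task again and feed both arrays to diff_interfaces before deciding between discard and publish. The "unsafe" line in the demo shows what a one-entry list would do: eth0 is reported as REMOVED.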
the_rock
MVP Platinum
MVP Platinum

I would always trust Duane Toler genius over AI 🙂

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver

hah! thanks 😁  ChatGPT wasn't entirely wrong, tho.  It just didn't catch the interface list.  The rest of my info was largely about "style" (and safety/caution), too.


--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Platinum
MVP Platinum

I speak the truth 🙂

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin

It's worth noting that R82 has separate API endpoints for managing the interfaces on a gateway object.
For example, there is an explicit add-interface endpoint.
It appears this is also reflected in our Ansible collection: https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_interface_module.html#a... 

While I didn't test this in Ansible, I did test it through the API and it works.
Even found a bug 🙂 

If you use the interface options as part of the gateway object in R82, you get the same behavior as before (i.e. must specify ALL interfaces as part of the call).

(1)
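The per-interface R82 path PhoneBoy mentions, driven directly against the Management API he tested (cp_mgmt_interface wraps the same add-interface call). This is an added example, not code from the thread or from Check Point: it issues add-interface, reads the gateway back in the same session so the unpublished change is visible, and publishes only if the zone is actually enabled on the interface, otherwise it discards. The host, API user, gateway UID and zone are placeholders; cluster_network_type, which the Ansible module also accepts, is left out because it only applies to cluster members; and because the thread does not show raw show-simple-gateway output, specific-zone is accepted both as a plain name and as an object with a name (an assumption).

```python
"""Added example (not from this thread): R82 add-interface against the raw
Management API, verified with show-simple-gateway and discarded unless the
caller opts in to publish."""
import json
import ssl
import urllib.error
import urllib.request


def build_add_interface_body(gateway_uid, name, zone):
    """Body for add-interface. Keys are the API's hyphenated names; the
    Ansible module spells the same fields with underscores."""
    return {
        "gateway-uid": gateway_uid,
        "name": name,
        "anti-spoofing": True,
        "anti-spoofing-settings": {"action": "detect", "exclude-packets": False,
                                   "spoof-tracking": "log"},
        "security-zone-settings": {"auto-calculated": False, "specific-zone": zone},
    }


def zone_enabled(iface, zone):
    """True only if the interface object from show-simple-gateway has the
    zone flag on AND points at the requested zone. Assumption: 'specific-zone'
    is handled both as a plain name and as an object with a 'name' key."""
    settings = iface.get("security-zone-settings") or {}
    specific = settings.get("specific-zone")
    if isinstance(specific, dict):
        specific = specific.get("name")
    return (iface.get("security-zone") is True
            and settings.get("auto-calculated") is False
            and specific == zone)


class MgmtSession:
    """Minimal login / call wrapper around https://<mgmt>/web_api/."""

    def __init__(self, host, user, password, cafile=None):
        # Verify the management server's certificate against cafile (or the
        # system store) instead of disabling TLS checks.
        self.base = f"https://{host}/web_api/"
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.sid = None
        self.sid = self.call("login", {"user": user, "password": password})["sid"]

    def call(self, command, body):
        req = urllib.request.Request(
            self.base + command, data=json.dumps(body).encode(),
            headers={"Content-Type": "application/json"}, method="POST")
        if self.sid:
            req.add_header("X-chkp-sid", self.sid)
        try:
            with urllib.request.urlopen(req, context=self.ctx) as resp:
                return json.loads(resp.read().decode())
        except urllib.error.HTTPError as err:
            # The API returns its error details as JSON in the response body.
            raise RuntimeError(f"{command}: {err.code} {err.read().decode()}") from err


def add_interface_with_zone(sess, gateway_name, gateway_uid, iface_name, zone,
                            publish=False):
    """add-interface, then read the gateway back in the same session (so the
    unpublished change is visible) and publish only if the zone is really
    enabled; otherwise discard so a half-applied change never lands."""
    sess.call("add-interface", build_add_interface_body(gateway_uid, iface_name, zone))
    gw = sess.call("show-simple-gateway", {"name": gateway_name})
    iface = next((i for i in gw.get("interfaces", []) if i["name"] == iface_name), None)
    ok = iface is not None and zone_enabled(iface, zone)
    if ok and publish:
        sess.call("publish", {})
    else:
        sess.call("discard", {})
    return ok, iface


if __name__ == "__main__":
    import getpass
    import sys
    # usage: script.py <mgmt-host> <gateway-name> <gateway-uid> <iface> <zone> [--publish]
    host, gw_name, gw_uid, iface_name, zone = sys.argv[1:6]
    sess = MgmtSession(host, "api_user", getpass.getpass("API password: "))
    try:
        ok, seen = add_interface_with_zone(sess, gw_name, gw_uid, iface_name, zone,
                                           publish="--publish" in sys.argv)
        print("zone enabled on interface:", ok)
        print(json.dumps(seen, indent=2))
    finally:
        sess.call("logout", {})
```

Without --publish the script is a dry run that leaves the database untouched, which is the cp_mgmt_discard pattern from earlier in the thread; with it, the publish still only happens when the read-back shows the zone flag on, so the "assigned but not enabled" outcome is caught before it is committed.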
Govind135438
Participant

Thank you very much @PhoneBoy for suggesting the add_interface module. It worked. However, I see a problem. The security zone gets assigned to the interface but not enabled.

See the screenshots after running the playbook:

[Screenshot: Zone assigned but not displayed in SmartConsole]
[Screenshot: Zone assigned but not enabled]

Is this related to the bug you have observed or am I missing something?

Here is my code snippet from the playbook:

    - name: add-interface
      check_point.mgmt.cp_mgmt_interface:
        anti_spoofing: true
        anti_spoofing_settings:
          action: detect
          exclude_packets: false
          spoof_tracking: log
        cluster_network_type: cluster
        gateway_uid: eb095b8b-a78c-9c4c-8e36-7c30b45f8878
        name: eth1
        security_zone_settings:
          auto_calculated: false
          specific_zone: "{{ security_zone }}"
      register: update_result

    - name: Debug update_result
      ansible.builtin.debug:
        msg: "{{ update_result }}"

    - name: Publish the changes
      check_point.mgmt.cp_mgmt_publish: {}
      # when: update_result is changed

0 Kudos
Duane_Toler
MVP Silver
MVP Silver

Are you certain your variable "security_zone" is defined as you expect it to be, and is that zone defined already?  Add yourself a debug call just prior your module to be sure.


--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
Govind135438
Participant

The variable "security_zone" is hardcoded with a valid value. I am testing the scripts in a local Check Point environment before testing in the production environment.

the_rock
MVP Platinum
MVP Platinum

That's super smart!

Best,
Andy
0 Kudos
Duane_Toler
MVP Silver
MVP Silver

If you have access to the management server via SSH, you can look in the API debug log in $MDS_FWDIR/log/api.elg for any errors.  

If your server is R82 or R81.20 JHF 101 and higher, you can get API usage details and info with $FWDIR/scripts/api_log_to_json.py.  See sk181906 for details.

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
the_rock
MVP Platinum
MVP Platinum

Yea, that file should contain any related errors.

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin

I believe it did have something to do with adding a Zone, though my internal email thread wasn't clear on this point.
In any case, suggest a TAC case and I'm flagging @Omer_Kleinstern on the underlying API bug.

0 Kudos
