tawsif
Participant

Ansible Checkpoint Module - check_point.mgmt.cp_mgmt_host

Hi All,

I'm running into an issue when I try to use the above-mentioned module. In my firewall environment, we have 5 domains and hence we use the Global domain for a global assignment on all 5 domains. However, when I use this module, if the hosts are not present in any domain, it creates the host and adds it to the assigned group that is mentioned in the script. But if the hosts are already present on the firewalls and already exist in different groups, it moves the existing hosts out of the other groups and puts them in the new group that is mentioned in the script. This is creating an outage on our firewall rules. Is there a workaround for this? Below is the sample script that I'm using:


  - name: add-host-object
    check_point.mgmt.cp_mgmt_host:
      name: "{{ item.value.Name | quote }}"
      ip_address: "{{ item.value.IP | quote }}"
      comments: "{{ item.value.Comments }}"
      groups: gTest1A
    loop: "{{ user.dict | dict2items }}"
    ignore_errors: yes
    delegate_to: Global

  - name: add-network-group
    check_point.mgmt.cp_mgmt_group:
      name: gTest1A
      comments: "anything"
      state: present
      auto_publish_session: yes
    ignore_errors: yes
    delegate_to: Global

  - name: wait for session to be refreshed
    wait_for:
      timeout: 30

  - name: global-assignment
    check_point.mgmt.cp_mgmt_assign_global_assignment:
      dependent_domains:
        - xxx
      global_domains: Global
      wait_for_task: yes
      wait_for_task_timeout: 30
    ignore_errors: yes
5 Replies
Jonas_Rosenboom
Employee

Hi,

This happens because when you specify

groups: gTest1A

you tell it to make sure the host is in the listed groups (gTest1A) and ONLY in those groups.

Depending on your setup, the correct solution could be to configure the group members with the cp_mgmt_group module.

This will work if the group is not supposed to contain any members that are configured outside of your Ansible script. Otherwise it would have the same effect, where it will remove all hosts and only leave the ones specified as members.

tawsif
Participant

Hi Jonas,

So in my environment, IPs get re-used all the time, and there may be cases where the hostnames have changed but the IPs remained the same, and the firewall has the existing host object with the same IP in a different group. When we get a new request to create a new group with new hostnames but with the same IPs that are already present on the firewall in other groups, how can we avoid them being moved out of their group and instead just add the new hosts to the new group that is specified in the script?

Jonas_Rosenboom
Employee

If you have the same IP, but a different name for the host object, it will emit a warning regarding the duplicate IP, but Ansible would not consider them the same object (and therefore not try to update the groups for the old object).

The conflict only occurs if you are trying to create host objects with the same name as an existing one.

As long as the group is managed only by Ansible and the script is aware of the entire list of members for that group, that is not a problem either way if you change the membership configuration from being done per host to being done with the group module:

    - name: add-network-group
      check_point.mgmt.cp_mgmt_group:
        name: ExampleGroup
        comments: "anything"
        state: present
        members: "{{ list_of_hosts }}"
        auto_publish_session: yes


Also, check out our Generic Data Center feature. If you have a very dynamic environment this might be even better than updating objects and groups. There is no need to install policy for the updates to take effect.

PS: If you don't have a lab environment to test your Ansible script against, you can use the SmartConsole demo mode for that.
After starting a new demo session from SmartConsole, copy the server IP address and use admin/demo123 as your credentials.

tawsif
Participant

Is there a way, maybe another module, which can check if the same host exists and then just error out? What if I want to create different groups with the same hosts, but the same hosts can exist in multiple groups? Because there are different team members who work on different tasks and may not be able to check if the host is already present on the firewall.

Jonas_Rosenboom
Employee

If you don't specify ignore_errors: yes, the cp_mgmt_host module will error out and not continue if an object with the same IP already exists.

"msg": "Checkpoint device returned error 400 with message {u'message': u'Validation failed with 1 warning', u'code': u'err_validation_failed', u'warnings': [{u'message': u'Multiple objects have the same IP address 203.0.113.1'}]} Unpublished changes were discarded"}

If you want to have different groups with the same hosts in them, you can repeat the cp_mgmt_group module:

  - name: add-network-group
    check_point.mgmt.cp_mgmt_group:
      name: FirstExampleGroup
      state: present
      members: "{{ hosts_in_group }}"
      auto_publish_session: yes

  - name: add-network-group
    check_point.mgmt.cp_mgmt_group:
      name: SecondExampleGroup
      state: present
      members: "{{ hosts_in_group }}"
      auto_publish_session: yes

The key is to NOT specify the groups parameter for the cp_mgmt_host module, as that would change all group memberships to match your input.

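The two points made in the replies above (create hosts without a `groups:` key, and declare membership per group with cp_mgmt_group) combined into one playbook, as an added example that is not the original poster's script nor Check Point's own code. It assumes an inventory host named `Global` carrying the httpapi connection variables for the management server, a constructed list of requested hosts, a made-up second group `gTest1B`, and a placeholder for the dependent domain name, which the thread does not give. `ignore_errors` is deliberately left off the host task so that the duplicate-IP validation error quoted above stops the play instead of being skipped over.

```yaml
---
# Added example, not the script from this thread. Assumes the inventory host
# "Global" is configured for the Check Point httpapi plugin
# (ansible_network_os: check_point.mgmt.checkpoint, ansible_user, ansible_password).
- name: Create hosts and manage group membership on the Global domain
  hosts: Global
  connection: httpapi
  gather_facts: false
  vars:
    # Constructed sample request; in practice this is the team's input data.
    requested_hosts:
      - { Name: "web-01", IP: "192.0.2.10", Comments: "ticket 1234" }
      - { Name: "web-02", IP: "192.0.2.11", Comments: "ticket 1234" }
    # Derived from the same list, so each group task receives the complete
    # member set this playbook is responsible for.
    requested_members: "{{ requested_hosts | map(attribute='Name') | list }}"

  tasks:
    # No `groups:` key: cp_mgmt_host would otherwise rewrite the host's group
    # memberships to exactly that list, pulling it out of every other group.
    # No `ignore_errors:` either: a duplicate-IP validation error (HTTP 400)
    # fails the play and the module discards the unpublished changes.
    - name: add-host-object
      check_point.mgmt.cp_mgmt_host:
        name: "{{ item.Name }}"
        ip_address: "{{ item.IP }}"
        comments: "{{ item.Comments }}"
        state: present
      loop: "{{ requested_hosts }}"
      loop_control:
        label: "{{ item.Name }} ({{ item.IP }})"

    # Membership is declared per group. `members` is the full list for that
    # group, so only use this for groups the playbook owns end to end.
    - name: add-network-group gTest1A
      check_point.mgmt.cp_mgmt_group:
        name: gTest1A
        comments: "managed by ansible"
        state: present
        members: "{{ requested_members }}"

    # The same hosts can sit in a second group at the same time; their
    # membership in gTest1A is untouched because cp_mgmt_host never saw `groups:`.
    - name: add-network-group gTest1B
      check_point.mgmt.cp_mgmt_group:
        name: gTest1B
        comments: "managed by ansible"
        state: present
        members: "{{ requested_members }}"
        auto_publish_session: yes

    # Push the published Global objects to the dependent domains, as in the
    # original script. <dependent-domain> is a placeholder for the real name.
    - name: global-assignment
      check_point.mgmt.cp_mgmt_assign_global_assignment:
        dependent_domains:
          - "<dependent-domain>"
        global_domains: Global
        wait_for_task: yes
        wait_for_task_timeout: 30
```

The design choice to note is the caveat Jonas gives: `members` on cp_mgmt_group replaces the whole membership of that group, so a group that also contains objects maintained outside Ansible would lose them. For such groups, keep the host objects out of `members` entirely and add them by hand, or have the playbook read the current membership first and merge before setting it.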