Solved: Ansible: Remove Host object from Group

Sannet · ‎2020-04-16

Hi all,

I have a problem when I try to remove an Host object from a Group of objects.

For example, I have a group with this members:

Group_1:
- Host_1.1.1.1
- Host_2.2.2.2
- Host_3.3.3.3
- Host_4.4.4.4

And I want to remove the object "Host_3.3.3.3" from that "Group_1".

The logic from my playbook is:

1 - To get all members from that group and save them inside a list.
list = [Host_1.1.1.1, Host_2.2.2.2, Host_3.3.3.3, Host_4.4.4.4]

2 - Remove from that list, the object that I want to delete.
list = [Host_1.1.1.1, Host_2.2.2.2, Host_4.4.4.4]

3 - Call "cp_mgmt_group" module and set the members parameter with the list. I am editing the Group object with a new list of members.
cp_mgmt_group:
   name: Group_1
   members: "{{ list }}"
   state: present
   auto_publish_session: yes

All playbook runs OK, but when I go to the SmartConsole to see the changes, the "Group_1" still having the object "Host_3.3.3.3" that I removed with the Ansible playbook.
I publish all changes in the playbook, and install the policy successfuly. And also, I have checked that the steps 1 and 2 works fine.

In other playbooks, I follow the same logic when I want to add some new object to the group, changing the second step by Add to that list the new object, and it works fine. Why when I pass the list with less members, the action doesn't work?

Does "cp_mgmt_group" module support to delete just one object inside of it? Or is there any simple way to do this? Any comment will be appreciated.

Thanks

PhoneBoy · ‎2020-04-21

Did the group object you use for this exist prior to use of Ansible or was it created entirely in Ansible?

View solution in original post

Sannet · ‎2020-04-17

I reply myself, but unfortunately not with the final answer.

I think that the problem is related with the fact that as the members already exists in the group, the module doesn't make any change (See the"changed": false ) even if I am passing less members than the members that already have the group at that time.

"cp_mgmt_group" output:

ok: [fw] => {
       "changed": false,
       "checkpoint_session_uid": "1ae46488-c031-4426-b7df-ff435f81a5c3",
       "invocation": {
             "module_args": {
                   "auto_publish_session": true,
                   "color": null,
                   "comments": null,
                   "details_level": null,
                   "groups": null,
                   "ignore_errors": null,
                   "ignore_warnings": null,
                   "members": [
                         "Host_1.1.1.1",
                         "Host_1.1.1.2",
                         "Host_1.1.1.4"
                   ],
                   "name": "Group1",
                   "state": "present",
                   "tags": null,
                   "version": null,
                   "wait_for_task": true
             }
       }
}

Could be any other form to remove that object from the group or to force the module to make the changes?

Thanks

PhoneBoy · ‎2020-04-18

What version of Check Point management?
What errors (if any) are shown when you try and run the playbook after you've removed Host_1.1.1.3 from it?
Also, what does $FWDIR/log/api.elg say?

Sannet · ‎2020-04-20

-What version of Check Point management?
I have installed the Check_Point_R80_10_JUMBO_HF_Bundle_T259 a few weeks ago:
FW> fw ver
This is Check Point's software version R80.10 - Build 223
FW> fwm ver
This is Check Point Security Management Server R80.10 - Build 054

-What errors (if any) are shown when you try and run the playbook after you've removed Host_1.1.1.3 from it?
There is no error while running the playbook.

-Also, what does $FWDIR/log/api.elg say?
Follow the log when I try to remove object "Block_1.1.1.2" from the group "Blacklist" that contains the members ["Block_1.1.1.1", "Block_1.1.1.2", "Block_1.1.1.3", "Block_1.1.1.4", "Block_1.1.1.5", "Block_1.1.1.6"]
I'm using the module cp_mgmt_group passing all objects except the object I want to remove.

--------------------------------------
2020-04-20 11:11:05,407 INFO org.apache.cxf.interceptor.LoggingInInterceptor.log:250 [qtp1746170792-30] - Inbound Message
----------------------------
ID: 922
Address: http://127.0.0.1:50276/web_api/equals
Encoding: ISO-8859-1
Http-Method: POST
Content-Type: application/json
Headers: {accept-encoding=[identity], connection=[keep-alive], Content-Length=[148], content-type=[application/json], Host=[127.0.0.1:50276], User-Agent=[Python-urllib/3.6], X-Chkp-Sid=[fxH3s_SgVrU5ZACbmSo2Xvj0fM2N171NddKIQOdTeK0], X-Forwarded-For=[192.168.3.2], X-Forwarded-Host=[192.168.3.7:443], X-Forwarded-Host-Port=[443], X-Forwarded-Server=[192.168.3.7]}
Payload: {"params": {"name": "Blacklist", "members": ["Block_1.1.1.1", "Block_1.1.1.3", "Block_1.1.1.4", "Block_1.1.1.5", "Block_1.1.1.6"]}, "type": "group"}
--------------------------------------
2020-04-20 11:11:05,414 WARN com.checkpoint.management.web_api_is.utils.helpers.RequestHeadersHelper.getMediaType_aroundBody6:21 [qtp1746170792-30] - No Accept header received. Falling back to default media type [application/json].
2020-04-20 11:11:05,415 INFO com.checkpoint.management.web_api_is.utils.helpers.ApiCache.<init>:13 [qtp1746170792-30] - Cache created and initialized
2020-04-20 11:11:05,415 INFO com.checkpoint.management.web_api.web_services.WebApiEntryPoint.logRequestedCommandInfo:33 [qtp1746170792-30] - Executing [equals] of version 1.1 (references 1)
2020-04-20 11:11:05,655 INFO com.checkpoint.management.web_api_is.utils.CsvFileWriterUtils.writeCsvLine:3 [qtp1746170792-30] - 2020-04-20,11:11:05 +0200,equals,PASSED,241
2020-04-20 11:11:05,657 INFO org.apache.cxf.interceptor.LoggingOutInterceptor.log:250 [qtp1746170792-30] - Outbound Message
---------------------------
ID: 922
Response-Code: 200
Content-Type: application/json
Headers: {Content-Type=[application/json], Date=[Mon, 20 Apr 2020 09:11:05 GMT]}
Payload: {
"equals" : true
}
--------------------------------------

I think that the problem is related with the way that how Ansible works.
When you try to update the members of a group, if inside the members there is at least one new member that wasn't there before, the task "changes" the group object, adding the new member. (That works ok in my playbook)
But if inside the members there is no one new (because you only have removed one of them, the rest still there) it doesn't make any change because the members that you are trying to add now are already there, and nothing changes in the group object.

Maybe this logic is not valid.

I hope I have explained myself well.

Thank you

PhoneBoy · ‎2020-04-20

Ansible is not formally supported with R80.10 Management until JHF 270 per https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It's possible that's the issue here.

If you created the group with Ansible, it should work to simply remove the item from the group definition in the playbook.
If the group existed prior to your use of Ansible, it's possible (but I'm not certain) that it's working the way you describe.
In any case, before proceeding further, it's best to upgrade to the JHF supported with Ansible.

Sannet · ‎2020-04-21

Thank you for your replies.

I have the latest JHF dated last month "take 272" (I'm not sure why it just displays "build 057") so it must be enough as it requires "take 270", right?

Check_Point_R80_10_JUMBO_HF_Bundle_T272_sk116380_FULL.tgz

The Security Gateway and the Security Management are on the same VM.

PhoneBoy · ‎2020-04-21

Did the group object you use for this exist prior to use of Ansible or was it created entirely in Ansible?

Sannet · ‎2020-04-22

I've tried both ways: with a new group created by the Ansible playbook, and with an existing group created through the SmartConsole.
Unfortunately with the same result.

Sannet · ‎2020-04-22

I was wrong in my last post. I didn't check it well.

You are right @PhoneBoy. If the group has been previously created with Ansible, I can remove one host inside of it without problems with "cp_mgmt_group". But if the group was created by the SmartConsole the playbook doesn't remove it.

It's weird ... but it works.

Thank you for your help.

PhoneBoy · ‎2020-04-22

Pretty sure that behavior is "by design."
When an object is created in Ansible, it is assumed that Ansible will control its existence and configuration.
When a pre-existing object is merely manipulated by Ansible, it's not possible for Ansible to know whether it should make a destructive change or not because it may have been modified by a human.

Arenaos · ‎2020-08-05

Hi @Sannet, sorry to dig up the topic.. I'am having the same issue and the only way to modify object in group for me, is using cp_mgmt_group with the present state and the members already existing in the group minus the object i don't want anymore... Is there any other solution ? More efficient ones ?

PhoneBoy · ‎2020-08-05

Again, by design.
There is no explicit "delete" command in Ansible, there is only adding and removing from the playbook and rerunning the playbook.

Arenaos · ‎2020-08-06

@PhoneBoy, thanks for your answer. Is there a will in the futur to make it work with a delete command ? Also, I think there is a way through the Smart Console API to do it ? Right ?

Our compagny have thousands of objects and thousands of groups, so i assume if i do the trick with ansible it will impact all the rules with these groups... This is not a solution for us 😕

Gary

PhoneBoy · ‎2020-08-06

Yes, it is possible to issue a delete command from the API and SmartConsole.

Ansible operates under the assumption it is entirely responsible for creating/removing the relevant infrastructure and configuration.
A direct "delete" operation from Ansible, therefore, doesn't make a lot of sense.

Luis_Miguel_Mig · ‎2021-08-20

I don't understand why there is not an api and ansible command to delete a specific host from an specific group.
It is quite a limitation

PhoneBoy · ‎2021-08-20

Those kinds of operations are not consistent with the Ansible philosophy, which is why we do not provide them.
I provide a more detailed answer here:
https://community.checkpoint.com/t5/Ansible/Ansible-Add-Host-Object-to-Existing-Network-Group/m-p/12...

Are you a member of CheckMates?

Ansible: Remove Host object from Group