Nuno_Cansado1
Explorer

Ansible rules and sections

Hi all,

I know how to create sections through Ansible, but my doubt at the moment is how to assign rules to sections.

In an old version of the Check Point Ansible modules it was possible, but not now. Can someone give an example of how to do it now?

 

Cheers,

Nuno

0 Kudos
3 Replies
AlekseiShelepov
Advisor

You should use the position parameter. For example, using the Web API:

 

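  - name: Add rule - Admin access
    uri:
      url: "https://{{ inventory_hostname }}:443/web_api/add-access-rule"
      method: POST
      body_format: json
      # validate_certs: no turns off TLS certificate verification, so the
      # session ID below is sent without checking the server's identity
      validate_certs: no
      headers:
        # session ID returned by the earlier login call
        x-chkp-sid: "{{ cp_mgmt_session.json.sid }}"
      # "position" places the new rule at the bottom of the named section
      body: '{ "layer": "{{ cp_mgmt_policy }} Network", "position": { "bottom": "Administration and monitoring" }, "name": "Admin access", "service":[ "SSH", "HTTPS" ], "source": "grp_Admins", "action": "Accept", "track": "Log", "custom-fields": { "field-1": "Ansible automation {{ date }}"} }'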

 

"position": { "bottom": "Administration and monitoring" }
Administration and monitoring is the name of the section in this case.
0 Kudos
Nuno_Cansado1
Explorer

Hi Aleksei,

Thanks for the reply. I know it is possible to make those changes via the API, but the purpose of my post is to do it via the Ansible/Check Point modules. Not to mention this would require 2 extra tasks in Ansible to achieve this result (login and logout).

Kind regards,

N

0 Kudos
AlekseiShelepov
Advisor

Well, you don't have to use the URI module. I'm doing it with Ansible but without the Check Point modules. I believe the Check Point modules use the same Web API calls inside, so the position parameter should be there too. The documentation lists the parameter:

https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/checkpoint_access_rule_module.h...

And the cp_mgmt_access_rule module in https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection includes it too.

 

I decided not to use any of the Check Point modules, as the naming in their documentation was a bit confusing and they had not been updated for some time.

 

0 Kudos
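
The section placement discussed in this thread, written with the cp_mgmt_access_rule module instead of raw Web API calls. This is an added example, not code from any of the posters or from Check Point. It assumes an installed check_point.mgmt collection release whose cp_mgmt_access_rule module offers the relative_position option; the inventory group name and the layer name are constructed placeholders.

```yaml
# Added example (not from the thread). Assumption: the installed
# check_point.mgmt collection provides relative_position on
# cp_mgmt_access_rule; check the module documentation for your release.
- name: Place an access rule inside an existing section
  hosts: check_point                # hypothetical inventory group (management server)
  connection: httpapi               # the httpapi plugin handles login and logout
  gather_facts: false
  vars:
    ansible_network_os: check_point.mgmt.checkpoint
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: true    # verify the management server certificate
    # ansible_user / ansible_password are expected from inventory or Ansible Vault
    cp_layer: "Standard Network"            # constructed layer name
    cp_section: "Administration and monitoring"
  tasks:
    - name: Add rule - Admin access, at the bottom of the section
      check_point.mgmt.cp_mgmt_access_rule:
        layer: "{{ cp_layer }}"
        name: Admin access
        relative_position:
          bottom: "{{ cp_section }}"        # section name, as in the Web API body above
        source:
          - grp_Admins
        service:
          - SSH
          - HTTPS
        action: Accept
        track:
          type: Log
        auto_publish_session: true          # publish the change when the task succeeds
        state: present
```

Because the connection plugin opens and closes the management session, no separate login or logout tasks are needed, and certificate validation stays enabled for the whole play.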