This Ansible collection provides control over a Check Point Management server using Check Point's web-services APIs.
The Ansible Check Point modules reference can be found here:
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/index.html#plugins-in-check-point-mgmt
Note - look only at the cp_mgmt_* modules, because the checkpoint_* modules will be deprecated.
This is the repository of the mgmt collection which can be found here - https://galaxy.ansible.com/check_point/mgmt
Run ansible-galaxy collection install check_point.mgmt
- Ansible 2.9+ is required.
- The Check Point server should be using the versions detailed in this SK: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk114661
- The Check Point server should be open for API communication from the Ansible server. Open SmartConsole and check "Manage & Settings > Blades > Management API > Advanced settings".
1. Edit the hosts file so that it contains a section similar to this one:
[check_point]
%CHECK_POINT_MANAGEMENT_SERVER_IP%
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=%CHECK_POINT_MANAGEMENT_SERVER_USER%
ansible_password=%CHECK_POINT_MANAGEMENT_SERVER_PASSWORD%
ansible_network_os=check_point.mgmt.checkpoint
Note - If you want to run against Ansible version 2.9 instead of the collection, just replace ansible_network_os=check_point.mgmt.checkpoint with ansible_network_os=checkpoint
2. Run a playbook:
ansible-playbook your_ansible_playbook.yml
or
Run a playbook in "check mode":
ansible-playbook -C your_ansible_playbook.yml
Example playbook:
---
- name: playbook name
  hosts: check_point
  connection: httpapi
  tasks:
    - name: task to have network
      check_point.mgmt.cp_mgmt_network:
        name: "network name"
        subnet: "4.1.76.0"
        mask_length: 24
        auto_publish_session: true
  vars:
    ansible_checkpoint_domain: "SMC User"
Note - If you want to run against Ansible version 2.9 instead of the collection, just replace check_point.mgmt.cp_mgmt_network with cp_mgmt_network
- Because this Ansible module controls the management server remotely via the web API, the Ansible server needs to have access to the Check Point API server. Open SmartConsole, navigate to "Manage & Settings > Blades > Management API > Advanced settings" and check the API server's accessibility setting.
- Ansible has a feature called "Check Mode" that enables you to test the changes without actually changing anything.
- The login and logout happens automatically.
- If you want to log in to a specific domain, change the value of ansible_checkpoint_domain in the vars section of the playbook above to the domain name.
- There are two ways to publish changes:
a. Set auto_publish_session to true as displayed in the example playbook above. This option will publish only the task to which this parameter belongs.
b. Add a task that uses the cp_mgmt_publish module. This option will publish all the tasks above this task.
- Check Point recommends using this collection over the modules of Ansible version 2.9.
- If you still want to use Ansible version 2.9 instead of this collection (not recommended):
a. In the hosts file replace ansible_network_os=check_point.mgmt.checkpoint with ansible_network_os=checkpoint
b. In the task in the playbook replace the module check_point.mgmt.cp_mgmt_* with the module cp_mgmt_*
- Starting from version 1.0.6, when running a command which returns a task-id and the user chooses to wait for that task to finish (the default is to wait), the output of the command will be the output of the show-task command instead of the task-id.
This collection is tested with the most current Ansible releases. Ansible versions from 2.15.0 and above are supported.
For reporting issues or requesting enhancements, please open a GitHub issue.
https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection/blob/master/CHANGELOG.rst
For further information please see - https://support.checkpoint.com/results/sk/sk114661
Apache-2.0 license