This article describes how to automate your management server using "Ansible".
Ansible (www.ansible.com) is a popular automation tool.
The "Ansible Check Point Management" module lets you automate Check Point management tasks (e.g. add objects, manipulate the Rule Base, install policy) into the Ansible automation platform.
Description
Provide Ansible "playbooks" with simple access to Check Point Management APIs.
The Ansible module is written in Python and its source code is available. You are welcome to review the code, suggest enhancements or modify it by opening an issue or sending a pull request to:
https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection
Instructions
To enable the integration, install the necessary Hotfix, based on your Management Server version:
Usage
We recommend that you download the latest Check Point management collection from Ansible Galaxy, available here: https://galaxy.ansible.com/check_point/mgmt
The Ansible inventory (for example /etc/ansible/hosts) needs to contain a section similar to this:
Note - The example uses the collection from Ansible Galaxy.
[checkpoint]
# Check Point Security Management server's IP address
172.27.254.10

[checkpoint:vars]
# If the Gaia web portal on your Security Management server is not set up with proper CA certificates that can be verified from the Ansible server, then it is necessary to disable validation of these certificates by using ansible_httpapi_validate_certs. To do this you need to set ansible_httpapi_validate_certs=False in your inventory.
ansible_httpapi_validate_certs=False
ansible_httpapi_use_ssl=True
ansible_network_os=check_point.mgmt.checkpoint
ansible_user=[Check Point admin username]
ansible_password=[Check Point admin password]
The playbook needs to use "connection: httpapi":

---
- hosts: 172.27.254.10
  connection: httpapi
  tasks:
    # Add or delete host object in Check Point management server
    - name: add-host or delete-host
      check_point.mgmt.cp_mgmt_host:
        color: red
        name: My test host
        ip_address: 192.168.1.1
        state: present   # use "absent" to delete the object
For more information on the community supported Check Point network modules in Ansible, refer to https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/index.html#plugins-in-check-point-mgmt
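The following playbook is an added example (not from this article or from Check Point) that extends the host task above into the full workflow the collection supports: create the object, reference it in a rule, publish the session and install policy. It assumes an access layer named "Network", a policy package named "Standard" and a gateway object named "gw-branch-1"; replace these with the names in your own management.

```yaml
---
# Constructed example: host object -> access rule -> publish -> install policy.
# Assumed placeholders: layer "Network", package "Standard", gateway "gw-branch-1".
- hosts: checkpoint
  connection: httpapi
  gather_facts: false
  tasks:
    - name: Create (or update) the host object
      check_point.mgmt.cp_mgmt_host:
        name: web-srv-01
        ip_address: 192.168.1.10
        color: blue
        state: present

    - name: Allow HTTPS to the new host, logged, at the bottom of the layer
      check_point.mgmt.cp_mgmt_access_rule:
        layer: Network
        position: bottom
        name: allow-https-web-srv-01
        source: Any
        destination: web-srv-01
        service: https
        action: Accept
        track:
          type: Log
        state: present

    - name: Publish the session so the changes become visible to other admins
      check_point.mgmt.cp_mgmt_publish:

    - name: Install the Access Control policy on the gateway
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: Standard
        access: true
        threat_prevention: false
        targets:
          - gw-branch-1
```

Run it with `ansible-playbook -i /etc/ansible/hosts playbook.yml`; because each task uses `state: present`, re-running the playbook reports no change once the objects already match.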
Latest version of Check Point management collection for Ansible and examples
For more information and installation instructions, refer to the Read Me under: https://galaxy.ansible.com/check_point/mgmt.
The source code can be found in Check Point's official GitHub account: https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection
Use case examples in a playbook can be found in Check Point's community GitHub account: https://github.com/CheckPointSW-Community/AnsibleFest2020-Demos
Limitations
Sensitive fields, such as vpn-community shared-secret or lsm-gateway sic, cannot be updated via Ansible.