Automate your management server using "Ansible"

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk114661
Technical Level
Product	Quantum Security Management
Version	R80.10 (EOL), R80.20, R80.30, R80.40, R81, R81.10
Date Created	08-Feb-2017
Last Modified	11-May-2022

Solution

This article describes how to automate your management server using "Ansible".

Ansible (www.ansible.com) is a popular automation tool.

The "Ansible Check Point Management" module lets you automate Check Point management tasks (e.g. add objects, manipulate the Rule Base, install policy) into the Ansible automation platform.

Description

Provide Ansible "playbooks" with simple access to Check Point Management APIs.

The ansible module is written in Python and its source code is available. You are welcome to review code, suggest enhancements or modify it by opening a issue or send a pull request to:
https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection

Instructions

To enable the integration, install the necessary Hotfix, based on your Management Server version:

Management Server Version	Hotfix information
R80.10	Available from R80.10 JHF take 270
R80.20	Available from R80.20 JHF take 134
R80.30	Available from R80.30 JHF take 135
R80.40 and later	Integrated. No JHF installation required.

Usage

We recommend that you download the latest Check Point management collection from Ansible Galaxy, available here: https://galaxy.ansible.com/check_point/mgmt

The Ansible inventory (for example /etc/ansible/hosts needs to contain a section similar to this:
Note - The example uses the collection from Ansible Galaxy.

[checkpoint] # Check Point Security Management server's IP address 172.27.254.10 [checkpoint:vars] # If the Gaia web portal on your Security Management server is not setup with proper CA certificates that can be verified from the Ansible server, then it is necessary to disable validation of these certificates by using the ansible_httpapi_validate_certs. To do this you need to set ansible_httpapi_validate_certs=False in your inventory.ansible_httpapi_validate_certs=False ansible_httpapi_use_ssl=True ansible_network_os=check_point.mgmt.checkpoint ansible_user=[Check Point admin username] ansible_password=[Check Point admin password]

The playbook needs to use "connection httpapi"

---
hosts: 172.27.254.10
connection: httpapi

# Add or delete host object in Check Point management server
- name: add-host or delete-host
check_point.mgmt.cp_mgmt_host:
color: red
name: My test host
ip_address: 192.168.1.1

For more information on the community supported Check Point network modules in Ansible, refer to https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/index.html#plugins-in-check-point-mgmt

Latest version of Check Point management collection for Ansible and examples

For more information and installation instructions, refer to the Read Me under: https://galaxy.ansible.com/check_point/mgmt.
The source code an be found in Check Points official GitHub account: https://github.com/CheckPointSW/CheckPointAnsibleMgmtCollection

Use case example in a playbook can be found in Check Points community GitHub account: https://github.com/CheckPointSW-Community/AnsibleFest2020-Demos

Limitations

Sensitive fields, such as vpn-community shared-secret, or lsm-gateway sic, cannot be updated via Ansible.

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating