-
Notifications
You must be signed in to change notification settings - Fork 2
/
demo_playbook.yml
118 lines (109 loc) · 4.14 KB
/
demo_playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
# To Run
# Add the folllwing admin user to you test check point management server enviroment
# username: api_user
# password: vpn123
#
# Add the IP of your target to your /etc/ansible/hosts inventory file and execute:
# ansible-pull -d /tmp/ansible-pull -U https://github.com/jimoq/demo.git demo_playbook.yml -e "target=192.168.233.71" -l 192.168.233.71
# where 192.168.233.71 should be changed to the IP of your management server
#
# Or clone the repository and execute:
# ansible-playbook demo_playbook.yml -e "target=192.168.233.71" -i 192.168.233.71,
# where 192.168.233.71 should be changed to the IP of your management server
---
- name: Build Ansible demo policy automation_policy on Check Point management server {{ target }}
hosts: "{{ target }}"
connection: httpapi
vars:
# Credentials for cp_mgmt* modules and Settings for the Check Point httpapi plugin that provides methods to connect to Checkpoint devices over a HTTP(S)-based api.
ansible_httpapi_use_ssl: True
ansible_httpapi_validate_certs: False
ansible_network_os: check_point.mgmt.checkpoint #Using Galaxy https://galaxy.ansible.com/check_point collection
ansible_checkpoint_domain: SMC User # Default domain for a SMS (SmartCenter)
ansible_user: api_user # Change to your Check Point management admin user
ansible_ssh_pass: vpn123 # Change to your Check Point management admin password
#ansible_api_key: xxxxxxxxxx # Optionally you can use API key instead of username and password
gather_facts: no
tasks:
- name: Add or delete policy package
check_point.mgmt.cp_mgmt_package:
state: present
access: true
color: blue
comments: Policy automated through ansible and versioned in Git
name: automation_policy
threat_prevention: true
- name: Add, set or delete Check Point host object
check_point.mgmt.cp_mgmt_host:
state: present
name: Mail server
ip_address: 192.168.1.1
color: red
comments: my mail server host objects
- name: Add, set or delete Check Point host object
check_point.mgmt.cp_mgmt_host:
state: present
name: Web server
ip_address: 10.1.1.55
color: yellow
comments: my blue jump host object
- name: Add, set or delete Check Point host object
check_point.mgmt.cp_mgmt_host:
state: present
name: DB server
ip_address: 10.1.2.55
color: red
comments: my ubuntu host object
- name: add-group, set or delete Check Point group object
check_point.mgmt.cp_mgmt_group:
state: present
name: Ansible control node group
color: forest green
- name: add, set, or delete Check Point access rule
check_point.mgmt.cp_mgmt_access_rule:
state: present
layer: automation_policy Network
name: allow access from ansible control node
position: 1
source: Ansible control node group
destination:
- Web server
- Mail server
service:
- http
- https
- ssh
action: Accept
track:
type: log
- name: add, set, or delete Check Point access rule
check_point.mgmt.cp_mgmt_access_rule:
state: present
layer: automation_policy Network
name: allow SMTP access from any where
position: 2
destination:
- mail server
service:
- smtp
action: Accept
track:
type: log
- name: add-set-delete-threat-profile
check_point.mgmt.cp_mgmt_threat_profile:
active_protections_performance_impact: low
active_protections_severity: Low or above
anti_bot: true
anti_virus: true
confidence_level_high: Prevent
confidence_level_medium: Prevent
ips: true
ips_settings:
exclude_protection_with_performance_impact: true
exclude_protection_with_performance_impact_mode: high or lower
newly_updated_protections: staging
name: Ansible Threat Profile
state: present
threat_emulation: true
- name: Publish the changes
cp_mgmt_publish: