Check Point Automation workshop at CPX 2025, allowing engineers to get hands-on experience with the Check Point Management API and its integration with Terraform and Ansible.
Environment information. The environment includes a DevSecOps workstation (this virtual machine, Windows Client) with the Microsoft Visual Studio Code IDE installed, which remotely accesses the orchestration server (orchestrator virtual machine) to edit the IaC templates and run automation tasks.
The automation tools used in the workshop (Terraform and Ansible) run on the orchestration server and translate high-level orchestration tasks into low-level REST API requests sent to the endpoints exposed by the Check Point Quantum R82 Management virtual machine.
The result of the automation operations will be verified in the Quantum Security Management Web SmartConsole, accessed from the browser installed on Windows Client (this VM).
- Open the provided link and go to the “Windows Client” tab. You will be presented with the Visual Studio Code IDE already launched.
- On "Windows Client" click on "Reload Window" to allow Visual Studio Code to reconnect to the Orchestration Server.
- Follow the instructions in the README.md that is open in Visual Studio Code.
- In this environment the login information is stored in these environment variables:
  - CHECKPOINT_API_KEY
  - CHECKPOINT_SERVER
- Verify that the environment variables contain the necessary values by executing the following commands in a Visual Studio Code terminal session connected to the orchestration server:
printenv CHECKPOINT_API_KEY
printenv CHECKPOINT_SERVER
- Use the Microsoft Edge browser to access the management server Web SmartConsole with the "admin/Cpwins1!" credentials.
In case the following error message appears: “Web SmartConsole service is not available”, this is because Web SmartConsole was updated to a newer version; just reload the webpage and accept the new certificate to proceed.
Review the current policy packages and verify that there are no host objects in the objects pane on the right side of SmartConsole.
- Review the main.tf Terraform configuration file. As you can see, we have defined two aliases for the provider configuration, allowing us to log in to different domains in the management server in one Terraform run.
- The code block
module "admins" {
points to the folder system-data containing the Terraform configuration to create an administrator.
- The code block
module "policy" {
points to the folder policy containing the Terraform configuration to create the Security Policy.
- In the checkpoint_management_publish code blocks you can see that the publish is configured to trigger when there is a configuration change to the files in the folders system-data and policy, and that it is also forced to run on terraform destroy actions.
- The command below opens the ~/CPX-2025-automation-ws/01-terraform/main.tf file in Visual Studio Code:
code ~/CPX-2025-automation-ws/01-terraform/main.tf
- Review the admins.tf Terraform configuration file, in particular the code block that creates an administrator.
The command below opens the file ~/CPX-2025-automation-ws/01-terraform/system-data/admins.tf in Visual Studio Code:
code ~/CPX-2025-automation-ws/01-terraform/system-data/admins.tf
- Review the hosts.tf Terraform configuration file, in particular the code block that adds host objects to the security configuration.
The command below opens the file ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf in Visual Studio Code:
code ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf
You are now ready to deploy the policy using Terraform.
- Change to the 01-terraform folder
cd ~/CPX-2025-automation-ws/01-terraform
- Run
terraform init
to download the provider and initialize the corresponding modules.
- Run
terraform apply
and look at the plan and the 33 changes that will be made.
- Accept by answering yes.
- Run
terraform apply
again and see that no changes will be made, since your security infrastructure matches your configuration.
You should see the following:
- Open the hosts.tf Terraform configuration file in Visual Studio Code and change the color of the host object azure_lb_health_check to red.
The command below opens the file ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf in Visual Studio Code:
code ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf
- Save the changes to the file by pressing
ctrl+s
- Run
terraform apply
and look at the plan; try to understand what changes Terraform will make.
- Accept by answering yes.
- Go to Web SmartConsole ("admin/Cpwins1!") and see whether the color of the host object has changed.
- Open the hosts.tf Terraform configuration file and remove the code block for the resource "azurelbhealthcheck".
The command below opens the file ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf in Visual Studio Code:
code ~/CPX-2025-automation-ws/01-terraform/policy/hosts.tf
- Save the changes to the file by pressing
ctrl+s
- Run
terraform apply
and look at the plan; try to understand what changes Terraform will make.
- Accept by answering yes.
- Go to Web SmartConsole ("admin/Cpwins1!") and verify that the host object has been removed.
Done: Go to the next lab in the 02-ansible folder by executing this command:
cd ~/CPX-2025-automation-ws/02-ansible/
Install the Gaia collection with this command:
ansible-galaxy collection install check_point.gaia
R82 introduced a new Dynamic Layer in the Access Control policy to assist customers with highly automated network environments. This policy layer serves as a container for rules created directly on the Security Gateway using the Gaia API call "set-dynamic-content", catering to environments where provisioning, configuration and other IT processes are regularly managed through APIs or Infrastructure as Code.
The Dynamic Layer works as a container for rules that you configure on the Security Gateway. In our case you fill this container with rules using the "cp_gaia_dynamic_content" Ansible module, instructing Ansible to update the Security Gateway directly.
For your convenience and to save time, a dynamic layer named "GW1 Dynamic Layer" is already created and applied as an inline layer to the policy package gw1-policy-package.
This policy is already installed on GW1.
- Open a command prompt on the Windows client and try to ping Google DNS at 8.8.8.8. As you can see, you are not able to reach the server since there is no rule in place accepting the traffic.
- Fill the Dynamic Layer with rules and objects from the playbook dynamic-Layer.yml via Ansible using the following command:
ansible-playbook dynamic-Layer.yml -i inventory.yml
- While Ansible is working you can open the two files used in this process to review them:
  - dynamic-Layer.yml - This is the playbook containing the task that executes the cp_gaia_dynamic_content module.
  - GW1-Dynamic-Layer.json - This is the JSON-structured file containing the objects and rules we want to fill the dynamic layer with.
- You should now be able to ping Google DNS at 8.8.8.8.
- There will be a log entry showing that this traffic has been accepted by the access rule named "Allow ICMP from Windows Client" in the layer named "GW1 Dynamic Layer".
- In the same way as changes are audited when editing the policy on the management server, you can see in the same audit log the changes that were made to the dynamic layer over the API towards the Security Gateway.
Install the Management collection with this command:
ansible-galaxy collection install check_point.mgmt
If you get a notification that "Nothing to do. All requested collections are already installed", run the install of the collection again using --force:
ansible-galaxy collection install check_point.mgmt --force
You are now ready to deploy and maintain an enterprise policy using Ansible.
- Review inventory.yml; as you can see, we are using the environment variables to authenticate.
The command below opens the ~/CPX-2025-automation-ws/02-ansible/inventory.yml file in Visual Studio Code:
code ~/CPX-2025-automation-ws/02-ansible/inventory.yml
- Deploy an enterprise policy from the playbook demo-policy-playbook.yml via Ansible using the following command:
ansible-playbook demo-policy-playbook.yml -i inventory.yml
- In order to save some time, we will continue to Task 4 while the enterprise policy is being built.
To save some time we will use another playbook file so as not to run through all the tasks again.
- Open a new terminal in Visual Studio Code by clicking on the + sign in the lower right corner of VS Code.
- Go to the 02-ansible folder by executing this command:
cd ~/CPX-2025-automation-ws/02-ansible/
- Open the file myobjects/main.yml and review the code in there.
The command below opens the ~/CPX-2025-automation-ws/02-ansible/myobjects/main.yml file in Visual Studio Code:
code ~/CPX-2025-automation-ws/02-ansible/myobjects/main.yml
In the example we are creating a VPN community of type meshed with color red:
- name: add-vpn-community-meshed
  cp_mgmt_vpn_community_meshed:
    name: Jims VPN Community by Ansible
    state: present
    color: red
    encryption_method: prefer ikev2 but support ikev1
    encryption_suite: custom
    ike_phase_1:
      data_integrity: sha1
      diffie_hellman_group: group-19
      encryption_algorithm: aes-128
    ike_phase_2:
      data_integrity: aes-xcbc
      encryption_algorithm: aes-gcm-128
    auto_publish_session: true
Note
auto_publish_session: true
will publish the changes for this task when it is executed.
- Save the changes to the file by pressing
ctrl+s
- Run the playbook myobject-playbook.yml:
ansible-playbook myobject-playbook.yml -i inventory.yml
In the terminal window monitor the execution of the playbook. Note the order in which the objects in the IaC files are deployed.
What do you think will happen if you interrupt the execution of the playbook and re-run it?
- Re-run the playbook myobject-playbook.yml; you will see that the modules are idempotent. Since your Ansible code (desired state) is equal to reality (current state), no change is made and Ansible responds with ok.
ansible-playbook myobject-playbook.yml -i inventory.yml
Note
A request method is considered idempotent if the intended effect on the server of multiple identical requests with that method is the same as the effect of a single such request.
- Change the color to
color: sea green
for the object in myobjects/main.yml.
- Save the changes to the file by pressing
ctrl+s
- Re-run the playbook and notice that the status reported for the task is "changed: [R82mgmt]".
ansible-playbook myobject-playbook.yml -i inventory.yml
- Go to Web SmartConsole ("admin/Cpwins1!") and see the changes applied by Ansible.
- Set the state of the object in myobjects/main.yml to absent:
state: absent
- Re-run the playbook myobject-playbook.yml:
ansible-playbook myobject-playbook.yml -i inventory.yml
- Go to Web SmartConsole ("admin/Cpwins1!") and check what happened to your object.
What does
state: absent
mean?
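To make the behaviour seen in the last few steps (ok on a re-run, changed after editing the color, removal with state: absent, and a publish only when something changed, as with the checkpoint_management_publish triggers in the Terraform lab) concrete, here is an added example that is not part of the workshop repository: a small desired-state reconciler in Python that issues the same Management API commands (show-host, add-host, set-host, delete-host, publish) that the Terraform provider and the cp_mgmt_* Ansible modules send under the hood. FakeMgmtApi, the host IP address and the run at the bottom are constructed for the example; only the command names and the not-found error code are the real API's.

```python
# Added example (not the workshop's code): desired-state reconciliation via the
# same Management API calls (show/add/set/delete, publish) the tools send underneath.
# FakeMgmtApi is a constructed in-memory stand-in for https://<server>/web_api.
NOT_FOUND = "generic_err_object_not_found"   # error code the real API returns

class FakeMgmtApi:
    """Constructed mock of the management server: no network, no login."""
    def __init__(self):
        self.hosts = {}      # name -> host object as the server stores it
        self.published = 0   # number of publish calls (one per changed run)

    def call(self, command, payload):
        name = payload.get("name")
        if command == "show-host":
            return dict(self.hosts[name]) if name in self.hosts else {"code": NOT_FOUND}
        if command == "add-host":
            self.hosts[name] = dict(payload)
        elif command == "set-host":
            self.hosts[name].update(payload)
        elif command == "delete-host":
            del self.hosts[name]
        elif command == "publish":
            self.published += 1
        return {}

def ensure_host(api, desired, state="present"):
    """Reconcile one host; return 'changed' or 'ok' like an Ansible task result."""
    current = api.call("show-host", {"name": desired["name"]})
    exists = current.get("code") != NOT_FOUND
    if state == "absent":                      # state: absent -> delete if present
        if not exists:
            return "ok"
        api.call("delete-host", {"name": desired["name"]})
        return "changed"
    if not exists:                             # object missing -> add it
        api.call("add-host", desired)
        return "changed"
    diff = {k: v for k, v in desired.items() if current.get(k) != v}
    if not diff:                               # desired == current: idempotent
        return "ok"
    api.call("set-host", {"name": desired["name"], **diff})   # send only the delta
    return "changed"

def apply(api, hosts, state="present"):
    """Reconcile all hosts, then publish once, and only if something changed."""
    results = [ensure_host(api, h, state) for h in hosts]
    if "changed" in results:
        api.call("publish", {})
    return results
```

Running apply twice with the same host returns ["changed"] then ["ok"] with a single publish; changing only the color sends a set-host carrying just that field, and state="absent" deletes the object and publishes again.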
- Use the browser to go to Web SmartConsole ("admin/Cpwins1!") and see the changes applied by Ansible.
You should see new gateways as well as a Branch Office and a Corporate policy, similar to SmartConsole demo mode:
Done: If you have some spare time you can go to https://galaxy.ansible.com/ui/namespaces/check_point/, pick an example from the management collection list and try to create that object with Ansible, or make some changes to your Terraform configuration to see what happens.
- Self-Managed Security Gateways
- sk121360 - Check Point APIs homepage
- Check Point API Reference Guide
- Check Point AI Copilot
- Check Point Management Terraform Provider
- Check Point Ansible collections
- GitHub - Check Point Software Technologies Ltd.
- GitHub - Check Point CheckMates Community
- CheckMates - API / CLI Discussion
- CheckMates - Ansible Discussion
- Check Point Smart-1 Cloud
- GitHub Codespaces
- VS Code