CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script against

Kim_Moberg — Fri, 03 May 2024 05:04:05 GMT

We have been using CP CME for a couple of years and I have been looking into what can be done smarter.

When we make changes to autoprovision.json via cmd autoprov-cfg it triggers an update/redeplyment on Cloudguards in our VMSS Scale Sets.

For example update / redeploying could be to add new log servers it will also trigger running the attached custom gateway script.

With the custom gateway script we might be setting banner for compliance purposes or time servers and DNS etc..

What we have added are also RADIUS authentication and that is were the problem happens.

When the script runs on the running VMSS Scale Sets Gloudguards the RADIUS breaks the run-script.

The error is:

WARNING Please make sure you do not configure the same user names on this RADIUS server and locally
WARNING Please make sure you do not configure the same user names on this RADIUS server and locally
GAIA0101 Host already exist

Error exception are shown in below output.

################################ output from cme.log ######################################

2024-05-01 13:59:56,774 CME_SERVICE INFO Running script: "/bin/cg-azsea-script.sh " on target: SEATST

2024-05-01 14:00:07,043 CME_SERVICE INFO Resetting gateway SEATST
2024-05-01 14:00:07,121 CME_SERVICE INFO Deleting objects for gateway: SEATST-
2024-05-01 14:00:07,121 CME_SERVICE INFO Deleting objects with Policy Destructor Network Group
2024-05-01 14:00:11,445 CME_SERVICE INFO Gateway instance SEATST was removed successfully from CME_SEATST network group
2024-05-01 14:00:11,446 CME_SERVICE ERROR Failed to provision the Security Gateway instance SEATST
2024-05-01 14:00:11,462 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1124, in run_post_customize instance.name)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1066, in run_custom_gateway_script put_file_dict=put_file_dict)
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 275, in run_script
response = self(CPMCommand.RUN_SCRIPT, body).get(
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 178, in __call__
silent=silent)
File "/opt/CPcme/cp_handlers/mgmt_api_handler.py", line 245, in __call__
CMEExceptionCodes.MGMT_API, command=command)
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed with command: run-script
Payload: {'script-name': '/bin/cg-azsea-script.sh ', 'script': '/bin/cg-azsea-script.sh ', 'targets': ['SEATST']}
Error details: WARNING Please make sure you do not configure the same user names on this RADIUS server and locally, WARNING Please make sure you do not configure the same user name
s on this RA...

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 533, in sync
is_setup_gw_succeed = management.autoprovision_handler.set_gateway(instance, gw, auto_hf)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1473, in set_gateway
self.provision_gateway(instance, gw, auto_hf, gw_tags, simple_gateway)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 2857, in provision_gateway
self.run_post_customize(instance=instance, gw=gw, gw_tags=gw_tags)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1133, in run_post_customize
raise Exception(f'post-customize gateway failed: {str(e)}')
Exception: post-customize gateway failed: Error Code: Management API error

################################ output from cme.log ######################################

How can this be solved? I have added the script as an attachment

Re: CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script agai

Shay_Levin — Sun, 12 May 2024 15:24:40 GMT

Hello Kim,

Based on my examination of the SR, we suspect the problem lies within the script due to an erroneous in the management API call.

Needs to verify that the script run successfully when invoked from the management using mgmt_cli run-script.

Re: CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script agai

Kim_Moberg — Mon, 13 May 2024 09:19:34 GMT

Hello Shay,

I can also see mgmt api call generate an error but I do now run any Mgmt CLI commands via the script in itself.

If I run the script directly on the gateway I do not get the error other than standard RADIUS warning.

Basically my impression is a pure error handling of such condition and if we any one working on with cloudguards and using custom gateways script might have an experienced similar issue, or am I wrong here?

topic CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script against in Cloud Firewall

CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script against

Re: CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script agai

Re: CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script agai