topic Re: Question: "Ansible Module" for Checkpoint Managment server R80.10 in Ansible

Question: "Ansible Module" for Checkpoint Managment server R80.10

Amit_Chaubey — Sat, 15 Sep 2018 20:22:51 GMT

Hi,

I am creating an "Ansible Module" for Checkpoint Managment server R80.10, I am looking for two solutions

1. How to add any Gateway in the Management server.

2. How to define an instance as the management server, and SIC key for gateways.I know there is a solution is available by using mgmt_cli but in that commands run in expert mode and how I can configure first Expert mode password? I am using bash to define instance as a gateway,

my_user_data: |
#!/bin/bash
clish -c 'set user admin shell /bin/bash' -s
clish -c 'set static-route {{ aws_lb1_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
config_system -s 'install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key=vpn12345';shutdown -r now;

Is there any Ansible module available for this?

Any help would be highly appreciated.

Thank you,

Amit Chaubey

Re: Question: "Ansible Module" for Checkpoint Managment server R80.10

PhoneBoy — Sun, 16 Sep 2018 04:47:24 GMT

The demos here create gateways with an Ansible playbook: CheckMates_Aug15_Demos.zip

But now that I think about it, the gateways here are actually being created (and SICed) using the CloudGuard/vSEC controller.
However, as I pointed to in your other post, it should be possible to make the appropriate API calls to create the gateway.

Establishing the SIC is a different matter, but this can be done on the CLI of the management like so:

push_cert –s Cust_CMA –u admin –p adminpw –o examplegw –k test123

You can use the run-script API to call this from Ansible.

how to use the web api to run the run-script‌

The only thing you can do on the gateway as far as establishing management communication is using the initial SIC password.

When the gateway is created in the management and SIC is established, certificates are generated that are used for communication.

You can't really say "only accept a SIC connection from X host" beforehand.

Setting the expert password is a clish command.

In your user_data script, you'd include a command like:

clish -c 'set expert-password-hash yourhash' -s

where yourhash is computed with openssl passwd -1

Re: Question: "Ansible Module" for Checkpoint Managment server R80.10

Amit_Chaubey — Tue, 18 Sep 2018 09:31:30 GMT

Hi Dameon,

Thank you for sharing the information.

About adding getaway to the management server, I have tried below command and after supplied the username/password of the management server it worked. but I think it can't be used in my user data file for the management server, right? if yes, then is there any way to add this task in user data file?

mgmt_cli add simple-gateway name "gw1" color "yellow" ipv4 -address "192.0.2.230" version "R80" one-time-password "aaaa" firewall true vpn true application-control true url-filtering true ips true anti-bot true anti-vir us true threat-emulation true interfaces.1.name "eth0" interfaces.1.ipv4-address "192.0.2.230" interfaces.1.ipv4-network-mask "255.255.255.128" interfaces.1.ant i-spoofing true interfaces.1.topology "EXTERNAL" interfaces.2.name "eth1" interf aces.2.ipv4-address "192.0.2.88" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.anti-spoofing true interfaces.2.topology "INTERNAL" --version 1.1
Username: ****
Password:********

I have also triedby usinCheckMates_Aug15_Demos.zip , and tried using available ansible playbook(R80_CreateGateway.yml) to accomplished this, and end up with below error,

PLAY [localhost] ****************************************************************************************************************************************************************

TASK [Wait up to 300 seconds for SIC port 18211 to Open] ************************************************************************************************************************
skipping: [localhost]

TASK [login] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [Create SimpleGateway GW01 at 10.107.240.76] *******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Command 'add-simple-gateway {u'one-time-password': u'vpn12345', u'name': u'GW01', u'color': u'blue', u'interfaces': [{u'ipv4-network-mask': u'255.255.255.0', u'anti-spoofing': u'true', u'ipv4-address': u'10.107.240.76', u'name': u'eth0', u'topology': u'External'}], u'ips': u'true', u'version': u'R80.10', u'ipv4-address': u'10.107.240.76', u'firewall': u'true'}' failed with error message: APIResponse received a response which is not a valid JSON.. All changes are discarded and the session is invalidated."}
[WARNING]: Could not create retry file '/etc/ansible/cpAnsible/Playbooks/CreateGateway.retry'. [Errno 13] Permission denied:
u'/etc/ansible/cpAnsible/Playbooks/CreateGateway.retry'

PLAY RECAP **********************************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1

Re: Question: "Ansible Module" for Checkpoint Managment server R80.10

PhoneBoy — Tue, 18 Sep 2018 13:20:02 GMT

If you're using the command on the CLI and logged into the Security Management server, you can simply add an -r true to the comamnd and then you don't need credentials

Also, after creating the gateway, don't forget to publish the session as the gateway (or any other changes) won't show up unless you do that.

As to why the playbook isn't creating a gateway... Ryan Darst‌ any ideas?

Re: Question: "Ansible Module" for Checkpoint Managment server R80.10

Ryan_Darst — Tue, 18 Sep 2018 13:29:05 GMT

Was the gateway up and running when the add-gateway command was run? I see that the wait for the SIC port was canceled/skipped. This check is used to verify that the gateway is up and running, reachable and listening on port 18211. Once this is verified the api call can be made to add the gateway via the API.

To see the error that the API sent, look on the R80 Management server in $FWDIR/log/api.elg and look for this transaction and see what the error shows and it should point you in the right direction.