topic Re: Gateway First-time wizard through Ansible Playbook in Ansible

Gateway First-time wizard through Ansible Playbook

Aathi — Wed, 03 Apr 2019 09:25:00 GMT

Hi Team,

I am trying to automate the gateway first time wizard through ansible .while connecting the gateway from ansible i am getting the below error.

hostfile:

Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_sudo_pass=Infy123+
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
#export ansible_user='admin'
#export ansible_ssh_pass='Infy123+'

[Gaia]
10.X.X.X ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

Playbook:

---
- hosts: Gaia
gather_facts: no
tasks:
- name: Present working directory
command: pwd
- name: to check the route
command: netstat -nr

Error:

PLAY [Gaia] ************************************************************************************************************************************************************

TASK [Present working directory] ***************************************************************************************************************************************
fatal: [10.66.40.162]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"10.66.40.162\". Make sure this host can be reached over ssh", "unreachable": true}
to retry, use: --limit @/etc/ansible/gateway.retry

PLAY RECAP *************************************************************************************************************************************************************
10.66.40.162 : ok=0 changed=0 unreachable=1 failed=0

But i am able to SSH the gateway from ansible server manually

Re: Gateway First-time wizard through Ansible Playbook

_Val_ — Wed, 03 Apr 2019 09:29:18 GMT

That won't work. FTW is supposed to be done through WebUI. To deploy a new GW through ansible, you have to add GAIA API first. Look it up here, there is a couple of costs with examples already on CheckMates

Re: Gateway First-time wizard through Ansible Playbook

Aathi — Wed, 03 Apr 2019 11:09:26 GMT

HI Valeri,

Thanks for the update.Can you help me how i have to add GAIA API .
Regards
Aathi

Re: Gateway First-time wizard through Ansible Playbook

PhoneBoy — Fri, 05 Apr 2019 16:57:24 GMT

You don't sudo on Gaia, you need to login as admin.
Also the Python included on the appliance does not contain many libraries and may not work with Ansible.

The Gaia API is here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143612
However I'm not sure it can be used to run the First Time Wizard.

Re: Gateway First-time wizard through Ansible Playbook

Aathi — Fri, 05 Apr 2019 11:34:17 GMT

Hi ,

The below mentioned script is not working for fresh gateways

---
- hosts: "{{ target }}"
gather_facts: no
connection: local
tasks:

- name: "Create config_system on the gateway"
raw: echo "config_system --config-string \"hostname={{ hostname }}&ftw_sic_key={{ sickey }}&timezone='America/New_York'&install_security_managment=false&install_mgmt_primary=false&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=false&download_info=true\" >> ftw.output & " > /home/admin/ftwstart

- name: "Change permissions"
raw: chmod 755 ftwstart

- name: "Run the FTW Setup"
command: "/bin/bash /home/admin/ftwstart"

- name: Wait until the FTW completes
wait_for:
path: /etc/.wizard_accepted
register: exists
until: exists|success
retries: 20
delay: 15

- name: Waiting for 10 seconds before reboot
pause:
seconds: 10

- name: Rebooting
command: "shutdown -r now"

I am getting the below error while executing from ansible server.

Apr 5 07:31:29 2019 Gateway01 ansible-wait_for: Invoked with active_connection_states=['ESTABLISHED', 'FIN_WAIT1', 'FIN_WAIT2', 'SYN_RECV', 'SYN_SENT', 'TIME_WAIT'] state=started connect_timeout=5 delay=0 msg=None host=127.0.0.1 sleep=1 timeout=300 exclude_hosts=None search_regex=None path=/etc/.wizard_accepted port=None

But first-time wizard already installed gateways the playbook is working fine .Kindly help on this

Re: Gateway First-time wizard through Ansible Playbook

PhoneBoy — Fri, 05 Apr 2019 16:56:19 GMT

You said that the script is not working.
Yet, at the same time, you said the First Time Wizard completed successfully.
What is the issue, exactly?

Re: Gateway First-time wizard through Ansible Playbook

Aathi — Fri, 05 Apr 2019 19:16:42 GMT

For fresh gateways it is not working. not able to configure the first time wizard using this playbook .can you help to solve the issue as i am having demo on monday.do let me know if you have any other scripts or playbook to deploy the firsttime wizard

Thanks in advance.

Re: Gateway First-time wizard through Ansible Playbook

PhoneBoy — Fri, 05 Apr 2019 21:20:18 GMT

You're doing a level of indirection in your playbook that I'm not sure you need to do.
Why aren't you just invoking config_system directly versus running it directly?

Re: Gateway First-time wizard through Ansible Playbook

Aathi — Sat, 06 Apr 2019 04:32:17 GMT

we are automating checkpoint related tasks through ansible.Please let me know whether we can automate first time wizard through ansible and if there is any other ways also please do let me know if will be more helpful.

Thanks in advance.

Re: Gateway First-time wizard through Ansible Playbook

PhoneBoy — Sat, 06 Apr 2019 17:47:40 GMT

You’re not giving any details are the starting state of these appliances, what kind of appliances these are, version of code, etc. Based on that, we might be able to provide some alternatives.

What I tried to say before (but failed) is your playbook appears to create a script on the appliance to call config_system when you could just have the playbook call config_system directly. Since the default shell (clish) does NOT support output redirection, your approach won't work. Likewise, checking for the existence of a file won't work since clish doesn't expose the filesystem.

Before you write an Ansible playbook to automate something, try to do the same steps as a human first and see if they work.

Re: Gateway First-time wizard through Ansible Playbook

_Val_ — Mon, 08 Apr 2019 09:01:23 GMT

For info about GAIA API, please start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk143612

There are also plenty of articles and demos around this topic in the community. Just look it up, user "Search all content" tool above.

Re: Gateway First-time wizard through Ansible Playbook

_Val_ — Mon, 08 Apr 2019 09:03:37 GMT

@PhoneBoy , CLI based script will not work on the fresh installation. One needs to install API first. Our CPX demo actually includes API based First Wizard GW initialisation.

The flow should be:

1. Fresh install

2. API deployment

3. Ansible config

Re: Gateway First-time wizard through Ansible Playbook

PhoneBoy — Mon, 08 Apr 2019 18:48:18 GMT

If I read his playbook correctly, he's executing config_system over SSH, which should be doable before the API is installed.

Re: Gateway First-time wizard through Ansible Playbook

_Val_ — Wed, 10 Apr 2019 08:20:01 GMT

Correct. Cause ssh on a freshly installed device does not give you bash. He needs to set up expert access or a direct bash enabled account beforehand. I was proposing an alternative which is supposed to be better for Ansible and other automation tools.

Re: Gateway First-time wizard through Ansible Playbook

Aathi — Thu, 11 Apr 2019 13:31:13 GMT

HI,

Thanks for your support for this issue. the below ansible script is working for me.

---
- hosts: Gaia
gather_facts: no
connection: local
vars_files:
- vars.yml
tasks:

- name: "Create config_system on the gateway"
command: config_system --config-string "hostname=myhost&domainname=nnm.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=false&install_security_managment=false"
ignore_unreachable: true
- name: reboot the gateway
command: shutdown -r now
- name: wait for server to come back
wait_for_connection:
timeout: 120
- name: THE FIRST-TIME WIZARD COMPLETED SUCCESSFULLY
command: uptime

Regards

Aathi