topic Re: "Checkpoint device returned error 404 with message" when installing policy through Ans in Ansible

"Checkpoint device returned error 404 with message" when installing policy through Ansible

Hash1 — Wed, 10 Mar 2021 13:18:31 GMT

I have created some scripts to run when we need to install a policy based on their name.
Let's say we have a policy called "Birds" and other "Reptiles".

I have pretty much the same script for Birds and Reptiles, check the diff:

root@server:/path/to/whatever$ diff policy_Birds.yml policy_Reptiles.yml 2c2 < - name: Policy Birds --- > - name: Policy Reptiles 9c9 < policy_package: Birds --- > policy_package: Reptiles 18,20c18,20 < to: hello@email.com < subject: "Playbook: Birds FAILED" < body: "Policy Birds Failed" --- > to: hello2@email.com > subject: "Playbook: Reptiles FAILED" > body: "Policy Reptiles Failed"

But when I run the Reptiles yml I get

fatal: [IP]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found', 'message': 'Requested object [bda64744-c5bf-42f7-b052-36d1aa5757db] not found'} Unpublished changes were discarded"}

This doesn't happen to Birds.
I triple checked all the names, mainly at "policy_package" to see If I didn't mistyped something. But I'd like to say that it used to work a week prior to that. The only change is that we changed the apiuser on the firewall. From a local created account to a RADIUS account.

Here are some of the "codes and configs" we are using:

cat policy_Birds.yml --- - name: Policy Birds hosts: check_point connection: httpapi tasks: - name: Something check_point.mgmt.cp_mgmt_install_policy: access: true policy_package: Birds threat_prevention: true ignore_errors: True register: result - name: mail result mail: host: smtp.server.goes.here port: 25 from: ansible@domain to: hello@email.com subject: "Birds FAILED" body: "Something something.. not relevant" delegate_to: localhost when: result is failed

Command being used to run

ansible-playbook -i hosts --vault-id checkpoint@ansible-vault policy_Birds.yml -vvv Or policy_Reptiles.yml

Hosts

ansible-vault view --vault-id checkpoint@ansible-vault hosts [check_point] IP [check_point:vars] ansible_httpapi_use_ssl=True ansible_httpapi_validate_certs=False ansible_user=RADIUS_USER ansible_password=ULTRASECRETPASSWORD ansible_network_os=check_point.mgmt.checkpoint

Ansible Version:

ansible --version ansible 2.9.16 config file = /etc/ansible/ansible.cfg configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules'] ansible python module location = /usr/lib/python3.6/site-packages/ansible executable location = /bin/ansible python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

Said error:

TASK [taskname] ******************************************************* fatal: [IP]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found', 'message': 'Requested object [bda64744-c5bf-42f7-b052-36d1aa5757db] not found'} Unpublished changes were discarded"} ...ignoring

Working on the other guy:

TASK [Instalar politica] ******************************************************* changed: [IP]

Permissions:

-rw-rw-r--. 1 root root 708 Mar 10 09:43 policy_Birds.yml -rw-rw-r--. 1 root root 719 Jul 24 2020 policy_Reptiles.yml -rw-rw-r--. 1 root root 607 Mar 9 15:47 verify_Internet.yml

cpinfo -y all:

cpinfo -y all This is Check Point CPinfo Build 914000202 for GAIA [IDA] No hotfixes.. [CPFC] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [MGMT] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [FW1] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 FW1 build number: This is Check Point Security Management Server R80.30 - Build 031 This is Check Point's software version R80.30 - Build 205 [SecurePlatform] HOTFIX_GOGO_LT_HEAT_JHF Take: 215 [CPinfo] No hotfixes.. [DIAG] No hotfixes.. [Reporting Module] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [CPuepm] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [VSEC] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [SmartLog] HOTFIX_R80_30_JUMBO_HF_MAIN Take: 215 [R7520CMP] No hotfixes.. [R7540CMP] No hotfixes.. [R76CMP] HOTFIX_R80_30_JHF_COMP Take: 215 [SFWR77CMP] No hotfixes.. [R77CMP] HOTFIX_R80_30_JHF_COMP Take: 215 [R75CMP] No hotfixes.. [NGXCMP] No hotfixes.. [EdgeCmp] No hotfixes.. [SFWCMP] No hotfixes.. [FLICMP] No hotfixes.. [SFWR75CMP] No hotfixes.. [MGMTAPI] No hotfixes.. [CPUpdates] BUNDLE_HCP_AUTOUPDATE Take: 24 BUNDLE_INFRA_AUTOUPDATE Take: 39 BUNDLE_DEP_INSTALLER_AUTOUPDATE Take: 20 BUNDLE_R80_30_JUMBO_HF_MAIN_gogoKernel Take: 215 [SFWR80CMP] No hotfixes.. [CPDepInst] No hotfixes.. [AutoUpdater] No hotfixes.. [hcp_wrapper] HOTFIX_HCP_AUTOUPDATE

Oh yeah, I almost forgot. I even made a new script to verify policy on Reptiles (the one with problem) And it DID work:

cat verify_Reptiles.yml --- - name: Verify Reptiles hosts: check_point connection: httpapi tasks: - name: verify-policy cp_mgmt_verify_policy: policy_package: Reptiles register: result

That's it. HELPPPPP

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

PhoneBoy — Sat, 13 Mar 2021 00:02:30 GMT

Your playbooks are missing a target for install policy--something required for a policy installation.
It needs to be one or more gateway objects.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

the_rock — Sat, 13 Mar 2021 10:56:53 GMT

Phoneboy makes very legit point...seems like indeed you are missing a policy install target, hence why it fails.

Andy

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Mon, 15 Mar 2021 14:17:20 GMT

That does not explain how installing policy on Birds works just fine.

I will try it at night today and let you know how it went.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Tue, 16 Mar 2021 13:32:07 GMT

myuser@ansible-server:/path/to/script$ ls -la | grep _new -rw-rw-r--. 1 root root 732 Mar 15 19:33 install_reptiles_new.yml

myuser@ansible-server:/path/to/script $ cat install_reptiles_new.yml --- - name: Internet hosts: check_point connection: httpapi tasks: - name: Install Reptiles check_point.mgmt.cp_mgmt_install_policy: access: true policy_package: Reptiles targets: - 255.255.255.255 threat_prevention: false ignore_errors: true register: result

Of course the target IP is not 255 and so on, I just used the Cluster IP. This is the IP that shows on SmartConsole, yada yada.
Same error.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Tue, 16 Mar 2021 13:32:31 GMT

Please refer to my answer to Phoneboy.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

PhoneBoy — Tue, 16 Mar 2021 16:43:32 GMT

Use the gateway/cluster name (not IP address).

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Tue, 16 Mar 2021 19:54:53 GMT

myuser@ansible-server:/path/to/script $ cat install_reptiles_new.yml --- - name: Internet hosts: check_point connection: httpapi tasks: - name: Install Reptiles check_point.mgmt.cp_mgmt_install_policy: access: true policy_package: Reptiles targets: - Reptiles threat_prevention: false ignore_errors: true register: result

I get

"msg": "Checkpoint device returned error 400 with message {'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [targets]. Input installation target [Reptiles] does not exist, or is not an installable target'} Unpublished changes were discarded" }

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

PhoneBoy — Tue, 16 Mar 2021 23:22:15 GMT

You need to use the name of the gateway/cluster object the policy package is to be installed on.
If this is what you've done, I recommend engaging with the TAC.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Wed, 17 Mar 2021 12:20:55 GMT

I'll be contacting CP through the TAC.
I have a quick question, how do I check the UID of my policy?

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

PhoneBoy — Wed, 17 Mar 2021 20:16:37 GMT

It comes as part of the output of "show policy-package name Foobar" command.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Bob_Zimmerman — Wed, 17 Mar 2021 20:32:14 GMT

This may be a silly question, but can you find any references to bda64744-c5bf-42f7-b052-36d1aa5757db in the problem policy? Based on the error, it sounds like something in the problem policy is trying (and failing) to reference it, and nothing in the working policy references it.

I would dump all of your groups and groups-with-exclusions, as well as all of the access rules in every layer and all of the NAT rules in the policy package, then search the resulting data for that UUID. It may also be worth looking for the UUID in $FWDIR/log/api.elg* to see if you can find the API request triggering the failure.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Thu, 18 Mar 2021 12:58:28 GMT

show package name Reptiles
Worked for me. I got the UID and tested with verify. Will test at night an install using the UID as a target. Meanwhile our partner is engaging with a TAC for us.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Thu, 18 Mar 2021 14:18:24 GMT

What is the best way or how can I dump all groups, acess rules, NATs to try to find that UID?

I was unable to find any api.elg in $FWDIR/log/.
Edit: Was looking at the wrong direction. All I managed to find was when it first started pretty much.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Bob_Zimmerman — Thu, 18 Mar 2021 15:33:25 GMT

This should work for groups:

( apiCommand="show groups" mgmt_cli login read-only true -r true > sessionFile.txt firstJSON=$(mgmt_cli -s sessionFile.txt --format json ${apiCommand} details-level full limit 500) echo "${firstJSON}" | jq -c '.objects[]|.' numberOfObjects=$(echo "${firstJSON}" | jq ".total") offset=500 echo "${numberOfObjects} objects to export." >&2 while [ $offset -lt $numberOfObjects ] do echo "Exporting up to $(($offset+500))" >&2 mgmt_cli -s sessionFile.txt --format json ${apiCommand} details-level full limit 500 offset ${offset} | jq -c '.objects[]|.' offset=$(($offset+500)) done mgmt_cli -s sessionFile.txt logout>/dev/null /bin/rm sessionFile.txt ) > output.json

The value of apiCommand in the top line and the name "output.json" in the bottom should be modified for each category of thing you want to see. I think the others you would need to use are "show groups-with-exclusion" and "show service-groups".

For the rules, I think the script above would need a little modification. apiCommand would be "show access-rulebase name <layer name>", and "show nat-rulebase package <policy package name>". If the layer name or policy package name have spaces in them, you will need to quote-delimit them. The quotes will probably need to be escaped. You will also need to change the two instances of '.objects[]|.' to '.rulebase[]|.'. I think it should work otherwise.

Once you have all the JSON files, it should be relatively simple to tell whether that UUID shows up in them:

grep bda64744-c5bf-42f7-b052-36d1aa5757db *.json

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Thu, 18 Mar 2021 18:29:14 GMT

show groups, groups-with-exclusion, service-groups scripts are working just fine.
Tested one for show access-rulebase name <layer name> with a layer that doesn't have space on it and worked. I will be creating the rest of the outputs which will take a bit of time because we have a bunch of layers. I'll be checking even for layers not related to Reptiles just to make sure.
After that will do for nat and the grep to see if we can get that weird UID that "doesn't exist".

Thanks a lot Bob! Will reply again when we're done.

Edit:I'm sorry for my ignorance, but how do I escape the quotation marks?

( apiCommand="show access-rulebase name \"layer one\"" or ( apiCommand=\"show access-rulebase name "layer one"\" Doesn't seem to work.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Bob_Zimmerman — Thu, 18 Mar 2021 18:45:45 GMT

This should work and may be the easiest fix:

( apiCommand='show access-rulebase name "layer one"'

To be clear, I'm not sure the reference will show up. I just find it really, really weird that the actual error message you're getting when you try to install the policy says it can't find a particular UUID. Where is that UUID coming from? As far as I'm aware, Ansible shouldn't just be making up UUIDs and asking for data about them, so surely it must come from somewhere in the Check Point API server, right?

Seems like wherever it comes from will have more answers about why it comes from there, which may lead to why you can't push the policy.

Though on a related note, can you push the problem policy from SmartConsole?

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Thu, 18 Mar 2021 23:28:38 GMT

Yeah, that's how we are doing it. Installing manually with SmartConsole. And I just tried doing:

install-policy policy-package "Reptiles" access true threat-prevention true targets.1 "clustername"
and it installed with no problem.

But with

tasks: - name: Install Reptiles check_point.mgmt.cp_mgmt_install_policy: access: true policy_package: Reptiles threat_prevention: true targets: - clustername ignore_errors: True register: result

I get that same &*^*(#$#!$@# bda64744-c5bf-42f7-b052-36d1aa5757db "not found".

I will continue the scripts tomorrow to try to find this bda guy.

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Hash1 — Wed, 24 Mar 2021 12:52:41 GMT

Sorry for the late response but I'm busy this week. I'm still having trouble with all these quotes. Suggested fix didn't work. I keep getting with all tries to escape it:

Error: The parameters of show-access-rulebase command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
objects to export.
script5: line 8: [: 500: unary operator expected

Re: "Checkpoint device returned error 404 with message" when installing policy through Ans

Bob_Zimmerman — Wed, 24 Mar 2021 13:36:18 GMT

Clearly I don't remember how to keep quotes in strings in BASH. Oh well. Try this instead:

( mgmt_cli login read-only true -r true > sessionFile.txt numberOfObjects=1 offset=0 while [ $offset -lt $numberOfObjects ]; do echo "Exporting up to $(($offset+500))" >&2 jsonOutput=$(mgmt_cli -s sessionFile.txt --format json show access-rulebase name "Policy_the_Second Network" details-level full limit 500 offset ${offset}) echo "${jsonOutput}" | jq -c '.rulebase[]|.' numberOfObjects=$(echo "${jsonOutput}" | jq ".total") offset=$(($offset+500)) done mgmt_cli -s sessionFile.txt logout>/dev/null /bin/rm sessionFile.txt ) > output.json

Replace `Policy_the_Second Network` with the name of the access layer you are trying to dump. This version worked on my development SmartCenter.