topic Error Publishing Changes with Ansible in Ansible

Error Publishing Changes with Ansible

BJ_Brooks — Fri, 26 Mar 2021 21:10:11 GMT

All,

I'm having trouble tracking down my issue publishing the changes I've made in a playbook. Playbook is below as well as inventory. I've attempted to auto_publish_session when creating the host object, I've attempted removing the vars: from the publish task and various combinations but nothing has worked. My session appears in the MDS as Disconnected after the playbook has run and shows I have 2 changes and locks. I have to manually publish from MDS (right click, publish) for the changes to be applied.

If I run the host creation task and policy install task independently, they work fine. It's only when the publish comes into play. Running in verbose mode provides no additional useful information.

Thoughts?

Error:

FAILED! => {"changed": false, "msg": "Task Publish operation with task id 01234567-7843-cdef-a872-9b93c41e3005 failed. Look at the logs for more details"}

It should be noted, I'm running MDS and 80.40 (JHF 94).

---
- hosts: cma
connection: httpapi
tasks:

- name: Create Host Object
cp_mgmt_host:
name: some-object-name
ipv4_address: 10.10.10.10
state: present
color: firebrick
comments: ChangeRequest#
ignore_warnings: yes
groups:
- Some-Group-Name

vars:
ansible_checkpoint_domain: MDS-Domain

- name: Publish Changes
cp_mgmt_publish:

vars:
ansible_checkpoint_domain: MDS-Domain

- name: Install Policy on MDS-Domain
cp_mgmt_install_policy:
policy_package: FW_Policy
install_on_all_cluster_members_or_fail: yes
targets:
- target1-fw
- target2-fw

vars:
ansible_checkpoint_domain: MDS-Domain

Inventory:

[cma]
10.10.10.10

[cma:vars]
ansible_httpapi_validate_certs=False
ansible_httpapi_use_ssl=True
ansible_network_os=check_point.mgmt.checkpoint
#ansible_network_os=checkpoint
ansible_user=myuser-name

Re: Error Publishing Changes with Ansible

PhoneBoy — Fri, 26 Mar 2021 21:49:18 GMT

What does $FWDIR/log/api.elg say when you try to publish?

Re: Error Publishing Changes with Ansible

BJ_Brooks — Fri, 26 Mar 2021 22:27:26 GMT

There is no api.elg to be found... in all of /opt.

Re: Error Publishing Changes with Ansible

BJ_Brooks — Fri, 26 Mar 2021 22:30:11 GMT

I'll add that the audit log from the CMA only shows a login/logout.

Re: Error Publishing Changes with Ansible

Art_Zalenekas — Fri, 26 Mar 2021 22:37:21 GMT

Please use the ENV variable $FWDIR to get to that directory. At the end of the day, it will be in /var/log/opt/CPsuite-R80.40/fw1/log/api.elg
If you use the $FWDIR/log/api.elg it will point to the same location.

Re: Error Publishing Changes with Ansible

Vincent_Bacher — Sat, 27 Mar 2021 06:55:53 GMT

He also can modify api log level using "api log debug" and after replication of issue "api log warn" or whatever.

Re: Error Publishing Changes with Ansible

BJ_Brooks — Mon, 29 Mar 2021 17:53:01 GMT

Thanks... was able to locate. Issue is session description.

"fault-message" : "Publish cannot be performed without entering a session name and description."

Re: Error Publishing Changes with Ansible

BJ_Brooks — Wed, 31 Mar 2021 19:33:46 GMT

Still haven't cracked this one... api.elg is displaying the below.

"fault-message" : "Publish cannot be performed without entering a session name and description."

I have include a task to set the session... have attempted auto publish on the object creation task to no avail.

- name: set-session
cp_mgmt_set_session:
description: "CR123456789"

Any thoughts? The MDS is set to have a session name generated on publish. If we do it through the CMA, we can set the session name to whatever we want, but through ansible, not so much.

Re: Error Publishing Changes with Ansible

PhoneBoy — Thu, 01 Apr 2021 00:43:44 GMT

There's a setting on the management side to not require a description.
It's possible this may be required to use the auto-publish feature.
Paging @Or_Soffer

Re: Error Publishing Changes with Ansible

Jonas_Rosenboom — Fri, 09 Apr 2021 12:59:06 GMT

If your management requires All sessions must have a description you need to explicitly set both description and new_name for the session through Ansible.

If you want to use auto_publish just make sure that `set_session` is performed prior to the task with auto_publish.

The requirement for both name and description is not limited to Ansible, but affects all API usage (including `mgmt_cli`) when All sessions must have a description is enabled.