topic Re: Unable to login into checkpoint gateway firewall through Ansible in General Topics

Unable to login into checkpoint gateway firewall through Ansible

Tribhawan_Singh — Tue, 30 Jul 2019 06:36:44 GMT

Problem Description: I want to run healthcheck commands on a VSX based checkpoint R80.10 23500 model and 5500 normal checkpoint firewall gateway but i am unable to login into the firewall.

There are 2 simple playbooks i am mentioning here, 1 by using ansible roles (name = cp1.yml) and other is direct access (cp2.yml).

In LAB environment i am getting results for cp1.yml but cp2.yml is failing saying it needs ansible_network_os value. (Want to know what would be the ansible_network_os for checkpoint)

In production, none of these 2 are working and i am getting below error:

When login through network_cli then below error is coming while executing both playbooks:

-bash-4.2$ ansible-playbook cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
fatal: [firewall]: FAILED! => {"msg": "unable to set terminal parameters"}

****************************************************************

My Playbooks: (Playbook 1) cp1.yml

in /etc/ansible directory:

---
- name: CheckPoint health Status
hosts: checkpoint
gather_facts: no
serial: 1

tasks:
- name: checkpoint healthcheck commands
import_role:
name: trib_role
tasks_from: showbash

vars:
cmdfile: show-bash.cmd

************

-bash-4.2$ cat show-bash.cmd
fw ver
fw tab -t connections -s
-bash-4.2$

*****************

-bash-4.2$ pwd
/etc/ansible/roles/trib_role/tasks <-------------Roles directory

******************

-bash-4.2$ cat showbash.yml
---
- name: SHOW CONFIG
cli_command:
command: "{{ item }}"
with_lines: cat {{ cmdfile }}
register: result1

- name: show output files
debug:
var: result1

host file:

[checkpoint]
firewall <---------------------My production firewall name

-bash-4.2$ cd host_vars/
-bash-4.2$ cat firewall
---
ansible_host: x.x.x.x (My production firewall IP)
ansible_user: admin
ansible_ssh_pass: ********* (admin password)
ansible_connection: network_cli

**********************************************************

Playbook2 cp2.yml:

---
- name: CheckPoint health Status
hosts: checkpoint
gather_facts: no
serial: 1

tasks:
- name: checkpoint healthcheck commands
cli_command:
command:
- 'fw ver'
register: result

- name: show output
debug:
var: result.stdout_lines
-bash-4.2$

Here also getting the same error:

-bash-4.2$ ansible-playbook cp2.yml -vvvv

PLAYBOOK: cp2.yml ***************************************************************************************************************************************************************************************************************************
1 plays in cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
task path: /etc/ansible/cp2.yml:8
<x.x.x.x> attempting to start connection
<x.x.x.x> using connection plugin network_cli
<x.x.x.x> local domain socket does not exist, starting it
<x.x.x.x> control socket path is /files0/home/singhtr/.ansible/pc/22a0ffc2f6
<x.x.x.x>
The full traceback is:
Traceback (most recent call last):
File "/usr/bin/ansible-connection", line 106, in start
self.connection._connect()
File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py", line 334, in _connect
self._terminal.on_open_shell()
File "/usr/lib/python2.7/site-packages/ansible/plugins/terminal/ios.py", line 58, in on_open_shell
raise AnsibleConnectionFailure('unable to set terminal parameters')
AnsibleConnectionFailure: unable to set terminal parameters

fatal: [firewall]: FAILED! => {
"msg": "unable to set terminal parameters"
}
to retry, use: --limit @/etc/ansible/cp2.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
firewall : ok=0 changed=0 unreachable=0 failed=1

I hope @Ryan_Darst @Ash_Sidhu @PhoneBoy can help me here.

Re: Unable to login into checkpoint gateway firewall through Ansible

_Val_ — Tue, 30 Jul 2019 10:50:30 GMT

It looks like you expect admin shell to be bash, or am I missing something? It is not bash, unless you change it manually.

Re: Unable to login into checkpoint gateway firewall through Ansible

Tribhawan_Singh — Tue, 30 Jul 2019 11:02:33 GMT

default shell is bash only.

Re: Unable to login into checkpoint gateway firewall through Ansible

Ryan_Darst — Tue, 30 Jul 2019 12:43:29 GMT

Things I would check since it looks like you are using the standard ansible commands.

1. Shell setup for the ansible user should be set to /bin/bash on the gateway.

2. Make sure ansible has the path to where python is. Gaia does not have it in a typical location. Also this applies to R80.X and later, since in R77.X any python scripts have to be white-listed.

Here is an example of what I use in my demo R80.X systems in my /etc/ansible/hosts

[Gaia]
10.2.0.221 ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

[Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_ssh_pass=vpn123
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
scp_if_ssh = False

Re: Unable to login into checkpoint gateway firewall through Ansible

Tribhawan_Singh — Tue, 30 Jul 2019 13:14:25 GMT

Strange, i have all these parameters set as you mentioned except hosts, after changing the host file as you mentioned, i am getting below error:
-bash-4.2$ ansible-playbook cp3.yml

PLAY [CheckPoint health Status] ****

TASK [checkpoint healthcheck commands] ******
fatal: [10.x.x.x]: FAILED! => {"msg": "unable to elevate privilege to enable mode, at prompt [\nfirewall:TACP-0> ] with error: failed to elevate privilege to enable mode still at prompt [\nfirewall:TACP-0> ]"}
to retry, use: --limit @/etc/ansible/cp3.retry
--We have below configuration on the firewall:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

However default shell is bash.

Re: Unable to login into checkpoint gateway firewall through Ansible

_Val_ — Wed, 31 Jul 2019 11:10:47 GMT

Can you show TACP0 settings? It does not seem to be full admin account, hence bash access might fail. Does TACP15 work?

Re: Unable to login into checkpoint gateway firewall through Ansible

Tribhawan_Singh — Wed, 31 Jul 2019 20:28:47 GMT

@_Val_ @Ryan_Darst

This is completed now. I took a different approach to achieve this. I ran the shell script inside the firewall and through Ansible i invoked the shell script and displayed the result on my screen.

This also resolves my issue of how to take VSX specific output.

Re: Unable to login into checkpoint gateway firewall through Ansible

_Val_ — Fri, 02 Aug 2019 10:38:36 GMT

@Tribhawan_Singh good to know you have found the way. Care to share the details here, for outer community members?

Re: Unable to login into checkpoint gateway firewall through Ansible

Tribhawan_Singh — Mon, 05 Aug 2019 14:38:42 GMT

@_Val_ Sure, here is the sample shell and ansible script

Shell inside the firewall /home/admin directory:

For VS1:

[Expert@firewall:0]# cat cp1.sh
#!/bin/bash

source /etc/profile.d/vsenv.sh 2> /dev/null

# First arg passed to script is VSNAME
VSNAME=1
vsenv $VSNAME

cphaprob stat
fw tab -t connections -s
fwaccel stat | grep Status
sleep 2s
fwaccel stats -s
fw ctl multik stat
fw ctl pstat -u

Ansible Script:

- name: CheckPoint health Status
hosts: localhost
gather_facts: yes

tasks:
- name: checkpoint healthcheck commands on vs1
shell: "ssh admin@10.x.x.x ' sh /home/admin/cp1.sh'"
args:
executable: /bin/bash
register: check
delegate_to: localhost

- name: CheckPoint healthcheck output for vs1
debug:
var: check.stdout_lines

Re: Unable to login into checkpoint gateway firewall through Ansible

Nathan_Davieau — Mon, 23 Sep 2019 20:32:37 GMT

Have you tried the healthcheck.sh script from sk121447?

It can be run on gateway from the management server.