Deploying Domain on VSX

I am trying to deploy a new domain through the web api on R80.20 but I am stuck with an error:

curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "10.11.12.10", "name" : "Domain01-mgmt", "multi-domain-server" : "CPMGT03", "comments" : "Customer01" }}' $cp_api_url/add-domain
{
  "code" : "generic_err_invalid_parameter",
  "message" : "Invalid parameter for [servers]. Invalid value"
}

As far as I can tell from the API reference, it should be fine: https://sc1.checkpoint.com/documents/latest/APIs/#web/add-domain~v1.3%20

Another thing:

When it comes time to deploy the VS, I will be using a command that looks something like this:

 

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s localhost -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq

What do I define '"targets":"$MDM_Server"' as? Where do I find the information that is to go in my variable $MDM_Server? It might be a simple answer, but I cannot see it logically.

All this is on an R80.20 MDM-server.

Accepted Solutions

Breakthrough!!

I needed to set the target to the CMA that is created during the domain deployment in /add-domain. That made it work!

14 Replies
You need to use servers.multi-domain-server.
The VS script I don't know, but you do need to make sure that the provisioning is done in the correct domain.
Regards, Maarten

Ok, I'll give that a try for the Domain deployment.

As for VSX deployment I have been leaning up against this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Creating-VSX-Virtual-Systems-usin...

Which has led me to do a sequence like this:

SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`

< above Domain deployment to $cp_api_url/add-domain >
< above VSX deployment using $cp_api_url/run-script >

And then afterwards logging out of MDS and then into domain to do stuff like add objects, rules, sections etc., which works fine.

Should I do the following instead:

1. Login to MDS using above command
2. Deploy Domain
3. Logout of MDS  ($cp_api_url/logout)
4. Login to Domain like this: SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\",\"domain\":\"$CP_Domain\"}" | awk -F\" '/sid/ {print $4}'`
5. Deploy VSX
6. Wait for task to finish
7. Deploy objects, rules, sections etc.

Still need to figure out what the "target": refers to though... 😞

vsx_provisioning_tool runs on the VSX gateway, which would be the target for your run-script API call.
Still not sure I understand, because the vsx_provisioning_tool runs on the MDM server.

Example: If I have my multi Domain Server to be fwmgmt01 and each node in the cluster (called VSX_Cluster_1) is called fw01a and fw01b. Should my target then be VSX_Cluster_1 or fw01a+fw01b?

not too sure if I understood correctly but vsx_provisioning_tool runs on mgmt and it pushes out config to actual gateway 🙂
Hm, yeah, I clearly got that wrong.
The run-script API can only target physical devices (MDS server, gateways), not a CMA or VS.
Your run-script command will therefore have to account for this (e.g. switch to appropriate domain context, then run vsx_provisioning_tool).

After a while of testing I am not any further with this vsx_provisioning_tool via web api at all. It's fighting me all the way!

After logging into the domain I tried running this command:
$SID is the login id.

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s 10.64.54.250 -u testuser -p testpass -o add vd name vs-Test vsx VSX_Cluster_2 type vs main_ip 7.7.7.1, add interface name bond1.3333 ip 7.7.7.1/29, add interface name bond1.3334 ip 192.168.100.1/24","targets":"MDM-server"}' $cp_api_url/run-script | jq
 
I get this error:
{
  "code": "generic_err_object_not_found",
  "message": "Requested object [MDM-server] not found"
}
 
I have tried the following as value for MDM-server:
MDM-server name (which I successfully deployed a domain to)
hostname
DNS-name
cluster-name
firewall-node A
firewall-node B
 
Nothing works.
API defines target as: On what targets to execute this command. Targets may be identified by their name, or object unique identifier.
What does that mean?!? Can someone tell me what name I am looking for?
I agree with @Maarten_Sjouw, it seems like the domain / CMA is not set correctly in your command:

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s localhost -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq

so you would need to supply the correct CMA IP (where the actual VS will belong) instead of localhost.

Plus I'm not entirely sure why you have two variables passed to main_ip? It should be just a single IP of that VS.

Normally when you run the provisioning tool you FIRST run the mdsenv 'domain' to make sure the right domain is set.
Then on the management server you execute a command like this:
vsx_provisioning_tool -s localhost -u admin -p add vd name VS-01 vsx VSX_cluster_1 type vs main_ip 100.100.100.100
This will then create the VS in Management and on the VSX cluster. The interaction between API and the tool is the part that I have no clue about, but it could be that the target in this case would be the DMS.
Regards, Maarten
You can avoid the mdsenv step if you specify the -s option and then the CMA IP address 🙂
So it's hard to say how it would interact with the API run-script. I would try running with -s plus the IP addr as it's more explicit.
Thanks, I have corrected the localhost parameter. Makes sense too.

 

As for the two main ip variables, there is only one. They are separated by a comma. $NB_VM_PRI_IP is the primary ip fetched from Netbox IPAM in an earlier step and $NB_VS_INT is the generated string for adding interfaces to the vs, fetched from Netbox IPAM. I had to make sure that I could deploy a random amount of interfaces, based on how many were documented in our IPAM.

The idea is to document first, then deploy in production based on what is documented in our IPAM. That could be 1 nic or 8.

I have now tried a few things to try and deploy a new domain, none of which have worked.

cp_api_url="https://fwmgmt.mydomain.net/web_api"

SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"cp_username\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`

Above works just fine, below is fubar:

First attempt is by the book, according to API reference guide (API Reference link) :

curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "172.20.20.1", "name" : "Domain01-mgmt", "multi-domain-server" : "cpMGT01", "comments" : "Domain-test" }}' $cp_api_url/add-domain

Second attempt is from suggestions in this thread:
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers.ip-address" : "172.20.20.1", "servers.name" : "Domain01-mgmt", "servers.multi-domain-server" : "cpMGT01", "servers.comments" : "Domain-test" }' $cp_api_url/add-domain

The error code I get is "generic_err_invalid_parameter" and it is frustrating as h...!

I am beginning to think something is completely wrong in the documentation!

Can someone shed any light on this?


I finally got the domain-deployment working:

The test-script is like this:

#!/bin/bash
# parameters: <api-user> <password>
cp_user=$1
password=$2
CP_Domain=TestDomain
CMA_IP=10.64.54.250
CMA=Test-mgmt
MDM_Server=CPMGT01
cp_api_url="https://fwmgmt/web_api"
cp_vs_name=vs-Test
VSX_Cluster=VSX_Cluster_1
NB_VM_PRI_IP=7.7.7.1
NB_VS_INT="add interface name bond1.3333 ip 7.7.7.1/29, add interface name bond1.3334 ip 192.168.100.1/24"

# check if the remaining arguments ($2 ...) contain a specific value ($1)
containsElement () {
    local needle="$1"
    shift
    for element in "$@"; do
        if [ "$element" == "$needle" ]; then
            return 0
        fi
    done
    return 1
}

# check the status of a task. is it "in progress"? if 'yes' IS_IN_PROGRESS=0, else 1
is_status_in_progress() {
    # call the 'show-task' API, save result to a JSON file.
    # (-k disables TLS certificate verification of the management server)
    curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "task-id" : "'$CP_TASKID'" }' $cp_api_url/show-task | jq > show_task_result.json
    # use jq to get the status. STATUS is an array because there could be 'child' tasks.
    mapfile -t STATUS < <(jq -r '.tasks[].status' show_task_result.json)
    PERCENTAGE=$(jq -r '.tasks[]."progress-percentage"' show_task_result.json)
    # go over the array and look for 'in progress'
    containsElement "in progress" "${STATUS[@]}"
    IS_IN_PROGRESS=$?
}

# as long as the task is in progress, wait 3 seconds and check again.
wait_for_task() {
    is_status_in_progress
    while [ "$IS_IN_PROGRESS" == "0" ]; do
        echo "in progress. $PERCENTAGE Percent completed"
        sleep 3
        is_status_in_progress
    done
}

# login to the MDS and keep the session id
SID=$(curl -s -k -H "Content-Type: application/json" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" | jq -r '.sid')

# create the domain; 'servers' is a nested object with exactly these three fields
CP_TASKID=$(curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"'$CP_Domain'","servers":{"ip-address":"'$CMA_IP'","name":"'$CMA'","multi-domain-server":"'$MDM_Server'"}}' $cp_api_url/add-domain | jq -r '."task-id"')
# wait until the deployment is done
echo "Deploying new domain $CP_Domain"
wait_for_task
echo "Deployment status for domain $CP_Domain: ${STATUS[*]}"
# reset task-id variable
CP_TASKID=
# add domain to trusted-client
echo "Adding Domain to trusted-client AnyHost"
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"AnyHost","domains-assignment":{"add":"'$CP_Domain'"}}' $cp_api_url/set-trusted-client # send to log
# publish the trusted client addition
CP_TASKID=$(curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/publish | jq -r '."task-id"')
echo "Publishing new trusted client config"
wait_for_task
echo "Publishing status for trusted client AnyHost for $CP_Domain: ${STATUS[*]}"

<here would go further deployment scripting, like VSX deployment>

echo "logging out"
#curl -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/logout

rm ./show_task_result.json

Hopefully someone else can make use of this somewhere.

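The two fixes the thread arrives at, the nested "servers" object for /add-domain and the CMA name as the run-script target, together with the task polling from the script above, as an added Python example (not from the thread and not Check Point's code): the request bodies are built with json.dumps instead of shell quoting, and the task outcome copes with several task entries and with an empty reply. The /show-task replies are constructed samples, and the only field names used are the ones the thread's own commands reference.

```python
import json

# Constructed sample /show-task replies, shaped like the jq paths in the thread
# (.tasks[].status and .tasks[]."progress-percentage"); not captured from a real MDS.
SAMPLE_RUNNING = json.dumps({"tasks": [
    {"task-id": "TASK-ID-PLACEHOLDER", "status": "in progress", "progress-percentage": 40}]})
SAMPLE_DONE = json.dumps({"tasks": [
    {"task-id": "TASK-ID-PLACEHOLDER", "status": "succeeded", "progress-percentage": 100}]})


def add_domain_body(domain, cma_name, cma_ip, mds_name):
    """Body for /add-domain: 'servers' is a nested object (not dotted keys) and
    carries only the three fields the working call in the thread sends."""
    return json.dumps({"name": domain, "servers": {
        "ip-address": cma_ip, "name": cma_name, "multi-domain-server": mds_name}})


def run_script_body(cma_name, cma_ip, user, password, vs_name, vsx_cluster, main_ip, interfaces):
    """Body for /run-script. 'targets' is the CMA name created by /add-domain
    (the accepted answer) and -s points the tool at the CMA IP instead of localhost.
    interfaces: list of (name, cidr) pairs from IPAM, any length (like $NB_VS_INT).
    The credentials travel inside the script text, so use a dedicated provisioning
    account with the least privilege the tool needs."""
    cmd = (f"vsx_provisioning_tool -s {cma_ip} -u {user} -p {password} -o add vd "
           f"name {vs_name} vsx {vsx_cluster} type vs main_ip {main_ip}")
    for ifname, cidr in interfaces:
        cmd += f", add interface name {ifname} ip {cidr}"
    return json.dumps({"script-name": "VSX Provisioning", "script": cmd, "targets": cma_name})


def task_statuses(show_task_json):
    """Status of every task entry; the thread notes there can be several (child tasks)."""
    return [t.get("status", "") for t in json.loads(show_task_json).get("tasks", [])]


def task_outcome(show_task_json):
    """'in progress' while any entry still runs; 'succeeded' only when all did;
    'failed' otherwise, and also when no task entry came back (unknown task-id),
    so a polling loop does not wait forever on a bad id."""
    statuses = task_statuses(show_task_json)
    if not statuses:
        return "failed"
    if "in progress" in statuses:
        return "in progress"
    return "succeeded" if all(s == "succeeded" for s in statuses) else "failed"
```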