Solved: Re: Deploying Domain on VSX

ias_gc-dk · ‎2020-03-05

I am trying to deploy a new domain through the web api on R80.20 but I am stuck with an error:

curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "10.11.12.10", "name" : "Domain01-mgmt", "multi-domain-server" : "CPMGT03", "comments" : "Customer01" }}' $cp_api_url/add-domain
!{
! "code" : "generic_err_invalid_parameter",
! "message" : "Invalid parameter for [servers]. Invalid value"

As far as I can tell from the API reference, it should be fine: https://sc1.checkpoint.com/documents/latest/APIs/#web/add-domain~v1.3%20

Another thing:

When it comes time to deploy the VS, I will be using a command that looks something like this:

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s localhost -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq

What do I define '"targets":"$MDM_Server"' as? Where do I find the information that is to go in my variable $MDM-server? It might be simple answer, but I cannot see it logically.

All this is on a R80.20 MDM-server.

ias_gc-dk · ‎2020-04-03

Breaktrough!!

I needed to set target to the CMA that is created during the domain deployment in /add-domain. That made it work!

View solution in original post

Maarten_Sjouw · ‎2020-03-05

You need to use servers.multi-domain-server.
The VS script I don't know but you do need to make sure that the provioning is done in the correct domain.

Regards, Maarten

ias_gc-dk · ‎2020-03-05

Ok, I'll give that a try for the Domain deployment.

As for VSX deployment I have been leaning up against this post: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Creating-VSX-Virtual-Systems-usin...

Which has lead me to do a sequence like this:

SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`

< above Domain deployment to $cp_api_url/add-domain >
< above VSX deployment using $cp_api_url/run-script >

And then afterwards logging out of MDS and then into domain to do stuff like add objects, rules, sections etc., which works fine.

Should I do the following instead:

1. Login to MDS using above command
2. Deploy Domain
3. Logout of MDS ($cp_api_url/logout)
4. Login to Domain like this: SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":"\"$password\"",\"domain\":\"$CP_Domain\"}" | awk -F\" '/sid/ {print $4}'`
5. Deploy VSX
6. Wait for task to finish
7. Deploy objects, rules, sections etc.

Still need to figure out what the "target": refers to though... 😞

PhoneBoy · ‎2020-03-05

vsx_provisioning_tool runs on the VSX gateway, which would be the target for your run-script API call.

ias_gc-dk · ‎2020-03-05

Still not sure I understand, because the vsx_provisioning_tool runs on the MDM server.

Example: If I have my multi Domain Server to be fwmgmt01 and each node in the cluster (called VSX_Cluster_1) is called fw01a and fw01b.Should my target then be VSX_Cluster_1 or fw01a+fw01b ?

Kaspars_Zibarts · ‎2020-03-05

not too sure if I understood correctly but vsx_provisioning_tool runs on mgmt and it pushes out config to actual gateway 🙂

PhoneBoy · ‎2020-03-06

Hm, yeah, I clearly got that wrong.
The run-script API can only target physical devices (MDS server, gateways), not a CMA or VS.
Your run-script command will therefore have to account for this (e.g. switch to appropriate domain context, then run vsx_provisioning_tool).

ias_gc-dk · ‎2020-04-03

After a while of testing I am not any further with this vsx_provisioning_tool via web api at all. It's fighting me all the way!

After logging into domain I tryed running this command:

$SID is login id.

curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s 10.64.54.250 -u testuser -p testpass -o add vd name vs-Test vsx VSX_Cluster_2 type vs main_ip 7.7.7.1, add interface name bond1.3333 ip 7.7.7.1/29, add interface name bond1.3334 ip 192.168.100.1/24","targets":"MDM-server"}' $cp_api_url/run-script | jq

I get this error:

{

"code": "generic_err_object_not_found",

"message": "Requested object [MDM-server] not found"

}

I have tried the following as value for MDM-server:

MDM-server name (which I successfully deployed a domain to)

hostname

DNS-name

cluster-name

firewall-node A

firewall-node B

Nothing works.

API defines target as: On what targets to execute this command. Targets may be identified by their name, or object unique identifier.

What does that mean?!? Can someone tell me what name I am looking for?

ias_gc-dk · ‎2020-04-03

Breaktrough!!

I needed to set target to the CMA that is created during the domain deployment in /add-domain. That made it work!

Kaspars_Zibarts · ‎2020-03-06

I agree with @Maarten_Sjouw seems like domain / CMA is not set correctly in your command

url -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{"script-name":"VSX Provisioning","script":"vsx_provisioning_tool -s ~~localhost~~ -u admin -p admin-password -o add vd name $cp_vs_name vsx $VSX_Cluster type vs main_ip $NB_VM_PRI_IP, $NB_VS_INT","targets":"$MDM_Server"}' $cp_api_url/run-script | ./jq

so you would need to supply correct CMA IP (where actual VS will belong) instead of localhost.

Plus I'm not entirely sure why do you have to variables passed two main_ip? it should be jus a single IP of that VS.

Maarten_Sjouw · ‎2020-03-06

Normally when you run the provisioning tool you FIRST run the mdsenv 'domain' to make sure the right domain is set.
Then on the management server you execute a command like this:
vsx_provisioning_tool -s localhost -u admin -p add vd name VS-01 vsx VSX_cluster_1 type vs main_ip 100.100.100.100
This will then create the VS in Management and on the VSX cluster. The interaction between API and the tool is the part that I have no clue about, but it could be that the target in this case would be the DMS.

Regards, Maarten

Kaspars_Zibarts · ‎2020-03-06

you can avoid mdsenv step if you specify -s option and then CMA IP address 🙂
so it's hard to say how it would interact with API run script. I would try running with -s plus IP addr as it's more explicit

ias_gc-dk · ‎2020-03-11

Thanks, I have corrected the localhost parameter. Makes sense too.

As for the two main ip variables, there are only one. They are seperated by a komma. $NB_VM_PRI_IP is the primary ip fetched from Netbox IPAM in an earlier step and $NB_VS_INT is the generated string for adding interfaces to the vs, fetched from Netbox IPAM. I had to make sure that I could deploy a random amount of interfaces, based on how many was documented in our IPAM.

The idea is to document first, then deploy in production based on what is documented in our IPAM. That could be 1 nic or 8.

ias_gc-dk · ‎2020-03-18

I have now tried a few things to try and deploy a new domain, none of which have worked.

cp_api_url="https://fwmgmt.mydomain.net/web_api"

SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"cp_username\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`

Above works just fine, below is fubar:

First attempt is by the book, according to API reference guide (API Reference link) :

curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers" : { "ip-address" : "172.20.20.1", "name" : "Domain01-mgmt", "multi-domain-server" : "cpMGT01", "comments" : "Domain-test" }}' $cp_api_url/add-domain

Second attempt is from suggestions in this thread:
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "name" : "Domain01", "servers.ip-address" : "172.20.20.1", "servers.name" : "Domain01-mgmt", "servers.multi-domain-server" : "cpMGT01", "servers.comments" : "Domain-test" }' $cp_api_url/add-domain

The error code I get is "generic_err_invalid_parameter" and it is frustrating as h...!

I am beginning to think something is completely wrong in the documentation!

Can someone shed any light on this?

ias_gc-dk · ‎2020-04-03

I finally got the domain-deployment working:

The test-script is like this:

cp_user=$1
password=$2
CP_Domain=TestDomain
CMA_IP=10.64.54.250
CMA=Test-mgmt
MDM_Server=CPMGT01
cp_api_url="https://fwmgmt/web_api"
cp_vs_name=vs-Test
VSX_Cluster=VSX_Cluster_1
NB_VM_PRI_IP=7.7.7.1
NB_VS_INT="add interface name bond1.3333 ip 7.7.7.1/29, add interface name bond1.3334 ip 192.168.100.1/24"

# check if an array contains a specific value
containsElement () {
local array="${@:2}"
for((i=0;i<${#array[@]};i++))
do
if [ "${array[$i]}" == "$1" ]; then
return 0
fi
done
return 1
}

# check the status of a task. is it "in progress"? if 'yes' return 0, else return '1'
is_status_in_progress() {
# call the 'show-task' API, save result to a JSON file.
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{ "task-id" : "'$CP_TASKID'" }' $cp_api_url/show-task | jq > show_task_result.json
# use JQ to get the status. $STATUS is an array becuase there could be 'child' tasks.
STATUS=$(jq -r '.tasks[].status' show_task_result.json)
PERCENTAGE=$(jq -r '.tasks[]."progress-percentage"' show_task_result.json)
# go over the array look for 'in progress'
containsElement "in progress" ${STATUS[@]}
IS_IN_PROGRESS=$?
}

# as long as the task is in progress, wait 3 seconds and check again.
wait_for_task() {
is_status_in_progress
while [ $IS_IN_PROGRESS == "0" ]
do
echo "in progress. $PERCENTAGE Percent completed"
is_status_in_progress
sleep 3
done
}

SID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -X POST "$cp_api_url/login" -d "{\"user\":\"$cp_user\",\"password\":\"$password\"}" -s | awk -F\" '/sid/ {print $4}'`

CP_TASKID=`curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"'$CP_Domain'","servers":{"ip-address":"'$CMA_IP'","name":"'$CMA'","multi-domain-server":"'$MDM_Server'"}}' $cp_api_url/add-domain | jq | grep '"task-id"' | awk -F'["]' '{ print $4 }'`
#Wait for deployment is done
echo "Deploying new domain $CP_Domain"
wait_for_task
#Add domain to trusted-client
echo "Deployment status for domain $CP_Domain: ${STATUS[@]}"
#reset task-id variable
CP_TASKID=
echo "Adding Domain to trusted-client AnyHost"
curl -s -k -H "Content-Type: application/json" -H "X-chkp-sid: $SID" -X POST -d '{"name":"AnyHost","domains-assignment":{"add":"'$CP_Domain'"}}' $cp_api_url/set-trusted-client # send to log
#publish Trusted client addition
CP_TASKID=`curl -s -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/publish | jq | grep '"task-id"' | awk -F'["]' '{ print $4 }'`
echo "Publishing new trusted client config"
wait_for_task
echo "Publishing status for trusted client AnyHost for $CP_Domain: ${STATUS[@]}"

echo "logging out"
#curl -k -H "Content-Type: application/json" -H "Accept: bla" -H "X-chkp-sid: $SID" -X POST -d '{}' $cp_api_url/logout

rm ./show_task_result.json

Hopefully someone else can make use of this somewhere.

genisis__ · ‎2020-10-05

Hi,

I'm attempting to use the vsx_provisioning tool for the first time. I've created a script which contains the following:

add vd name TestVS vsx VSXCL type vs instances 4 instance6 0 main_ip 1.1.1.1 calc_topo_auto false, which running this I get

Failed to get object <One of the VSX cluster nodes> (table=network_object,uid=)

Failed to execute line number 2.

Any ideas how to troubleshoot this?

Are you a member of CheckMates?

Deploying Domain on VSX