I am trying to create a host on my SMS using Ansible but I am encountering some issues.
Below is some information that might be helpful.
Playbook:
---
- name: Checkpoint Hosts Management
  hosts: firewalls_checkpoint
  tasks:
    - name: Add a new Host
      check_point.mgmt.cp_mgmt_host:
        ip_address: 192.0.2.1
        name: New Host 1
        state: present
        auto_publish_session: yes
Inventory
#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms
#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=*****
ansible_ssh_pass=*****
ansible_network_os=check_point.mgmt.checkpoint
ansible_ssh_transfer_method=scp
ansible.cfg
[defaults]
host_key_checking = False
[ssh_connection]
scp_if_ssh=True
timeout = 100
However, when I run my playbook with the command ansible-playbook /etc/ansible/playbooks/checkpoint/network_create.yml, I get the following error:
fatal: [ckp_sms]: FAILED! => {
"msg": "failed to transfer file to /root/.ansible/tmp/ansible-local-71858l7zedua/tmpj8i_7uay CLINFR0711 Command insecure/AnsiballZ_setup.py:\n\nCLINFR0329 Invalid command:'scp -t 'CLINFR0711 Command insecure/AnsiballZ_setup.py''.\n"
}
If I ssh directly on a terminal to the SMS, it works fine.
I get the same error message when I try to ping the SMS using ansible -m ping.
Can someone please help me out?
Did you follow this configuration guide?
Maybe try
- name: add-host
  cp_mgmt_host:
    ip_address: 192.0.2.1
    name: New Host 1
    state: present
Hi,
Under the hosts section you are missing the connection parameter
connection: httpapi
Also, did you download the latest collection from galaxy?
https://galaxy.ansible.com/check_point/mgmt
You can find a working example here:
Kind Regards
Jim
Hi,
I did what you said and encountered this error:
rpc__\nansible.module_utils.connection.ConnectionError: Invalid JSON response: <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\n</p>\n<p>Additionally, a 400 Bad Request\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n\n"
We usually get this error when we try to send a request without logging in to the SMS, but the Ansible documentation specifies that the login and logout are done automatically. So I don't know what's going wrong here. If I run the same command in Check Mode (ansible-playbook -C playbook.yml) it works.
Can you please help?
My updated playbook is:
---
- name: playbook name
  hosts: firewalls_checkpoint
  connection: httpapi
  tasks:
    - name: task to have network
      check_point.mgmt.cp_mgmt_network:
        name: "network name"
        subnet: "4.1.76.0"
        mask_length: 24
        auto_publish_session: true
  vars:
    ansible_checkpoint_domain: "SMC User"
Hi Mervin,
Your playbook is correct.
Please just note that the variable 'ansible_checkpoint_domain: "SMC User"' is not required when connecting to an SMS.
Your /etc/ansible/hosts is not entirely correct.
I noticed that you have not assigned any ansible_host IP address to ckp_sms. Is the ckp_sms host name resolving to the IP of your Check Point management server?
If not, you need to set the IP for this host.
Here is a correct /etc/ansible/hosts section where I removed some lines from the one you posted and added the ansible_host IP address.
#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms ansible_host=X.X.X.X
#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=XXXXX
ansible_network_os=check_point.mgmt.checkpoint
Hi,
Thank you for replying. The ckp_sms is indeed resolving to my IP address. I set this in my host file (Windows host file).
My SMS is R80.30.
Okay, please take a look at my response here, I think there is a problem with the Ansible httpapi connection plugin.
https://community.checkpoint.com/t5/Ansible/Ansible-Connection-Error/m-p/101387/highlight/true#M400
This solution worked with my R80.40 but not my R80.30.
Does it have something to do with a JHF that has not been installed?
To orchestrate R80.30 version with Ansible, you need JHF 135 or later installed.
You can find more information here:
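
As an added example (not code from any poster or from the check_point.mgmt collection), this Python sketch audits an INI inventory and playbook for the settings this thread turns on: whether httpapi is selected at all (without it Ansible uses its default SSH transport, which is what produced the scp error in the first post), plus certificate validation, plaintext credentials and leftover SSH variables. The function names, finding codes and sample inventory are constructed for illustration.

```python
import re

# Constructed sample, modelled on the inventory posted in the thread.
SAMPLE_INVENTORY = """\
[firewalls_checkpoint]
ckp_sms ansible_host=192.0.2.10
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=example-password
ansible_ssh_transfer_method=scp
ansible_network_os=check_point.mgmt.checkpoint
"""
SAMPLE_PLAY = "- name: demo\n  hosts: firewalls_checkpoint\n  tasks: []\n"

def group_vars(inventory_text, group):
    """Collect key=value pairs from the [group:vars] section of an INI inventory."""
    found, section = {}, None
    for raw in inventory_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == f"{group}:vars" and "=" in line:
            key, value = line.split("=", 1)
            found[key.strip()] = value.strip()
    return found

def audit(inventory_text, playbook_text, group="firewalls_checkpoint"):
    """Return finding codes for one group; an empty list means nothing was flagged."""
    v = group_vars(inventory_text, group)
    findings = []
    in_play = re.search(r"^\s*connection:\s*httpapi\s*$", playbook_text, re.M)
    if v.get("ansible_connection") != "httpapi" and not in_play:
        findings.append("NO_HTTPAPI")  # default SSH transport: the scp error above
    if v.get("ansible_network_os") != "check_point.mgmt.checkpoint":
        findings.append("NETWORK_OS")
    if v.get("ansible_httpapi_use_ssl", "").lower() not in {"true", "yes", "1"}:
        findings.append("NO_TLS")
    if v.get("ansible_httpapi_validate_certs", "").lower() in {"false", "no", "0"}:
        findings.append("CERT_NOT_VERIFIED")  # API login goes to an unverified peer
    password = v.get("ansible_password", "")
    if password and not password.startswith("{{"):
        findings.append("PLAINTEXT_PASSWORD")  # literal secret, not a variable reference
    if any(key.startswith("ansible_ssh_") for key in v):
        findings.append("SSH_LEFTOVER")  # dropped from the corrected inventory in the thread
    return findings
```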