This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
mervin16
Participant
‎2020-10-31 08:00 AM

Issue creating a host with Ansible

I am trying to create a host on my SMS using Ansible but i am encountering some issues.

Below are some information that might be helpful.

 

Playbook:

---
- name: Checkpoint Hosts Management
  hosts: firewalls_checkpoint
  tasks:
    - name: Add a new Host
      check_point.mgmt.cp_mgmt_host:
        ip_address: 192.0.2.1
        name: New Host 1
        state: present
        auto_publish_session: yes

 

 Inventory

#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms

#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=*****
ansible_ssh_pass=*****
ansible_network_os=check_point.mgmt.checkpoint
ansible_ssh_transfer_method=scp

 

ansible.cfg

[defaults]
host_key_checking = False

[ssh_connection]
scp_if_ssh=True
timeout = 100

 

However, when i run my playbook with command ansible-playbook /etc/ansible/playbooks/checkpoint/network_create.yml, i get the following error:

fatal: [ckp_sms]: FAILED! => {
    "msg": "failed to transfer file to /root/.ansible/tmp/ansible-local-71858l7zedua/tmpj8i_7uay CLINFR0711  Command insecure/AnsiballZ_setup.py:\n\nCLINFR0329  Invalid command:'scp -t 'CLINFR0711  Command insecure/AnsiballZ_setup.py''.\n"
}

 

If i ssh directly on a terminal to the SMS, it works fine.

I get the same error message when i try to ping the sms using ansible -m ping

Can someone please help me out.

 

0 Kudos
10 Replies
mervin16
Participant
‎2020-10-31 11:05 PM

Can someone please help out ?
0 Kudos
funkylicious
Advisor
‎2020-11-01 12:52 AM
In response to mervin16

Did you follow this configuration guide ?

Maybe try

- name: add-host
  cp_mgmt_host:
    ip_address: 192.0.2.1
    name: New Host 1
    state: present
0 Kudos
mervin16
Participant
‎2020-11-05 11:44 AM
In response to funkylicious

Hello, Yes i did follow the configuration guide and no, this too doesn't work 😞 Please help me
0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-06 08:21 AM

Hi, 

Under the hosts section you are missing the connection parameter

connection: httpapi

Also, did you download the latest collection from galaxy?

https://galaxy.ansible.com/check_point/mgmt

You can find a working example here:

https://github.com/jimoq/demo 

Kind Regards

Jim

0 Kudos
mervin16
Participant
‎2020-11-06 01:18 PM
In response to Jim_Oqvist

Hi,

I did what you said and encountered this error:

 

rpc__\nansible.module_utils.connection.ConnectionError: Invalid JSON response: <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\n</p>\n<p>Additionally, a 400 Bad Request\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n\n"

 

We usually get this error when we try to send a request without login to SMS but from Ansible documentation, it specifies that the login and logout is done automatically. So i don't know what's going wrong here. If i run the same command in Check Mode (ansible-playbook -C playbook.yml) it works.

 

Can you please help ?

 


My updated playbook is :

 

---
- name: playbook name
  hosts: firewalls_checkpoint
  connection: httpapi
  tasks:
    - name: task to have network
      check_point.mgmt.cp_mgmt_network:
        name: "network name"
        subnet: "4.1.76.0"
        mask_length: 24
        auto_publish_session: true

      vars:
        ansible_checkpoint_domain: "SMC User"

 

0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-07 11:47 AM
In response to mervin16

Hi Mervin,

Your playbook is correct.
Please just not that the variable 'ansible_checkpoint_domain: "SMC User"' is not required when connecting to a SMS

Your /etc/ansible/hosts is not entirely correct.
I noticed that you have not assigned any ansible_host ip address to ckp_sms, Is chk_sms host name resolving to the IP of your Check Point management server?
If not you need to set the IP for this host.
Here is a correct /etc/ansible/hosts section where I removed some lines from the one you posted and added ansible_host ip address.

#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms ansible_host=X.X.X.X

#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=XXXXX
ansible_network_os=check_point.mgmt.checkpoint

 

0 Kudos
mervin16
Participant
‎2020-11-07 11:52 AM
In response to Jim_Oqvist

Hi,

 

Thank you for replying, the ckp_sms is indeed resolving to my IP address. I set this in my host file (windows host file).

My SMS is R80.30.

0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-07 01:54 PM
In response to mervin16

Okay, please take a look at my response here, I think there is a problem with the Ansible httpapi connection plugin.

https://community.checkpoint.com/t5/Ansible/Ansible-Connection-Error/m-p/101387/highlight/true#M400

0 Kudos
mervin16
Participant
‎2020-11-08 02:17 AM
In response to Jim_Oqvist

This solution worked with my R80.40 but not my R80.30.

Does it have something to do with a JHF that has not been installed ?

0 Kudos
Jim_Oqvist
Employee
Employee
‎2020-11-08 11:21 AM
In response to mervin16

To orchestrate R80.30 version with Ansible, you need JHF 135 or later installed.

You can find more information here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos
Upcoming Events

    CheckMates Events
    Top