This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Amit_Chaubey
Contributor
‎2018-09-15 01:22 PM

Question: "Ansible Module" for Checkpoint Managment server R80.10

Hi, 

I am creating an "Ansible Module" for Checkpoint Managment server R80.10, I am looking for two solutions 

1. How to add any Gateway in the Management server. 

2. How to define an instance as the management server, and SIC key for gateways.I know there is a solution is available by using mgmt_cli but in that commands run in expert mode and how I can configure first Expert mode password? I am using bash to define instance as a gateway, 

my_user_data: |
#!/bin/bash
clish -c 'set user admin shell /bin/bash' -s
clish -c 'set static-route {{ aws_lb1_subnet_cidr }} nexthop gateway address {{ aws_internal_route }} on' -s
config_system -s 'install_security_gw=true&install_ppak=true&gateway_cluster_member=false&install_security_managment=false&ftw_sic_key=vpn12345';shutdown -r now;

Is there any Ansible module available for this? 

Any help would be highly appreciated. 

Thank you, 

Amit Chaubey

Labels
4 Replies
PhoneBoy
Admin
Admin
‎2018-09-15 09:47 PM

The demos here create gateways with an Ansible playbook: CheckMates_Aug15_Demos.zip 

But now that I think about it, the gateways here are actually being created (and SICed) using the CloudGuard/vSEC controller. 
However, as I pointed to in your other post, it should be possible to make the appropriate API calls to create the gateway.

Establishing the SIC is a different matter, but this can be done on the CLI of the management like so:

push_cert –s Cust_CMA –u admin –p adminpw –o examplegw –k test123

You can use the run-script API to call this from Ansible.

how to use the web api to run the run-script

The only thing you can do on the gateway as far as establishing management communication is using the initial SIC password.

When the gateway is created in the management and SIC is established, certificates are generated that are used for communication.

You can't really say "only accept a SIC connection from X host" beforehand.

Setting the expert password is a clish command.

In your user_data script, you'd include a command like:

clish -c 'set expert-password-hash yourhash' -s

where yourhash is computed with openssl passwd -1

0 Kudos
Amit_Chaubey
Contributor
‎2018-09-18 02:31 AM

Hi Dameon,

Thank you for sharing the information. 

About adding getaway to the management server, I have tried below command and after supplied the username/password of the management server it worked. but I think it can't be used in my user data file for the management server, right? if yes, then is there any way to add this task in user data file? 

mgmt_cli add simple-gateway name "gw1" color "yellow" ipv4 -address "192.0.2.230" version "R80" one-time-password "aaaa" firewall true vpn true application-control true url-filtering true ips true anti-bot true anti-vir us true threat-emulation true interfaces.1.name "eth0" interfaces.1.ipv4-address "192.0.2.230" interfaces.1.ipv4-network-mask "255.255.255.128" interfaces.1.ant i-spoofing true interfaces.1.topology "EXTERNAL" interfaces.2.name "eth1" interf aces.2.ipv4-address "192.0.2.88" interfaces.2.ipv4-network-mask "255.255.255.0" interfaces.2.anti-spoofing true interfaces.2.topology "INTERNAL" --version 1.1
Username: ****
Password:********

I have also triedby usinCheckMates_Aug15_Demos.zip , and tried using available ansible playbook(R80_CreateGateway.yml) to accomplished this, and end up with below error, 

PLAY [localhost] ****************************************************************************************************************************************************************

TASK [Wait up to 300 seconds for SIC port 18211 to Open] ************************************************************************************************************************
skipping: [localhost]

TASK [login] ********************************************************************************************************************************************************************
ok: [localhost]

TASK [Create SimpleGateway GW01 at 10.107.240.76] *******************************************************************************************************************************
fatal: [localhost]: FAILED! => {"changed": false, "msg": "Command 'add-simple-gateway {u'one-time-password': u'vpn12345', u'name': u'GW01', u'color': u'blue', u'interfaces': [{u'ipv4-network-mask': u'255.255.255.0', u'anti-spoofing': u'true', u'ipv4-address': u'10.107.240.76', u'name': u'eth0', u'topology': u'External'}], u'ips': u'true', u'version': u'R80.10', u'ipv4-address': u'10.107.240.76', u'firewall': u'true'}' failed with error message: APIResponse received a response which is not a valid JSON.. All changes are discarded and the session is invalidated."}
[WARNING]: Could not create retry file '/etc/ansible/cpAnsible/Playbooks/CreateGateway.retry'. [Errno 13] Permission denied:
u'/etc/ansible/cpAnsible/Playbooks/CreateGateway.retry'


PLAY RECAP **********************************************************************************************************************************************************************
localhost : ok=1 changed=0 unreachable=0 failed=1

0 Kudos
PhoneBoy
Admin
Admin
‎2018-09-18 06:20 AM
In response to Amit_Chaubey

If you're using the command on the CLI and logged into the Security Management server, you can simply add an -r true to the comamnd and then you don't need credentials Smiley Happy

Also, after creating the gateway, don't forget to publish the session as the gateway (or any other changes) won't show up unless you do that.

As to why the playbook isn't creating a gateway... Ryan Darst‌ any ideas?

0 Kudos
Ryan_Darst
Employee
Employee
‎2018-09-18 06:29 AM
In response to PhoneBoy

Was the gateway up and running when the add-gateway command was run?  I see that the wait for the SIC port was canceled/skipped.  This check is used to verify that the gateway is up and running, reachable and listening on port 18211.  Once this is verified the api call can be made to add the gateway via the API.

To see the error that the API sent, look on the R80 Management server in $FWDIR/log/api.elg and look for this transaction and see what the error shows and it should point you in the right direction.

0 Kudos
Upcoming Events

    Sort by:
    CheckMates Events