This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hugo_vd_Kooij
Advisor
‎2023-04-14 12:36 AM
Jump to solution

Write multiple clish commands in Ansible task

Hi,

I treied to use the shell with the clish interpreter to execute multiple clish commands.

But so far it did not result in a working setup. The tasks itself gives no errors.

 

nameAddHostClish
  ansible.builtin.shell: |
    add host hostname {{ inventory_hostname }} ipv4-address ipv4-address ansible_default_ipv4.address
    add host hostname {{ inventory_hostname }}.local ipv4-address ipv4-address ansible_default_ipv4.address
    save config
  args:
    executable: /usr/bin/clish
<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
0 Kudos
1 Solution

Accepted Solutions
Erik_Lagzdins
Employee Employee
Employee
‎2023-07-25 07:24 AM
Jump to solution

As mentioned previously, using the Gaia modules is the preferred method to accomplish the task. 

If using Gaia modules is not possible, then you can use the shell module and expand on the example I've provided below.

     - name: "Apply Clish DNS Configurations"
       shell: "{{ item }}"
       with_items:
         - clish -c 'set dns primary 1.1.1.1' -s
         - clish -c 'set dns secondary 2.2.2.2' -s

 

View solution in original post

9 Replies
PhoneBoy
Admin
Admin
‎2023-04-14 09:29 AM
Jump to solution

You realize there is an Ansible collection for Gaia itself, right?
https://galaxy.ansible.com/check_point/gaia

0 Kudos
Hugo_vd_Kooij
Advisor
‎2023-04-16 10:49 PM
In response to PhoneBoy
Jump to solution

Yes, I am aware of them. But they don't cover all of my use cases.

To be honest not all firewall are up to spec.(R77.30 is pre API anyway.) And some features are not implemented. And some implemented in an impractical way.

For example cp_gaia_put_file only allows you to insert a file with the text as variable. Not a very practical job in my view.

So as it stands I have to rely on running clich commands by a user that has bash as it's default shell.

THe actual clish command's are just a test case.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Hugo_vd_Kooij
Advisor
‎2023-04-17 07:38 AM
In response to Hugo_vd_Kooij
Jump to solution

Somehow I had to use the long form commands with `clish -c` in front of each command and skip the use of clish as interpretor.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Erik_Lagzdins
Employee Employee
Employee
‎2023-07-25 07:24 AM
Jump to solution

As mentioned previously, using the Gaia modules is the preferred method to accomplish the task. 

If using Gaia modules is not possible, then you can use the shell module and expand on the example I've provided below.

     - name: "Apply Clish DNS Configurations"
       shell: "{{ item }}"
       with_items:
         - clish -c 'set dns primary 1.1.1.1' -s
         - clish -c 'set dns secondary 2.2.2.2' -s

 

FWA-BD
Explorer
‎2023-12-12 04:37 AM
In response to Erik_Lagzdins
Jump to solution

Hi Erik,

if I try your approach, the I get following error:

 

/bin/bash: line 1: clish: command not found.

 

 

My playbook:

 

---
# version 2312121007

- name: Set LLDP to on
  hosts: FW
  
  tasks:
  - name: Set LLDP on management server
    ansible.builtin.shell: "{{item}}"
    with_items:
      - clish -c "set lldp state on"
      - clish -c "save config"
    
    args:
      executable: /bin/bash

 

 

My host file:

 

[FW]
x.x.x.x

[FW:vars]
ansible_connection=httpapi
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_network_os=checkpoint

 

 

What am I doing wrong?

Thanks!

0 Kudos
Ofir_Shikolski
Employee Alumnus
Employee Alumnus
‎2023-12-13 07:14 AM
In response to FWA-BD
Jump to solution

you will need to load the profiles.

try to load one of the below:

source /etc/rc.d/init.d/functions

source /etc/profile.d/CP.sh

source /opt/CPshared/5.0/tmp/.CPprofile.sh

 

source /opt/CPshared/5.0/tmp/.CPprofile.sh && clish  -c "command" 

0 Kudos
FWA-BD
Explorer
‎2023-12-13 11:33 PM
In response to Ofir_Shikolski
Jump to solution

Thanks for the quick response. I have a look into that next week

0 Kudos
Erik_Lagzdins
Employee Employee
Employee
‎2023-12-15 08:45 AM
In response to FWA-BD
Jump to solution

This error is happening because of your FW:vars. Remove "ansible_connection=httpapi" and it should work.

I recommend adding the "ansible_connection=httpapi" variable only to specific playbooks that use the Check Point Gaia/Mgmt Ansible modules. When using a built-in basic Ansible module like command or shell, it's not needed.

0 Kudos
FWA-BD
Explorer
‎2023-12-17 10:13 PM
In response to Erik_Lagzdins
Jump to solution

Hi Erik,

 

thanks for the answer. This is what you get if you don't have your caffeine levels right

0 Kudos
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    Top