Re: no session-name with Ansible playbook

System_Adminis4 · ‎2019-06-19

Hello everyone,

I would want to have the session name appear in the audit logs when pushing or publishing changes with the web-services API via Ansible.

Basically, what is done automatically when publishing in SmartConsole (see Capture.PNG).

However, session name is not set when using the session-name parameter in the login command (see Capture2.PNG), and therefore not in the logs neither (Capture3.PNG)

This is the login task I use (I want the session to use the ansible user and date, as well as a change ticket that the user will be prompted for):

- name: login into SmartConsole API
  check_point_mgmt:
    command: login
    parameters:
      username: "{{ cpuser }}"
      password: "{{ cppassword }}"
      management: "{{ cpserver }}"
      session-name: "{{ change_ticket | upper }} - {{ ansible_user_id | lower}} - {{ ansible_date_time.date }}"
    fingerprint: "{{ cpfingerprint }}"
  register: login_response

The session-name parameter is not rejected and the user is correctly logged in. It doesn't seem that the publish command permits to set a session name.

My management station is 80.10 and Ansible is in version 2.7.10.

What am I doing wrong? Or is it some kind of bug? I did not find doc about this outside of

I don't have the issue I use the mgmt_cli tool in expert mode (Capture4.PNG).

Any help will be appreciated, thank you in advance.

PhoneBoy · ‎2019-06-19

Only the login command allows you to set a session-name.
When you do the publish action, you specify the UID of the session.

What is it you specify in the publish part of your playbook?

System_Adminis4 · ‎2019-06-19

thanks for the confirmation, PhoneBoy!

I publish using the registered login-response from the login command

- name: publish changes
  check_point_mgmt:
    command: publish
    session-data: "{{ login_response }}"

presumably to use, I thought, the SID of the session (~= --session-id in mgmt_cli command).

But you say I should use the UID? I'll give it try tomorrow, will keep you posted.

thanks for the fast answer!

System_Adminis4 · ‎2019-06-20

hello,

I actually did not try to specify a UID when publishing as I couldn't even see one in the login-response.

I however found a way to get what I wanted: use the set-session command with a new-name parameter after login. This successfully set a Name I could see in the Sessions tab of SmartConsole, as well as a Session Name in the changes and publish audit logs entries.

In summary, the session-name parameter doesn't work with the login command, but set-session one is happy to push the new-name parameter. So now, I use this instead of the single login from my original post:

- name: login into CP WebServices API
  check_point_mgmt:
    command: login
    parameters:
      username: "{{ cpuser }}"
      password: "{{ cppassword }}"
      management: "{{ cpserver }}"
    fingerprint: "{{ cpfingerprint }}"
  register: login_response

- name: set a session-name
  check_point_mgmt:
    command: set-session
    parameters:
      new-name: "{{ change_ticket | upper }} - {{ ansible_user_id | lower}} - {{ ansible_date_time.date}}"
    session-data: "{{ login_response }}"

Thanks for the help, I'll mark this as a solution.

PhoneBoy · ‎2019-06-23

What version of the API were you trying to do this against?
It might very well be there's a bug when setting the session name on the login action.

Are you a member of CheckMates?

no session-name with Ansible playbook