Hash1
Contributor

"Checkpoint device returned error 404 with message" when installing policy through Ansible

I have created some scripts to run when we need to install a policy based on their name.
Let's say we have a policy called "Birds" and other "Reptiles".

I have pretty much the same script for Birds and Reptiles, check the diff:

root@server:/path/to/whatever$ diff policy_Birds.yml policy_Reptiles.yml
2c2
< - name: Policy Birds
---
> - name: Policy Reptiles
9c9
< policy_package: Birds
---
> policy_package: Reptiles
18,20c18,20
< to: hello@email.com
< subject: "Playbook: Birds FAILED"
< body: "Policy Birds Failed"
---
> to: hello2@email.com
> subject: "Playbook: Reptiles  FAILED"
> body: "Policy Reptiles Failed"

But when I run the Reptiles yml I get

fatal: [IP]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found', 'message': 'Requested object [bda64744-c5bf-42f7-b052-36d1aa5757db] not found'} Unpublished changes were discarded"}

This doesn't happen to Birds.
I triple checked all the names, mainly at "policy_package", to see if I mistyped something. But I'd like to say that it used to work a week prior to that. The only change is that we changed the apiuser on the firewall, from a locally created account to a RADIUS account.

Here are some of the "codes and configs" we are using:

cat policy_Birds.yml
---
- name: Policy Birds
  hosts: check_point
  connection: httpapi
  tasks:
    - name: Something
      check_point.mgmt.cp_mgmt_install_policy:
        access: true
        policy_package: Birds
        threat_prevention: true
      ignore_errors: True
      register: result
    - name: mail result
      mail:
        host: smtp.server.goes.here
        port: 25
        from: ansible@domain
        to: hello@email.com
        subject: "Birds FAILED"
        body: "Something something.. not relevant"
      delegate_to: localhost
      when: result is failed

Command being used to run

ansible-playbook -i hosts --vault-id checkpoint@ansible-vault  policy_Birds.yml -vvv

Or policy_Reptiles.yml

Hosts

ansible-vault view --vault-id checkpoint@ansible-vault hosts
[check_point]
IP
[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=RADIUS_USER
ansible_password=ULTRASECRETPASSWORD
ansible_network_os=check_point.mgmt.checkpoint

Ansible Version:

ansible --version
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /bin/ansible
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]

Said error:

TASK [taskname] *******************************************************
fatal: [IP]: FAILED! => {"changed": false, "msg": "Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found', 'message': 'Requested object [bda64744-c5bf-42f7-b052-36d1aa5757db] not found'} Unpublished changes were discarded"}
...ignoring

Working on the other guy:

TASK [Instalar politica] *******************************************************
changed: [IP]

Permissions:

-rw-rw-r--.  1 root    root      708 Mar 10 09:43 policy_Birds.yml
-rw-rw-r--.  1 root    root      719 Jul 24  2020 policy_Reptiles.yml
-rw-rw-r--.  1 root    root      607 Mar  9 15:47 verify_Internet.yml

cpinfo -y all:

cpinfo -y all

This is Check Point CPinfo Build 914000202 for GAIA
[IDA]
        No hotfixes..

[CPFC]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[MGMT]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[FW1]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

FW1 build number:
This is Check Point Security Management Server R80.30 - Build 031
This is Check Point's software version R80.30 - Build 205

[SecurePlatform]
        HOTFIX_GOGO_LT_HEAT_JHF Take:  215

[CPinfo]
        No hotfixes..

[DIAG]
        No hotfixes..

[Reporting Module]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[CPuepm]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[VSEC]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[SmartLog]
        HOTFIX_R80_30_JUMBO_HF_MAIN     Take:  215

[R7520CMP]
        No hotfixes..

[R7540CMP]
        No hotfixes..

[R76CMP]
        HOTFIX_R80_30_JHF_COMP  Take:  215

[SFWR77CMP]
        No hotfixes..

[R77CMP]
        HOTFIX_R80_30_JHF_COMP  Take:  215

[R75CMP]
        No hotfixes..

[NGXCMP]
        No hotfixes..

[EdgeCmp]
        No hotfixes..

[SFWCMP]
        No hotfixes..

[FLICMP]
        No hotfixes..

[SFWR75CMP]
        No hotfixes..

[MGMTAPI]
        No hotfixes..

[CPUpdates]
        BUNDLE_HCP_AUTOUPDATE   Take:  24
        BUNDLE_INFRA_AUTOUPDATE Take:  39
        BUNDLE_DEP_INSTALLER_AUTOUPDATE Take:  20
        BUNDLE_R80_30_JUMBO_HF_MAIN_gogoKernel  Take:  215

[SFWR80CMP]
        No hotfixes..

[CPDepInst]
        No hotfixes..

[AutoUpdater]
        No hotfixes..

[hcp_wrapper]
        HOTFIX_HCP_AUTOUPDATE


Oh yeah, I almost forgot. I even made a new script to verify policy on Reptiles (the one with the problem), and it DID work:

 cat verify_Reptiles.yml
---
- name: Verify Reptiles
  hosts: check_point
  connection: httpapi
  tasks:
    - name: verify-policy
      cp_mgmt_verify_policy:
        policy_package: Reptiles
      register: result


That's it. HELPPPPP

0 Kudos
1 Solution


21 Replies
PhoneBoy
Admin

Your playbooks are missing a target for install policy--something required for a policy installation.
It needs to be one or more gateway objects.

Hash1
Contributor

That does not explain how installing policy on Birds works just fine.

I will try it at night today and let you know how it went.

Hash1
Contributor

myuser@ansible-server:/path/to/script$ ls -la | grep _new
-rw-rw-r--.  1 root    root      732 Mar 15 19:33 install_reptiles_new.yml


myuser@ansible-server:/path/to/script $ cat install_reptiles_new.yml
---
- name: Internet
  hosts: check_point
  connection: httpapi
  tasks:
    - name: Install Reptiles
      check_point.mgmt.cp_mgmt_install_policy:
        access: true
        policy_package: Reptiles
        targets:
        - 255.255.255.255
        threat_prevention: false
      ignore_errors: true
      register: result

Of course the target IP is not 255 and so on; I just used the Cluster IP. This is the IP that shows on SmartConsole, yada yada.
Same error.

0 Kudos
PhoneBoy
Admin

Use the gateway/cluster name (not IP address).

0 Kudos
Hash1
Contributor

myuser@ansible-server:/path/to/script $ cat install_reptiles_new.yml
---
- name: Internet
  hosts: check_point
  connection: httpapi
  tasks:
    - name: Install Reptiles
      check_point.mgmt.cp_mgmt_install_policy:
        access: true
        policy_package: Reptiles
        targets:
        - Reptiles
        threat_prevention: false
      ignore_errors: true
      register: result


I get

"msg": "Checkpoint device returned error 400 with message {'code': 'generic_err_invalid_parameter', 'message': 'Invalid parameter for [targets]. Input installation target [Reptiles] does not exist, or is not an installable target'} Unpublished changes were discarded"
}
PhoneBoy
Admin

You need to use the name of the gateway/cluster object the policy package is to be installed on.
If this is what you've done, I recommend engaging with the TAC.

Hash1
Contributor

I'll be contacting CP through the TAC.
I have a quick question, how do I check the UID of my policy?

0 Kudos
PhoneBoy
Admin

It comes as part of the output of "show policy-package name Foobar" command.

0 Kudos
Hash1
Contributor

show package name Reptiles
Worked for me. I got the UID and tested it with verify. Will test an install at night using the UID as a target. Meanwhile our partner is engaging with the TAC for us.

0 Kudos
the_rock
Legend

Phoneboy makes a very legit point... seems like indeed you are missing a policy install target, hence why it fails.

Andy

0 Kudos
Hash1
Contributor

Please refer to my answer to Phoneboy.

0 Kudos
Bob_Zimmerman
Authority

This may be a silly question, but can you find any references to bda64744-c5bf-42f7-b052-36d1aa5757db in the problem policy? Based on the error, it sounds like something in the problem policy is trying (and failing) to reference it, and nothing in the working policy references it.

I would dump all of your groups and groups-with-exclusions, as well as all of the access rules in every layer and all of the NAT rules in the policy package, then search the resulting data for that UUID. It may also be worth looking for the UUID in $FWDIR/log/api.elg* to see if you can find the API request triggering the failure.

0 Kudos
Hash1
Contributor

What is the best way, or how can I dump all groups, access rules and NATs to try to find that UID?

I was unable to find any api.elg in $FWDIR/log/.
Edit: Was looking in the wrong direction. All I managed to find was from when it first started, pretty much.

0 Kudos
Bob_Zimmerman
Authority

This should work for groups:

( apiCommand="show groups"
# log in read-only; the session id is saved in sessionFile.txt for the following calls
mgmt_cli login read-only true -r true > sessionFile.txt
# apiCommand is expanded unquoted on purpose so its words become separate arguments
firstJSON=$(mgmt_cli -s sessionFile.txt --format json ${apiCommand} details-level full limit 500)
echo "${firstJSON}" | jq -c '.objects[]|.'
numberOfObjects=$(echo "${firstJSON}" | jq ".total")
offset=500
echo "${numberOfObjects} objects to export." >&2
# page through the remaining objects, 500 at a time, one JSON object per output line
while [ $offset -lt $numberOfObjects ]
do echo "Exporting up to $(($offset+500))" >&2
mgmt_cli -s sessionFile.txt --format json ${apiCommand} details-level full limit 500 offset ${offset} | jq -c '.objects[]|.'
offset=$(($offset+500))
done
mgmt_cli -s sessionFile.txt logout>/dev/null
/bin/rm sessionFile.txt ) > output.json

The value of apiCommand in the top line and the name "output.json" in the bottom should be modified for each category of thing you want to see. I think the others you would need to use are "show groups-with-exclusion" and "show service-groups".

For the rules, I think the script above would need a little modification. apiCommand would be "show access-rulebase name <layer name>", and "show nat-rulebase package <policy package name>". If the layer name or policy package name have spaces in them, you will need to quote-delimit them. The quotes will probably need to be escaped. You will also need to change the two instances of '.objects[]|.' to '.rulebase[]|.'. I think it should work otherwise.

Once you have all the JSON files, it should be relatively simple to tell whether that UUID shows up in them:

grep bda64744-c5bf-42f7-b052-36d1aa5757db *.json
0 Kudos
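A Python version of the dump-and-search loop above, added here as an example and not Bob's script or any Check Point code. It talks to the Management Web API instead of mgmt_cli, so a layer name with spaces is just a JSON string and no shell quoting is involved; it also parses the Ansible failure text to pull out the UID to search for. It assumes API access is enabled on the management server, a session id obtained from the `login` command, and the constructed sample message and rulebase page embedded in the code.

```python
import ast
import json
import re
import urllib.request

UID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}")
# Constructed sample: the failure message the Ansible module printed in the thread.
SAMPLE_MSG = ("Checkpoint device returned error 404 with message {'code': 'generic_err_object_not_found', "
              "'message': 'Requested object [bda64744-c5bf-42f7-b052-36d1aa5757db] not found'} "
              "Unpublished changes were discarded")
# Constructed sample: a cut-down show-access-rulebase page, one rule referencing the UID in its source.
SAMPLE_PAGE = {"total": 1, "rulebase": [{"uid": "11111111-1111-1111-1111-111111111111",
               "name": "allow dns", "source": [{"uid": "bda64744-c5bf-42f7-b052-36d1aa5757db"}]}]}

def parse_cp_error(msg):
    """Extract HTTP status, API error code and the UID the server could not resolve."""
    m = re.search(r"error (\d+) with message (\{.*?\})", msg)
    if not m:
        return None
    body = ast.literal_eval(m.group(2))  # the module renders the dict with Python repr, not JSON
    uid = UID_RE.search(body.get("message", ""))
    return {"status": int(m.group(1)), "code": body["code"], "uid": uid.group(0) if uid else None}

def find_uid(node, uid, path="$"):
    """Walk any JSON structure and return the paths at which the UID occurs as a value."""
    if isinstance(node, dict):
        return [p for k, v in node.items() for p in find_uid(v, uid, f"{path}.{k}")]
    if isinstance(node, list):
        return [p for i, v in enumerate(node) for p in find_uid(v, uid, f"{path}[{i}]")]
    return [path] if node == uid else []

def api_call(base_url, command, payload, sid=None, ctx=None):
    """One Management Web API call; ctx is an ssl.SSLContext when the server cert is not verified."""
    headers = {"Content-Type": "application/json", **({"X-chkp-sid": sid} if sid else {})}
    req = urllib.request.Request(f"{base_url}/web_api/{command}", json.dumps(payload).encode(), headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)

def dump_all(base_url, sid, command, payload, key, ctx=None):
    """Page through a show-* command 500 objects at a time, like the mgmt_cli loop above."""
    items, offset = [], 0
    while True:
        page = api_call(base_url, command, {**payload, "details-level": "full", "limit": 500,
                                             "offset": offset}, sid, ctx)
        items.extend(page.get(key, []))
        offset += 500
        if offset >= page.get("total", 0):
            return items
```

For a layer, call `dump_all(url, sid, "show-access-rulebase", {"name": "layer one"}, "rulebase")` and pass the result to `find_uid` with the UID from `parse_cp_error`; for groups the command is `show-groups` and the key is `objects`.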
Hash1
Contributor

show groups, groups-with-exclusion, service-groups scripts are working just fine.
Tested one for show access-rulebase name <layer name> with a layer that doesn't have a space in its name, and it worked. I will be creating the rest of the outputs, which will take a bit of time because we have a bunch of layers. I'll be checking even layers not related to Reptiles just to make sure.
After that will do for nat and the grep to see if we can get that weird UID that "doesn't exist".

Thanks a lot Bob! Will reply again when we're done.


Edit: I'm sorry for my ignorance, but how do I escape the quotation marks?

( apiCommand="show access-rulebase name \"layer one\""

or
( apiCommand=\"show access-rulebase name "layer one"\"

Doesn't seem to work.


0 Kudos
Bob_Zimmerman
Authority

This should work and may be the easiest fix:

( apiCommand='show access-rulebase name "layer one"'

To be clear, I'm not sure the reference will show up. I just find it really, really weird that the actual error message you're getting when you try to install the policy says it can't find a particular UUID. Where is that UUID coming from? As far as I'm aware, Ansible shouldn't just be making up UUIDs and asking for data about them, so surely it must come from somewhere in the Check Point API server, right?

Seems like wherever it comes from will have more answers about why it comes from there, which may lead to why you can't push the policy.

Though on a related note, can you push the problem policy from SmartConsole?

0 Kudos
Hash1
Contributor

Yeah, that's how we are doing it. Installing manually with SmartConsole. And I just tried doing:

install-policy policy-package "Reptiles" access true threat-prevention true targets.1 "clustername"
and it installed with no problem.


But with


tasks:
    - name: Install Reptiles
      check_point.mgmt.cp_mgmt_install_policy:
        access: true
        policy_package: Reptiles
        threat_prevention: true
        targets:
        - clustername
      ignore_errors: True
      register: result


I get that same &*^*(#$#!$@#  bda64744-c5bf-42f7-b052-36d1aa5757db "not found".

I will continue the scripts tomorrow to try to find this bda guy.

0 Kudos
Hash1
Contributor

Sorry for the late response, but I'm busy this week. I'm still having trouble with all these quotes. The suggested fix didn't work. With every attempt to escape it I keep getting:

Error: The parameters of show-access-rulebase command should be provided in pairs (key and value). You have provided an odd number of parameters which suggests that you are probably missing a parameter.
objects to export.
script5: line 8: [: 500: unary operator expected

0 Kudos
Bob_Zimmerman
Authority

Clearly I don't remember how to keep quotes in strings in BASH. Oh well. Try this instead:

( mgmt_cli login read-only true -r true > sessionFile.txt
# placeholders until the first page reports the real total; the command is written inline so the quoted layer name survives
numberOfObjects=1
offset=0
while [ $offset -lt $numberOfObjects ]; do
echo "Exporting up to $(($offset+500))" >&2
jsonOutput=$(mgmt_cli -s sessionFile.txt --format json show access-rulebase name "Policy_the_Second Network" details-level full limit 500 offset ${offset})
echo "${jsonOutput}" | jq -c '.rulebase[]|.'
numberOfObjects=$(echo "${jsonOutput}" | jq ".total")
offset=$(($offset+500))
done
mgmt_cli -s sessionFile.txt logout>/dev/null
/bin/rm sessionFile.txt ) > output.json

Replace `Policy_the_Second Network` with the name of the access layer you are trying to dump. This version worked on my development SmartCenter.

Jonas_Rosenboom
Employee

Use below API command with a privileged user to find the relevant object by UID:

show object uid 'bda64744-c5bf-42f7-b052-36d1aa5757db'


The error message can occur when your API user doesn't have permissions on the object. It will report the error by UID, even if you specified NAME in the request. Was there a modification to the profile, possibly during changing the authentication method for the user? 

Hash1
Contributor

I've been trying to reply to you since 10 minutes after you gave us an answer but this forum is acting weird and won't let me do it.

Anyways, we've been working on the user policy to get this to work and used that command, which showed us a "CpmiFloodgatePolicy" type.

I changed the user policy to Read on "QoS Policy" which then made my ansible scripts work.

0 Kudos