This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Kim_Moberg
Advisor
‎2024-05-02 04:23 AM

CME Custom Gateway Script fails when resetting the RADIUS settings while redeploying script against

Hi

We have been using CP CME for a couple of years and I have been looking into what can be done smarter.

When we make changes to autoprovision.json via cmd autoprov-cfg it triggers an update/redeplyment on Cloudguards in our VMSS Scale Sets.

For example update / redeploying could be to add new log servers it will also trigger running the attached custom gateway script.

With the custom gateway script we might be setting banner for compliance purposes or time servers and DNS etc.. 

What we have added are also RADIUS authentication and that is were the problem happens.

When the script runs on the running VMSS Scale Sets Gloudguards the RADIUS breaks the run-script.

The error is:

WARNING Please make sure you do not configure the same user names on this RADIUS server and locally
WARNING Please make sure you do not configure the same user names on this RADIUS server and locally
  GAIA0101  Host already exist

Error exception are shown in below output.

################################ output from cme.log ######################################


2024-05-01 13:59:56,774 CME_SERVICE INFO Running script: "/bin/cg-azsea-script.sh " on target: SEATST


2024-05-01 14:00:07,043 CME_SERVICE INFO Resetting gateway SEATST
2024-05-01 14:00:07,121 CME_SERVICE INFO Deleting objects for gateway: SEATST-
2024-05-01 14:00:07,121 CME_SERVICE INFO Deleting objects with Policy Destructor Network Group
2024-05-01 14:00:11,445 CME_SERVICE INFO Gateway instance SEATST was removed successfully from CME_SEATST network group
2024-05-01 14:00:11,446 CME_SERVICE ERROR Failed to provision the Security Gateway instance SEATST
2024-05-01 14:00:11,462 CME_SERVICE ERROR Error traceback: Traceback (most recent call last):
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1124, in run_post_customize instance.name)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1066, in run_custom_gateway_script put_file_dict=put_file_dict)
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 275, in run_script
response = self(CPMCommand.RUN_SCRIPT, body).get(
File "/opt/CPcme/cp_handlers/mgmt_handler.py", line 178, in __call__
silent=silent)
File "/opt/CPcme/cp_handlers/mgmt_api_handler.py", line 245, in __call__
CMEExceptionCodes.MGMT_API, command=command)
cme_exceptions.cme_exceptions.ManagementApiException: Error Code: Management API error

API call failed with command: run-script
Payload: {'script-name': '/bin/cg-azsea-script.sh ', 'script': '/bin/cg-azsea-script.sh ', 'targets': ['SEATST']}
Error details: WARNING Please make sure you do not configure the same user names on this RADIUS server and locally, WARNING Please make sure you do not configure the same user name
s on this RA...

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
File "/opt/CPcme/service/cme_service.py", line 533, in sync
is_setup_gw_succeed = management.autoprovision_handler.set_gateway(instance, gw, auto_hf)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1473, in set_gateway
self.provision_gateway(instance, gw, auto_hf, gw_tags, simple_gateway)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 2857, in provision_gateway
self.run_post_customize(instance=instance, gw=gw, gw_tags=gw_tags)
File "/opt/CPcme/cp_handlers/mgmt_autoprovision_handler.py", line 1133, in run_post_customize
raise Exception(f'post-customize gateway failed: {str(e)}')
Exception: post-customize gateway failed: Error Code: Management API error

API call failed with command: run-script
Payload: {'script-name': '/bin/cg-azsea-script.sh ', 'script': '/bin/cg-azsea-script.sh ', 'targets': ['SEATST']}
Error details: WARNING Please make sure you do not configure the same user names on this RADIUS server and locally, WARNING Please make sure you do not configure the same user name
s on this RA...
2024-05-01 14:00:13,499 CME_SERVICE INFO VMSS hub-cldgd-dev-scaleset, is managed by private ip address through eth1

################################ output from cme.log ######################################

 

How can this be solved? I have added the script as an attachment

 

Best Regards
Kim
Labels
Preview file
2 KB
0 Kudos
2 Replies
Shay_Levin
Admin
Admin
‎2024-05-12 07:00 AM

Hello Kim, 

Based on my examination of the SR, we suspect the problem lies within the script due to an erroneous in the  management API call.

Needs to verify that the script run successfully when invoked from the management using mgmt_cli run-script.

 

0 Kudos
Kim_Moberg
Advisor
‎2024-05-13 02:19 AM
In response to Shay_Levin

Hello Shay,

I can also see mgmt api call generate an error but I do now run any Mgmt CLI commands via the script in itself.

If I run the script directly on the gateway I do not get the error other than standard RADIUS warning.

Basically my impression is a pure error handling of such condition and if we any one working on with cloudguards and using custom gateways script might have an experienced similar issue, or am I wrong here?

 

Best Regards
Kim
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
UPCOMING CLOUDMATES EVENTS
    All CloudMates Events