Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Hi Community,
I am trying to deploy cloudguard in Azure via ARM templates, but I am hitting an issue with the artifacts location parameters.
As I can see in the template, the artifacts location is no longer hard coded, instead it is using the deployment function to call the artifacts uri.
Long store short, when I run the template installation from local files on my computer, I get the error below saying that the templateLink doesn't exist:
Apprantly it happens because the deployment function does not respond with the templateLink information if you run the deployment using local templates.
Anyone ran into this issue before? Trying to install r80.30 using ARM template version below:
"templateVersion": "20190805"
thanks in advance.
Working with Mike, we understood that this missing URI is supposed to be some secure storage account somewhere in Azure cloud or whatever. That holds the missing linking template JSON file. Doing some reverse engineering, I was able to determine that the function of that linking template defines the output for a variable called VNETID. Once I understood that, I realized that I did not need it because I was not interested in creating a new vNET. I wanted to use the existing vNET and Subnets ( we were upgrading it from R8010 to R8030 - database export method ).
This is the variable it created which is needed by the deployment output in the main template JSON file:
"variables": {
"vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
},
"resources": [],
"outputs": {
"vnetId": {
"value": "[variables('vnetId')]",
"type": "string"
}
}Just a disclaimer - the above might be different for the new R80.30 based template but looking at the R80.20 linking template, I determined it was trying to get the same information, just different access method ( aka more secure with SAS Tokens and various Cloudy speaks ).
Quite honestly.. this could had been done without a linking template but every programmer have their preferences and reason behind it.
The variable in the main template that is requesting this value is:
The above value being output by it is being fed to the 'networkInterface' resource in the main template:
The 'outputs.vnetId.value' is derived from that linking template outputs.
If you can understand this process, then perhaps you can easily replace this with a more static variable entry. My solution was to extract that data without using linking template, adding this variable ( tweaking is needed to make this work right ) into the main template JSON file:
"variables": {
"vnetId": "[resourceId(parameters('virtualNetworkExistingRGName'),'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]"
As for needing a new vNET, heres the linking template code ( without the parameters )( Sorry I couldnt paste it cleanly 😞
"resources": [
{
"type": "Microsoft.Network/virtualNetworks",
"apiVersion": "[parameters('apiVersion')]",
"location": "[parameters('location')]",
"name": "[parameters('virtualNetworkName')]",
"properties": {
"addressSpace": {
"addressPrefixes": [
"[parameters('virtualNetworkAddressPrefix')]"
]
},
"subnets": [
{
"name": "[parameters('subnet1Name')]",
"properties": {
"addressPrefix": "[parameters('subnet1Prefix')]"
}
}
]
},
"tags": {
"provider": "[toUpper(parameters('Check_PointTags').provider)]"
}
}
],
"outputs": {
"vnetId": {
"value": "[resourceId('Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
"type": "string"
}
}
}
You can see that these linking templates only end up gathering the necessary outputs to be extracted for the resources.
I realize this might be a bit more technical for the average user who might not be well versed in ARM Template coding, but that's the gist of it all.
I was also using Azure portal in the Template section to deploy this instead of Powershell - no need to fumble around with Powershell.
Hello,
when I try to deploy the ARM Template with R80.30.
I am using the current Template from github
I just changed the (the rest is default):
https://raw.githubusercontent.com/CheckPointSW/CloudGuardIaaS/master/azure/templates/
I get this error:
2020-06-18T12:54:20.2088705Z Deployment name is CP-R8030-HA_deploymentTemplate-github-20200618-125414-2bfd
2020-06-18T12:54:57.3129967Z There were errors in your deployment. Error code: DeploymentFailed.
2020-06-18T12:54:57.3176457Z ##[error]At least one resource deployment operation failed. Please list deployment operations for details. Please see https://aka.ms/DeployOperations for usage details.
2020-06-18T12:54:57.3189360Z ##[error]Details:
2020-06-18T12:54:57.3191241Z ##[error]NotFound: Resource /subscriptions/47138828-8258-408b-a3d0-f0b99f1c5a34/resourceGroups/GIT-RG-919-FW-HA-R8030-SD-WAN/providers/Microsoft.Network/virtualNetworks/GIT-919-VNET-CP-HA-SD-WAN not found.
2020-06-18T12:54:57.3194055Z ##[error]InvalidResourceReference: Resource /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/virtualNetworks/rgname/subnets/Frontend referenced by resource /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/networkInterfaces/R8030fw-eth0 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
2020-06-18T12:54:57.3197571Z ##[error]InvalidResourceReference: Resource /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/virtualNetworks/rgname/subnets/Frontend referenced by resource /subscriptions/subid/resourceGroups/rgname/providers/Microsoft.Network/networkInterfaces/R8030fw-eth0 was not found. Please make sure that the referenced resource exists, and that both resources are in the same region.
2020-06-18T12:54:57.3199856Z ##[error]Check out the troubleshooting guide to see if your issue is addressed: https://docs.microsoft.com/en-us/azure/devops/pipelines/tasks/deploy/azure-resource-group-deployment?view=azure-devops#troubleshooting
2020-06-18T12:54:57.3201559Z ##[error]Task failed while creating or updating the template deployment.
2020-06-18T12:54:57.3272993Z ##[section]Finishing: ARM Template deployment: Resource Group scope
I can see that the NICs are not created. In the screenshot you can see which Ressource Types are created.
Or is there any better way to deploy the Check Point Solution as infrastructure as code in an easy and supported way?
Can anyone help me here?
Hello there, the errors you are seeing is as a result of missing resources that did not get created when the ARM Template deployment went through its process. It has its pro and cons - cons being its very annoying when one thing isn't right, it has a cascading effect where everything just falls apart. But pro being, you know exactly where it started to fail.
Its very hard for me to see why it failed for you as you did not list exactly what changes were made. If you changed the locations of something that need to phone home that you do not own, it will break and then the rest of the creation fails.
I am not sure if you know that you can create the resources within Azure Marketplace? This is the easiest way to create the resources. You lose some control of the naming of resources, but its easier.
How are you deploying the ARM Template? Powershell? Or Template in Azure?
First thing would be to make sure that template you grabbed off the Github even works.
Did you test it? Dont customize it, just leave it as it is and see if it works. If it works, we have one less thing to worry about and save all of us a wild goose chase that could go on for days.
If it works, then first thing is to customize your resources one at a time. Don't do too many changes at once...it becomes very difficult to track where it might have broke. Usually that small change will reveal to you what doesn't work. I know its tedious and time consuming, but if you get it right in the long run, you save yourself a lot of trouble when you need to redeploy in the future.
What you wrote in the original post was not clear to me, can you tell me what change you made to this:
What change did you make to that? I tried to hit that link and it came back with Error 400..
I took some time to run it through myself and was successful. I copied and pasted the codes from the maintemplate.json into the Template in Azure Portal. Then I ran the deployment and replaced the string data with the new http URL ( whole URL was truncated in screenshot, so dont copy this as it is - use whole URL 😞
Then I deployed it and it completed without an issue ( new vnet and resource group 😞
Then alternatively, I added it to ARM Template code to make it the default string:
Had same successful results and didnt have to change it at the parameter level. I even did it at the parameter.json side of it and had same good results:
This was all in the Template in Azure portal.
Did you see something you might had done differently compared to what I did? I did not put that same URL in the SAS Token value... that remained NULL or blank.
I would recommend trying the codes stock as it is from maintemplate.json in Github and run it as it, then in the deployment, change that default string to the new URL string.. then purchase it. This would eliminate the possible code side of of it.
Let me know what you get.....thanks.
