Andrew_Rawlinso
Participant

Terraform - Add Static Route on Gateway

Hi,

I have currently deployed an R82 Check Point Management Server and R82 Security Gateway via Terraform in our on-premise VMware environment. We use Jenkins pipelines to deploy the Terraform code that is stored in GitHub Enterprise.

The code works well to provision the Virtual Machines, and run all day one tasks, such as running the first time configuration wizard and adding the gateway into the Management server with the provided SIC one-time password.

I am now looking at how to perform "day 2" tasks for the ongoing management of the security gateway now it has been deployed. One specific scenario is looking at how to add a static route onto the gateway. I have been looking at the "checkpoint_management_gaia_api" terraform command to connect to the Check Point Management server and run the gaia_api command on the gateway to add the static route. Link to Terraform resource below:

checkpoint_management_gaia_api | Resources | CheckPointSW/checkpoint | Terraform | Terraform Registr...

Monitoring the /var/log/gaia_api_server.log file on the Gateway I can see that the Management Server successfully logs into the gateway api and tries to POST the "set-static-route" api call to the gateway. It fails with the error:

"ERROR: Failed to handle request, reason: 'address is required, mask-length is required, type is required'"

The Terraform code I am using is below (X.X.X.X and Y.Y.Y.Y have been used to hide the real IP addresses):

resource "checkpoint_management_command_gaia_api" "add_static_route" {
  target          = checkpoint_management_simple_gateway.cpgw01.name
  command_name    = "set-static-route"
  other_parameter = <<EOT
 '{
  "address" : "X.X.X.X",
  "mask-length" : "22",
  "next-hop" : {
    "gateway" : "Y.Y.Y.Y",
    "priority" : "2"
  },
  "rank" : "25",
  "type" : "gateway",
  "comment" : "Added via Terraform"
 }'
 EOT
 }
 
Does anyone have any suggestions on how to get this working? Is there a different Terraform resource that could be used to perform changes on the gateways after they have been deployed?
 
Thanks in advance for your help,
Andy
0 Kudos
4 Replies
Amir_Senn
Employee

Have you tried to use GAIA API "run script" API?

https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html#web/run-script~v1.8%20

You can also chain some commands together.

Body example I used as part of a collection:

{
  "script": "mgmt_cli -r true set api-settings accepted-api-calls-from \"All IP addresses\" ; api restart"
}
Kind regards, Amir Senn
0 Kudos
PhoneBoy
Admin

Possible this is a bug and it should be brought through TAC.

0 Kudos
Bob_Zimmerman
Authority

It seems to me more like a quoting issue. The complaint that "address is required, mask-length is required, type is required" almost certainly comes from the gateway, which means the Terraform/Jenkins system is successfully making a call to the management, and the management is successfully making a call to the gateway, but the body in the call is breaking somewhere.

In the declaration above, other_parameter is a string which contains a JSON blob. It seems likely if it contained an object instead, this would work.

0 Kudos
PhoneBoy
Admin

Considering the contents of the other_parameter is being passed via stdin, the presence of the single quotes may, in fact, be what is causing this issue.
It's a simple thing to try @Andrew_Rawlinso

0 Kudos
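The replies above point at the single quotes wrapped around the JSON in other_parameter. The following added check (example code written for this thread, not from the original post, the Check Point Terraform provider, or the Gaia API server) shows what a JSON consumer makes of the body exactly as posted versus the same body with the quotes removed, and which of the required keys named in the gateway's error it would then find. The required-key list is taken from the error message in the post; treating a body that fails to decode as "all three keys missing" mirrors the wording of that error and is an assumption about how the gateway reports it, not its actual implementation. The heredoc text is a constructed copy of the posted body with the placeholder addresses kept.

```python
import json

# Required top-level keys for a Gaia "set-static-route" call, taken from the
# error the gateway logged: "address is required, mask-length is required,
# type is required". The other keys in the body are treated as optional here.
REQUIRED_KEYS = ("address", "mask-length", "type")

# Constructed sample: the heredoc body as posted, single quotes included,
# with the same placeholder addresses the post uses.
QUOTED_BODY = """ '{
  "address" : "X.X.X.X",
  "mask-length" : "22",
  "next-hop" : {
    "gateway" : "Y.Y.Y.Y",
    "priority" : "2"
  },
  "rank" : "25",
  "type" : "gateway",
  "comment" : "Added via Terraform"
 }'
"""

# Constructed sample: the same body with the surrounding single quotes removed
# (the body contains no other apostrophes, so a plain replace is enough).
UNQUOTED_BODY = QUOTED_BODY.replace("'", "")


def parse_body(raw):
    """Decode other_parameter the way a JSON consumer would.

    Returns (payload, error). A body that is not a JSON object yields
    (None, message) instead of raising, so the caller can report the reason.
    """
    try:
        payload = json.loads(raw)
    except json.JSONDecodeError as exc:
        return None, "body is not valid JSON: %s at char %d" % (exc.msg, exc.pos)
    if not isinstance(payload, dict):
        return None, "body decoded to %s, expected an object" % type(payload).__name__
    return payload, None


def missing_required(payload):
    """Return the required set-static-route keys absent from a decoded body."""
    return [key for key in REQUIRED_KEYS if key not in payload]


def check_body(raw):
    """Summarise whether a body would pass a required-field check.

    A body that does not decode to an object is reported with every required
    key missing, which is the shape of the error quoted in the post (assumed
    reporting behaviour, not the gateway's real code).
    """
    payload, error = parse_body(raw)
    if error:
        return {"ok": False, "error": error, "missing": list(REQUIRED_KEYS)}
    missing = missing_required(payload)
    if missing:
        return {
            "ok": False,
            "error": ", ".join("%s is required" % key for key in missing),
            "missing": missing,
        }
    return {"ok": True, "error": None, "missing": []}


if __name__ == "__main__":
    for label, body in (("as posted", QUOTED_BODY), ("quotes removed", UNQUOTED_BODY)):
        print("%s: %s" % (label, check_body(body)))
```

Run as-is, the "as posted" body is rejected before any key is examined, because a leading single quote is not valid JSON; the "quotes removed" body decodes and carries all three required keys. Building the string in HCL with Terraform's jsonencode() function instead of a hand-written heredoc removes the opportunity for this kind of quoting mistake, though whether that alone resolves the failure in the original environment is not confirmed in this thread.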