Unable to login into checkpoint gateway firewall through Ansible

Problem Description: I want to run healthcheck commands on a VSX-based Check Point R80.10 23500 model and a 5500 normal Check Point firewall gateway, but I am unable to log in to the firewall.
 
There are 2 simple playbooks I am mentioning here: one using Ansible roles (name = cp1.yml) and the other using direct access (cp2.yml).
In the LAB environment I am getting results for cp1.yml, but cp2.yml is failing, saying it needs an ansible_network_os value. (I want to know what the ansible_network_os would be for Check Point.)
 
In production, neither of these 2 is working and I am getting the error below:
 
 
 
When logging in through network_cli, the error below comes up while executing both playbooks:
 
-bash-4.2$ ansible-playbook cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
fatal: [firewall]: FAILED! => {"msg": "unable to set terminal parameters"}
 
****************************************************************
 
My Playbooks:   (Playbook 1)   cp1.yml
 
In the /etc/ansible directory:
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      import_role:
        name: trib_role
        tasks_from: showbash

      vars:
        cmdfile: show-bash.cmd
 
************
-bash-4.2$ cat show-bash.cmd
fw ver
fw tab -t connections -s
-bash-4.2$
 
*****************
-bash-4.2$ pwd
/etc/ansible/roles/trib_role/tasks   <-------------Roles directory
 
******************
-bash-4.2$ cat showbash.yml
---
- name: SHOW CONFIG
  cli_command:
    command: "{{ item }}"
  with_lines: cat {{ cmdfile }}
  register: result1

- name: show output files
  debug:
    var: result1
 
Hosts file:
[checkpoint]
firewall <---------------------My production firewall name
 
-bash-4.2$ cd host_vars/
-bash-4.2$ cat firewall
---
ansible_host: x.x.x.x                       (My production firewall IP)
ansible_user: admin
ansible_ssh_pass: *********             (admin password)
ansible_connection: network_cli
 
**********************************************************
 
Playbook2  cp2.yml:
 
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      cli_command:
        command: fw ver
      register: result

    - name: show output
      debug:
        var: result.stdout_lines
-bash-4.2$
 
Here too I am getting the same error:
 
-bash-4.2$ ansible-playbook cp2.yml -vvvv

PLAYBOOK: cp2.yml ***************************************************************************************************************************************************************************************************************************
1 plays in cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
task path: /etc/ansible/cp2.yml:8
<x.x.x.x> attempting to start connection
<x.x.x.x> using connection plugin network_cli
<x.x.x.x> local domain socket does not exist, starting it
<x.x.x.x> control socket path is /files0/home/singhtr/.ansible/pc/22a0ffc2f6
<x.x.x.x>
The full traceback is:
Traceback (most recent call last):
  File "/usr/bin/ansible-connection", line 106, in start
    self.connection._connect()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py", line 334, in _connect
    self._terminal.on_open_shell()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/terminal/ios.py", line 58, in on_open_shell
    raise AnsibleConnectionFailure('unable to set terminal parameters')
AnsibleConnectionFailure: unable to set terminal parameters

fatal: [firewall]: FAILED! => {
    "msg": "unable to set terminal parameters"
}
        to retry, use: --limit @/etc/ansible/cp2.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
firewall                 : ok=0    changed=0    unreachable=0    failed=1
 
 
I hope @Ryan_Darst @Ash_Sidhu @PhoneBoy can help me here.
9 Replies

Re: Unable to login into checkpoint gateway firewall through Ansible

It looks like you expect admin shell to be bash, or am I missing something? It is not bash, unless you change it manually.


Re: Unable to login into checkpoint gateway firewall through Ansible

Default shell is bash only.
Employee

Re: Unable to login into checkpoint gateway firewall through Ansible

Things I would check, since it looks like you are using the standard Ansible commands:

1. Shell setup for the ansible user should be set to /bin/bash on the gateway.

2. Make sure Ansible has the path to where Python is. Gaia does not have it in a typical location. Also, this applies to R80.X and later, since in R77.X any Python scripts have to be white-listed.

Here is an example of what I use in my demo R80.X systems in my /etc/ansible/hosts:

[Gaia]
10.2.0.221 ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

[Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_ssh_pass=vpn123
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
scp_if_ssh = False

Re: Unable to login into checkpoint gateway firewall through Ansible

Strange, I have all these parameters set as you mentioned except hosts; after changing the hosts file as you mentioned, I am getting the error below:
-bash-4.2$ ansible-playbook cp3.yml

PLAY [CheckPoint health Status] ****

TASK [checkpoint healthcheck commands] ******
fatal: [10.x.x.x]: FAILED! => {"msg": "unable to elevate privilege to enable mode, at prompt [\nfirewall:TACP-0> ] with error: failed to elevate privilege to enable mode still at prompt [\nfirewall:TACP-0> ]"}
to retry, use: --limit @/etc/ansible/cp3.retry
We have the configuration below on the firewall:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

However, the default shell is bash.
Re: Unable to login into checkpoint gateway firewall through Ansible

Can you show TACP0 settings? It does not seem to be full admin account, hence bash access might fail. Does TACP15 work?

Re: Unable to login into checkpoint gateway firewall through Ansible

@Val_Loukine @Ryan_Darst 

This is completed now. I took a different approach to achieve this. I ran the shell script inside the firewall, and through Ansible I invoked the shell script and displayed the result on my screen.

This also resolves my issue of how to take VSX specific output.

 


Re: Unable to login into checkpoint gateway firewall through Ansible

@Tribhawan_Singh good to know you have found the way. Care to share the details here, for other community members?

Re: Unable to login into checkpoint gateway firewall through Ansible

@Val_Loukine Sure, here are the sample shell and Ansible scripts.

Shell script inside the firewall's /home/admin directory:

For VS1:

[Expert@firewall:0]# cat cp1.sh
#!/bin/bash

source /etc/profile.d/vsenv.sh 2> /dev/null

# First arg passed to the script is VSNAME; defaults to VS 1 when none is given
VSNAME=${1:-1}
vsenv "$VSNAME"

cphaprob stat
fw tab -t connections -s
fwaccel stat | grep Status
sleep 2s
fwaccel stats -s
fw ctl multik stat
fw ctl pstat -u

 

Ansible Script:

---
- name: CheckPoint health Status
  hosts: localhost
  gather_facts: yes

  tasks:
    - name: checkpoint healthcheck commands on vs1
      shell: "ssh admin@10.x.x.x 'sh /home/admin/cp1.sh'"
      args:
        executable: /bin/bash
      register: check
      delegate_to: localhost

    - name: CheckPoint healthcheck output for vs1
      debug:
        var: check.stdout_lines
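Putting the two working pieces of this thread together, here is an added example that is not from any of the posts above: a playbook that uses Ansible's plain `ssh` connection (rather than `network_cli`, which expects a Cisco-style enable prompt) and the `script` module to push a local copy of the VS health-check script to the gateway and run it once per Virtual System, so nothing has to be pre-staged in /home/admin. The inventory group `checkpoint`, the local path `files/cp_health.sh` and the VS IDs are assumptions; the Python path is the one quoted earlier in the thread.

```yaml
---
# Added example (not from the thread): run the VSX health-check script on each gateway
# over a plain SSH connection, pushing the script from the control node each time.
# Prerequisite from the thread: the admin user's login shell on Gaia must be /bin/bash.
- name: CheckPoint VSX health status
  hosts: checkpoint                 # assumed inventory group
  gather_facts: no
  serial: 1
  vars:
    ansible_connection: ssh
    # Gaia's own interpreter (path given earlier in the thread). The script module
    # needs no Python on the target, but modules such as setup or copy do.
    ansible_python_interpreter: /opt/CPsuite-R80/fw1/Python/bin/python
    virtual_systems: [1, 2]         # assumed VS IDs; the script takes VSNAME as $1
    # Credentials belong in group_vars, encrypted with ansible-vault, or use SSH keys.

  tasks:
    - name: Run health check per Virtual System
      # files/cp_health.sh is an assumed local copy of the cp1.sh posted above,
      # with VSNAME read from its first argument.
      script: files/cp_health.sh {{ item }}
      loop: "{{ virtual_systems }}"
      register: health
      changed_when: false           # read-only commands never modify the gateway

    - name: Show health-check output per VS
      debug:
        msg: "{{ item.stdout_lines }}"
      loop: "{{ health.results }}"
      loop_control:
        label: "VS{{ item.item }}"
```

Because `changed_when` is false the play is safe to run on a schedule, and a non-zero exit from the script fails the host so the problem shows up in the recap rather than only in the debug output.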

 

Employee+

Re: Unable to login into checkpoint gateway firewall through Ansible

Have you tried the healthcheck.sh script from sk121447?

It can be run on gateway from the management server.
