
Unable to login into checkpoint gateway firewall through Ansible

Problem description: I want to run health check commands on a VSX-based Check Point R80.10 23500 model and on a normal 5500 Check Point firewall gateway, but I am unable to log in to the firewall.

There are two simple playbooks I am mentioning here: one using Ansible roles (cp1.yml) and the other using direct access (cp2.yml).
In the lab environment I am getting results for cp1.yml, but cp2.yml is failing, saying it needs an ansible_network_os value. (I want to know what the ansible_network_os would be for Check Point.)

In production, neither of these two is working and I am getting the error below:

When logging in through network_cli, the error below comes up while executing both playbooks:
 
-bash-4.2$ ansible-playbook cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
fatal: [firewall]: FAILED! => {"msg": "unable to set terminal parameters"}
 
****************************************************************
 
My playbooks. Playbook 1, cp1.yml, in the /etc/ansible directory:
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      import_role:
        name: trib_role
        tasks_from: showbash

      vars:
        cmdfile: show-bash.cmd
 
************
-bash-4.2$ cat show-bash.cmd
fw ver
fw tab -t connections -s
-bash-4.2$
 
*****************
-bash-4.2$ pwd
/etc/ansible/roles/trib_role/tasks   <-------------Roles directory
 
******************
-bash-4.2$ cat showbash.yml
---
- name: SHOW CONFIG
  cli_command:
    command: "{{ item }}"
  with_lines: cat {{ cmdfile }}
  register: result1

- name: show output files
  debug:
    var: result1
 
host file:
[checkpoint]
firewall <---------------------My production firewall name
 
-bash-4.2$ cd host_vars/
-bash-4.2$ cat firewall
---
ansible_host: x.x.x.x            # my production firewall IP
ansible_user: admin
ansible_ssh_pass: "*********"    # admin password
ansible_connection: network_cli
 
**********************************************************
 
Playbook 2, cp2.yml:
 
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      cli_command:
        # cli_command takes a single command string, not a list
        command: fw ver
      register: result

    - name: show output
      debug:
        var: result.stdout_lines
-bash-4.2$
 
Here I am also getting the same error:
 
-bash-4.2$ ansible-playbook cp2.yml -vvvv

PLAYBOOK: cp2.yml ***************************************************************************************************************************************************************************************************************************
1 plays in cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
task path: /etc/ansible/cp2.yml:8
<x.x.x.x> attempting to start connection
<x.x.x.x> using connection plugin network_cli
<x.x.x.x> local domain socket does not exist, starting it
<x.x.x.x> control socket path is /files0/home/singhtr/.ansible/pc/22a0ffc2f6
<x.x.x.x>
The full traceback is:
Traceback (most recent call last):
  File "/usr/bin/ansible-connection", line 106, in start
    self.connection._connect()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py", line 334, in _connect
    self._terminal.on_open_shell()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/terminal/ios.py", line 58, in on_open_shell
    raise AnsibleConnectionFailure('unable to set terminal parameters')
AnsibleConnectionFailure: unable to set terminal parameters

fatal: [firewall]: FAILED! => {
    "msg": "unable to set terminal parameters"
}
        to retry, use: --limit @/etc/ansible/cp2.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
firewall                 : ok=0    changed=0    unreachable=0    failed=1
 
 
I hope @Ryan_Darst @Ash_Sidhu @PhoneBoy can help me here.
Admin

It looks like you expect the admin shell to be bash, or am I missing something? It is not bash, unless you change it manually.

Default shell is bash only.
Employee

Things I would check, since it looks like you are using the standard Ansible commands:

1. The shell for the ansible user should be set to /bin/bash on the gateway.

2. Make sure Ansible has the path to where python is. Gaia does not have it in a typical location. Also, this applies to R80.X and later, since in R77.X any python scripts have to be white-listed.

Here is an example of what I use on my demo R80.X systems in my /etc/ansible/hosts:

[Gaia]
10.2.0.221 ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

[Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_ssh_pass=vpn123
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
scp_if_ssh = False

Strange, I have all these parameters set as you mentioned except hosts; after changing the hosts file as you mentioned, I am getting the error below:
-bash-4.2$ ansible-playbook cp3.yml

PLAY [CheckPoint health Status] ****

TASK [checkpoint healthcheck commands] ******
fatal: [10.x.x.x]: FAILED! => {"msg": "unable to elevate privilege to enable mode, at prompt [\nfirewall:TACP-0> ] with error: failed to elevate privilege to enable mode still at prompt [\nfirewall:TACP-0> ]"}
to retry, use: --limit @/etc/ansible/cp3.retry
We have the configuration below on the firewall:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

However, the default shell is bash.
Admin

Can you show the TACP-0 settings? It does not seem to be a full admin account, hence bash access might fail. Does TACP-15 work?

@_Val_ @Ryan_Darst 

This is completed now. I took a different approach to achieve this. I ran the shell script inside the firewall, and through Ansible I invoked the shell script and displayed the result on my screen.

This also resolves my issue of how to take VSX specific output.

 

Admin

@Tribhawan_Singh good to know you have found the way. Care to share the details here, for other community members?

@_Val_ Sure, here are the sample shell and Ansible scripts.

Shell script inside the firewall's /home/admin directory:

For VS1:

[Expert@firewall:0]# cat cp1.sh
#!/bin/bash

source /etc/profile.d/vsenv.sh 2> /dev/null

# First arg passed to script is VSNAME (defaults to VS 1 when not given)
VSNAME=${1:-1}
vsenv "$VSNAME"

cphaprob stat
fw tab -t connections -s
fwaccel stat | grep Status
sleep 2s
fwaccel stats -s
fw ctl multik stat
fw ctl pstat -u

 

Ansible script:

- name: CheckPoint health Status
  hosts: localhost
  gather_facts: yes

  tasks:
    - name: checkpoint healthcheck commands on vs1
      shell: "ssh admin@10.x.x.x ' sh /home/admin/cp1.sh'"
      args:
        executable: /bin/bash
      register: check
      delegate_to: localhost

    - name: CheckPoint healthcheck output for vs1
      debug:
        var: check.stdout_lines

 

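The same health check as an added example (not code from the thread): instead of wrapping an ssh command in a shell task, it uses Ansible's own ssh connection, so the gateway address and credentials come from inventory (or an ansible-vault encrypted file) rather than a hard-coded string, and it loops over several Virtual Systems. It assumes the inventory layout from the Employee reply above (a group with ansible_connection=ssh and an admin user whose shell is /bin/bash), a local copy of the cp1.sh script that reads the VS id from its first argument saved as files/cp1.sh (hypothetical path), and a constructed vs_ids list.

```yaml
# Added example, not from the thread. Assumes: inventory group
# 'checkpoint' with ansible_connection=ssh and an admin user whose
# shell is /bin/bash; a local files/cp1.sh that reads the VS id
# from $1 (hypothetical path). vs_ids is a constructed sample.
---
- name: CheckPoint VSX health status
  hosts: checkpoint
  gather_facts: no            # the setup module needs python, which
                              # Gaia keeps outside PATH; skip it here
  vars:
    vs_ids: [0, 1]            # Virtual Systems to check (constructed)

  tasks:
    - name: Run the health check inside each Virtual System
      # 'script' copies the local file to the gateway and runs it over
      # the raw transport, so no remote python interpreter is needed;
      # the VS id is passed as the script's first argument
      script: files/cp1.sh {{ item }}
      args:
        executable: /bin/bash
      loop: "{{ vs_ids }}"
      register: check
      changed_when: false     # read-only commands, never report "changed"

    - name: Show the health output per Virtual System
      debug:
        msg: "{{ item.stdout_lines }}"
      loop: "{{ check.results }}"
      loop_control:
        label: "VS {{ item.item }}"
```

Run it with ansible-playbook -i hosts cp_vsx_health.yml; with a password-based inventory like the one above, keep ansible_ssh_pass in a vault-encrypted group_vars file rather than in plain text.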
Employee+

Have you tried the healthcheck.sh script from sk121447?

It can be run on gateway from the management server.
