This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Tribhawan_Singh
Contributor
‎2019-07-29 11:36 PM

Unable to login into checkpoint gateway firewall through Ansible

Problem Description: I want to run healthcheck commands on a VSX based checkpoint R80.10 23500 model and 5500 normal checkpoint firewall gateway but i am unable to login into the firewall. 
 
There are 2 simple playbooks i am mentioning here, 1 by using ansible roles (name = cp1.yml) and other is direct access (cp2.yml).
In LAB environment i am getting results for cp1.yml but cp2.yml is failing saying it needs ansible_network_os value. (Want to know what would be the ansible_network_os for checkpoint)
 
In production, none of these 2 are working and i am getting below error:
 
 
 
When login through network_cli then below error is coming while executing both playbooks:
 
-bash-4.2$ ansible-playbook cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
fatal: [firewall]: FAILED! => {"msg": "unable to set terminal parameters"}
 
****************************************************************
 
My Playbooks:   (Playbook 1)   cp1.yml
 
in /etc/ansible directory:
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      import_role:
        name: trib_role
        tasks_from: showbash

      vars:
        cmdfile: show-bash.cmd
 
************
-bash-4.2$ cat show-bash.cmd
fw ver
fw tab -t connections -s
-bash-4.2$
 
*****************
-bash-4.2$ pwd
/etc/ansible/roles/trib_role/tasks   <-------------Roles directory
 
******************
-bash-4.2$ cat showbash.yml
---
- name: SHOW CONFIG
  cli_command:
    command: "{{ item }}"
  with_lines: cat {{ cmdfile }}
  register: result1

- name: show output files
  debug:
    var: result1
 
host file:
[checkpoint]
firewall <---------------------My production firewall name
 
-bash-4.2$ cd host_vars/
-bash-4.2$ cat firewall
---
ansible_host: x.x.x.x                       (My production firewall IP)
ansible_user: admin
ansible_ssh_pass: *********             (admin password)
ansible_connection: network_cli
 
**********************************************************
 
Playbook2  cp2.yml:
 
---
- name: CheckPoint health Status
  hosts: checkpoint
  gather_facts: no
  serial: 1

  tasks:
    - name: checkpoint healthcheck commands
      cli_command:
        command:
            - 'fw ver'
      register: result

    - name: show output
      debug:
        var: result.stdout_lines
-bash-4.2$
 
Here also getting the same error:
 
-bash-4.2$ ansible-playbook cp2.yml -vvvv

PLAYBOOK: cp2.yml ***************************************************************************************************************************************************************************************************************************
1 plays in cp2.yml

PLAY [CheckPoint health Status] *************************************************************************************************************************************************************************************************************
META: ran handlers

TASK [checkpoint healthcheck commands] ******************************************************************************************************************************************************************************************************
task path: /etc/ansible/cp2.yml:8
<x.x.x.x> attempting to start connection
<x.x.x.x> using connection plugin network_cli
<x.x.x.x> local domain socket does not exist, starting it
<x.x.x.x> control socket path is /files0/home/singhtr/.ansible/pc/22a0ffc2f6
<x.x.x.x>
The full traceback is:
Traceback (most recent call last):
  File "/usr/bin/ansible-connection", line 106, in start
    self.connection._connect()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/connection/network_cli.py", line 334, in _connect
    self._terminal.on_open_shell()
  File "/usr/lib/python2.7/site-packages/ansible/plugins/terminal/ios.py", line 58, in on_open_shell
    raise AnsibleConnectionFailure('unable to set terminal parameters')
AnsibleConnectionFailure: unable to set terminal parameters

fatal: [firewall]: FAILED! => {
    "msg": "unable to set terminal parameters"
}
        to retry, use: --limit @/etc/ansible/cp2.retry

PLAY RECAP **********************************************************************************************************************************************************************************************************************************
firewall                 : ok=0    changed=0    unreachable=0    failed=1
 
 
I hope @Ryan_Darst @Ash_Sidhu @PhoneBoy can help me here.
0 Kudos
9 Replies
_Val_
Admin
Admin
‎2019-07-30 03:50 AM

It looks like you expect admin shell to be bash, or am I missing something? It is not bash, unless you change it manually.

0 Kudos
Tribhawan_Singh
Contributor
‎2019-07-30 04:02 AM
In response to _Val_

default shell is bash only.
0 Kudos
Ryan_Darst
Employee
Employee
‎2019-07-30 05:43 AM

Things I would check since it looks like you are using the standard ansible commands.

1.  Shell setup for the ansible user should be set to /bin/bash on the gateway.

2. Make sure ansible has the path to where python is.  Gaia does not have it in a typical location.  Also this applies to R80.X and later, since in R77.X any python scripts have to be white-listed. 

Here is an example of what I use in my demo R80.X systems in my /etc/ansible/hosts

[Gaia]
10.2.0.221 ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

[Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_ssh_pass=vpn123
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
scp_if_ssh = False

0 Kudos
Tribhawan_Singh
Contributor
‎2019-07-30 06:14 AM
In response to Ryan_Darst

Strange, i have all these parameters set as you mentioned except hosts, after changing the host file as you mentioned, i am getting below error:
-bash-4.2$ ansible-playbook cp3.yml

PLAY [CheckPoint health Status] ****

TASK [checkpoint healthcheck commands] ******
fatal: [10.x.x.x]: FAILED! => {"msg": "unable to elevate privilege to enable mode, at prompt [\nfirewall:TACP-0> ] with error: failed to elevate privilege to enable mode still at prompt [\nfirewall:TACP-0> ]"}
to retry, use: --limit @/etc/ansible/cp3.retry
--We have below configuration on the firewall:
add rba role TACP-0 domain-type System readwrite-features tacacs_enable
add rba role TACP-15 domain-type System all-features

However default shell is bash.
0 Kudos
_Val_
Admin
Admin
‎2019-07-31 04:10 AM
In response to Tribhawan_Singh

Can you show TACP0 settings? It does not seem to be full admin account, hence bash access might fail. Does TACP15 work?

0 Kudos
Tribhawan_Singh
Contributor
‎2019-07-31 01:28 PM
In response to _Val_

@_Val_ @Ryan_Darst 

This is completed now. I took a different approach to achieve this. I ran the shell script inside the firewall and through Ansible i invoked the shell script and displayed the result on my screen.

This also resolves my issue of how to take VSX specific output.

 

0 Kudos
_Val_
Admin
Admin
‎2019-08-02 03:38 AM
In response to Tribhawan_Singh

@Tribhawan_Singh good to know you have found the way. Care to share the details here, for outer community members?

0 Kudos
Tribhawan_Singh
Contributor
‎2019-08-05 07:38 AM
In response to _Val_

@_Val_  Sure, here is the sample shell and ansible script

Shell inside the firewall /home/admin directory:

For VS1:

[Expert@firewall:0]# cat cp1.sh
#!/bin/bash

source /etc/profile.d/vsenv.sh 2> /dev/null

# First arg passed to script is VSNAME
VSNAME=1
vsenv $VSNAME

cphaprob stat
fw tab -t connections -s
fwaccel stat | grep Status
sleep 2s
fwaccel stats -s
fw ctl multik stat
fw ctl pstat -u

 

Ansible Script:

- name: CheckPoint health Status
hosts: localhost
gather_facts: yes

tasks:
- name: checkpoint healthcheck commands on vs1
shell: "ssh admin@10.x.x.x ' sh /home/admin/cp1.sh'"
args:
executable: /bin/bash
register: check
delegate_to: localhost

- name: CheckPoint healthcheck output for vs1
debug:
var: check.stdout_lines

 

0 Kudos
Nathan_Davieau
Employee
Employee
‎2019-09-23 01:32 PM
In response to Tribhawan_Singh

Have you tried the healthcheck.sh script from sk121447?

It can be run on gateway from the management server.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events