Ash Sidhu

Ansible for Gaia gateways

Discussion created by Ash Sidhu on Nov 8, 2018

Ansible role to manage Checkpoint Gaia Gateways.

 

The following Ansible role will enable you to execute commands on multiple nodes in parallel. 

Using this role you will be able to do the following:

  • Take clish config backups (show configuration)
  • Run essential show commands on all your gateways from a single playbook, e.g.
    • Show route
    • Show asset all
    • Show interfaces
    • Show ospf, etc.
  • Issue configure commands to all your gateways from a single playbook.

In my case, I can back up 100-odd gateways in under 5 minutes. So, here it is...

 

REQUIREMENTS

Ansible Server 

  • Linux server. The role has been tested with RHEL 7+ and Ubuntu, but it should work with other flavours as well.
  • Ansible 2.5 and above running on the Linux server.
  • The server should have a direct connection to the Check Point firewalls (at the moment the role does not support a jump box).

Connection to the firewalls

  • Route to the firewall - You should be able to ssh to all your gateways from the Linux host.
  • SSH host keys - It is also important that the host keys of the gateways are already stored in your 'known_hosts' file. This happens automatically when you ssh for the first time from the server to each gateway, so that first connection is the moment the key gets trusted.
  • Username - the default username for login is 'admin', but this can be changed per firewall in the inventory file.
  • Passwords - The role assumes that you have the same password for all the gateways. If you have different logins on the gateways, you can set up key-based (passwordless) logins instead.
  • Login shell - The role assumes that the login shell of the user (used for login) is bash, i.e. when the user logs on they land in expert mode. If you have clish set as your login shell, most of the playbooks will run, but the bash playbooks will fail because the playbook cannot change to expert mode.

 

The playbooks have been tested with Ansible 2.7 running on Ubuntu 18.04 LTS and on RHEL 7.0. I am pretty sure they will run on other flavors of Linux as long as Ansible 2.7 is being used.

 

Set up

Follow the procedure below once you have installed Ansible on your server. Log in to the Linux server as root and follow the steps.

  1. Ansible config file - /etc/ansible/ansible.cfg. Edit your Ansible config file and make sure the following configuration directives are set to the values shown.

    forks           = 15
    gather_timeout  = 60
    roles_path      = /etc/ansible/roles
    timeout         = 90
    connect_timeout = 90
    command_timeout = 80

  2. Install the role by running the following command.
    ansible-galaxy install ashwin_sid.gaia_fw1 --force

  3. Prepare the Inventory file - /etc/ansible/hosts

Make an entry for each of your gateways in the following format.

[ckp]
GW-perimeter01 ansible_host=192.168.50.2
GW-Perimeter04-A ansible_host=192.168.89.2
GW-Perimeter04-B ansible_host=192.168.89.3 ansible_port=44 ansible_user=ladmin

 

 

The fields are explained below.

  • '[ckp]' - this is the hostgroup. This is the name used in the sample playbooks provided. You can create your own hostgroup, but make sure to use that name in the playbooks.
  • 'GW-perimeter01' (2nd line) - This is the name of the gateway as referenced in Ansible. This doesn't have to be the actual hostname of the firewall.
  • 'ansible_host=192.168.50.2' - This is the IP that will be used for making ssh connections. This is the IP of the individual gateway, not the cluster IP or VIP. Cluster IPs don't need to go in here.
  • 'ansible_port=44' (4th line) - this is the ssh port, if different from the default, 22.
  • 'ansible_user=ladmin' (4th line) - set this if the user used to log in to the firewall is different from the default 'admin'.

  4. Preparing the playbooks - There are some sample playbooks included with the role. You can find them in the folder /etc/ansible/roles/ashwin_sid.gaia_fw1/Sample-Playbooks.

Do not work in the '/etc/ansible' directory. Create your own directory structure to store and run the playbooks. I have created the /opt/fw-ansible/playbooks folder on my Linux server to run the playbooks.

#mkdir /opt/fw-ansible
#mkdir /opt/fw-ansible/playbooks
#cp /etc/ansible/roles/ashwin_sid.gaia_fw1/Sample-Playbooks/* /opt/fw-ansible/playbooks/

 

 

Running Playbooks

The following playbooks are included:

  • Backup.yml - This playbook will back up your Gaia config, i.e. the output of 'show configuration'.
  • show.yml - Will run a diagnostic clish command on your gateways and store the output on the Ansible server. You can use this playbook as a template and create custom playbooks that are more relevant to your environment, e.g. you could copy the file to 'Show-route.yml' and change the 'cmd' string to 'show route'.
  • Show_HFA.yml - This playbook will get the installed HFA info from the gateways.
  • show-clish.yml - This is similar to the above playbook, but can run more than 1 command. The commands (1 command on each line) are stored in the file 'show-clish.cmd' in the same directory.
  • show-bash.yml - This file will run bash commands on the gateway and store the output on the Ansible server.
  • configure-clish.yml - This playbook will issue clish commands (stored in the file configure-clish.cmd) on the gateways.
  • configure-bash.yml - This playbook will issue bash commands (stored in the file configure-clish.cmd) to the gateways.

The playbooks can be run by an ordinary user; you DO NOT have to be root to run them.

 

Customization

The following can be customized for all the playbooks.

- hosts: ckp
  serial: 10

  • 'hosts: ckp' - change this value to whatever hostgroup you have set in the inventory file.
  • 'serial: 10' - this is the batch size. A value of 10 means that the playbook will run all the commands for 10 firewalls at a time and then the next 10, until all gateways are done. If your Ansible server is beefy enough, you can set this to 20 or higher, which means that the playbook will execute the commands simultaneously for 20 hosts (parallelism within a batch is still capped by the 'forks' value set in ansible.cfg, so raise that as well).

 

Backup.yml

This will back up your Gaia config, i.e. the output of 'show configuration'.

You do not need to touch any other line (apart from the customization above). Now run the playbook.

#cd /opt/fw-ansible/playbooks/
#ansible-playbook -k backup.yml


Next it will ask you to enter your password. The backup is stored in the folder /opt/fw-ansible/BACKUP/<GW-Name>/. The file is named with the timestamp of when the backup was run.
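Because every run leaves a timestamped 'show configuration' dump per gateway, the BACKUP folder doubles as a change-detection source: diffing the newest dump against the previous one shows which gateways changed since the last run, which is a cheap way to spot unplanned edits. The script below is an added example (not part of the role or the post); it assumes the folder layout described above and that the timestamp file names sort chronologically, and builds a constructed sample tree so it runs offline.

```python
import difflib
import tempfile
from pathlib import Path

# Layout the backup playbook produces (from the post):
#   /opt/fw-ansible/BACKUP/<GW-Name>/<timestamp>, one 'show configuration' dump per run.
BACKUP_ROOT = Path("/opt/fw-ansible/BACKUP")


def latest_two(gw_dir: Path) -> list:
    """The two most recent dumps of one gateway, oldest first. Assumes the
    timestamp file names sort chronologically, so lexical order is enough."""
    files = sorted(p for p in gw_dir.iterdir() if p.is_file())
    return files[-2:]


def config_drift(backup_root: Path = BACKUP_ROOT) -> dict:
    """Diff each gateway's newest dump against the previous one.
    Returns {gateway: [changed lines prefixed with + or -]}; gateways with
    fewer than two dumps, or with identical dumps, are left out."""
    report = {}
    for gw_dir in sorted(p for p in backup_root.iterdir() if p.is_dir()):
        pair = latest_two(gw_dir)
        if len(pair) < 2:
            continue
        old, new = (p.read_text().splitlines() for p in pair)
        diff = difflib.unified_diff(old, new, lineterm="", n=0)
        changes = [l for l in diff
                   if l.startswith(("+", "-")) and not l.startswith(("+++", "---"))]
        if changes:
            report[gw_dir.name] = changes
    return report


def build_sample() -> Path:
    """Constructed backup tree (not real gateway output) for a dry run."""
    root = Path(tempfile.mkdtemp())
    base = ["set hostname GW",
            "set static-route 1.1.1.1/32 nexthop gateway address 192.168.1.2 on"]
    changed = base + ["set static-route 1.1.1.2/32 nexthop gateway address 192.168.1.2 on"]
    dumps = {
        "GW-perimeter01": {"2018-11-08_0900": base, "2018-11-08_1000": changed},
        "GW-Perimeter04-A": {"2018-11-08_0900": base, "2018-11-08_1000": base},
        "GW-Perimeter04-B": {"2018-11-08_0900": base},  # only one backup so far
    }
    for gw, files in dumps.items():
        (root / gw).mkdir()
        for name, lines in files.items():
            (root / gw / name).write_text("\n".join(lines) + "\n")
    return root
```

Run config_drift() without arguments against the real BACKUP folder after each backup run; a gateway that appears in the report changed between the two most recent backups.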

 

show.yml

This playbook will run a single command on your gateway and store the output in a text file on the server.

Customizing the show.yml playbook. The only line that needs to be adjusted in the playbook is the following (leave the rest of the playbook as it is):

cmd: show asset all

 

  • 'cmd: show asset all' - Here you put your custom show command (clish).

You do not need to touch any other line. Now run the playbook.

#ansible-playbook -k show.yml

 

Next it will ask you to enter your password. This will run your command and store the output as /opt/fw-ansible/SHOW/<TIMESTAMP><GW-Name>.txt; the file is named with the gateway name.

 


configure-clish.yml

This playbook will run and save clish configuration commands.

The commands are stored in a text file named 'configure-clish.cmd'. Please edit the file and add the commands that you want to run. The sample file has a '#' in front of every line (so you don't run these commands by mistake). DO NOT put a '#' in front of commands that you want to run on your gateways. So, to add 3 static routes to all the gateways, the configure-clish.cmd file will look like this.

lock database override
set static-route 1.1.1.1/32 nexthop gateway address 192.168.1.2 on
set static-route 1.1.1.2/32 nexthop gateway address 192.168.1.2 on
set static-route 1.1.1.3/32 nexthop gateway address 192.168.1.2 on
save config



Once you have written the commands, run the playbook.

#ansible-playbook -k configure-clish.yml

 

Next it will ask you to enter your password. It might be useful to run the backup playbook before you run the configure playbook.
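Since configure-clish.yml sends the same file to every gateway in the group, a dry run that lists exactly which lines will be sent, before the password prompt, is worth having. The script below is an added example (not part of the role or the post): it applies the '#' rule described above and warns when the file is not framed by 'lock database override' and 'save config' like the sample, or when a line is pasted twice. The command file text is constructed here and the 'save config' semantics (changes are not saved without it) are an assumption about Gaia clish.

```python
# Constructed stand-in for configure-clish.cmd: the commented line is a leftover
# sample default and must NOT run; the routes mirror the post's example, with one
# line pasted twice on purpose so the duplicate check has something to find.
SAMPLE_CMD_FILE = """\
# set hostname GW-perimeter01
lock database override
set static-route 1.1.1.1/32 nexthop gateway address 192.168.1.2 on
set static-route 1.1.1.2/32 nexthop gateway address 192.168.1.2 on

set static-route 1.1.1.2/32 nexthop gateway address 192.168.1.2 on
save config
"""


def parse_cmd_file(text: str) -> list:
    """Commands that will actually be sent: '#' lines and blank lines are
    dropped, which is how the post describes the sample file being treated."""
    cmds = []
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):
            cmds.append(line)
    return cmds


def preflight(text: str) -> dict:
    """Dry run before fanning the file out to every gateway in the group.
    Returns the active commands plus warnings for: nothing left to run,
    missing 'lock database override' first, missing 'save config' last
    (assumed: without it the change is not saved), and duplicated lines."""
    cmds = parse_cmd_file(text)
    warnings = []
    if not cmds:
        warnings.append("no active commands (every line is commented out)")
    else:
        if cmds[0] != "lock database override":
            warnings.append("first command is not 'lock database override'")
        if cmds[-1] != "save config":
            warnings.append("last command is not 'save config'; changes would not be saved")
    seen = set()
    for c in cmds:
        if c in seen:
            warnings.append(f"duplicate command: {c}")
        seen.add(c)
    return {"commands": cmds, "warnings": warnings}
```

Feed it the real file with preflight(open("configure-clish.cmd").read()) and only run the playbook once the warnings list is empty and the command list is what you expect.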

You can similarly run the other playbooks ... 

 

You should start with the Backup playbook (on a test firewall) and, once that is running smoothly, experiment with the other playbooks and create your own.

 

Ansible Role Page 

Blog explaining how to use the role.
