Antonio_Opromol
Contributor

mgmt_enable_api = "all" doesn't work anymore in my Terraform deployment

Hi, I'm having problems with the Terraform deployment on Azure of new Management Servers: they do not enable the web API for all IP addresses despite the mgmt_enable_api = "all" parameter being set. This can also be reproduced using one of the ready-made test modules from your GitHub repositories.
The strange thing is that until a few days ago this setting worked correctly and it was possible to connect via the web API. Has anyone had the same problem?


Accepted Solution
Antonio_Opromol
Contributor

Solved. After debugging I found that the problem was due to the FTW (First Time Wizard) not accepting my password hashes for the serial console and maintenance mode; passing an empty string, the FTW finishes correctly and API access is set correctly to any IP address.
7 Replies
Bob_Zimmerman
Authority

The set-api-settings call only accepts specific values. Try "all ip addresses".

Antonio_Opromol
Contributor

I'm using Terraform and pass the parameters of the Management Server during deployment as follows:

custom_data = templatefile("${path.module}/cloud-init.sh", {
  installation_type              = var.installation_type_mgmt
  allow_upload_download          = var.allow_upload_download
  os_version                     = var.os_version
  template_name                  = var.template_name
  template_version               = var.template_version
  template_type                  = var.template_type
  is_blink                       = var.is_blink
  bootstrap_script64             = base64encode(var.bootstrap_script)
  location                       = azurerm_resource_group.mainmgmt.location
  management_GUI_client_network  = var.management_GUI_client_network
  enable_api                     = var.mgmt_enable_api
  admin_shell                    = var.admin_shell
  serial_console_password_hash   = var.serial_console_password_hash
  maintenance_mode_password_hash = var.maintenance_mode_password_hash
})
Until 2-3 days ago this worked well with enable_api = "all".

Now it seems that this value no longer sets the API access to all IP addresses.

I've already tried with "all ip addresses" and "All", but nothing changes, and when I try to connect as follows

# Connecting to ckpmgmt
provider "checkpoint" {
  server   = tostring(local.mgmt_pubip_real)
  username = var.default_admin_username_gaia
  password = var.admin_password_mgmt
  context  = var.provider-context
  timeout  = "180"
}

with context = "web_api", I receive an error saying the connection is not possible because "all ip addresses" is not set; in fact, in SmartConsole I see that it is set to accept API connections only from the management server.

For the test I've used the code from the following GitHub repository: https://github.com/CheckPointSW/CloudGuardIaaS/tree/master/terraform/azure/management-new-vnet

PhoneBoy
Admin

If the API is not configured to allow access from the relevant IP, anything relying on the API will fail.
This means you need to fix this issue in SmartConsole before attempting to use Terraform.

Antonio_Opromol
Contributor

I know, but why did it work until a few days ago, during VM creation with the cloud-init parameters passed as arguments?

Antonio_Opromol
Contributor

If I look in the cloud_configure_azure_instance.py file on the deployed Management Server instance (R81.20), I see the functions that enable the API on the management server and set the access permission are defined there:

    def accepted_api_calls_from_allowed_value(self, enable_api_to):
        """#TODO fixDocstring"""
        switcher = {
            object_to_str(EnableApiAllowedValues.ALL):
                EnableApiToCommand.ALL,
            object_to_str(EnableApiAllowedValues.MANAGEMENT_ONLY):
                EnableApiToCommand.MANAGEMENT_ONLY,
            object_to_str(EnableApiAllowedValues.GUI_CLIENTS):
                EnableApiToCommand.GUI_CLIENTS
        }
        return (switcher.get(enable_api_to))

    def run_enable_api_commands(self, enable_api_to):
        """#TODO fixDocstring"""
        accepted_api_calls_from = object_to_str(
            self.accepted_api_calls_from_allowed_value(
                enable_api_to.lower()))
        enable_api_commands = ['api start',
                               'mgmt_cli -r true set-api-settings '
                               'accepted-api-calls-from "{}" --domain '
                               '\'System Data\''.format(
                                   accepted_api_calls_from),
                               'api reconf']
        for command in enable_api_commands:
            try:
                out, status = run_cmd(command)
            except Exception as e:
                log('{}'.format(e), level=logging.ERROR)

    def enable_api(self):
        """#TODO fixDocstring"""
        enable_api_to = self.template_vars[ENABLE_API]
        is_valid_value = enable_api_to.lower() in (value.lower() for
                                                   value in
                                                   ENABLE_API_ALLOW_VALUES)
        if is_valid_value:
            self.run_enable_api_commands(enable_api_to)
        else:
            log(
                "-- Error message: invalid value for 'enableApi' parameter. "
                "The invalid value {} should be replaced by one of the "
                "following values: {} or 'disable'.".format(
                    enable_api_to, ENABLE_API_ALLOW_VALUES),
                level=logging.ERROR)

    def enable_api_if_needed(self):
        """#TODO fixDocstring"""
        enable_api = self.template_vars.get(ENABLE_API)
        if not enable_api or enable_api == EnableApiAllowedValues.DISABLE:
            pass
        else:
            self.enable_api()
In the file cloud_config_globals.py these two classes are defined, which confirm that I need to use the "all" value, which is mapped to "all ip addresses":

class EnableApiAllowedValues(set):
    """#TODO fixDocstring"""
    DISABLE = "disable"
    ALL = "all"
    MANAGEMENT_ONLY = "management_only"
    GUI_CLIENTS = "gui_clients"


class EnableApiToCommand(set):
    """#TODO fixDocstring"""
    DISABLE = "disable"
    ALL = "all ip addresses"
    MANAGEMENT_ONLY = "management server only"
    GUI_CLIENTS = "all ip addresses that can be used for gui clients"

So I need to understand why, in my case, the API is correctly enabled and started but the access permissions are not set to any IP address despite the parameter being set to "all". This has only happened in the last few days; before, it was correctly set to any IP address and not to the default value "management server only".

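The two scripts quoted above map the template value to the string set-api-settings expects, but they log and carry on when the value is unknown or when the command fails, so a deployment can come up with the API listening and still on the default "management server only". The following Python is an added example, not code from the thread or from the CloudGuard IaaS templates: it renders the command cloud-init would run for a given enable_api value (rejecting unknown values instead of swallowing them), and compares the value the template should have set with what a deployed server reports. The mapping is copied from the EnableApiAllowedValues and EnableApiToCommand classes above. The JSON shape of `mgmt_cli -r true show api-settings --format json` is an assumption: the code expects the value under the key "accepted-api-calls-from", the name used by the set command on the page, and the sample responses are constructed, not captured from a real server.

```python
import json
import shlex

# Template-parameter values and the strings set-api-settings expects for them,
# copied from the EnableApiAllowedValues / EnableApiToCommand classes quoted
# above. Keys are compared case-insensitively, as enable_api() on the page does.
ACCEPTED_FROM = {
    "disable": "disable",
    "all": "all ip addresses",
    "management_only": "management server only",
    "gui_clients": "all ip addresses that can be used for gui clients",
}


def normalise(enable_api):
    """Map a raw enable_api template value to its dictionary key.

    Raises ValueError instead of logging and carrying on (the template
    script's behaviour), which is why a value such as "all ip addresses",
    valid for set-api-settings but not as a template value, otherwise leaves
    the server on its default without any visible failure."""
    key = (enable_api or "disable").strip().lower()
    if key not in ACCEPTED_FROM:
        raise ValueError(
            "invalid enable_api value %r; use one of %s"
            % (enable_api, sorted(ACCEPTED_FROM))
        )
    return key


def api_settings_command(enable_api):
    """Return the mgmt_cli line cloud-init would run for this value, or None
    when the API is left disabled. Same shape as run_enable_api_commands on
    the page, including the --domain 'System Data' argument."""
    key = normalise(enable_api)
    if key == "disable":
        return None
    return shlex.join([
        "mgmt_cli", "-r", "true", "set-api-settings",
        "accepted-api-calls-from", ACCEPTED_FROM[key],
        "--domain", "System Data",
    ])


def check_deployment(enable_api, show_api_settings_json):
    """Compare what the template should have set with what the server reports.

    show_api_settings_json is the output of
      mgmt_cli -r true show api-settings --format json
    ASSUMPTION: that output carries the value under the key
    "accepted-api-calls-from" (the name used by the set command on the page).
    Returns (expected, observed, ok)."""
    expected = ACCEPTED_FROM[normalise(enable_api)]
    data = json.loads(show_api_settings_json)
    observed = str(data.get("accepted-api-calls-from", "")).strip().lower()
    return expected, observed, observed == expected


# Constructed sample responses (not captured from a real server): the first is
# the state the thread describes after a failed First Time Wizard, the second a
# deployment where cloud-init's set-api-settings actually ran.
SAMPLE_DEFAULT = json.dumps({"accepted-api-calls-from": "management server only"})
SAMPLE_ALL = json.dumps({"accepted-api-calls-from": "all ip addresses"})


if __name__ == "__main__":
    print(api_settings_command("all"))
    for sample in (SAMPLE_DEFAULT, SAMPLE_ALL):
        expected, observed, ok = check_deployment("all", sample)
        print("expected=%r observed=%r ok=%s" % (expected, observed, ok))
    try:
        api_settings_command("all ip addresses")  # a set-api-settings value, not a template value
    except ValueError as exc:
        print("rejected:", exc)
```

Run check_deployment as a post-apply step (for example from a local-exec provisioner that SSHes to the management server) before the checkpoint provider is used, so a First Time Wizard that never completed shows up as a clear "expected all ip addresses, observed management server only" rather than as a provider connection error. Note also that "all" accepts API calls from any source address that can reach the management server's HTTPS port; in Azure that leaves the NSG on the management interface as the only remaining control, so restrict it to the address range of the machine or pipeline running Terraform rather than leaving it open.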
Antonio_Opromol
Contributor

If I'm looking at the right scripts, I see that the command used to set the API access is

'mgmt_cli -r true set-api-settings '
'accepted-api-calls-from "{}" --domain '
'\'System Data\''.format(
    accepted_api_calls_from)

But I can't execute this command on a non-MDS management, as the error says when I try to run this command manually. I think this is the problem, but I don't understand why it worked before.

