Aathi
Contributor

Gateway First-time wizard through Ansible Playbook

Hi Team,

I am trying to automate the gateway first-time wizard through Ansible. While connecting to the gateway from Ansible I am getting the below error.

hostfile:

[Gaia:vars]
ansible_connection=ssh
ansible_ssh_user=admin
ansible_sudo_pass=Infy123+
ansible_python_interpreter=/opt/CPsuite-R80/fw1/Python/bin/python
#export ansible_user='admin'
#export ansible_ssh_pass='Infy123+'


[Gaia]
10.X.X.X ansible_python_interpreter="/opt/CPsuite-R80/fw1/Python/bin/python"

 

Playbook:

---
- hosts: Gaia
  gather_facts: no
  tasks:
    - name: Present working directory
      command: pwd
    - name: to check the route
      command: netstat -nr

Error:

PLAY [Gaia] ************************************************************************************************************************************************************

TASK [Present working directory] ***************************************************************************************************************************************
fatal: [10.66.40.162]: UNREACHABLE! => {"changed": false, "msg": "SSH Error: data could not be sent to remote host \"10.66.40.162\". Make sure this host can be reached over ssh", "unreachable": true}
to retry, use: --limit @/etc/ansible/gateway.retry

PLAY RECAP *************************************************************************************************************************************************************
10.66.40.162 : ok=0 changed=0 unreachable=1 failed=0

But I am able to SSH to the gateway from the Ansible server manually.

1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin

If I read his playbook correctly, he's executing config_system over SSH, which should be doable before the API is installed.

14 Replies
_Val_
Admin
Admin

That won't work. FTW is supposed to be done through WebUI. To deploy a new GW through ansible, you have to add GAIA API first. Look it up here, there are a couple of posts with examples already on CheckMates

Aathi
Contributor
Hi Valeri,

Thanks for the update. Can you help me with how I have to add the GAIA API?

Regards
Aathi
_Val_
Admin
Admin

For info about GAIA API, please start here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

There are also plenty of articles and demos around this topic in the community. Just look it up, using the "Search all content" tool above.

PhoneBoy
Admin
Admin

You don't sudo on Gaia, you need to login as admin.
Also the Python included on the appliance does not contain many libraries and may not work with Ansible.

The Gaia API is here: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
However I'm not sure it can be used to run the First Time Wizard.

Aathi
Contributor

Hi,

The below mentioned script is not working for fresh gateways:

---
- hosts: "{{ target }}"
  gather_facts: no
  connection: local
  tasks:

    - name: "Create config_system on the gateway"
      raw: echo "config_system --config-string \"hostname={{ hostname }}&ftw_sic_key={{ sickey }}&timezone='America/New_York'&install_security_managment=false&install_mgmt_primary=false&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=false&download_info=true\" >> ftw.output & " > /home/admin/ftwstart

    - name: "Change permissions"
      raw: chmod 755 ftwstart

    - name: "Run the FTW Setup"
      command: "/bin/bash /home/admin/ftwstart"

    - name: Wait until the FTW completes
      wait_for:
        path: /etc/.wizard_accepted
      register: exists
      until: exists|success
      retries: 20
      delay: 15

    - name: Waiting for 10 seconds before reboot
      pause:
        seconds: 10

    - name: Rebooting
      command: "shutdown -r now"

I am getting the below error while executing from the Ansible server.

Apr 5 07:31:29 2019 Gateway01 ansible-wait_for: Invoked with active_connection_states=['ESTABLISHED', 'FIN_WAIT1', 'FIN_WAIT2', 'SYN_RECV', 'SYN_SENT', 'TIME_WAIT'] state=started connect_timeout=5 delay=0 msg=None host=127.0.0.1 sleep=1 timeout=300 exclude_hosts=None search_regex=None path=/etc/.wizard_accepted port=None

But on gateways where the first-time wizard is already installed, the playbook is working fine. Kindly help on this.

PhoneBoy
Admin
Admin
You said that the script is not working.
Yet, at the same time, you said the First Time Wizard completed successfully.
What is the issue, exactly?

Aathi
Contributor

Hi,

For fresh gateways it is not working. I am not able to configure the first-time wizard using this playbook. Can you help to solve the issue, as I am having a demo on Monday? Do let me know if you have any other scripts or playbooks to deploy the first-time wizard.

Thanks in advance.

PhoneBoy
Admin
Admin
You're doing a level of indirection in your playbook that I'm not sure you need to do.
Why aren't you just invoking config_system directly versus running it directly?

Aathi
Contributor

Hi,

We are automating Check Point related tasks through Ansible. Please let me know whether we can automate the first-time wizard through Ansible, and if there are any other ways, please do let me know as well; it will be more helpful.

Thanks in advance.

PhoneBoy
Admin
Admin

You’re not giving any details about the starting state of these appliances, what kind of appliances these are, version of code, etc. Based on that, we might be able to provide some alternatives.

What I tried to say before (but failed) is your playbook appears to create a script on the appliance to call config_system when you could just have the playbook call config_system directly. Since the default shell (clish) does NOT support output redirection, your approach won't work. Likewise, checking for the existence of a file won't work since clish doesn't expose the filesystem.

Before you write an Ansible playbook to automate something, try to do the same steps as a human first and see if they work.

_Val_
Admin
Admin

@PhoneBoy , CLI based script will not work on the fresh installation. One needs to install API first. Our CPX demo actually includes API based First Wizard GW initialisation.

The flow should be:

1. Fresh install
2. API deployment
3. Ansible config

PhoneBoy
Admin
Admin

If I read his playbook correctly, he's executing config_system over SSH, which should be doable before the API is installed.

_Val_
Admin
Admin

Correct. Because SSH on a freshly installed device does not give you bash. He needs to set up expert access or a direct bash enabled account beforehand. I was proposing an alternative which is supposed to be better for Ansible and other automation tools.

Aathi
Contributor

Hi,

Thanks for your support on this issue. The below Ansible script is working for me.

---
- hosts: Gaia
  gather_facts: no
  connection: local
  vars_files:
    - vars.yml
  tasks:

    - name: "Create config_system on the gateway"
      command: config_system --config-string "hostname=myhost&domainname=nnm.com&timezone='America/Indiana/Indianapolis'&ftw_sic_key=aaaa&install_security_gw=true&gateway_daip=false&install_ppak=true&gateway_cluster_member=false&install_security_managment=false"
      ignore_unreachable: true
    - name: reboot the gateway
      command: shutdown -r now
    - name: wait for server to come back
      wait_for_connection:
        timeout: 120
    - name: THE FIRST-TIME WIZARD COMPLETED SUCCESSFULLY
      command: uptime

Regards

Aathi
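As an added example (not code from this thread, from Check Point, or from the poster), the following bash script wraps the config_system step of the accepted playbook so that it can be run from a bash-enabled account on the gateway, which the thread notes is a precondition. It assumes config_system is on PATH and that first-time wizard completion is signalled by /etc/.wizard_accepted, as the earlier playbook assumed; the hostname, domain and SIC key values in it are constructed placeholders. It refuses values that would break the &-separated config string or its quoting (which the playbooks above pass through unchecked), and it polls for the completion marker with a timeout, the same idea as the wait_for task with retries and delay.

```shell
#!/bin/bash
# Added helper, not from the CheckMates thread. Assumes: bash (expert shell)
# on the gateway, config_system on PATH, and /etc/.wizard_accepted as the
# completion marker. All hostnames/keys below are constructed placeholders.
set -u

# Reject a value that would break the '&'-separated config string or the
# double/single quoting around it. Returns 0 when safe, 1 otherwise.
ftw_value_ok() {
    case "$1" in
        ''|*'&'*|*'"'*|*"'"*|*'\\'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Hostname must be a single RFC 1123 label: 1-63 chars, letters, digits or
# hyphen, with no leading or trailing hyphen.
ftw_hostname_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'
}

# Build the config string for a single (non-cluster, non-DAIP) gateway.
# Arguments: hostname domainname timezone sic_key
# Prints the string on stdout; returns 1 if any argument is unsafe.
ftw_config_string() {
    local host="$1" domain="$2" tz="$3" sic="$4" v
    ftw_hostname_ok "$host" || return 1
    for v in "$domain" "$tz" "$sic"; do
        ftw_value_ok "$v" || return 1
    done
    printf "hostname=%s&domainname=%s&timezone='%s'&ftw_sic_key=%s" \
        "$host" "$domain" "$tz" "$sic"
    printf '&install_security_gw=true&gateway_daip=false&install_ppak=true'
    printf '&gateway_cluster_member=false&install_security_managment=false\n'
}

# Poll for a marker file, like the wait_for task: path timeout_seconds [interval].
# Returns 0 once the file exists, 1 if the timeout elapses first.
wait_for_file() {
    local path="$1" timeout="$2" interval="${3:-1}" waited=0
    while [ ! -e "$path" ]; do
        [ "$waited" -ge "$timeout" ] && return 1
        sleep "$interval"
        waited=$((waited + interval))
    done
    return 0
}

# Run the wizard and block until the marker appears (5 min, checked every 15 s).
run_ftw() {
    local cfg
    cfg=$(ftw_config_string "$@") || { echo "refusing: unsafe config value" >&2; return 2; }
    config_system --config-string "$cfg" || return 3
    wait_for_file /etc/.wizard_accepted 300 15
}

# Only act when invoked explicitly, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
    shift
    run_ftw "$@"
fi
```

Run it from an expert shell as `./ftw.sh --run gw01 example.test America/New_York <sic-key>`, or call it from an Ansible `script` task once expert access exists. The SIC key is a secret: pass it in from Ansible Vault rather than the plaintext vars file used above.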