mervin16
Participant

Issue creating a host with Ansible

I am trying to create a host on my SMS using Ansible but I am encountering some issues.

Below is some information that might be helpful.

 

Playbook:

---
- name: Checkpoint Hosts Management
  hosts: firewalls_checkpoint
  tasks:
    - name: Add a new Host
      check_point.mgmt.cp_mgmt_host:
        ip_address: 192.0.2.1
        name: New Host 1
        state: present
        auto_publish_session: yes

 

Inventory:

#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms

#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=*****
ansible_ssh_pass=*****
ansible_network_os=check_point.mgmt.checkpoint
ansible_ssh_transfer_method=scp

 

ansible.cfg

[defaults]
host_key_checking = False

[ssh_connection]
scp_if_ssh=True
timeout = 100

 

However, when I run my playbook with the command ansible-playbook /etc/ansible/playbooks/checkpoint/network_create.yml, I get the following error:

fatal: [ckp_sms]: FAILED! => {
    "msg": "failed to transfer file to /root/.ansible/tmp/ansible-local-71858l7zedua/tmpj8i_7uay CLINFR0711  Command insecure/AnsiballZ_setup.py:\n\nCLINFR0329  Invalid command:'scp -t 'CLINFR0711  Command insecure/AnsiballZ_setup.py''.\n"
}

 

If I ssh directly on a terminal to the SMS, it works fine.

I get the same error message when I try to ping the SMS using ansible -m ping.

Can someone please help me out?

 

0 Kudos
10 Replies
mervin16
Participant

Can someone please help out?
0 Kudos
funkylicious
Advisor

Did you follow this configuration guide?

Maybe try

- name: add-host
  cp_mgmt_host:
    ip_address: 192.0.2.1
    name: New Host 1
    state: present
0 Kudos
mervin16
Participant

Hello, yes, I did follow the configuration guide and no, this too doesn't work 😞 Please help me.
0 Kudos
Jim_Oqvist
Employee

Hi, 

Under the hosts section you are missing the connection parameter:

connection: httpapi

Also, did you download the latest collection from galaxy?

https://galaxy.ansible.com/check_point/mgmt

You can find a working example here:

https://github.com/jimoq/demo 

Kind Regards

Jim

0 Kudos
mervin16
Participant

Hi,

I did what you said and encountered this error:

 

rpc__\nansible.module_utils.connection.ConnectionError: Invalid JSON response: <!DOCTYPE HTML PUBLIC \"-//IETF//DTD HTML 2.0//EN\">\n<html><head>\n<title>400 Bad Request</title>\n</head><body>\n<h1>Bad Request</h1>\n<p>Your browser sent a request that this server could not understand.<br />\n</p>\n<p>Additionally, a 400 Bad Request\nerror was encountered while trying to use an ErrorDocument to handle the request.</p>\n</body></html>\n\n"

 

We usually get this error when we try to send a request without logging in to the SMS, but the Ansible documentation specifies that the login and logout are done automatically. So I don't know what's going wrong here. If I run the same command in Check Mode (ansible-playbook -C playbook.yml) it works.

 

Can you please help?

 


My updated playbook is:

 

---
- name: playbook name
  hosts: firewalls_checkpoint
  connection: httpapi
  tasks:
    - name: task to have network
      check_point.mgmt.cp_mgmt_network:
        name: "network name"
        subnet: "4.1.76.0"
        mask_length: 24
        auto_publish_session: true

      vars:
        ansible_checkpoint_domain: "SMC User"

 

0 Kudos
Jim_Oqvist
Employee

Hi Mervin,

Your playbook is correct.
Please just note that the variable 'ansible_checkpoint_domain: "SMC User"' is not required when connecting to an SMS.

Your /etc/ansible/hosts is not entirely correct.
I noticed that you have not assigned any ansible_host IP address to ckp_sms. Is the ckp_sms host name resolving to the IP of your Check Point management server?
If not, you need to set the IP for this host.
Here is a correct /etc/ansible/hosts section where I removed some lines from the one you posted and added the ansible_host IP address.

#This is a group of remote servers for Checkpoint SMS
[firewalls_checkpoint]
ckp_sms ansible_host=X.X.X.X

#These are global variables for the group firewalls
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=XXXXX
ansible_network_os=check_point.mgmt.checkpoint

 

0 Kudos
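The inventory changes discussed in this thread can be checked mechanically before a run. The following is an added example, not code from the thread or from the check_point.mgmt collection: a small Python check over an INI inventory group that reports the SSH-only settings the corrected inventory drops, a missing ansible_host, and the two settings worth a second look (certificate validation switched off, password kept in the inventory). The function names, finding codes and placeholder passwords are assumptions made for the example.

```python
# Added example: preflight check of an INI inventory group used with connection: httpapi.
SSH_ONLY = ("ansible_ssh_pass", "ansible_ssh_transfer_method")

def parse_inventory(text):
    """Return (hosts, group_vars), each a dict keyed by group name."""
    hosts, group_vars, section = {}, {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments; assumes no '#' in values
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif line and section and section.endswith(":vars"):
            key, _, value = line.partition("=")
            group_vars.setdefault(section[:-5], {})[key.strip()] = value.strip()
        elif line and section:
            name, *pairs = line.split()
            hosts.setdefault(section, {})[name] = dict(p.split("=", 1) for p in pairs if "=" in p)
    return hosts, group_vars

def check_group(text, group):
    """Return findings for one group, each prefixed with a short code."""
    hosts, group_vars = parse_inventory(text)
    gv, findings = group_vars.get(group, {}), []
    if gv.get("ansible_network_os") != "check_point.mgmt.checkpoint":
        findings.append("network-os: ansible_network_os is not check_point.mgmt.checkpoint")
    for key in SSH_ONLY:
        if key in gv:
            findings.append(f"ssh-only: {key} is an SSH setting the corrected inventory drops")
    if gv.get("ansible_httpapi_validate_certs", "").lower() == "false":
        findings.append("tls-verify: the management server certificate is not validated")
    if "ansible_password" in gv:
        findings.append("cleartext-secret: ansible_password is stored in the inventory")
    for name, host_vars in hosts.get(group, {}).items():
        if "ansible_host" not in host_vars:
            findings.append(f"no-ansible_host: {name} depends on name resolution")
    return findings

# Constructed sample: the group first posted in the thread, passwords replaced.
POSTED = """\
[firewalls_checkpoint]
ckp_sms
[firewalls_checkpoint:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=admin
ansible_password=PLACEHOLDER
ansible_ssh_pass=PLACEHOLDER
ansible_network_os=check_point.mgmt.checkpoint
ansible_ssh_transfer_method=scp
"""
if __name__ == "__main__":
    print("\n".join(check_group(POSTED, "firewalls_checkpoint")))
```

Run against the corrected inventory above, only the tls-verify and cleartext-secret findings remain; those are the places to move to a trusted certificate and to Ansible Vault once the connection works.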
mervin16
Participant

Hi,

 

Thank you for replying. The ckp_sms is indeed resolving to my IP address. I set this in my host file (Windows host file).

My SMS is R80.30.

0 Kudos
Jim_Oqvist
Employee

Okay, please take a look at my response here, I think there is a problem with the Ansible httpapi connection plugin.

https://community.checkpoint.com/t5/Ansible/Ansible-Connection-Error/m-p/101387/highlight/true#M400

0 Kudos
mervin16
Participant

This solution worked with my R80.40 but not my R80.30.

Does it have something to do with a JHF that has not been installed?

0 Kudos
Jim_Oqvist
Employee

To orchestrate the R80.30 version with Ansible, you need JHF 135 or later installed.

You can find more information here:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

0 Kudos