Using Ansible for automating tasks on Checkpoint Firewall

This Blog post is to show how to use Ansible for Checkpoint Gateways. Checkpoint hasn’t published Ansible modules for their  products yet. This blog will show you how to use Ansible role “gaia_fw1” . Which can be found here .

Using this role you will be able to do the following : –

  • Take clish config back-ups ( show configuration )
  • Run essential show commands on all your gateways from single playbook. eg.
    • Show route
    • Show asset all
    • Show interfaces
    • Show ospf , etc…
  • Issue configure commands to all your gateways from single playbook.

This procedure assumes that you have some basic knowledge of ansible.

REQUIREMENTS

Ansible Server 

  • Linux server. The role has been tested with RHEL 7+ and Ubuntu, but it should work with other flavours as well.
  • Ansible 2.5 and above running on the Linux server.
  • The server should have direct connection to the checkpoint firewalls (at the moment the role does not support jump box) .

Connection to the firewalls

  • Route to the firewall – You should be able to ssh to all your gateways from the Linux host.
  • SSH keys – It is also important that the public key of the gateways are already stored in your ‘known_hosts’ file.  This is automatically done when you ssh for the first time from the  server to the gateways.
  • Username – the default username for login is ‘admin’, but this can be changed per firewall in the inventory file.
  • Passwords- The role assumes that you have the same password for all the gateways. If you have different logins on gateways then you can set up key-based (passwordless) logins.
  • login Shell – The role assumes that the login shell for the user (used for login) is bash. i.e when you logon you are logged in as expert.                                                        If you have clish set as your login shell, most of the playbooks will run, but the bash playbooks will fail as the playbook cannot change to expert mode.

The Playbooks have been tested with Ansible 2.7 running on Ubuntu 18.04 LTS and on RHEL 7.0. I am pretty sure they will run on other flavors of Linux as long Ansible 2.7 is being used.

Set up

Follow the procedure below once you have installed Ansible on your server. Login to the Linux server as root and follow the steps.

  1. Ansible config file – /etc/ansible/ansible.cfg                                                                                                                                                                                                                                      Edit your Ansible config file (/etc/ansible/ansible.cfg) and make sure the following configuration directives are set to the value shown.
    forks          = 15
    gather_timeout = 60
    roles_path    = /etc/ansible/roles
    timeout = 90
    connect_timeout = 90
    command_timeout = 80
  2. Install the role, by giving the following command.
    ansible-galaxy install ashwin_sid.gaia_fw1
  3. Prepare the Inventory file – /etc/ansible/hosts

Make an entry for each of your gateways in the following format.

[ckp]
GW-perimeter01 ansible_host=192.168.50.2 
GW-Perimeter04-A ansible_host=192.168.89.2
GW-Perimeter04-B ansible_host=192.168.89.3 ansible_port=44 ansible_user=ladmin

The fields are explained below.

  • ‘[ckp]’ – this is the hostgroup. This is the name  used in the sample playbooks provided. You can create your own hostgroup, but make sure to use that in the playbooks.
  • ‘GW-perimeter01’ (2nd line)- This is the name of the gateway as referenced in Ansible. This doesn’t have to be the actual hostname of the firewall.
  • ‘ansible_host=192.168.50.2’ – This is the IP that will be used for making ssh connections. This is the IP of the individual gateways and not the Cluster IPs or VIPs. Cluster IP don’t need to go in here.
  • ‘ansible_port=44’  (4th line)- this is the ssh port, if different from default, 22.
  • ‘ansible_user=ladmin’ (4th line) – if user used to login to the firewall is different than default ‘admin’.

4. Preparing the Playbooks – There are some sample playbooks included with the role. You can find them in folder /etc/ansible/roles/ashwin_sid.gaia_fw1/Sample-Playbooks.

Do not work in the ‘/etc/ansible’ directory. Create your own directory structure to store and run the playbooks. I have created /opt/fw-ansible/playbooks folder on my linux server to run the playbooks.

#mkdir /opt/fw-ansible
#mkdir /opt/fw-ansible/playbooks
#cp /etc/ansible/roles/ashwin_sid.gaia_fw1/Sample-Playbooks/* /opt/fw-ansible/playbooks/

 

Running Playbooks

There are following Playbooks included : –

  • Backup.yml – This play book will backup your gaia config, i.e. output of ‘show configuration’.
  • show.yml – Will run a diagnostic clish command on your gateways & store the output on the ansible server. You can use this playbook as a template and create custom playbook that are more relevant to  your environment. eg. you could copy the file to ‘Show-route.yml’ and change the ‘cmd’ string to ‘show route’.
  • Show_HFA.yml – This playbook will get the installed HFA info from the gateways.
  • show-clish.yml – This is similar to the above playbook, but can run more than 1 command. The commands (1 command on each line) are stored in file ‘show-clish.cmd’ in the same directory.
  • show-bash.yml  – This file will run bash commands on the gateway and store the output on ansible server.
  • configure-clish.yml – This playbook will issue clish commands (stored in file configure-clish.cmd) on the gateways.
  • configure-bash.yml – This playbook will issue bash commands (stored in file configure-clish.cmd) to the gateways.

The playbooks can be run by ordinary user, you DO NOT have to be root to run the playbooks.

Customization

The following can be customized for all the playbooks. The only part that you can customize in the backup.yml playbook are

- hosts: ckp 
  serial: 10
  • ‘hosts: ckp’  – change this value to whatever hostgroup you have set in the inventory file.
  • ‘serial: 10’ – this is the batch size, value of 10 means that the playbook will run all the commands for 10 firewall at a time. If your ansible is beeffy enough, you can set this to 20, which means that playbook will execute the commands simultaneously for 20 hosts.

 

Backup.yml

This will backup your gaia config, i.e. output of ‘show configuration’.

You do not need to touch any other line (apart from the customization above) . Now run the playbook.

#cd /opt/fw-ansible/playbooks/
#ansible-playbook -k backup.yml

Next it will ask you to enter your password. The backup is stored in folder /opt/fw-ansible/BACKUP/<GW-Name>/ . The file is named with timestamp when the backup was run.

show.yml

This playbook will run a single command on your gateway and store the output in a text file on the server.

Customizing the show.yml playbook. The only parts that need to be adjusted in the configure.yml playbook are

@@@@@@@@   TEXT NOT TO BE EDITED @@@@@@@@
        cmd: show asset all

  • ‘cmd: show asset all’ – Here you put your custom show command (clish). Include the single quotes (‘).

You do not need to touch any other line. Now run the playbook.

#ansible-playbook -k show.yml

Next it will ask you to enter your password. This will run your command and stored the output in folder /opt/fw-ansible/SHOW/<TIMESTAMP><GW-Name>.txt . The file is named with gateway name.

configure-clish.yml

This playbook will run and save clish configuration commands.

The commands are stored in a text file named ‘configure-clish.cmd’. Please edit the file and add the commands that you want to run. The sample file has a ‘#’ in front of every line(so you don’t run this commands by error). DO NOT put a ‘#’ for commands that you want to run on your gateways. So, to add 3 static routes to all the gateways, config-clish.cmd file will look like this.

lock database override
set static-route 1.1.1.1/32 nexthop gateway address 192.168.1.2 on
set static-route 1.1.1.2/32 nexthop gateway address 192.168.1.2 on
set static-route 1.1.1.3/32 nexthop gateway address 192.168.1.2 on
save config

Once you have written the commands, run the playbook.

#ansible-playbook -k configure-clish.yml

Next it will ask you to enter your password. It might be useful to run the backup playbook before you run the configure playbook.

 

One Comment Add yours

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s