CheckPointSW / CheckPointAnsibleMgmtCollection

This Ansible collection provides control over a Check Point Management server using Check Point's web-services APIs.
https://galaxy.ansible.com/check_point/mgmt
Apache License 2.0
40 stars 30 forks source link

check_point.mgmt.cp_mgmt_access_rule timeout #98

Closed tuxonfire closed 1 month ago

tuxonfire commented 1 year ago

The following check_point.mgmt.cp_mgmt_access_rule gives a timeout, even when has been increased to connect_timeout=300 as well as command_timeout=300, it gives the following exception when it modifies a rule already existent:

 "module_stderr": "Traceback (most recent call last):\\n  File \\"/var/lib/awx/.ansible/tmp/ansible-local-28926b1du1w_1/ansible-tmp-1669803295.8063161-28329431802037/AnsiballZ_cp_mgmt_access_rule.py\\", line 102, in <module>\\n    _ansiballz_main()\\n  File \\"/var/lib/awx/.ansible/tmp/ansible-local-28926b1du1w_1/ansible-tmp-1669803295.8063161-28329431802037/AnsiballZ_cp_mgmt_access_rule.py\\", line 94, in _ansiballz_main\\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\\n  File \\"/var/lib/awx/.ansible/tmp/ansible-local-28926b1du1w_1/ansible-tmp-1669803295.8063161-28329431802037/AnsiballZ_cp_mgmt_access_rule.py\\", line 40, in invoke_module\\n    runpy.run_module(mod_name='ansible_collections.check_point.mgmt.plugins.modules.cp_mgmt_access_rule', init_globals=None, run_name='__main__', alter_sys=True)\\n  File \\"/usr/lib64/python3.6/runpy.py\\", line 205, in run_module\\n    return _run_module_code(code, init_globals, run_name, mod_spec)\\n  File \\"/usr/lib64/python3.6/runpy.py\\", line 96, in _run_module_code\\n    mod_name, mod_spec, pkg_name, script_name)\\n  File \\"/usr/lib64/python3.6/runpy.py\\", line 85, in _run_code\\n    exec(code, run_globals)\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py\\", line 373, in <module>\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/modules/cp_mgmt_access_rule.py\\", line 367, in main\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\\", line 523, in api_call_for_rule\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\\", line 301, in handle_call_and_set_result\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\\", line 236, in handle_call\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible_collections/check_point/mgmt/plugins/module_utils/checkpoint.py\\", line 71, in send_request\\n  File \\"/tmp/ansible_check_point.mgmt.cp_mgmt_access_rule_payload_zguhyjqn/ansible_check_point.mgmt.cp_mgmt_access_rule_payload.zip/ansible/module_utils/connection.py\\", line 185, in __rpc__\\nansible.module_utils.connection.ConnectionError: The read operation timed out\\n",
chkp-edenbr commented 1 year ago

Hi @tuxonfire , please share the playbook and the the rule you are trying to edit.

Thanks, Eden

tuxonfire commented 1 year ago

Hi @chkp-edenbr The errors is randomly happening, the higher the number of objects, the longer it takes to modify the rule and then getting the error.

- name: "set-access-rule"
  check_point.mgmt.cp_mgmt_access_rule:
    layer: "{{ network_layer }}"
    name: "{{ rule_uid }}"       # this is the entry point and can be uuid
    comments: "{{ comments }}"
    position: "{{ position_rule }}"
    source: "{{ source }}"
    source_negate: "{{ source_negate }}"
    destination: "{{ destination }}"
    destination_negate: "{{ destination_negate }}"
    service: "{{ service }}"
    service_negate: "{{ service_negate }}"
    action: "{{ action }}"
    state: present
    track:
      type: "{{ type | default(omit) }}"
    auto_publish_session: yes
    wait_for_task: yes
#    wait_for_task_timeout: 5 #  minutes
  register: set_acces_rule_output
#  ignore_errors: yes
  retries: "{{ retries_role_var }}"
  delay: "{{ delay_role_var }}"
  until: set_acces_rule_output is not failed
chkp-edenbr commented 1 year ago

Hi @tuxonfire ,

Which version of Ansible and our collection are you using?

We do not support uuids in our Ansible collection. As specified in the check_point.mgmt.cp_mgmt_access_rule module, the 'name' argument accepts the object's name (if you set the object's name to be its uuid then that's OK).

Also, why use the retries, delay & until params? The command shouldn't fail, and if it has then you should regard the error message. Furthermore, for better performance, it is recommended to publish a number of changes rather than each change.

Once the error occurs, please send me the following log files that reside in the following path /var/log/opt/CPsuite-R81.20/fw1/log/: api.elg, api.csv, cpm.elg

My mail - edenbr@checkpoint.com

Thanks, Eden