gabstopper / ansible-stonesoft

Ansible libraries for automating Stonesoft FW Management
Apache License 2.0

Peers #9

Closed meandus closed 6 years ago

meandus commented 6 years ago

"msg": "Missing external BGP Peering elements: [{'msg': 'Cannot find specified element', 'type': 'single_fw,fw_cluster', 'name': 'PEER_NC1_to_Store13'}, {'msg': 'Cannot find specified element', 'type': 'single_fw,fw_cluster', 'name': 'PEER_NC2_to_Store13'}]"

            "bgp_peering": [
                {
                    "engine": "PEER_NC1_to_Store13",
                    "interface_id": "1013",
                    "name": "Store13_to_phmbun1fmuta"
                },
                {
                    "engine": "PEER_NC2_to_Store13",
                    "interface_id": "2013",
                    "name": "Store13_to_phmbun2fmuta"
                }
            ],

How can I create a new Peer Element?

meandus commented 6 years ago

Same error after creating the PEER object manually.

gabstopper commented 6 years ago

The error is related to the configuration - there are two peer types that you can specify 'engine' or 'external_bgp_peer'. In your example above you are using 'engine' which is expecting the name of a firewall engine. Change this to look like:

            "bgp_peering": [
                {
                    "external_bgp_peer": "PEER_NC1_to_Store13",
                    "interface_id": "1013",
                    "name": "Store13_to_phmbun1fmuta"
                },
                {
                    "external_bgp_peer": "PEER_NC2_to_Store13",
                    "interface_id": "2013",
                    "name": "Store13_to_phmbun2fmuta"
                }
            ],

Since it is possible to do BGP between two SMC managed devices, engine is also an option alongside a 3rd party external bgp peer.

meandus commented 6 years ago

I just grabbed it with engine_facts and changed it to create a new node.

meandus commented 6 years ago

The goal is also to create the external_bgp_peer, but it is impossible to specify the destination IP of the peer ... and the comment as well ;)

meandus commented 6 years ago

So the bug is in engine_facts (engine instead of external_bgp_peer).

gabstopper commented 6 years ago

I just tried the latest posted engine_facts.yml and it appears to display the output properly:

image

Here is the yaml:

bgp_peering:

Can you confirm you have the latest engine_facts?

Understood on creating the BGP Peer. I will add this capability to simplify this.

meandus commented 6 years ago

Wow, that one is pretty different from mine.

I have no interface, no IP.

I confirm, I did update both packages this morning.

On 16/03/2018 at 17:54, David LePage wrote:

I just tried the latest posted engine_facts.yml and it appears to display the output properly:

image https://user-images.githubusercontent.com/14811349/37533698-9607817c-2910-11e8-90a6-d37b087883c0.png

Here is the yaml:

bgp_peering:
  - external_bgp_peer: bgppeer
    interface_id: '21.21'
    name: bgppeering
    network: 22.22.22.0/24
  - engine: jackson
    interface_id: '67'
    name: bgppeering
    network: 67.67.67.0/24

meandus commented 6 years ago

What about BGP elements like route map, IP prefix, external BGP peer? Is it possible to have an example to create them?

RÉMY

meandus commented 6 years ago

-rw-r--r--. 1 adminappli users 6207 Mar 16 18:06 l3fw_cluster.yml

2018_03_16_18_07_38_smc_ro_lm_fwstore14

      bgp_peering:
      -   engine: PEER_NC1
          interface_id: '1014'
          name: XXXX
      -   engine: PEER_NC2
          interface_id: '2014'
          name: XXXX
      bgp_profile: Default BGP Profile
      enabled: true
      router_id: null

PEER_NC1 & PEER_NC2 are external_bgp_peer objects.

The version is the latest, downloaded this morning from the master branch.

gabstopper commented 6 years ago

Do you have the latest engine_facts.yml? https://github.com/gabstopper/ansible-stonesoft/blob/master/library/engine_facts.py

Also, which version of SMC are you using? Just want to verify; I'm suspecting the SMC version might be slightly older and the routing element type is not in that version. If you can verify, I can adjust on my end if necessary.

gabstopper commented 6 years ago

OK, I have fixed this issue; it appears you may be using an older (i.e. SMC < 6.3.x) version. This will be part of the next commit.

meandus commented 6 years ago

Yes, I'm using 6.2.2 right now.

gabstopper commented 6 years ago

OK. This is resolved in the latest commit. There was an attribute in earlier versions that was not supported, so the default behavior was to interpret it as engine. For peers, I've almost finished a module that allows you to create all bgp elements; this will be complete and posted Monday.

meandus commented 6 years ago

Hi

Very good! Let me know when it's posted.

RÉMY POUCHAIN.

gabstopper commented 6 years ago

Hi Remy, I have bgp_element posted, along with an example yaml file. I haven't finished the docs quite yet but those along with bgp_element_facts will be coming shortly. This module will allow you to create all bgp element types. See this yaml for an example for each of the element types: https://github.com/gabstopper/ansible-stonesoft/blob/master/playbooks/bgp_element.yml

You will also need to update smc-python as well. I will complete the bgp_element_facts and docs soon so I can start the interface schema changes.

meandus commented 6 years ago

For IP prefix list, the best is also to select an object to avoid creating a static object.

Need to specify route-map in BGP peering and connection profile.

Minimum mask length in prefix is not a mandatory field in SMC; it should be the same for Maximum.

RÉMY POUCHAIN.

meandus commented 6 years ago

"module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 229, in <module>\n    main()\n  File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 226, in main\n    StonesoftBGPElement()\n  File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 54, in __init__\n    super(StonesoftBGPElement, self).__init__(self.module_args, supports_check_mode=True)\n  File \"/tmp/ansible_fuCzMq/ansible_modlib.zip/ansible/module_utils/stonesoft_util.py\", line 367, in __init__\n  File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 73, in exec_module\n    if self.create_or_update_element(element):\n  File \"/tmp/ansible_fuCzMq/ansible_module_bgp_element.py\", line 114, in create_or_update_element\n    with_status=True, **values)\n  File \"/usr/lib/python2.7/site-packages/smc_python-0.6.1_dev.201802262117-py2.7.egg/smc/routing/access_list.py\", line 131, in update_or_create\n    print(\"Class view: %s not in: %s\" % cls._view(**entry))\nTypeError: not all arguments converted during string formatting\n",
"module_stdout": "Entry: {'action': 'permit', 'subnet': 'XX.XX.XX.XX/23', 'max_prefix_length': 32, 'min_prefix_length': 24}\n",
"msg": "MODULE FAILURE",

  - ip_prefix_list:
        name: PREFIX_LIST_FW13 <== this name does not work (accepted by SMC)
        entries:
          - subnet: 1.1.1.0/23
            min_prefix_length: 24 <== I don't want to specify this; it needs to be greater than the mask (not mandatory in SMC)
            max_prefix_length: 32
            action: permit
          - subnet: 2.2.2.0/23
            min_prefix_length: 24 <== I don't want to specify this; it needs to be greater than the mask
            max_prefix_length: 32
            action: permit

gabstopper commented 6 years ago

Ahh, I didn't realize the prefix mask lengths were optional. I just verified that indeed they are. I will fix this and the errant print bug real quick so you can continue.
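A pre-flight check for the two pitfalls raised in this thread, written as an added example (it is not code from ansible-stonesoft or smc-python): a bgp_peering entry must name its peer under exactly one of 'engine' or 'external_bgp_peer', and an ip_prefix_list entry may omit min/max_prefix_length, which when present must stay within the subnet's mask and the address-family maximum. The element inventories are constructed stand-ins for what engine_facts / bgp_element_facts would return; the engine names are hypothetical.

```python
"""Pre-flight checks for bgp_peering and ip_prefix_list fragments (added example)."""
import ipaddress

# Constructed inventories standing in for SMC facts; engine names are hypothetical.
KNOWN_ENGINES = {"fwstore14", "jackson"}
KNOWN_EXTERNAL_PEERS = {"PEER_NC1_to_Store13", "PEER_NC2_to_Store13"}

PEER_KEYS = ("engine", "external_bgp_peer")


def check_bgp_peering(peering, engines=KNOWN_ENGINES, peers=KNOWN_EXTERNAL_PEERS):
    """Return a list of problems for a bgp_peering list (empty list = OK).

    Each entry must carry exactly one peer-type key, and the name under it must
    exist as that type. Naming an external_bgp_peer under 'engine' is what
    produced 'Cannot find specified element' in the first post.
    """
    problems = []
    for i, entry in enumerate(peering):
        present = [k for k in PEER_KEYS if k in entry]
        if len(present) != 1:
            problems.append("entry %d: expected exactly one of %s, got %s"
                            % (i, "/".join(PEER_KEYS), present or "none"))
            continue
        key = present[0]
        name = entry[key]
        known = engines if key == "engine" else peers
        if name not in known:
            hint = ""
            if key == "engine" and name in peers:
                hint = " (exists as external_bgp_peer; use that key instead)"
            problems.append("entry %d: cannot find %s %r%s" % (i, key, name, hint))
        if "interface_id" not in entry:
            problems.append("entry %d: missing interface_id" % i)
    return problems


def check_prefix_entry(entry):
    """Return problems for one ip_prefix_list entry.

    min/max_prefix_length are optional (the SMC does not require them). When
    given, each must be at least the subnet's own prefix length and at most
    the address-family maximum, and min must not exceed max.
    """
    net = ipaddress.ip_network(entry["subnet"], strict=False)
    lo = entry.get("min_prefix_length")
    hi = entry.get("max_prefix_length")
    problems = []
    if entry.get("action") not in ("permit", "deny"):
        problems.append("action must be permit or deny")
    for label, val in (("min_prefix_length", lo), ("max_prefix_length", hi)):
        if val is not None and not net.prefixlen <= val <= net.max_prefixlen:
            problems.append("%s=%s outside [%d, %d]"
                            % (label, val, net.prefixlen, net.max_prefixlen))
    if lo is not None and hi is not None and lo > hi:
        problems.append("min_prefix_length > max_prefix_length")
    return problems


def check_ip_prefix_list(prefix_list):
    """Validate every entry of one ip_prefix_list element, tagging its name."""
    problems = []
    for i, entry in enumerate(prefix_list.get("entries", [])):
        for p in check_prefix_entry(entry):
            problems.append("%s entry %d: %s" % (prefix_list["name"], i, p))
    return problems


if __name__ == "__main__":
    # The fragment from the first post, which the module rejected.
    peering = [{"engine": "PEER_NC1_to_Store13", "interface_id": "1013", "name": "a"},
               {"engine": "PEER_NC2_to_Store13", "interface_id": "2013", "name": "b"}]
    for line in check_bgp_peering(peering):
        print(line)
    # Entry without min/max is fine; a min below the /23 mask is flagged.
    plist = {"name": "PREFIX_LIST_FW13", "entries": [
        {"subnet": "1.1.1.0/23", "action": "permit"},
        {"subnet": "2.2.2.0/23", "min_prefix_length": 16,
         "max_prefix_length": 32, "action": "permit"}]}
    for line in check_ip_prefix_list(plist):
        print(line)
```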

gabstopper commented 6 years ago

I just verified, I already support not using those fields in the smc-python API so will make an adjustment to current bgp_element mod. Posting back shortly.

meandus commented 6 years ago

And a little support for group instead of subnet would be appreciated ;)

gabstopper commented 6 years ago

Hi Remy, I will put that feature request in to the SMC team (i.e. adding groups as the subject of an access list entry).

gabstopper commented 6 years ago

OK, latest ansible commit c863422 posted. That will remove the ip prefix list check for min/max prefixes. Latest smc-python removes the errant print in the new update_or_create access list function. This will all be rolled up into an official smc-python release once I work through the interface schema next.

gabstopper commented 6 years ago

Hi Remy, One other thing you might notice, I am adding a better 'state' description when making an ansible run. For example, when you play the bgp_element task, you should see output from the state attribute like the following:

"state": [
        {
            "action": "created", 
            "name": "PREFIX_LIST_FW13", 
            "type": "ip_prefix_list"
        }, 
        {
            "action": "created", 
            "name": "myservice2", 
            "type": "ip_access_list"
        }, 
        {
            "action": "created", 
            "name": "aprefix", 
            "type": "ip_prefix_list"
        }, 

Or if a change was made:

"state": [
        {
            "action": "modified", 
            "name": "aprefix", 
            "type": "ip_prefix_list"
        }
    ]

Or if deleting (delete by setting state: absent and defining at least the bgp_element type and name: {'ip_access_list': {'name'}}):

"state": [
        {
            "action": "deleted", 
            "name": "PREFIX_LIST_FW13", 
            "type": "ip_prefix_list"
        }, 

meandus commented 6 years ago

Sometimes I have a database error. Did you already see this issue?

RÉMY POUCHAIN

gabstopper commented 6 years ago

I have seen this before - that message would be coming from the SMC API itself. It usually has to do with some sort of invalid input and may be an SMC side bug. Is it reproducible with a specific playbook? i.e. if you re-run the same playbook that causes the error, can you send me the smc.log output? Also, is it related to a specific configuration area (i.e. you're running route VPN modifications, etc.)?

meandus commented 6 years ago

I can send the smc.log but I have to anonymize stuff.

meandus commented 6 years ago

I have this issue when I try to create a lot of elements (>10). And if a task is in error ... the scenario still continues (why?)...

gabstopper commented 6 years ago

Not sure without seeing the audits. We may have to open a support case on it also. When I've seen this issue occur, it has almost always been due to an issue with the SMC side. If you can send me the task you are running and a snippet of the last payload from smc.log, I can try to duplicate on my end.

meandus commented 6 years ago

You know I will update you with a full playbook of BGP running config ;)

But anyway I can provide you my playbook for the objects created. I have so many firewalls and objects in the SMC, that's why we have some issues.

My question is regarding the result on SMC ... normally a failed status of a task will stop the full scenario. Maybe something is missing for Ansible regarding the task status.

RÉMY POUCHAIN.

gabstopper commented 6 years ago

You are correct, there is an exception handler in every ansible module that would stop the task if an SMC error occurred. It should also print the task status in a msg attribute. If you run with -vvv you will see that message indicated. I can check to see without -vvv what the result looks like. Also, making progress on the new interface schema. Should have that ready soon.

meandus commented 6 years ago

OK, so far so good. I will update you quickly with the error log.

Right now I tested ip prefix list (you already have the features needed), external peer OK, bgp peering OK, asn OK, route map (a check rule is needed to avoid duplicates) OK.

I can't test access list, community list and IPv6 because I have nothing about this in my config.

RÉMY POUCHAIN

gabstopper commented 6 years ago

OK, thanks Remy! I have tested all and now have a solid framework for unittest before I publish these out. I will push bgp_element_facts soon.

meandus commented 6 years ago

And do you have any task for monitoring ... validating that tunnels work, etc. ;)

Or doing a sh ip bgp sum or sh ip route bgp with a filter to check redistribution on quagga ...

RÉMY POUCHAIN

gabstopper commented 6 years ago

routing_facts should dump the routing table (same that you see when going into SMC->monitoring->routing). On your SMC does this show the BGP routing details? Here is an example: https://github.com/gabstopper/ansible-stonesoft/blob/master/playbooks/routing_facts.yml

meandus commented 6 years ago

For the routing table in BGP, not sure, because it's managed by quagga :(

The routing table will show the static table, but anyway I will ask Stonesoft if it's in the API.

Monitoring could be interesting, to have a good view of whether VPN tunnels are up or not before starting other checks.

RÉMY POUCHAIN.

gabstopper commented 6 years ago

It will show routing entries created by BGP also from Monitoring->Routing but likely not exactly the same level of detail as quagga. I'd have to test. Also, another option (since we're using Ansible) is a library to make the connection directly to the engine and execute the relevant quagga commands if the API doesn't provide what we need. Also, I have a package smc-python-monitoring that does allow you to query the VPN tunnels as shown from Monitoring->VPN SA's. Maybe that would be adequate?

meandus commented 6 years ago

Yes, right, that's what I do with quagga for peering status and routes as well.

SMC monitoring should be a better view, yes. Just to check.

RÉMY POUCHAIN

gabstopper commented 6 years ago

Hi Remy, Following up on this one. Do you still need a solution for retrieving routes? Did you see the routing_facts module? There is an example called routing_facts.yml that allows you to query the SMC which will pull all routes as you see in SMC under Monitoring->Routing.

gabstopper commented 6 years ago

Resolved in latest develop branch