
cp_gaia_initial_setup fails due to GRUB password is missing (even though grub password has already been set).

Status: Open. ktbyers opened this issue 1 month ago • 7 comments

- name: Run the first time wizard
  hosts: pod5-fw
  gather_facts: false
  tasks:
    - name: Set grub password
      check_point.gaia.cp_gaia_grub_password:
        password: bogus

    - name: Gaia Save Config
      check_point.gaia.cp_gaia_run_script:
        script: "save config"

    - name: Initial setup
      check_point.gaia.cp_gaia_initial_setup:
        security_gateway:
          activation_key: my_activation_key
          cluster_member: false
        security_management:
          activation_key: my_activation_key
          gui_clients:
            range:
              first_IPv4_range: 0.0.0.0
              last_IPv4_range: 255.255.255.255
          type: primary
        wait_for_task: true

$ ansible-playbook first_time_wizard.yml

PLAY [Run the first time wizard] **************************************************************************************************

TASK [Set grub password] **********************************************************************************************************
changed: [pod5-fw]

TASK [Gaia Save Config] ***********************************************************************************************************
changed: [pod5-fw]

TASK [Initial setup] **************************************************************************************************************
fatal: [pod5-fw]: FAILED! => {"changed": false, "msg": "Task /set-initial-setup with task id 6ed6ca33-dc33-4705-abd0-eac453211281 failed: GRUB password is missing, default initial password for GRUB must be changed"}

PLAY RECAP ************************************************************************************************************************
pod5-fw                    : ok=2    changed=2    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

I have also separately tried setting Grub password using set grub2-password from clish and I still run into the same issue.

> show version all
Product version Check Point Gaia R82
OS build 777
OS kernel version 4.18.0-372.9.1cpx86_64
OS edition 64-bit
# Gaia collection version
check_point.gaia                         7.0.0

ktbyers, Nov 02 '25 17:11

I am also experiencing this issue.

I can confirm there is no allowed "grub-password" parameter in cp_gaia_initial_setup to set the value.

doritoes, Nov 18 '25 23:11

Yep, the module doesn’t support that parameter yet. In fact, neither did the Gaia API until v1.8 (current version), so this is a new thing on both ends. If you need it bad enough, I made an edit to the module and created a PR for it.

You can pull it from my repo if you’d like. https://github.com/duanetoler/CheckPointAnsibleGAIACollection/tree/master

You can install galaxy collections directly from GitHub repos, too:

https://docs.ansible.com/projects/ansible/2.10/user_guide/collections_using.html#installing-a-collection-from-a-git-repository

Give it a test and let us know how it works! Unfortunately, I don’t have an immediately available fresh host to test it right now.

duanetoler, Nov 19 '25 02:11

Without this fix, I cannot do cp_gaia_initial_setup for FTCW. I will have to revert to mgmt_cli.

I will try the patch after I get mgmt_cli working.

doritoes, Nov 19 '25 02:11

@duanetoler Yeah, I didn't care about the new parameter, but the cp_gaia_initial_setup now completely fails and you have no way to make it work.

ktbyers, Nov 19 '25 17:11

It's possible there's a bug of some kind with the server-side Gaia API code, too. Check the log file in /var/log/gaia_api_server.log to see if there are any useful error messages there. If you find something, then you'll need to open a TAC case so the R&D team can investigate it. Server-side API errors have to go through TAC (not here on this forum) so they can update it with either a custom hotfix for you, or push it via AutoUpdater (or both).

Have you been able to test the module with my patch from last night to include the grub_password parameter by chance?

If it still fails with that patch, and you still need this to work, there are other avenues. You can create an FTW config (using J2 templates or writing it manually) and send it over with cp_gaia_put_file, then call cp_gaia_run_script to execute it with /bin/config_system -f <filename>. It's not as ideal, but it works. You can configure the file to not reboot (setting reboot_if_required = false), then handle the reboot in a separate task with the Ansible reboot module.

There is a slight bug in the config_system script, too, if you don't have the maintenance_hash configured in the FTW config script, so be sure you include that.

duanetoler, Nov 19 '25 18:11
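The put-file plus config_system workaround described in the comment above, written out as one playbook. This is an added example, not code from the thread or from the collection; the cp_gaia_put_file parameter names (file_name, text_content, override), the answer-file keys other than reboot_if_required and maintenance_hash, and the SSH-based reboot at the end are assumptions, and the hash and SIC key values are placeholders.

```yaml
# Added example: drive the First Time Wizard through config_system instead of
# cp_gaia_initial_setup, so the missing grub-password parameter is not needed.
# Assumptions: cp_gaia_put_file mirrors the Gaia API put-file fields
# (file_name, text_content, override); answer-file keys follow the template that
# config_system itself generates; the final reboot runs over SSH, not httpapi.
- name: First Time Wizard via config_system
  hosts: pod5-fw
  gather_facts: false
  vars:
    ftw_path: /home/admin/ftw.conf
    # Placeholder: generate the real PBKDF2 hash on the appliance with
    # grub2-mkpasswd-pbkdf2 and keep it in Ansible Vault, not in the playbook.
    maintenance_hash: "PLACEHOLDER_GRUB_PBKDF2_HASH"
    sic_key: "PLACEHOLDER_ACTIVATION_KEY"
  tasks:
    - name: Upload the FTW answer file (maintenance_hash must be present)
      check_point.gaia.cp_gaia_put_file:
        file_name: "{{ ftw_path }}"
        override: true
        text_content: |
          # keys assumed from the config_system template; note the template's
          # own spelling of install_security_managment
          install_security_gw=true
          install_security_managment=true
          install_mgmt_primary=true
          mgmt_gui_clients_radio=any
          ftw_sic_key={{ sic_key }}
          maintenance_hash={{ maintenance_hash }}
          reboot_if_required=false

    - name: Run config_system against the uploaded file
      check_point.gaia.cp_gaia_run_script:
        script: "/bin/config_system -f {{ ftw_path }}"

    # reboot_if_required=false above keeps the API session alive; reboot here.
    # ansible.builtin.reboot needs an SSH connection to the Gaia host.
    - name: Reboot the appliance in a separate task
      ansible.builtin.reboot:
        reboot_timeout: 900
      vars:
        ansible_connection: ssh
```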

@duanetoler I will test the module with the patch. Haven't had a chance to do this yet.

ktbyers, Nov 19 '25 19:11

The API is fine https://sc1.checkpoint.com/documents/latest/GaiaAPIs/index.html?#cli/set-initial-setup~v1.8%20

mgmt_cli -f json set initial-setup grub-password '${PASSWORD}' security-management.type 'primary' --context gaia_api --version 1.8

doritoes, Nov 19 '25 21:11