check_point.mgmt.cp_mgmt_vpn_community_star module – Manages vpn-community-star objects on Check Point over Web Services API

Note

This module is part of the check_point.mgmt collection (version 6.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_vpn_community_star.

New in check_point.mgmt 1.0.0

Synopsis

• Manages vpn-community-star objects on Check Point devices including creating, updating and removing objects.

• All operations are performed over Web Services API.

• Available from R80 management version.

Parameters

Parameter	Comments
advanced_properties dictionary added in check_point.mgmt 6.5.0	Advanced properties. Available from R82 JHF management version.
support_ip_compression boolean	Indicates whether to support IP compression. Choices: false true
use_aggressive_mode boolean	Indicates whether to use aggressive mode. Choices: false true
auto_publish_session boolean	Publish the current session if changes have been performed after task completes. Choices: false ← (default) true
center_gateways list / elements=string	Collection of center VPN Gateway and VPN Device objects identified by the name or UID.
color string	Color of the object. Should be one of existing colors. Choices: "aquamarine" "black" "blue" "crete blue" "burlywood" "cyan" "dark green" "khaki" "orchid" "dark orange" "dark sea green" "pink" "turquoise" "dark blue" "firebrick" "brown" "forest green" "gold" "dark gold" "gray" "dark gray" "light green" "lemon chiffon" "coral" "sea green" "sky blue" "magenta" "purple" "slate blue" "violet red" "navy blue" "olive" "orange" "red" "sienna" "yellow"
comments string	Comments string.
details_level string	The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices: "uid" "standard" "full"
disable_nat boolean added in check_point.mgmt 6.5.0	Indicates whether to disable NAT inside the VPN Community. Available from R82 JHF management version. Choices: false true
disable_nat_on string added in check_point.mgmt 6.5.0	Indicates on which gateways to disable NAT inside the VPN Community. Available from R82 JHF management version. Choices: "satellite gateways only" "both center and satellite gateways"
encrypted_traffic dictionary added in check_point.mgmt 6.5.0	Encrypted traffic settings. Available from R82 JHF management version.
community_members string	Indicates on which community members to accept all encrypted traffic. Choices: "satellite gateways only" "both center and satellite gateways"
enabled boolean	Indicates whether to accept all encrypted traffic. Choices: false true
encryption_method string	The encryption method to be used. Available from R80.10 management version. Choices: "prefer ikev2 but support ikev1" "ikev2 only" "ikev1 for ipv4 and ikev2 for ipv6 only"
encryption_suite string	The encryption suite to be used. Available from R80.10 management version. Choices: "suite-b-gcm-256" "custom" "vpn b" "vpn a" "suite-b-gcm-128"
excluded_services list / elements=string added in check_point.mgmt 6.5.0	Collection of services that are excluded from the community identified by the name or UID.<br> Connections with these services will not be encrypted and will not match rules specifying the community in the VPN community. Available from R82 JHF management version.
granular_encryptions list / elements=dictionary added in check_point.mgmt 5.1.0	VPN granular encryption settings. Available from R81 management version.
encryption_method string	The encryption method to be used. Choices: "prefer ikev2 but support ikev1" "ikev2 only" "ikev1 for ipv4 and ikev2 for ipv6 only"
encryption_suite string	The encryption suite to be used. Choices: "suite-b-gcm-256" "custom" "vpn b" "vpn a" "suite-b-gcm-128"
external_gateway string	Externally managed or 3rd party gateway identified by name or UID.
ike_phase_1 dictionary	Ike Phase 1 settings. Only applicable when the encryption-suite is set to [custom].
data_integrity string	The hash algorithm to be used. Choices: "aes-xcbc" "sha1" "sha256" "sha384" "sha512" "md5"
diffie_hellman_group string	The Diffie-Hellman group to be used. Choices: "group-1" "group-2" "group-5" "group-14" "group-15" "group-16" "group-17" "group-18" "group-19" "group-20" "group-24"
encryption_algorithm string	The encryption algorithm to be used. Choices: "cast" "aes-256" "des" "aes-128" "3des"
ike_p1_rekey_time integer	Indicates the time interval for IKE phase 1 renegotiation. Available from R81 management version.
ike_p1_rekey_time_unit string	Indicates the time unit for [ike-p1-rekey-time-unit] parameter, rounded up to minutes scale. Available from R81 management version. Choices: "days" "hours" "minutes" "seconds"
ike_phase_2 dictionary	Ike Phase 2 settings. Only applicable when the encryption-suite is set to [custom].
data_integrity string	The hash algorithm to be used. Choices: "aes-xcbc" "sha1" "sha256" "sha384" "sha512" "md5"
encryption_algorithm string	The encryption algorithm to be used. Choices: "cast" "aes-gcm-256" "cast-40" "aes-256" "des" "aes-128" "3des" "des-40cp" "aes-gcm-128" "none"
ike_p2_pfs_dh_grp string	The Diffie-Hellman group to be used. Choices: "group-1" "group-2" "group-5" "group-14" "group-15" "group-16" "group-17" "group-18" "group-19" "group-20" "group-24"
ike_p2_rekey_time integer	Indicates the time interval for IKE phase 2 renegotiation. Available from R81 management version.
ike_p2_rekey_time_unit string	Indicates the time unit for [ike-p2-rekey-time-unit] parameter. Available from R81 management version. Choices: "days" "hours" "minutes" "seconds"
ike_p2_use_pfs boolean	Indicates whether Perfect Forward Secrecy (PFS) is being used for IKE phase 2. Choices: false true
internal_gateway string	Internally managed Check Point gateway identified by name or UID, or ‘Any’ for all internal-gateways participants in this community.
ignore_errors boolean	Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices: false true
ignore_warnings boolean	Apply changes ignoring warnings. Choices: false true
ike_phase_1 dictionary	Ike Phase 1 settings. Only applicable when the encryption-suite is set to [custom]. Available from R80.10 management version.
data_integrity string	The hash algorithm to be used. Choices: "aes-xcbc" "sha1" "sha256" "sha384" "sha512" "md5"
diffie_hellman_group string	The Diffie-Hellman group to be used. Choices: "group-1" "group-2" "group-5" "group-14" "group-19" "group-20"
encryption_algorithm string	The encryption algorithm to be used. Choices: "cast" "aes-256" "des" "aes-128" "3des"
ike_p1_rekey_time integer added in check_point.mgmt 5.1.0	Indicates the time interval for IKE phase 1 renegotiation. Available from R81 management version.
ike_p1_rekey_time_unit string added in check_point.mgmt 5.1.0	Indicates the time unit for [ike-p1-rekey-time-unit] parameter, rounded up to minutes scale. Available from R81 management version. Choices: "days" "hours" "minutes" "seconds"
ike_phase_2 dictionary	Ike Phase 2 settings. Only applicable when the encryption-suite is set to [custom]. Available from R80.10 management version.
data_integrity string	The hash algorithm to be used. Choices: "aes-xcbc" "sha1" "sha256" "sha384" "sha512" "md5"
encryption_algorithm string	The encryption algorithm to be used. Choices: "cast" "aes-gcm-256" "cast-40" "aes-256" "des" "aes-128" "3des" "des-40cp" "aes-gcm-128" "none"
ike_p2_pfs_dh_grp string added in check_point.mgmt 5.1.0	The Diffie-Hellman group to be used. Choices: "group-1" "group-2" "group-5" "group-14" "group-15" "group-16" "group-17" "group-18" "group-19" "group-20" "group-24"
ike_p2_rekey_time integer added in check_point.mgmt 5.1.0	Indicates the time interval for IKE phase 2 renegotiation. Available from R81 management version.
ike_p2_rekey_time_unit string added in check_point.mgmt 5.1.0	Indicates the time unit for [ike-p2-rekey-time-unit] parameter. Available from R81 management version. Choices: "days" "hours" "minutes" "seconds"
ike_p2_use_pfs boolean added in check_point.mgmt 5.1.0	Indicates whether Perfect Forward Secrecy (PFS) is being used for IKE phase 2. Available from R81 management version. Choices: false true
mep dictionary added in check_point.mgmt 6.5.0	Multiple Entry Point properties. Available from R82 JHF management version.
default_priority_rule dictionary	Priority rule for all satellite gateways. Relevant only if ‘entry-point-selection-mechanism’ is set to ‘manual’.
first_priority_center_gateways list / elements=string	Collection of first priority center gateways identified by the name or UID.
second_priority_center_gateways list / elements=string	Collection of second priority center gateways identified by the name or UID.
third_priority_center_gateways list / elements=string	Collection of third priority center gateways identified by the name or UID.
enabled boolean	Enable center gateways as Multiple Entry Points. Choices: false true
entry_point_final_selection_mechanism string	The method by which the final entry point gateway will be chosen when the chosen mechanism returns more than one optional entry point. Choices: "random selection" "first to respond"
entry_point_selection_mechanism string	The method by which the entry point gateway will be chosen from the gateways in the center. Choices: "closest gateway to source" "closest gateway to destination" "random selection" "manual"
exception_priority_rules list / elements=dictionary	Exception priority rules for specific satellites gateways. Relevant only if ‘entry-point-selection-mechanism’ is set to ‘manual’.
first_priority_center_gateways list / elements=string	Collection of first priority center gateways identified by the name or UID.
satellite_gateways list / elements=string	Collection of satellite gateways to apply priority rules on identified by the name or UID.
second_priority_center_gateways list / elements=string	Collection of second priority center gateways identified by the name or UID.
third_priority_center_gateways list / elements=string	Collection of third priority center gateways identified by the name or UID.
tracking string	Tracking option for the MEP. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
mesh_center_gateways boolean	Indicates whether the meshed community is in center. Choices: false true
name string / required	Object name.
override_vpn_domains list / elements=dictionary added in check_point.mgmt 5.1.0	The Overrides VPN Domains of the participants GWs. Available from R80.40 management version.
gateway string	Participant gateway in override VPN domain identified by the name or UID.
vpn_domain string	VPN domain network identified by the name or UID.
permanent_tunnels dictionary added in check_point.mgmt 6.5.0	Permanent tunnels properties. Available from R82 JHF management version.
gateways list / elements=dictionary	List of gateways to set all their tunnels to permanent with specified track options. Will take effect only if set-permanent-tunnels-on is set to all-tunnels-of-specific-gateways.
gateway string	Gateway to set all is tunnels to permanent with specified track options.<br> Identified by name or UID.
override_tunnel_down_track string	Gateway tunnel down track option. Relevant only if the track-options is set to ‘override track options’. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
override_tunnel_up_track string	Gateway tunnel up track option. Relevant only if the track-options is set to ‘override track options’. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
track_options string	Indicates whether to use the community track options or to override track options for the permanent tunnels. Choices: "according to community track options" "override track options"
rim dictionary	Route Injection Mechanism settings.
enable_on_center_gateways boolean	Indicates whether to enable automatic Route Injection Mechanism on center gateways. Choices: false true
enable_on_satellite_gateways boolean	Indicates whether to enable automatic Route Injection Mechanism on satellite gateways. Choices: false true
enabled boolean	Indicates whether Route Injection Mechanism is enabled. Choices: false true
route_injection_track string	Route injection track method. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
set_permanent_tunnels string	Indicates which tunnels to set as permanent. Choices: "on all tunnels in the community" "on all tunnels of specific gateways" "on specific tunnels in the community" "off"
tunnel_down_track string	VPN community permanent tunnels down track option. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
tunnel_up_track string	Permanent tunnels up track option. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
tunnels list / elements=dictionary	List of tunnels to set as permanent with specified track options. Will take effect only if set-permanent-tunnels-on is set to specific-tunnels-in-the-community.
first_tunnel_endpoint string	First tunnel endpoint (center gateway). Identified by name or UID.
override_tunnel_down_track string	Gateway tunnel down track option. Relevant only if the track-options is set to ‘override track options’. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
override_tunnel_up_track string	Gateway tunnel up track option. Relevant only if the track-options is set to ‘override track options’. Choices: "none" "log" "popup alert" "mail alert" "snmp trap alert" "user defined alert no.1" "user defined alert no.2" "user defined alert no.3"
second_tunnel_endpoint string	Second tunnel endpoint (center gateway for meshed VPN community and satellite gateway for star VPN community). Identified by name or UID.
track_options string	Indicates whether to use the community track options or to override track options for the permanent tunnels. Choices: "according to community track options" "override track options"
routing_mode string added in check_point.mgmt 6.5.0	VPN Community Routing Mode. Available from R82 JHF management version. Choices: "domain_based" "route_based"
satellite_gateways list / elements=string	Collection of Gateway objects representing satellite gateways identified by the name or UID.
shared_secrets list / elements=dictionary	Shared secrets for external gateways. Available from R80.10 management version.
external_gateway string	External gateway identified by the name or UID.
shared_secret string	Shared secret.
state string	State of the access rule (present or absent). Choices: "present" ← (default) "absent"
tags list / elements=string	Collection of tag identifiers.
tunnel_granularity string added in check_point.mgmt 5.1.0	VPN tunnel sharing option to be used. Available from R81 management version. Choices: "per_host" "per_subnet" "universal"
use_shared_secret boolean	Indicates whether the shared secret should be used for all external gateways. Available from R80.10 management version. Choices: false true
version string	Version of checkpoint. If not given one, the latest version taken.
vpn_routing string added in check_point.mgmt 6.5.0	Enable VPN routing to satellites. Available from R82 JHF management version. Choices: "to center only" "to center and to other satellites" "to center other satellites and internet"
wait_for_task boolean	Wait for the task to end. Such as publish task. Choices: false true ← (default)
wait_for_task_timeout integer	How many minutes to wait until throwing a timeout error. Default: 30
wire_mode dictionary added in check_point.mgmt 6.5.0	VPN Community Wire mode properties. Available from R82 JHF management version.
allow_uninspected_encrypted_routing boolean	Allow members to route uninspected encrypted traffic in VPN routing configurations. Choices: false true
allow_uninspected_encrypted_traffic boolean	Allow uninspected encrypted traffic between Wire mode interfaces of this Community members. Choices: false true

Examples

- name: add-vpn-community-star
  cp_mgmt_vpn_community_star:
    center_gateways: Second_Security_Gateway
    encryption_method: prefer ikev2 but support ikev1
    encryption_suite: custom
    ike_phase_1:
      data_integrity: sha1
      diffie_hellman_group: group 19
      encryption_algorithm: aes-128
    ike_phase_2:
      data_integrity: aes-xcbc
      encryption_algorithm: aes-gcm-128
    name: New_VPN_Community_Star_1
    state: present

- name: set-vpn-community-star
  cp_mgmt_vpn_community_star:
    encryption_method: ikev2 only
    encryption_suite: custom
    ike_phase_1:
      data_integrity: sha1
      diffie_hellman_group: group 19
      encryption_algorithm: aes-128
    ike_phase_2:
      data_integrity: aes-xcbc
      encryption_algorithm: aes-gcm-128
    name: New_VPN_Community_Star_1
    state: present

- name: delete-vpn-community-star
  cp_mgmt_vpn_community_star:
    name: New_VPN_Community_Star_1
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
cp_mgmt_vpn_community_star dictionary	The checkpoint object created or updated. Returned: always, except when deleting the object.

Authors

• Or Soffer (@chkp-orso)

Collection links

• Issue Tracker
• Repository (Sources)