check_point.mgmt.cp_mgmt_vsx_provisioning_tool module – Run the VSX provisioning tool with the specified parameters.

Note

This module is part of the check_point.mgmt collection (version 6.5.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_vsx_provisioning_tool.

New in check_point.mgmt 6.0.0

Synopsis

  • Run the VSX provisioning tool with the specified parameters. Note - An automatic session publish is part of all the operations in this API.

  • All operations are performed over Web Services API.

  • Available from R82 management version.

Parameters

Parameter

Comments

add_physical_interface_params

dictionary

Parameters for the operation to add a physical interface to a VSX gateway or VSX Cluster.

name

string

Name of the interface.

vlan_trunk

boolean

True if this interface is a VLAN trunk.

Choices:

  • false

  • true

vsx_name

string

Name of the VSX Gateway or Cluster object.

add_route_params

dictionary

Parameters for the operation to add a route to a Virtual System or Virtual Router.

destination

string

Route destination. To specify the default route, use ‘default’ for IPv4 and ‘default6’ for IPv6.

leads_to

string

Virtual Router for this route<br/>This VD must have an existing connection to the VR.

netmask

string

Subnet mask for this route.

next_hop

string

Next hop IP address.

prefix

string

CIDR prefix for this route.

propagate

boolean

Propagate this route to adjacent virtual devices.

Choices:

  • false

  • true

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

add_vd_interface_params

dictionary

Parameters for the operation to add a new interface to a Virtual Device.

anti_spoofing

string

The anti-spoofing enforcement setting of this interface.

Choices:

  • "prevent"

  • "detect"

  • "off"

anti_spoofing_tracking

string

The anti-spoofing tracking setting of this interface.

Choices:

  • "none"

  • "alert"

  • "log"

ipv4_address

string

IPv4 Address of this interface with optional CIDR prefix.<br/>Required if this interface belongs to a Virtual System or Virtual Router.

ipv4_netmask

string

IPv4 Subnet mask of this interface.

ipv4_prefix

string

IPv4 CIDR prefix of this interface.

ipv6_address

string

IPv6 Address of this interface<br/>Required if this interface belongs to a Virtual System or Virtual Router.

ipv6_netmask

string

IPv6 Subnet mask of this interface.

ipv6_prefix

string

IPv6 CIDR prefix of this interface.

leads_to

string

Virtual Switch or Virtual Router for this interface.

mtu

integer

MTU of this interface.

name

string

Name of the interface.

propagate

boolean

Propagate IPv4 route to adjacent virtual devices.

Choices:

  • false

  • true

propagate6

boolean

Propagate IPv6 route to adjacent virtual devices.

Choices:

  • false

  • true

specific_group

string

Specific group for interface topology.<br/>Only for use with topology option ‘internal_specific’.

topology

string

Topology of this interface.<br/>Automatic topology calculation based on routes must be disabled for this VS.

Choices:

  • "external"

  • "internal_undefined"

  • "internal_this_network"

  • "internal_specific"

  • "defined_by_routes"

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

vti_settings

dictionary

VTI settings for this interface. This Virtual System must have VPN blade enabled.

local_ipv4_address

string

The IPv4 address of the VPN tunnel on this Virtual System.

peer_name

string

The name of the remote peer object as defined in the VPN community.

remote_ipv4_address

string

The IPv4 address of the VPN tunnel on the remote VPN peer.

tunnel_id

string

Optional unique Tunnel ID.<br/>Automatically assigned by the system if empty.

add_vd_params

dictionary

Parameters for the operation to add a new Virtual Device (VS/VSB/VSW/VR).

calc_topology_auto

boolean

Calculate interface topology automatically based on routes.<br/>Relevant only for Virtual Systems.<br/>Do not use for virtual devices.

Choices:

  • false

  • true

interfaces

list / elements=dictionary

The list of interfaces for this new Virtual Device.<br/>Optional if this new VD is a Virtual Switch.

anti_spoofing

string

The anti-spoofing enforcement setting of this interface.

Choices:

  • "prevent"

  • "detect"

  • "off"

anti_spoofing_tracking

string

The anti-spoofing tracking setting of this interface.

Choices:

  • "none"

  • "alert"

  • "log"

ipv4_address

string

IPv4 Address of this interface with optional CIDR prefix.<br/>Required if this interface belongs to a Virtual System or Virtual Router.

ipv4_netmask

string

IPv4 Subnet mask of this interface.

ipv4_prefix

string

IPv4 CIDR prefix of this interface.

ipv6_address

string

IPv6 Address of this interface<br/>Required if this interface belongs to a Virtual System or Virtual Router.

ipv6_netmask

string

IPv6 Subnet mask of this interface.

ipv6_prefix

string

IPv6 CIDR prefix of this interface.

leads_to

string

Virtual Switch or Virtual Router for this interface.

mtu

integer

MTU of this interface.

name

string

Name of the interface.

propagate

boolean

Propagate IPv4 route to adjacent virtual devices.

Choices:

  • false

  • true

propagate6

boolean

Propagate IPv6 route to adjacent virtual devices.

Choices:

  • false

  • true

specific_group

string

Specific group for interface topology.<br/>Only for use with topology option ‘internal_specific’.

topology

string

Topology of this interface.<br/>Automatic topology calculation based on routes must be disabled for this VS.

Choices:

  • "external"

  • "internal_undefined"

  • "internal_this_network"

  • "internal_specific"

  • "defined_by_routes"

ipv4_address

string

Main IPv4 Address.<br/>Required if this device is a Virtual System.<br/>Do not use for other virtual devices.

ipv4_instances

integer

Number of IPv4 instances for the Virtual System.<br/>Must be greater or equal to 1.<br/>Only relevant for Virtual Systems and Virtual Systems in bridge mode.

ipv6_address

string

Main IPv6 Address.<br/>Required if this device is a Virtual System.<br/>Do not use for other virtual devices.

ipv6_instances

integer

Number of IPv6 instances for the Virtual System.<br/>Only relevant for Virtual Systems and Virtual Systems in bridge mode.

routes

list / elements=dictionary

The list of routes for this new Virtual Device (VS or VR only).

destination

string

Route destination. To specify the default route, use ‘default’ for IPv4 and ‘default6’ for IPv6.

leads_to

string

Virtual Router for this route<br/>This VD must have an existing connection to the VR.

netmask

string

Subnet mask for this route.

next_hop

string

Next hop IP address.

prefix

string

CIDR prefix for this route.

propagate

boolean

Propagate this route to adjacent virtual devices.

Choices:

  • false

  • true

type

string

Type of the Virtual Device <br><br>vs - Virtual Firewall<br>vr - Virtual Router<br>vsw - Virtual Switch<br>vsbm - Virtual Firewall in bridge mode.

Choices:

  • "vs"

  • "vr"

  • "vsw"

  • "vsbm"

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

vs_mtu

integer

MTU of the Virtual System.<br/>Only relevant for Virtual Systems in bridge mode.<br/>Do not use for other virtual devices.

vsx_name

string

Name of the VSX Gateway or Cluster object.

add_vsx_cluster_params

dictionary

Parameters for the operation to add a new VSX Cluster.

cluster_type

string

Cluster type for the VSX Cluster Object.<br/>Starting in R81.10, only VSLS can be configured during cluster creation.<br/>To use High Availability (‘ha’), first create the cluster as VSLS and then run vsx_util on the Management.

Choices:

  • "vsls"

  • "ha"

ipv4_address

string

Main IPv4 Address of the VSX Gateway or Cluster object.<br/>Optional if main IPv6 Address is defined.

ipv6_address

string

Main IPv6 Address of the VSX Gateway or Cluster object.<br/>Optional if main IPv4 Address is defined.

members

list / elements=dictionary

The list of cluster members for this new VSX Cluster. Minimum, 2.

ipv4_address

string

Main IPv4 Address of the VSX Cluster member.<br/>Mandatory if the VSX Cluster has an IPv4 Address.

ipv6_address

string

Main IPv6 Address of the VSX Cluster member.<br/>Mandatory if the VSX Cluster has an IPv6 Address.

name

string

Name of the new VSX Cluster member.

sic_otp

string

SIC one-time-password of the VSX Gateway or Cluster member.<br/>Password must be between 4-127 characters in length.

sync_ip

string

Sync IP address for the VSX Cluster member.

rule_drop

string

Add a default drop rule to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_https

string

Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ping

string

Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ping6

string

Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_snmp

string

Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ssh

string

Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

sync_if_name

string

Sync interface name for the VSX Cluster.

sync_netmask

string

Sync interface netmask for the VSX Cluster.

vsx_name

string

Name of the VSX Gateway or Cluster object.

vsx_version

string

Version of the VSX Gateway or Cluster object.

add_vsx_gateway_params

dictionary

Parameters for the operation to add a new VSX Gateway.

ipv4_address

string

Main IPv4 Address of the VSX Gateway or Cluster object.<br/>Optional if main IPv6 Address is defined.

ipv6_address

string

Main IPv6 Address of the VSX Gateway or Cluster object.<br/>Optional if main IPv4 Address is defined.

rule_drop

string

Add a default drop rule to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_https

string

Add a rule to allow HTTPS traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ping

string

Add a rule to allow ping traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ping6

string

Add a rule to allow ping6 traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_snmp

string

Add a rule to allow SNMP traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

rule_ssh

string

Add a rule to allow SSH traffic to the VSX Gateway or Cluster initial policy.

Choices:

  • "enable"

  • "disable"

sic_otp

string

SIC one-time-password of the VSX Gateway or Cluster member.<br/>Password must be between 4-127 characters in length.

vsx_name

string

Name of the VSX Gateway or Cluster object.

vsx_version

string

Version of the VSX Gateway or Cluster object.

attach_bridge_params

dictionary

Parameters for the operation to attach a new bridge interface to a Virtual System.

ifs1

string

Name of the first interface for the bridge.

ifs2

string

Name of the second interface for the bridge.

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

auto_publish_session

boolean

Publish the current session if changes have been performed after task completes.

Choices:

  • false ← (default)

  • true

operation

string

The name of the provisioning operation to run. Each operation has its own specific parameters.<br> The available operations are,<ul><li><i>add-vsx-gateway</i> - Adds a new VSX gateway</li><li><i>add-vsx-cluster</i> - Adds a new VSX cluster*</li><li><i>add-vsx-cluster-member</i> - Adds a new VSX cluster member*</li><li><i>add-vd</i> - Adds a new Virtual Device (VS/VSB/VSW/VR) to a VSX gateway or VSX cluster</li><li><i>add-vd-interface</i> - Adds a new virtual interface to a Virtual Device</li><li><i>add-physical-interface</i> - Adds a physical interface to a VSX gateway or VSX cluster</li><li><i>add-route</i> - Adds a route to a Virtual Device</li><li><i>attach-bridge</i> - Attaches a bridge interface to a Virtual System</li><li><i>remove-vsx</i> - Removes a VSX gateway or VSX cluster</li><li><i>remove-vd</i> - Removes a Virtual Device</li><li><i>remove-vd-interface</i> - Removes an interface from a Virtual Device</li><li><i>remove-physical-interface</i> - Removes a physical interface from a VSX gateway or VSX cluster</li><li><i>remove-route</i> - Removes a route from a Virtual Device</li><li><i>set-vd</i> - Modifies a Virtual Device</li><li><i>set-vd-interface</i> - Modifies an interface on a Virtual Device</li><li><i>set-physical-interface</i> - Modifies a physical interface on a VSX cluster or VSX gateway</li></ul><br> * When adding a VSX Cluster, you must also add at least 2 cluster members<br> * Adding cluster members is only allowed when adding a new VSX cluster<br> * To add members to an existing cluster, use vsx-run-operation.

Choices:

  • "attach-bridge"

  • "add-route"

  • "add-physical-interface"

  • "add-vd-interface"

  • "add-vsx-gateway"

  • "add-vsx-cluster"

  • "add-vd"

  • "remove-route"

  • "remove-vd"

  • "remove-vsx"

  • "remove-physical-interface"

  • "remove-vd-interface"

  • "set-vd"

  • "set-physical-interface"

  • "set-vd-interface"

remove_physical_interface_params

dictionary

Parameters for the operation to remove a physical interface from a VSX (Gateway or Cluster).

name

string

Name of the interface.

vsx_name

string

Name of the VSX Gateway or Cluster object.

remove_route_params

dictionary

Parameters for the operation to remove a route from a Virtual System or Virtual Router.

destination

string

Route destination. To specify the default route, use ‘default’ for IPv4 and ‘default6’ for IPv6.

netmask

string

Subnet mask for this route.

prefix

string

CIDR prefix for this route.

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

remove_vd_interface_params

dictionary

Parameters for the operation to remove a logical interface from a Virtual Device.

leads_to

string

Virtual Switch or Virtual Router for this interface.

name

string

Name of the interface.

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

remove_vd_params

dictionary

Parameters for the operation to remove a Virtual Device.

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

remove_vsx_params

dictionary

Parameters for the operation to remove a VSX Gateway or VSX Cluster.

vsx_name

string

Name of the VSX Gateway or Cluster object.

set_physical_interface_params

dictionary

Parameters for the operation to change the configuration of a physical interface.

name

string

Name of the interface.

vlan_trunk

boolean

True if this interface is a VLAN trunk.

Choices:

  • false

  • true

vsx_name

string

Name of the VSX Gateway or Cluster object.

set_vd_interface_params

dictionary

Parameters for the operation to change the configuration of a logical interface.

anti_spoofing

string

The anti-spoofing enforcement setting of this interface.

Choices:

  • "prevent"

  • "detect"

  • "off"

anti_spoofing_tracking

string

The anti-spoofing tracking setting of this interface.

Choices:

  • "none"

  • "alert"

  • "log"

ipv4_address

string

IPv4 Address of this interface with optional CIDR prefix.<br/>Required if this interface belongs to a Virtual System or Virtual Router.

ipv6_address

string

IPv6 Address of this interface<br/>Required if this interface belongs to a Virtual System or Virtual Router.

leads_to

string

Virtual Switch or Virtual Router for this interface.

mtu

integer

MTU of this interface.

name

string

Name of the interface.

new_leads_to

string

New Virtual Switch or Virtual Router for this interface.

propagate

boolean

Propagate IPv4 route to adjacent virtual devices.

Choices:

  • false

  • true

propagate6

boolean

Propagate IPv6 route to adjacent virtual devices.

Choices:

  • false

  • true

specific_group

string

Specific group for interface topology.<br/>Only for use with topology option ‘internal_specific’.

topology

string

Topology of this interface.<br/>Automatic topology calculation based on routes must be disabled for this VS.

Choices:

  • "external"

  • "internal_undefined"

  • "internal_this_network"

  • "internal_specific"

  • "defined_by_routes"

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

set_vd_params

dictionary

Parameters for the operation to change the configuration of a Virtual Device.

calc_topology_auto

boolean

Calculate interface topology automatically based on routes.<br/>Relevant only for Virtual Systems.<br/>Do not use for virtual devices.

Choices:

  • false

  • true

ipv4_address

string

Main IPv4 Address.<br/>Relevant only if this device is a Virtual System.<br/>Do not use for other virtual devices.

ipv4_instances

integer

Number of IPv4 instances for the Virtual System.<br/>Must be greater or equal to 1.<br/>Only relevant for Virtual Systems and Virtual Systems in bridge mode.

ipv6_address

string

Main IPv6 Address.<br/>Relevant only if this device is a Virtual System.<br/>Do not use for other virtual devices.

ipv6_instances

integer

Number of IPv6 instances for the Virtual System.<br/>Only relevant for Virtual Systems and Virtual Systems in bridge mode.

vd

string

Name of the Virtual System, Virtual Switch, or Virtual Router.

vs_mtu

integer

MTU of the Virtual System.<br/>Only relevant for Virtual Systems in bridge mode.<br/>Do not use for other virtual devices.

version

string

Version of checkpoint. If not given one, the latest version taken.

wait_for_task

boolean

Wait for the task to end. Such as publish task.

Choices:

  • false

  • true ← (default)

wait_for_task_timeout

integer

How many minutes to wait until throwing a timeout error.

Default: 30

Examples

- name: vsx-provisioning-tool
  cp_mgmt_vsx_provisioning_tool:
    add_vsx_cluster_params:
      cluster_type: vsls
      ipv4_address: 10.1.1.15
      members:
        - ipv4_address: 10.1.1.1
          name: VSX1
          sic_otp: sicotp123
          sync_ip: 192.168.1.1
        - ipv4_address: 10.1.1.2
          name: VSX2
          sic_otp: sicotp123
          sync_ip: 192.168.1.2
      rule_drop: enable
      rule_ping: enable
      sync_if_name: eth3
      sync_netmask: 255.255.255.0
      vsx_version: R81.10
      vsx_name: VSX_CLUSTER
    operation: add-vsx-cluster

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

cp_mgmt_vsx_provisioning_tool

dictionary

The checkpoint vsx-provisioning-tool output.

Returned: always.

Authors

  • Eden Brillant (@chkp-edenbr)