cp_mgmt_threat_profile – Manages threat-profile objects on Check Point over Web Services API

New in version 2.9.

Synopsis

  • Manages threat-profile objects on Check Point devices including creating, updating and removing objects.

  • All operations are performed over Web Services API.

Parameters

Parameter Choices/Defaults Comments
activate_protections_by_extended_attributes
list
Activate protections by these extended attributes.
category
string
IPS tag category name.
name
string
IPS tag name.
active_protections_performance_impact
string
    Choices:
  • high
  • medium
  • low
  • very_low
Protections with this performance impact only will be activated in the profile.
active_protections_severity
string
    Choices:
  • Critical
  • High
  • Medium or above
  • Low or above
Protections with this severity only will be activated in the profile.
anti_bot
boolean
    Choices:
  • no
  • yes
Is Anti-Bot blade activated.
anti_virus
boolean
    Choices:
  • no
  • yes
Is Anti-Virus blade activated.
auto_publish_session
boolean
    Choices:
  • no
  • yes
Publish the current session if changes have been performed after task completes.
color
string
    Choices:
  • aquamarine
  • black
  • blue
  • crete blue
  • burlywood
  • cyan
  • dark green
  • khaki
  • orchid
  • dark orange
  • dark sea green
  • pink
  • turquoise
  • dark blue
  • firebrick
  • brown
  • forest green
  • gold
  • dark gold
  • gray
  • dark gray
  • light green
  • lemon chiffon
  • coral
  • sea green
  • sky blue
  • magenta
  • purple
  • slate blue
  • violet red
  • navy blue
  • olive
  • orange
  • red
  • sienna
  • yellow
Color of the object. Should be one of existing colors.
comments
string
Comments string.
confidence_level_high
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
Action for protections with high confidence level.
confidence_level_low
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
Action for protections with low confidence level.
confidence_level_medium
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
Action for protections with medium confidence level.
deactivate_protections_by_extended_attributes
list
Deactivate protections by these extended attributes.
category
string
IPS tag category name.
name
string
IPS tag name.
details_level
string
    Choices:
  • uid
  • standard
  • full
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.
ignore_errors
boolean
    Choices:
  • no
  • yes
Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
ignore_warnings
boolean
    Choices:
  • no
  • yes
Apply changes ignoring warnings.
indicator_overrides
list
Indicators whose action will be overridden in this profile.
action
string
    Choices:
  • Inactive
  • Ask
  • Prevent
  • Detect
The indicator's action in this profile.
indicator
string
The indicator whose action is to be overridden.
ips
boolean
    Choices:
  • no
  • yes
Is IPS blade activated.
ips_settings
dictionary
IPS blade settings.
exclude_protection_with_performance_impact
boolean
    Choices:
  • no
  • yes
Whether to exclude protections depending on their level of performance impact.
exclude_protection_with_performance_impact_mode
string
    Choices:
  • very low
  • low or lower
  • medium or lower
  • high or lower
Exclude protections with this level of performance impact.
exclude_protection_with_severity
boolean
    Choices:
  • no
  • yes
Whether to exclude protections depending on their level of severity.
exclude_protection_with_severity_mode
string
    Choices:
  • low or above
  • medium or above
  • high or above
  • critical
Exclude protections with this level of severity.
newly_updated_protections
string
    Choices:
  • active
  • inactive
  • staging
Activation of newly updated protections.
malicious_mail_policy_settings
dictionary
Malicious Mail Policy for MTA Gateways.
add_customized_text_to_email_body
boolean
    Choices:
  • no
  • yes
Add customized text to the malicious email body.
add_email_subject_prefix
boolean
    Choices:
  • no
  • yes
Add a prefix to the malicious email subject.
add_x_header_to_email
boolean
    Choices:
  • no
  • yes
Add an X-Header to the malicious email.
email_action
string
    Choices:
  • allow
  • block
Block - block the entire malicious email<br>Allow - pass the malicious email and apply email changes (like, remove attachments and links, add x-header, etc...).
email_body_customized_text
string
Customized text for the malicious email body.<br> Available predefined fields,<br> $verdicts$ - the malicious/error attachments/links verdict.
email_subject_prefix_text
string
Prefix for the malicious email subject.
failed_to_scan_attachments_text
string
Replace attachments that failed to be scanned with this text.<br> Available predefined fields,<br> $filename$ - the malicious file name.<br> $md5$ - MD5 of the malicious file.
malicious_attachments_text
string
Replace malicious attachments with this text.<br> Available predefined fields,<br> $filename$ - the malicious file name.<br> $md5$ - MD5 of the malicious file.
malicious_links_text
string
Replace malicious links with this text.<br> Available predefined fields,<br> $neutralized_url$ - neutralized malicious link.
remove_attachments_and_links
boolean
    Choices:
  • no
  • yes
Remove attachments and links from the malicious email.
send_copy
boolean
    Choices:
  • no
  • yes
Send a copy of the malicious email to the recipient list.
send_copy_list
list
Recipient list to send a copy of the malicious email.
name
string / required
Object name.
overrides
list
Overrides per profile for this protection.
action
string
    Choices:
  • Threat Cloud: Inactive
  • Detect
  • Prevent <br> Core: Drop
  • Inactive
  • Accept
Protection action.
capture_packets
boolean
    Choices:
  • no
  • yes
Capture packets.
protection
string
IPS protection identified by name or UID.
track
string
    Choices:
  • none
  • log
  • alert
  • mail
  • snmp trap
  • user alert
  • user alert 1
  • user alert 2
Tracking method for protection.
state
string
    Choices:
  • present ←
  • absent
State of the access rule (present or absent). Defaults to present.
tags
list
Collection of tag identifiers.
threat_emulation
boolean
    Choices:
  • no
  • yes
Is Threat Emulation blade activated.
use_extended_attributes
boolean
    Choices:
  • no
  • yes
Whether to activate/deactivate IPS protections according to the extended attributes.
use_indicators
boolean
    Choices:
  • no
  • yes
Indicates whether the profile should make use of indicators.
version
string
Version of checkpoint. If not given one, the latest version taken.
wait_for_task
boolean
    Choices:
  • no
  • yes ←
Wait for the task to end. Such as publish task.

Examples

- name: add-threat-profile
  cp_mgmt_threat_profile:
    active_protections_performance_impact: low
    active_protections_severity: low or above
    anti_bot: true
    anti_virus: true
    confidence_level_high: prevent
    confidence_level_medium: prevent
    ips: true
    ips_settings:
      exclude_protection_with_performance_impact: true
      exclude_protection_with_performance_impact_mode: high or lower
      newly_updated_protections: staging
    name: New Profile 1
    state: present
    threat_emulation: true

- name: set-threat-profile
  cp_mgmt_threat_profile:
    active_protections_performance_impact: low
    active_protections_severity: low or above
    anti_bot: true
    anti_virus: false
    comments: update recommended profile
    confidence_level_high: prevent
    confidence_level_low: prevent
    confidence_level_medium: prevent
    ips: false
    ips_settings:
      exclude_protection_with_performance_impact: true
      exclude_protection_with_performance_impact_mode: high or lower
      newly_updated_protections: active
    name: New Profile 1
    state: present
    threat_emulation: true

- name: delete-threat-profile
  cp_mgmt_threat_profile:
    name: New Profile 1
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cp_mgmt_threat_profile
dictionary
always, except when deleting the object.
The checkpoint object created or updated.



Status

Authors

  • Or Soffer (@chkp-orso)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.