check_point.mgmt.cp_mgmt_access_rule – Manages access-rule objects on Check Point over Web Services API

Note

This plugin is part of the check_point.mgmt collection (version 2.2.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_access_rule.

New in version 2.9: of check_point.mgmt

Synopsis

  • Manages access-rule objects on Check Point devices including creating, updating and removing objects.

  • All operations are performed over Web Services API.

Parameters

Parameter

Comments

action

string

a “Accept”, “Drop”, “Ask”, “Inform”, “Reject”, “User Auth”, “Client Auth”, “Apply Layer”.

action_settings

dictionary

Action settings.

enable_identity_captive_portal

boolean

N/A

Choices:

  • no

  • yes

limit

string

N/A

auto_publish_session

boolean

Publish the current session if changes have been performed after task completes.

Choices:

  • no

  • yes

comments

string

Comments string.

content

list / elements=string

List of processed file types that this rule applies on.

content_direction

string

On which direction the file types processing is applied.

Choices:

  • any

  • up

  • down

content_negate

boolean

True if negate is set for data.

Choices:

  • no

  • yes

custom_fields

dictionary

Custom fields.

field_1

string

First custom field.

field_2

string

Second custom field.

field_3

string

Third custom field.

destination

list / elements=string

Collection of Network objects identified by the name or UID.

destination_negate

boolean

True if negate is set for destination.

Choices:

  • no

  • yes

details_level

string

The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.

Choices:

  • uid

  • standard

  • full

enabled

boolean

Enable/Disable the rule.

Choices:

  • no

  • yes

ignore_errors

boolean

Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.

Choices:

  • no

  • yes

ignore_warnings

boolean

Apply changes ignoring warnings.

Choices:

  • no

  • yes

inline_layer

string

Inline Layer identified by the name or UID. Relevant only if “Action” was set to “Apply Layer”.

install_on

list / elements=string

Which Gateways identified by the name or UID to install the policy on.

layer

string

Layer that the rule belongs to identified by the name or UID.

name

string / required

Object name.

position

string

Position in the rulebase.

service

list / elements=string

Collection of Network objects identified by the name or UID.

service_negate

boolean

True if negate is set for service.

Choices:

  • no

  • yes

source

list / elements=string

Collection of Network objects identified by the name or UID.

source_negate

boolean

True if negate is set for source.

Choices:

  • no

  • yes

state

string

State of the access rule (present or absent). Defaults to present.

Choices:

  • present ← (default)

  • absent

time

list / elements=string

List of time objects. For example, “Weekend”, “Off-Work”, “Every-Day”.

track

dictionary

Track Settings.

accounting

boolean

Turns accounting for track on and off.

Choices:

  • no

  • yes

alert

string

Type of alert for the track.

Choices:

  • none

  • alert

  • snmp

  • mail

  • user alert 1

  • user alert 2

  • user alert 3

enable_firewall_session

boolean

Determine whether to generate session log to firewall only connections.

Choices:

  • no

  • yes

per_connection

boolean

Determines whether to perform the log per connection.

Choices:

  • no

  • yes

per_session

boolean

Determines whether to perform the log per session.

Choices:

  • no

  • yes

type

string

a “Log”, “Extended Log”, “Detailed Log”, “None”.

user_check

dictionary

User check settings.

confirm

string

N/A

Choices:

  • per rule

  • per category

  • per application/site

  • per data type

custom_frequency

dictionary

N/A

every

integer

N/A

unit

string

N/A

Choices:

  • hours

  • days

  • weeks

  • months

frequency

string

N/A

Choices:

  • once a day

  • once a week

  • once a month

  • custom frequency…

interaction

string

N/A

version

string

Version of checkpoint. If not given one, the latest version taken.

vpn

list / elements=string

Communities or Directional.

community

list / elements=string

List of community name or UID.

directional

list / elements=string

Communities directional match condition.

from

string

From community name or UID.

to

string

To community name or UID.

wait_for_task

boolean

Wait for the task to end. Such as publish task.

Choices:

  • no

  • yes ← (default)

wait_for_task_timeout

integer

How many minutes to wait until throwing a timeout error.

Default: 30

Examples

- name: add-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 1
    position: 1
    service:
    - SMTP
    - AOL
    state: present

- name: set-access-rule
  cp_mgmt_access_rule:
    action: Ask
    action_settings:
      enable_identity_captive_portal: true
      limit: Upload_1Gbps
    layer: Network
    name: Rule 1
    state: present

- name: delete-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 2
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

cp_mgmt_access_rule

dictionary

The checkpoint object created or updated.

Returned: always, except when deleting the object.

Authors

  • Or Soffer (@chkp-orso)