You are reading an unmaintained version of the Ansible documentation. Unmaintained Ansible versions can contain unfixed security vulnerabilities (CVE). Please upgrade to a maintained version. See the latest Ansible documentation.

check_point.mgmt.cp_mgmt_access_rule module – Manages access-rule objects on Check Point over Web Services API

Note

This module is part of the check_point.mgmt collection (version 2.3.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_access_rule.

New in version 2.9: of check_point.mgmt

Synopsis

• Manages access-rule objects on Check Point devices including creating, updating and removing objects.

• All operations are performed over Web Services API.

Parameters

Parameter	Comments
action string	a “Accept”, “Drop”, “Ask”, “Inform”, “Reject”, “User Auth”, “Client Auth”, “Apply Layer”.
action_settings dictionary	Action settings.
enable_identity_captive_portal boolean	N/A Choices: no yes
limit string	N/A
auto_publish_session boolean	Publish the current session if changes have been performed after task completes. Choices: no yes
comments string	Comments string.
content list / elements=string	List of processed file types that this rule applies on.
content_direction string	On which direction the file types processing is applied. Choices: any up down
content_negate boolean	True if negate is set for data. Choices: no yes
custom_fields dictionary	Custom fields.
field_1 string	First custom field.
field_2 string	Second custom field.
field_3 string	Third custom field.
destination list / elements=string	Collection of Network objects identified by the name or UID.
destination_negate boolean	True if negate is set for destination. Choices: no yes
details_level string	The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices: uid standard full
enabled boolean	Enable/Disable the rule. Choices: no yes
ignore_errors boolean	Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices: no yes
ignore_warnings boolean	Apply changes ignoring warnings. Choices: no yes
inline_layer string	Inline Layer identified by the name or UID. Relevant only if “Action” was set to “Apply Layer”.
install_on list / elements=string	Which Gateways identified by the name or UID to install the policy on.
layer string	Layer that the rule belongs to identified by the name or UID.
name string / required	Object name.
position string	Position in the rulebase.
position_by_rule dictionary	Position in the rulebase. Use of this field may not be idempotent.
above string	Add rule above specific rule identified by uid or name (limited to 500 rules).
below string	Add rule below specific rule identified by uid or name (limited to 500 rules).
service list / elements=string	Collection of Network objects identified by the name or UID.
service_negate boolean	True if negate is set for service. Choices: no yes
source list / elements=string	Collection of Network objects identified by the name or UID.
source_negate boolean	True if negate is set for source. Choices: no yes
state string	State of the access rule (present or absent). Defaults to present. Choices: present ← (default) absent
time list / elements=string	List of time objects. For example, “Weekend”, “Off-Work”, “Every-Day”.
track dictionary	Track Settings.
accounting boolean	Turns accounting for track on and off. Choices: no yes
alert string	Type of alert for the track. Choices: none alert snmp mail user alert 1 user alert 2 user alert 3
enable_firewall_session boolean	Determine whether to generate session log to firewall only connections. Choices: no yes
per_connection boolean	Determines whether to perform the log per connection. Choices: no yes
per_session boolean	Determines whether to perform the log per session. Choices: no yes
type string	a “Log”, “Extended Log”, “Detailed Log”, “None”.
user_check dictionary	User check settings.
confirm string	N/A Choices: per rule per category per application/site per data type
custom_frequency dictionary	N/A
every integer	N/A
unit string	N/A Choices: hours days weeks months
frequency string	N/A Choices: once a day once a week once a month custom frequency…
interaction string	N/A
version string	Version of checkpoint. If not given one, the latest version taken.
vpn list / elements=string	Communities or Directional.
community list / elements=string	List of community name or UID.
directional list / elements=string	Communities directional match condition.
from string	From community name or UID.
to string	To community name or UID.
wait_for_task boolean	Wait for the task to end. Such as publish task. Choices: no yes ← (default)
wait_for_task_timeout integer	How many minutes to wait until throwing a timeout error. Default: 30

Examples

- name: add-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 1
    position: 1
    service:
    - SMTP
    - AOL
    state: present

- name: set-access-rule
  cp_mgmt_access_rule:
    action: Ask
    action_settings:
      enable_identity_captive_portal: true
      limit: Upload_1Gbps
    layer: Network
    name: Rule 1
    state: present

- name: delete-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 2
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
cp_mgmt_access_rule dictionary	The checkpoint object created or updated. Returned: always, except when deleting the object.

Authors

• Or Soffer (@chkp-orso)

Collection links

Issue Tracker Repository (Sources)