check_point.mgmt.cp_mgmt_simple_cluster module – Manages simple-cluster objects on Checkpoint over Web Services API
Note
This module is part of the check_point.mgmt collection (version 5.2.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install check_point.mgmt
.
To use it in a playbook, specify: check_point.mgmt.cp_mgmt_simple_cluster
.
New in check_point.mgmt 3.0.0
Synopsis
Manages simple-cluster objects on Checkpoint devices including creating, updating and removing objects.
All operations are performed over Web Services API.
Parameters
Parameter |
Comments |
---|---|
Anti-Bot blade enabled. Choices:
|
|
Anti-Virus blade enabled. Choices:
|
|
Application Control blade enabled. Choices:
|
|
Publish the current session if changes have been performed after task completes. Choices:
|
|
Cluster mode. Choices:
|
|
Cluster platform version. |
|
Color of the object. Should be one of existing colors. Choices:
|
|
Comments string. |
|
Content Awareness blade enabled. Choices:
|
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Firewall blade enabled. Choices:
|
|
N/A |
|
N/A Choices:
|
|
N/A Choices:
|
|
N/A |
|
N/A |
|
N/A |
|
N/A |
|
Collection of group identifiers. |
|
Cluster platform hardware. |
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
N/A |
|
N/A Choices:
|
|
N/A |
|
If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). Choices:
|
|
Don’t check packets from excluded network. Choices:
|
|
Excluded network name. |
|
Excluded network UID. |
|
Spoof tracking. Choices:
|
|
Color of the object. Should be one of existing colors. Choices:
|
|
Comments string. |
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
Cluster interface type. Choices:
|
|
IPv4 or IPv6 address. If both addresses are required use ipv4-address and ipv6-address fields explicitly. |
|
IPv4 address. |
|
IPv4 network mask length. |
|
IPv4 network address. |
|
IPv6 address. |
|
IPv6 network mask length. |
|
IPv6 network address. |
|
IPv4 or IPv6 network mask length. |
|
Multicast IP Address. |
|
Multicast Address Type. Choices:
|
|
Object name. |
|
IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly. |
|
N/A Choices:
|
|
N/A |
|
Security Zone is calculated according to where the interface leads to. Choices:
|
|
Security Zone specified manually. |
|
Collection of tag identifiers. |
|
N/A Choices:
|
|
N/A |
|
Whether this interface leads to demilitarized zone (perimeter network). Choices:
|
|
Network settings behind this interface. Choices:
|
|
Network behind this interface. |
|
IPv4 or IPv6 address. If both addresses are required use ipv4-address and ipv6-address fields explicitly. |
|
Intrusion Prevention System blade enabled. Choices:
|
|
IPv4 address. |
|
IPv6 address. |
|
Cluster members list. Only new cluster member can be added. Adding existing gateway is not supported. |
|
Color of the object. Should be one of existing colors. Choices:
|
|
Comments string. |
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
Cluster Member network interfaces. |
|
N/A Choices:
|
|
N/A |
|
If packets will be rejected (the Prevent option) or whether the packets will be monitored (the Detect option). Choices:
|
|
Don’t check packets from excluded network. Choices:
|
|
Excluded network name. |
|
Excluded network UID. |
|
Spoof tracking. Choices:
|
|
Color of the object. Should be one of existing colors. Choices:
|
|
Comments string. |
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
IPv4 or IPv6 address. If both addresses are required use ipv4-address and ipv6-address fields explicitly. |
|
IPv4 address. |
|
IPv4 network mask length. |
|
IPv4 network address. |
|
IPv6 address. |
|
IPv6 network mask length. |
|
IPv6 network address. |
|
IPv4 or IPv6 network mask length. |
|
Object name. |
|
IPv4 or IPv6 network mask. If both masks are required use ipv4-network-mask and ipv6-network-mask fields explicitly. Instead of providing mask itself it is possible to specify IPv4 or IPv6 mask length in mask-length field. If both masks length are required use ipv4-mask-length and ipv6-mask-length fields explicitly. |
|
N/A Choices:
|
|
N/A |
|
Security Zone is calculated according to where the interface leads to. Choices:
|
|
Security Zone specified manually. |
|
Collection of tag identifiers. |
|
N/A Choices:
|
|
N/A |
|
Whether this interface leads to demilitarized zone (perimeter network). Choices:
|
|
Network settings behind this interface. Choices:
|
|
Network behind this interface. |
|
IPv4 or IPv6 address. If both addresses are required use ipv4-address and ipv6-address fields explicitly. |
|
IPv4 address. |
|
IPv6 address. |
|
Object name. |
|
N/A |
|
Collection of tag identifiers. |
|
Object name. |
|
Cluster platform operating system. |
|
Platform portal settings. |
|
Configuration of the portal access settings. |
|
Allowed access to the web portal (based on interfaces, or security policy). Choices:
|
|
Configuration of the additional portal access settings for internal interfaces only. |
|
Controls portal access settings for internal interfaces, whose topology is set to ‘DMZ’. Choices:
|
|
Controls portal access settings for internal interfaces, whose topology is set to ‘Undefined’. Choices:
|
|
Controls portal access settings for interfaces that are part of a VPN Encryption Domain. Choices:
|
|
Configuration of the portal certificate settings. |
|
The certificate file encoded in Base64 with padding. This file must be in the *.p12 format. |
|
Password (encoded in Base64 with padding) for the certificate file. |
|
Configuration of the portal web settings. |
|
List of URL aliases that are redirected to the main portal URL. |
|
Optional, IP address for the web portal to use, if your DNS server fails to resolve the main portal URL. Note, If your DNS server resolves the main portal URL, this IP address is ignored. |
|
The main URL for the web portal. |
|
Server(s) to send alerts to. |
|
Backup server(s) to send logs to. |
|
Server(s) to send logs to. |
|
Indicates whether to show the portals certificate value in the reply. Choices:
|
|
State of the access rule (present or absent). Choices:
|
|
Collection of tag identifiers. |
|
Threat Emulation blade enabled. Choices:
|
|
Threat Extraction blade enabled. Choices:
|
|
The mode of Threat Prevention to use. When using Autonomous Threat Prevention, disabling the Threat Prevention blades is not allowed. Choices:
|
|
URL Filtering blade enabled. Choices:
|
|
UserCheck portal settings. |
|
Configuration of the portal access settings. |
|
Allowed access to the web portal (based on interfaces, or security policy). Choices:
|
|
Configuration of the additional portal access settings for internal interfaces only. |
|
Controls portal access settings for internal interfaces, whose topology is set to ‘DMZ’. Choices:
|
|
Controls portal access settings for internal interfaces, whose topology is set to ‘Undefined’. Choices:
|
|
Controls portal access settings for interfaces that are part of a VPN Encryption Domain. Choices:
|
|
Configuration of the portal certificate settings. |
|
The certificate file encoded in Base64 with padding. This file must be in the *.p12 format. |
|
Password (encoded in Base64 with padding) for the certificate file. |
|
State of the web portal (enabled or disabled). The supported blades are, {‘Application Control’, ‘URL Filtering’, ‘Data Loss Prevention’, ‘Anti Virus’, ‘Anti Bot’, ‘Threat Emulation’, ‘Threat Extraction’, ‘Data Awareness’}. Choices:
|
|
Configuration of the portal web settings. |
|
List of URL aliases that are redirected to the main portal URL. |
|
Optional, IP address for the web portal to use, if your DNS server fails to resolve the main portal URL. Note, If your DNS server resolves the main portal URL, this IP address is ignored. |
|
The main URL for the web portal. |
|
Version of checkpoint. If not given one, the latest version taken. |
|
VPN blade enabled. Choices:
|
|
Gateway VPN settings. |
|
Authentication. |
|
Collection of VPN Authentication clients identified by the name or UID. |
|
Link Selection. |
|
DNS Resolving Hostname. Must be set when “ip-selection” was selected to be “dns-resolving-from-hostname”. |
|
IP Address. Must be set when “ip-selection” was selected to be “use-selected-address-from-topology” or “use-statically-nated-ip”. |
|
N/A Choices:
|
|
N/A |
|
N/A |
|
Office Mode. Notation Wide Impact - Office Mode apply IPSec VPN Software Blade clients and to the Mobile Access Software Blade clients. |
|
Allocate IP address Method. Allocate IP address by sequentially trying the given methods until success. |
|
Using either Manual (IP Pool) or Automatic (DHCP). Must be set when “use-allocate-method” is true. Choices:
|
|
Calculated MAC address for DHCP allocation. Must be set when “allocate-method” was selected to be “automatic”. Choices:
|
|
DHCP Server. Identified by name or UID. Must be set when “allocate-method” was selected to be “automatic”. |
|
Manual Network. Identified by name or UID. Must be set when “allocate-method” was selected to be “manual”. |
|
This configuration applies to all Office Mode methods except Automatic (using DHCP) and ipassignment.conf entries which contain this data. |
|
DNS Suffixes. |
|
First Backup DNS Server. Identified by name or UID. Must be set when “use-first-backup-dns-server” is true and can not be set when “use-first-backup-dns-server” is false. |
|
First Backup WINS Server. Identified by name or UID. Must be set when “use-first-backup-wins-server” is true and can not be set when “use-first-backup-wins-server” is false. |
|
IP Lease Duration in Minutes. The value must be in the range 2-32767. |
|
Primary DNS Server. Identified by name or UID. Must be set when “use-primary-dns-server” is true and can not be set when “use-primary-dns-server” is false. |
|
Primary WINS Server. Identified by name or UID. Must be set when “use-primary-wins-server” is true and can not be set when “use-primary-wins-server” is false. |
|
Second Backup DNS Server. Identified by name or UID. Must be set when “use-second-backup-dns-server” is true and can not be set when “use-second-backup-dns-server” is false. |
|
Second Backup WINS Server. Identified by name or UID. Must be set when “use-second-backup-wins-server” is true and can not be set when “use-second-backup-wins-server” is false. |
|
Use First Backup DNS Server. Choices:
|
|
Use First Backup WINS Server. Choices:
|
|
Use Primary DNS Server. Choices:
|
|
Use Primary WINS Server. Choices:
|
|
Use Second Backup DNS Server. Choices:
|
|
Use Second Backup WINS Server. Choices:
|
|
Radius server used to authenticate the user. Choices:
|
|
Use Allocate Method. Choices:
|
|
Virtual IPV4 address for DHCP server replies. Must be set when “allocate-method” was selected to be “automatic”. |
|
Additional IP Addresses for Anti-Spoofing. Identified by name or UID. Must be set when “perform-anti-spoofings” is true. |
|
Group. Identified by name or UID. Must be set when “office-mode-permissions” was selected to be “group”. |
|
Office Mode Permissions.When selected to be “off”, all the other definitions are irrelevant. Choices:
|
|
Perform Anti-Spoofing on Office Mode addresses. Choices:
|
|
Support connectivity enhancement for gateways with multiple external interfaces. Choices:
|
|
Remote Access. |
|
Allow VPN clients to route traffic. Choices:
|
|
L2TP Authentication Method. Must be set when “support-l2tp” is true. Choices:
|
|
L2TP Certificate. Must be set when “l2tp-auth-method” was selected to be “certificate”. Insert “defaultCert” when you want to use the default certificate. |
|
Allocated NAT traversal UDP service. Identified by name or UID. Must be set when “support-nat-traversal-mechanism” is true. |
|
Support L2TP (relevant only when office mode is active). Choices:
|
|
Support NAT traversal mechanism (UDP encapsulation). Choices:
|
|
Support Visitor Mode. Choices:
|
|
Interface for Visitor Mode. Must be set when “support-visitor-mode” is true. Insert IPV4 Address of existing interface or “All IPs” when you want all interfaces. |
|
TCP Service for Visitor Mode. Identified by name or UID. Must be set when “support-visitor-mode” is true. |
|
Gateway VPN domain identified by the name or UID. |
|
Gateway VPN domain type. Choices:
|
|
Wait for the task to end. Such as publish task. Choices:
|
|
How many minutes to wait until throwing a timeout error. Default: |
Examples
- name: add-simple-cluster
cp_mgmt_simple_cluster:
cluster_mode: cluster-xl-ha
color: yellow
firewall: true
interfaces:
- anti_spoofing: true
interface_type: cluster
ip_address: 17.23.5.1
name: eth0
network_mask: 255.255.255.0
topology: EXTERNAL
- interface_type: sync
name: eth1
topology: INTERNAL
topology_settings:
interface_leads_to_dmz: false
ip_address_behind_this_interface: network defined by the interface ip and net
mask
- anti_spoofing: true
interface_type: cluster
ip_address: 192.168.1.1
name: eth2
network_mask: 255.255.255.0
topology: INTERNAL
topology_settings:
interface_leads_to_dmz: false
ip_address_behind_this_interface: network defined by the interface ip and net
mask
ip_address: 17.23.5.1
members:
- interfaces:
- ip_address: 17.23.5.2
name: eth0
network_mask: 255.255.255.0
- ip_address: 1.1.2.4
name: eth1
network_mask: 255.255.255.0
- ip_address: 192.168.1.2
name: eth2
network_mask: 255.255.255.0
ip_address: 17.23.5.2
name: member1
one_time_password: abcd
- interfaces:
- ip_address: 17.23.5.3
name: eth0
network_mask: 255.255.255.0
- ip_address: 1.1.2.5
name: eth1
network_mask: 255.255.255.0
- ip_address: 192.168.1.3
name: eth2
network_mask: 255.255.255.0
ip_address: 17.23.5.3
name: member2
one_time_password: abcd
name: cluster1
os_name: Gaia
state: present
cluster_version: R80.30
- name: set-simple-cluster
cp_mgmt_simple_cluster:
name: cluster1
state: present
- name: delete-simple-cluster
cp_mgmt_simple_cluster:
name: cluster1
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The checkpoint object created or updated. Returned: always, except when deleting the object. |