check_point.mgmt.cp_mgmt_set_https_advanced_settings module – Configure advanced settings for HTTPS Inspection.

Note

This module is part of the check_point.mgmt collection (version 6.2.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_set_https_advanced_settings.

New in check_point.mgmt 6.1.0

Synopsis

  • Configure advanced settings for HTTPS Inspection.

  • All operations are performed over Web Services API.

Parameters

Parameter

Comments

auto_publish_session

boolean

Publish the current session if changes have been performed after the task completes.

Choices:

  • false ← (default)

  • true

blocked_certificate_tracking

string

Controls whether to log and send a notification for dropped traffic.

  • None - Does not record the event.

  • Log - Records the event details in SmartView.

  • Alert - Logs the event and executes a command.

  • Mail - Sends an email to the administrator.

  • SNMP Trap - Sends an SNMP alert to the SNMP GUI.

  • User Defined Alert - Sends customized alerts.

Choices:

  • "none"

  • "log"

  • "popup alert"

  • "mail alert"

  • "snmp trap alert"

  • "user defined alert no.1"

  • "user defined alert no.2"

  • "user defined alert no.3"

blocked_certificates

list / elements=dictionary

Collection of certificate objects identified by serial number.

Drop traffic from servers using a blocked certificate.

cert_serial_number

string

Certificate Serial Number (unique) in hexadecimal format HH,HH.

comments

string

Describes the certificate by default; can be overridden by any text.

name

string

Describes the name, cannot be overridden.
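The blocked_certificates entries above key on cert_serial_number in the "HH,HH" hexadecimal form. Serial numbers are usually copied from other tools in a different shape (plain hex, colon-separated hex, an integer), so the following added helper, which is not part of the check_point.mgmt collection, normalizes such inputs into the HH,HH form and builds one list element for the parameter. The input shapes it accepts and the sample serials are assumptions constructed for the example.

```python
import re

# Added example, not code from the check_point.mgmt collection.
# Normalise a certificate serial number into the "HH,HH" form expected by
# blocked_certificates[].cert_serial_number.
#
# Accepted inputs (assumed sources; all sample values are constructed):
#   "0A1B2C3D"          plain hex
#   "serial=0A1B2C3D"   plain hex with the "serial=" prefix some tools print
#   "0a:1b:2c:3d"       colon-separated hex as printed in certificate dumps
#   "0x0A1B2C3D"        hex with a 0x prefix
#   3456                an integer serial as returned by an X.509 parser
# Output: uppercase, comma-separated byte pairs, e.g. "0A,1B,2C,3D".

_HEX_BODY = re.compile(r"^[0-9A-Fa-f]+$")


def to_checkpoint_serial(serial) -> str:
    """Return the serial number in Check Point's HH,HH hexadecimal format."""
    if isinstance(serial, bool):  # bool is an int subclass; reject it explicitly
        raise TypeError("serial must be an int or str, not bool")
    if isinstance(serial, int):
        if serial < 0:
            raise ValueError("certificate serial numbers are non-negative")
        hexdigits = format(serial, "X")
    else:
        s = serial.strip()
        if s.lower().startswith("serial="):
            s = s[len("serial="):]
        if s.lower().startswith("0x"):
            s = s[2:]
        # Strip the separators used by common dump formats (and by HH,HH itself,
        # so an already-formatted value is accepted unchanged).
        hexdigits = s.replace(":", "").replace(",", "").replace(" ", "")
        if not hexdigits or not _HEX_BODY.match(hexdigits):
            raise ValueError(f"not a hexadecimal serial number: {serial!r}")
        hexdigits = hexdigits.upper()
    # Left-pad to a whole number of bytes so every group has exactly two digits.
    if len(hexdigits) % 2:
        hexdigits = "0" + hexdigits
    return ",".join(hexdigits[i:i + 2] for i in range(0, len(hexdigits), 2))


def is_checkpoint_serial(value: str) -> bool:
    """True if value is already in strict HH,HH form (uppercase, two digits per group)."""
    return re.fullmatch(r"[0-9A-F]{2}(,[0-9A-F]{2})*", value) is not None


def blocked_certificate_entry(serial, name: str, comments: str = "") -> dict:
    """Build one element of the module's blocked_certificates list."""
    entry = {"cert_serial_number": to_checkpoint_serial(serial), "name": name}
    if comments:
        entry["comments"] = comments
    return entry


if __name__ == "__main__":
    # Constructed sample values, not real certificates.
    for sample in ("serial=0A1B2C3D", "0a:1b:2c:3d", "0x0A1B2C3D", 3456):
        print(repr(sample), "->", to_checkpoint_serial(sample))
    print(blocked_certificate_entry("0a:1b:2c:3d", "example-blocked-cert"))
```

The returned dictionary can be passed straight into the blocked_certificates list of a task; the odd-length padding matters because a serial such as 0xD80 must become "0D,80", not "D,80".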

bypass_on_client_failure

boolean

Whether all requests should be bypassed or blocked in case of client errors (the client closes the connection due to authentication issues during the handshake).

  • true - Fail-open (bypass all requests).

  • false - Fail-close (block all requests).

The default value is true.

Choices:

  • false

  • true

bypass_on_failure

boolean

Whether all requests should be bypassed or blocked in case of server errors (for example, a validation error during gateway-to-server authentication).

  • true - Fail-open (bypass all requests).

  • false - Fail-close (block all requests).

The default value is true.

Choices:

  • false

  • true

bypass_under_load

dictionary

Bypass the HTTPS Inspection temporarily to improve connectivity during a heavy load on the Security Gateway. The HTTPS Inspection would resume as soon as the load decreases.

track

string

Whether to log and send a notification for the bypass under load.

  • None - Does not record the event.

  • Log - Records the event details. Use SmartConsole or SmartView to see the logs.

  • Alert - Logs the event and executes a command you configured.

  • Mail - Sends an email to the administrator.

  • SNMP Trap - Sends an SNMP alert to the configured SNMP Management Server.

  • User Defined Alert - Sends a custom alert.

Choices:

  • "none"

  • "log"

  • "popup alert"

  • "mail alert"

  • "snmp trap alert"

  • "user defined alert no.1"

  • "user defined alert no.2"

  • "user defined alert no.3"

bypass_update_services

boolean

Configure the value "true" to bypass traffic to well-known software update services.

The default value is true.

Choices:

  • false

  • true

certificate_pinned_apps_action

string

Configure the value "bypass" to bypass traffic from certificate-pinned applications approved by Check Point.

HTTPS Inspection cannot inspect connections initiated by certificate-pinned applications.

Configure the value "detect" to send logs for traffic from certificate-pinned applications approved by Check Point.

The default value is bypass.

Choices:

  • "bypass"

  • "detect"

  • "none"

details_level

string

The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.

Choices:

  • "uid"

  • "standard"

  • "full"

domains_to_process

list / elements=string

Indicates which domains to process the commands on. It cannot be used with details-level full, must be run from the System Domain only, and requires ignore-warnings true. Valid values are CURRENT_DOMAIN and ALL_DOMAINS_ON_THIS_SERVER.

ignore_errors

boolean

Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.

Choices:

  • false

  • true

ignore_warnings

boolean

Apply changes ignoring warnings.

Choices:

  • false

  • true

log_sessions

boolean

The value "true" configures the Security Gateway to send HTTPS Inspection session logs.

The default value is true.

Choices:

  • false

  • true

retrieve_intermediate_ca_certificates

boolean

Configure the value "true" to use the "Certificate Authority Information Access" extension to retrieve certificates that are missing from the certificate chain.

The default value is true.

Choices:

  • false

  • true

server_certificate_validation_actions

dictionary

When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.

block_expired

boolean

Set to true to drop traffic from servers with an expired server certificate.

Choices:

  • false

  • true

block_revoked

boolean

Set to true to drop traffic from servers with a revoked server certificate (validates the CRL).

Choices:

  • false

  • true

block_untrusted

boolean

Set to true to drop traffic from servers with an untrusted server certificate.

Choices:

  • false

  • true

track_errors

string

Whether to log and send a notification for server validation errors.

  • None - Does not record the event.

  • Log - Records the event details in SmartView.

  • Alert - Logs the event and executes a command.

  • Mail - Sends an email to the administrator.

  • SNMP Trap - Sends an SNMP alert to the SNMP GUI.

  • User Defined Alert - Sends customized alerts.

Choices:

  • "none"

  • "log"

  • "popup alert"

  • "mail alert"

  • "snmp trap alert"

  • "user defined alert no.1"

  • "user defined alert no.2"

  • "user defined alert no.3"

site_categorization_allow_mode

string

Whether all requests should be allowed or blocked until categorization is complete.

  • Background - Allow requests until categorization is complete.

  • Hold - Block requests until categorization is complete.

The default value is hold.

Choices:

  • "background"

  • "hold"

version

string

Version of Check Point. If none is given, the latest version is taken.

wait_for_task

boolean

Wait for the task to end, such as a publish task.

Choices:

  • false

  • true ← (default)

wait_for_task_timeout

integer

How many minutes to wait until throwing a timeout error.

Default: 30

Examples

- name: set-https-advanced-settings
  cp_mgmt_set_https_advanced_settings:
    blocked_certificate_tracking: popup alert
    bypass_on_client_failure: 'false'
    bypass_on_failure: 'false'
    bypass_under_load:
      track: log
    bypass_update_services: 'true'
    certificate_pinned_apps_action: bypass
    log_sessions: 'true'
    retrieve_intermediate_ca_certificates: 'true'
    server_certificate_validation_actions:
      block_expired: 'true'
      block_revoked: 'false'
      block_untrusted: 'true'
      track_errors: snmp trap alert
    site_categorization_allow_mode: background
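Several of the parameters above default to fail-open or non-blocking behaviour (bypass_on_failure and bypass_on_client_failure default to true, site_categorization_allow_mode to hold, certificate_pinned_apps_action to bypass), and the block_* flags only drop traffic when set to true. The following added review helper, which is not part of the check_point.mgmt collection, takes a cp_mgmt_set_https_advanced_settings argument dictionary and reports every setting that leaves the gateway passing traffic when inspection cannot decide, treating omitted parameters as keeping the documented default. It also accepts the quoted 'true'/'false' strings used in the example playbook above. The defaults are the ones stated on this page; that the gateway applies exactly those defaults, and the sample argument dictionary (copied from the example task), are the assumptions the example makes.

```python
# Added example, not code from the check_point.mgmt collection.
# Audit a cp_mgmt_set_https_advanced_settings argument dictionary for
# settings that leave HTTPS Inspection fail-open or non-blocking.

# Documented defaults for the two fail-open switches (assumed to be what the
# gateway applies when the parameter is omitted).
FAIL_OPEN_DEFAULTS = {
    "bypass_on_failure": True,         # server-side errors: bypass all requests
    "bypass_on_client_failure": True,  # client-side errors: bypass all requests
}
# server_certificate_validation_actions flags; the page documents no default,
# so an omitted flag is reported as "not set" rather than assumed either way.
VALIDATION_BLOCKS = ("block_expired", "block_revoked", "block_untrusted")


def to_bool(value) -> bool:
    """Interpret Ansible-style booleans, including the 'true'/'false' strings
    the example playbook uses."""
    if isinstance(value, bool):
        return value
    if isinstance(value, str):
        v = value.strip().lower()
        if v in ("true", "yes", "on", "1"):
            return True
        if v in ("false", "no", "off", "0"):
            return False
    raise ValueError(f"not a boolean: {value!r}")


def fail_open_findings(args: dict) -> dict:
    """Map each weak setting (dotted path) to a one-line explanation."""
    findings = {}
    for key, default in FAIL_OPEN_DEFAULTS.items():
        if to_bool(args.get(key, default)):
            findings[key] = "true: requests are bypassed (fail-open) on errors"
    actions = args.get("server_certificate_validation_actions") or {}
    for flag in VALIDATION_BLOCKS:
        path = f"server_certificate_validation_actions.{flag}"
        if flag not in actions:
            findings[path] = "not set: no documented default, traffic drop not configured"
        elif not to_bool(actions[flag]):
            findings[path] = "false: traffic from such servers is not dropped"
    if args.get("site_categorization_allow_mode", "hold") == "background":
        findings["site_categorization_allow_mode"] = (
            "background: requests are allowed before categorization completes")
    if args.get("certificate_pinned_apps_action", "bypass") == "bypass":
        findings["certificate_pinned_apps_action"] = (
            "bypass: pinned-application traffic passes without logs (detect logs it)")
    if not to_bool(args.get("log_sessions", True)):
        findings["log_sessions"] = "false: no HTTPS Inspection session logs are sent"
    return findings


# The argument dictionary of the example task on this page, reproduced here as
# sample input (string booleans kept exactly as the playbook writes them).
PAGE_EXAMPLE_ARGS = {
    "blocked_certificate_tracking": "popup alert",
    "bypass_on_client_failure": "false",
    "bypass_on_failure": "false",
    "bypass_under_load": {"track": "log"},
    "bypass_update_services": "true",
    "certificate_pinned_apps_action": "bypass",
    "log_sessions": "true",
    "retrieve_intermediate_ca_certificates": "true",
    "server_certificate_validation_actions": {
        "block_expired": "true",
        "block_revoked": "false",
        "block_untrusted": "true",
        "track_errors": "snmp trap alert",
    },
    "site_categorization_allow_mode": "background",
}

if __name__ == "__main__":
    for path, why in fail_open_findings(PAGE_EXAMPLE_ARGS).items():
        print(f"{path}: {why}")
    print("findings for an empty task (all defaults):",
          len(fail_open_findings({})))
```

Run against the example task, the helper flags block_revoked, site_categorization_allow_mode and certificate_pinned_apps_action; run against an empty argument dictionary it flags both bypass_on_* switches, the three unset block_* flags and the pinned-application default, which is the fail-open baseline a task inherits when it sets nothing.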

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

cp_mgmt_set_https_advanced_settings

dictionary

The Check Point set-https-advanced-settings output.

Returned: always.

Authors

  • Eden Brillant (@chkp-edenbr)