check_point.mgmt.cp_mgmt_resource_uri module – Manages resource-uri objects on Checkpoint over Web Services API

Note

This module is part of the check_point.mgmt collection (version 6.2.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_resource_uri.

New in check_point.mgmt 6.0.0

Synopsis

  • Manages resource-uri objects on Checkpoint devices including creating, updating and removing objects.

  • All operations are performed over Web Services API.

Parameters

Parameter

Comments

action

dictionary

Action settings.

replacement_uri

string

If the Action in a rule which uses this resource is Drop or Reject, then the Replacement URI is displayed instead of the one requested by the user.

strip_activex_tags

boolean

Strip ActiveX tags.

Choices:

  • false

  • true

strip_applet_tags

boolean

Strip Java applets.

Choices:

  • false

  • true

strip_ftp_links

boolean

Strip ftp links.

Choices:

  • false

  • true

strip_port_strings

boolean

Strip ports.

Choices:

  • false

  • true

strip_script_tags

boolean

Strip JAVA scripts.

Choices:

  • false

  • true

auto_publish_session

boolean

Publish the current session if changes have been performed after task completes.

Choices:

  • false ← (default)

  • true

color

string

Color of the object. Should be one of existing colors.

Choices:

  • "aquamarine"

  • "black"

  • "blue"

  • "crete blue"

  • "burlywood"

  • "cyan"

  • "dark green"

  • "khaki"

  • "orchid"

  • "dark orange"

  • "dark sea green"

  • "pink"

  • "turquoise"

  • "dark blue"

  • "firebrick"

  • "brown"

  • "forest green"

  • "gold"

  • "dark gold"

  • "gray"

  • "dark gray"

  • "light green"

  • "lemon chiffon"

  • "coral"

  • "sea green"

  • "sky blue"

  • "magenta"

  • "purple"

  • "slate blue"

  • "violet red"

  • "navy blue"

  • "olive"

  • "orange"

  • "red"

  • "sienna"

  • "yellow"

comments

string

Comments string.

connection_methods

dictionary

Connection methods.

proxy

boolean

The Resource is applied when people specify the Check Point Security Gateway as a proxy in their browser.

Choices:

  • false

  • true

transparent

boolean

The security server is invisible to the client that originates the connection, and to the server. The Transparent connection method is the most secure.

Choices:

  • false

  • true

tunneling

boolean

The Resource is applied when people specify the Security Gateway as a proxy in their browser, and is used for connections where Security Gateway cannot examine the contents of the packets, not even the URL.

Choices:

  • false

  • true

cvp

dictionary

CVP settings.

allowed_to_modify_content

boolean

Configures the CVP server to inspect but not modify content.

Choices:

  • false

  • true

enable_cvp

boolean

Select to enable the Content Vectoring Protocol.

Choices:

  • false

  • true

reply_order

string

Designates when the CVP server returns data to the Security Gateway security server.

Choices:

  • "return_data_after_content_is_approved"

  • "return_data_before_content_is_approved"

send_http_headers_to_cvp

boolean

Select if you would like the CVP server to check the HTTP headers of the message packets.

Choices:

  • false

  • true

send_http_request_to_cvp

boolean

Used to protect against undesirable content in the HTTP request, for example, when inspecting peer-to-peer connections.

Choices:

  • false

  • true

send_only_unsafe_file_types

boolean

Improves the performance of the CVP server. This option does not send to the CVP server traffic that is considered safe.

Choices:

  • false

  • true

server

string

The UID or Name of the CVP server. Make sure the CVP server is already defined as an OPSEC Application.

details_level

string

The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.

Choices:

  • "uid"

  • "standard"

  • "full"

exception_track

string

Configures how to track connections that match this rule but fail the content security checks. An example of an exception is a connection with an unsupported scheme or method.

Choices:

  • "none"

  • "exception log"

  • "exception alert"

ignore_errors

boolean

Apply changes ignoring errors. You won’t be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.

Choices:

  • false

  • true

ignore_warnings

boolean

Apply changes ignoring warnings.

Choices:

  • false

  • true

match_ufp

dictionary

Match-Ufp settings.

caching_control

string

Specifies if and how caching is to be enabled.

Choices:

  • "security_gateway_one_request"

  • "security_gateway_two_requests"

  • "no_caching"

  • "ufp_server"

ignore_ufp_server_after_failure

boolean

The UFP server will be ignored after numerous UFP server connections were unsuccessful.

Choices:

  • false

  • true

number_of_failures_before_ignore

integer

Signifies at what point the UFP server should be ignored.

server

string

The UID or Name of the UFP server that is an OPSEC certified third party application that checks URLs against a list of permitted categories.

timeout_before_reconnecting

integer

The amount of time that must pass before a UFP server connection should be attempted.

match_wildcards

dictionary

Match-Wildcards settings.

host

string

The functionality of the Host parameter depends on the DNS setup of the addressed server. For the host, only the IP address or the full DNS name should be used.

methods

dictionary

Select the URI Schemes to which this resource applies.

get

boolean

GET method.

Choices:

  • false

  • true

head

boolean

HEAD method.

Choices:

  • false

  • true

other

string

You can specify another method in the Other field. You can use wildcards.

post

boolean

POST method.

Choices:

  • false

  • true

put

boolean

PUT method.

Choices:

  • false

  • true

path

string

Name matching is based on appending the file name in the request to the current working directory (unless the file name is already a full path name) and comparing the result to the path specified in the Resource definition.

query

string

The parameters that are sent to the URI when it is accessed.

schemes

dictionary

Select the URI Schemes to which this resource applies.

ftp

boolean

Ftp scheme.

Choices:

  • false

  • true

gopher

boolean

Gopher scheme.

Choices:

  • false

  • true

http

boolean

Http scheme.

Choices:

  • false

  • true

mailto

boolean

Mailto scheme.

Choices:

  • false

  • true

news

boolean

News scheme.

Choices:

  • false

  • true

other

string

You can specify another scheme in the Other field. You can use wildcards.

wais

boolean

Wais scheme.

Choices:

  • false

  • true

name

string / required

Object name.

soap

dictionary

SOAP settings.

file_id

string

A file containing SOAP requests.

Choices:

  • "scheme1"

  • "scheme2"

  • "scheme3"

  • "scheme4"

  • "scheme5"

  • "scheme6"

  • "scheme7"

  • "scheme8"

  • "scheme9"

  • "scheme10"

inspection

string

Allow all SOAP Requests, or Allow only SOAP requests specified in the following file-id.

Choices:

  • "allow_all_soap_requests"

  • "allow_soap_requests_as_specified_in_file"

track_connections

string

The method of tracking SOAP connections.

Choices:

  • "none"

  • "log"

  • "popup_alert"

  • "mail_alert"

  • "snmp_trap_alert"

  • "user_defined_alert_no"

  • "user_defined_alert_no"

  • "user_defined_alert_no"

state

string

State of the access rule (present or absent).

Choices:

  • "present" ← (default)

  • "absent"

tags

list / elements=string

Collection of tag identifiers.

uri_match_specification_type

string

The type can be Wild Cards or UFP, where a UFP server holds categories of forbidden web sites.

Choices:

  • "wildcards"

  • "ufp"

use_this_resource_to

string

Select the use of the URI resource.

Choices:

  • "enforce_uri_capabilities"

  • "optimize_url_logging"

  • "enhance_ufp_performance"

version

string

Version of checkpoint. If none is given, the latest version is taken.

wait_for_task

boolean

Wait for the task to end, such as a publish task.

Choices:

  • false

  • true ← (default)

wait_for_task_timeout

integer

How many minutes to wait until throwing a timeout error.

Default: 30

Examples

- name: add-resource-uri
  cp_mgmt_resource_uri:
    connection_methods:
      transparent: 'false'
      tunneling: 'true'
    match_wildcards:
      host: hostName
      path: pathName
    name: newUriResource
    state: present
    uri_match_specification_type: wildcards
    use_this_resource_to: optimize_url_logging

- name: set-resource-uri
  cp_mgmt_resource_uri:
    connection_methods:
      transparent: 'false'
      tunneling: 'true'
    match_wildcards:
      host: hostName
      path: pathName
    name: newUriResource
    state: present
    uri_match_specification_type: wildcards
    use_this_resource_to: optimize_url_logging

- name: delete-resource-uri
  cp_mgmt_resource_uri:
    name: newUriResource
    state: absent
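
The tasks below are an added example, not part of the collection's own documentation. They use the content-inspection parameters documented above (action, methods, schemes, exception_track) that the examples above leave unset, and then check the documented return value. The object name, host, path and replacement URI are constructed placeholders.

```yaml
# Added example. Values marked "placeholder" are constructed for illustration.
- name: Create a URI resource that enforces URI capabilities
  check_point.mgmt.cp_mgmt_resource_uri:
    name: uriResourceHardened                      # placeholder object name
    state: present
    use_this_resource_to: enforce_uri_capabilities
    uri_match_specification_type: wildcards
    connection_methods:
      transparent: true      # described above as the most secure method
      proxy: false
      tunneling: false       # tunneling cannot examine packet contents or the URL
    match_wildcards:
      host: www.example.com                        # placeholder host
      path: /app/*                                 # placeholder path
      schemes:
        http: true
        ftp: false
        gopher: false
      methods:
        get: true
        head: true
        post: true
        put: false
    action:
      # Shown instead of the requested URI when the rule action is Drop or Reject
      replacement_uri: http://blocked.example.com/ # placeholder URI
      strip_activex_tags: true
      strip_applet_tags: true
      strip_script_tags: true
    # Log connections that match the rule but fail the content security checks
    exception_track: exception log
    # Default value: the session stays unpublished so the change can be reviewed
    auto_publish_session: false
  register: uri_result

- name: Confirm the module returned the created or updated object
  ansible.builtin.assert:
    that:
      - uri_result.cp_mgmt_resource_uri is defined
```

With auto_publish_session left at false, the object exists only in the current session until that session is published.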

Return Values

Common return values are documented here; the following are the fields unique to this module:

Key

Description

cp_mgmt_resource_uri

dictionary

The checkpoint object created or updated.

Returned: always, except when deleting the object.

Authors

  • Eden Brillant (@chkp-edenbr)