check_point.mgmt.cp_mgmt_set_global_properties module – Edit Global Properties.
Note
This module is part of the check_point.mgmt collection (version 5.2.3).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install check_point.mgmt.
To use it in a playbook, specify: check_point.mgmt.cp_mgmt_set_global_properties.
New in check_point.mgmt 3.0.0
Synopsis
Edit Global Properties.
All operations are performed over Web Services API.
Parameters
Parameter |
Comments |
|---|---|
Configure advanced global attributes. It’s highly recommended to consult with Check Point’s Technical Support before modifying these values. |
|
Configure Certificates and PKI properties. |
|
Enforce key length in certificate validation (R80+ gateways only). Choices:
|
|
Select the key size for ECDSA of the host certificate. Choices:
|
|
Select the key size of the host certificate. Choices:
|
|
After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host. Choices:
|
|
Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication). |
|
Suffix for internal users authentication. |
|
Enforce suffix for internal users authentication. Choices:
|
|
Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field. |
|
all authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts. Choices:
|
|
Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. |
|
Users certificates which were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field. |
|
Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. |
|
Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. |
|
Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. |
|
Publish the current session if changes have been performed after task completes. Choices:
|
|
Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests. |
|
If true, enables configuring aggressive aging thresholds and time out value. Choices:
|
|
Aggressive timeout. Available only if aggressive-aging is true. |
|
Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80). Choices:
|
|
Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged. Choices:
|
|
If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted.<br>To enhance performance, disable this extended integrity test. Choices:
|
|
Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context. Choices:
|
|
verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged. Choices:
|
|
specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation.<br>Available only ifenable-g-pdu-seq-number-check-with-max-deviation is true. |
|
Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings. |
|
Memory activation threshold. Available only if aggressive-aging is true. |
|
Memory deactivation threshold. Available only if aggressive-aging is true. |
|
sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval. |
|
logs GTP packets not matched by previous rules with Carrier Security’s extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked. Choices:
|
|
Choose to place this implicit rule Before Last or as the Last rule.<br>Available only if produce-extended-logs-on-unmatched-pdus is true. Choices:
|
|
Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected. Choices:
|
|
Tunnel activation threshold. Available only if aggressive-aging is true. |
|
Tunnel deactivation threshold. Available only if aggressive-aging is true. |
|
See that each packet’s flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only.<br>To enhance performance, disable this extended integrity test. Choices:
|
|
Configure settings that relate to ConnectControl server load balancing. |
|
Sets the port number on which load measuring agents communicate with ConnectControl. |
|
sets how often (in seconds) the load measuring agents report their load status to ConnectControl. |
|
Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server. |
|
Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests. |
|
Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it. |
|
Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server. |
|
Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended). Choices:
|
|
Automatically download software updates and new features (highly recommended).<br>Available only if auto-download-important-data is set to true. Choices:
|
|
Help Check Point improve the product by sending anonymous information. Choices:
|
|
Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point’s Privacy Policy.<br>Available only if send-anonymous-info is set to true. Choices:
|
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are, CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER. |
|
Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them. |
|
Used for,<br> <ul><li> Installing the security policy from the Security Management server to the gateways.</li><br> <li> Sending logs from the gateways to the Security Management server.</li><br> <li> Communication between SmartConsole clients and the Security Management Server</li><br> <li> Communication between Firewall daemons on different machines (Security Management Server, Security Gateway).</li><br> <li> Connecting to OPSEC applications such as RADIUS and TACACS authentication servers.</li></ul>If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base. Choices:
|
|
Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-domain-name-over-tcp is true. Choices:
|
|
Accepts Domain Name (DNS) queries and replies over UDP. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-domain-name-over-udp is true. Choices:
|
|
Accept Dynamic Address modules’ outgoing internet connections.Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway). Choices:
|
|
Accepts Internet Control Message Protocol messages. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-icmp-requests is true. Choices:
|
|
Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-identity-awareness-control-connections is true. Choices:
|
|
Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base. Choices:
|
|
Accepts IPS-1 connections.<br>Available only if accept-control-connections is true. Choices:
|
|
Accepts outgoing packets originating from Connectra gateway.<br>Available only if accept-outgoing-packets-originating-from-gw is false. Choices:
|
|
Accepts all packets from connections that originate at the Check Point Security Gateway. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-outgoing-packets-originating-from-gw is false. Choices:
|
|
Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher.<br>Available only if accept-outgoing-packets-originating-from-gw is false. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-outgoing-packets-to-cp-online-services is true. Choices:
|
|
Accepts Remote Access connections.<br>Available only if accept-control-connections is true. Choices:
|
|
Accepts Routing Information Protocol (RIP), using UDP on port 520. Choices:
|
|
The position of the implied rules in the Rule Base.<br>Available only if accept-rip is true. Choices:
|
|
Accepts SmartUpdate connections. Choices:
|
|
Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster. Choices:
|
|
Accepts Web and SSH connections for Small Office Appliance gateways. Choices:
|
|
Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window. Choices:
|
|
Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways. |
|
Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server. |
|
FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session. |
|
HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. <br>These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window. |
|
HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. <br>These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window. |
|
This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP. |
|
Host name of the HTTP Server. |
|
Unique Logical Name of the HTTP Server. |
|
Port number of the HTTP Server. |
|
Specify whether users must reauthenticate when accessing a specific server. Choices:
|
|
MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules,<br> - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen.<br> - This message must not end with a space or a tab and is limited to 63 characters. |
|
Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session. |
|
The Logical Name of a Null Requests Server from http-servers. |
|
SMTP Welcome Message is the message to be displayed when a user begins an SMTP session. |
|
Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session. |
|
Enable the Hit Count feature that tracks the number of connections that each rule matches. |
|
Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches. Choices:
|
|
Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column. Choices:
|
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
Define system-wide logging and alerting parameters. |
|
Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs. Choices:
|
|
Define the behavior of alert logs and the type of alert used for System Alert logs. |
|
Set the default track option for System Alerts. Choices:
|
|
Run mail alert script the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command. |
|
Run popup alert script the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command. |
|
Send mail alert to SmartView Monitor when a mail alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Send popup alert to SmartView Monitor when an alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Send SNMP trap alert to SmartView Monitor when an SNMP trap alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Send user defined alert no. 1 to SmartView Monitor when an alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Send user defined alert no. 2 to SmartView Monitor when an alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Send user defined alert no. 3 to SmartView Monitor when an alert is issued, it is also sent to SmartView Monitor. Choices:
|
|
Run SNMP trap alert script command to be executed when SNMP Trap is specified as the Track in a rule. By default the internal_snmp_trap is used. This command is executed by the fwd process. |
|
Run user defined script the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option. |
|
Run user defined 2 script the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option. |
|
Run user defined 3 script the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option. |
|
Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring). Choices:
|
|
Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved. Choices:
|
|
IP Options drop specifies the action to take when a packet with IP Options is encountered. The Check Point Security Gateway always drops these packets, but you can log them or issue an alert. Choices:
|
|
Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection. Choices:
|
|
Log Traffic specifies whether or not to log traffic. Choices:
|
|
Packet is incorrectly tagged. Choices:
|
|
Packet tagging brute force attack. Choices:
|
|
SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window. Choices:
|
|
Configure the time settings associated with system-wide logging and alerting parameters. |
|
Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field.<br>Note, This option only applies for DROP rules with logging. |
|
Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field. |
|
Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field. |
|
Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field. |
|
VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain. Choices:
|
|
VPN packet handling errors specifies the action to be taken when encryption or decryption errors occurs. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch. Choices:
|
|
VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged. Choices:
|
|
Configure settings that apply to all NAT connections. |
|
Specifies whether to log each allocation and release of an IP address from the IP Pool.<br>Available only if enable-ip-pool-nat is true. Choices:
|
|
Specifies the action to take if the IP Pool is exhausted.<br>Available only if enable-ip-pool-nat is true. Choices:
|
|
Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection. Choices:
|
|
Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway. Choices:
|
|
Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side. Choices:
|
|
Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side. Choices:
|
|
Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side. Choices:
|
|
Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules.<br>Available only if auto-arp-conf is true. Choices:
|
|
Specify Non Unique IP Address Ranges. |
|
The type of the IP Address. Choices:
|
|
The first IPV4 Address in the range. |
|
The first IPV6 Address in the range. |
|
The last IPV4 Address in the range. |
|
The last IPV6 Address in the range. |
|
Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client’s key. |
|
Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used. |
|
Specify the URL or IP address of the proxy server.<br>Available only if use-proxy-server is set to true. |
|
Specify the Port on which the server will be accessed.<br>Available only if use-proxy-server is set to true. |
|
If set to true, a proxy server is used when features need to access the internet. Choices:
|
|
Define the general parameters of Quality of Service (QoS) and apply them to QoS rules. |
|
Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit. |
|
Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule.<br>Note, Value will be applied to new rules only. |
|
Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule. |
|
Define the Authentication time-out for QoS. This timeout is set in minutes. |
|
Define the Authentication time-out for QoS. This timeout is set in minutes. |
|
Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure. Choices:
|
|
Configure Remote Access properties. |
|
Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client’s details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled. Choices:
|
|
You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client. Choices:
|
|
Configure global settings for Endpoint Connect. These settings apply to all gateways. |
|
Cached password timeout (in minutes). |
|
Select an option to determine how the client is upgraded. Choices:
|
|
Methods by which a connection to the gateway will be initiated,<br>Manual - VPN connections will not be initiated automatically.<br>Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances, (a) the device has a valid IP address, (b) when the device “wakes up” from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.).<br>Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client. Choices:
|
|
Enabling this feature disconnects users from the gateway when connectivity to the network is lost. Choices:
|
|
Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period. Choices:
|
|
If the password entered to authenticate is saved locally on the user’s machine. Choices:
|
|
Wide Impact, Also applies for Check Point GO clients!<br>Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability. Choices:
|
|
Configure how the client determines its location in relation to the internal network. |
|
The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won’t be considered external. Choices:
|
|
The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID) a name used to identify a particular 802.11 wireless LAN. Choices:
|
|
DNS suffixes not defined here will be considered as external. If this list is empty consider-undefined-dns-suffixes-as-external will automatically be set to false.<br>Available only if consider-undefined-dns-suffixes-as-external is set to true. |
|
Excludes the specified internal networks names (SSIDs).<br>Available only if consider-wireless-networks-as-external is set to true. |
|
Name or UID of Network or Group the VPN client is connected from.<br>Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to “Connects from network or group”. |
|
The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external. Choices:
|
|
When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network,<br>Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended).<br>Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client.<br>Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain.<br>Note, The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to “Always connected” mode. Choices:
|
|
The length of time (in minutes) until the user’s credentials are resent to the gateway to verify authorization. |
|
Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing. Choices:
|
|
Configure the settings for Wireless Hot Spot and Hotel Internet access registration. |
|
Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won’t be available). When the feature is enabled, you have several minutes to complete registration. Choices:
|
|
Local subnets access only. Choices:
|
|
Maximum number of addresses to allow access to during registration. |
|
Ports to be opened during registration (up to 10 ports). |
|
Maximum time (in seconds) to complete registration. |
|
Track log. Choices:
|
|
Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client’s details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway.<br>Available only if enable-back-connections is true. |
|
Define properties of the Secure Configuration Verification process. |
|
Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule. Choices:
|
|
Specify the hosts that can be accessed using the selected services even if the client is not verified.<br>Available only if apply-scv-on-simplified-mode-fw-policies is true. |
|
Specify the Hosts to be excluded from SCV. |
|
Specify the services to be accessed. |
|
If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server. Choices:
|
|
Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don’t support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients.<br>Available only if apply-scv-on-simplified-mode-fw-policies is true. Choices:
|
|
If the client identifies that the secure configuration has been violated, select whether to user should be notified. Choices:
|
|
Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used. Choices:
|
|
Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client. Choices:
|
|
If the gateway verifies the client’s configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or Accept the connection and log it. Choices:
|
|
Define properties for SecureClient Mobile. |
|
When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated. Choices:
|
|
Cached password timeout (in minutes). |
|
Methods by which a connection to the gateway will be initiated,<br>Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client<br>Manual - VPN connections will not be initiated automatically.<br>Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances, (a) the device has a valid IP address, (b) when the device “wakes up” from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.).<br>On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection. Choices:
|
|
Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period. Choices:
|
|
If the password entered to authenticate is saved locally on the user’s machine. Choices:
|
|
Wide Impact, Also applies for SSL Network Extender clients!<br>The length of time (in minutes) until the user’s credentials are resent to the gateway to verify authorization. |
|
Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing. Choices:
|
|
Wide Impact, Also applies for SSL Network Extender clients!<br>Select the encryption algorithms that will be supported with remote users. Choices:
|
|
Wide Impact, Also applies for SSL Network Extender clients and Check Point GO clients.<br>How the user will be authenticated by the gateway. Choices:
|
|
Select the simultaneous login mode. Choices:
|
|
Define properties for SSL Network Extender users. |
|
Select the interval which the keep-alive packets are sent. |
|
Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway. Choices:
|
|
When a client connects to the gateway with SSL Network Extender, the client automatically checks for upgrade. Select whether the client should automatically upgrade. Choices:
|
|
Wide Impact, Applies for the SecureClient Mobile!<br>Select the interval that users will need to reauthenticate. |
|
Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy. Choices:
|
|
Wide Impact, Also applies to SecureClient Mobile devices!<br>Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients. Choices:
|
|
Wide Impact, Also applies for SecureClient Mobile devices and Check Point GO clients!<br>User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients.<br>Legacy - Username and password only.<br>Certificate - Certificate only with an existing certificate.<br>Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only.<br>Mixed - Can use either username and password or certificate. Choices:
|
|
Configure encryption methods and interface resolution for remote access clients. |
|
SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption. Choices:
|
|
Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points. Choices:
|
|
Use first allocated Office Mode IP Address for all connections to the Gateways of the site.After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateways encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user’s IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote hosts connections are dependant on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate. Choices:
|
|
configure supported Encryption and Authentication methods for Remote Access clients. |
|
Select the methods negotiated in IKE phase 2 and used in IPSec connections. |
|
Configure the IKE Phase 1 settings. |
|
Select the hash algorithms that will be supported with remote hosts to ensure data integrity. |
|
Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select the Diffie-Hellman groups that will be supported with remote hosts. |
|
Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts. Choices:
|
|
Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts. Choices:
|
|
Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts. Choices:
|
|
Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts. Choices:
|
|
Select the encryption algorithms that will be supported with remote hosts. |
|
Select whether the AES-128 encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the AES-256 encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the DES encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the Triple DES encryption algorithm will be supported with remote hosts. Choices:
|
|
The hash algorithm chosen here will be given the highest priority if more than one choice is offered. Choices:
|
|
SecureClient users utilize the Diffie-Hellman group selected in this field. Choices:
|
|
Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more that one encryption algorithm to use, the algorithm selected in this field will be used. Choices:
|
|
Configure the IPSEC Phase 2 settings. |
|
Enforce Encryption Algorithm and Data Integrity on all users. Choices:
|
|
Select the hash algorithms that will be supported with remote hosts to ensure data integrity. |
|
Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity. Choices:
|
|
Select the encryption algorithms that will be supported with remote hosts. |
|
Select whether the AES-128 encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the AES-256 encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the DES encryption algorithm will be supported with remote hosts. Choices:
|
|
Select whether the Triple DES encryption algorithm will be supported with remote hosts. Choices:
|
|
The hash algorithm chosen here will be given the highest priority if more than one choice is offered. Choices:
|
|
Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more that one encryption algorithm to use, the algorithm selected in this field will be used. Choices:
|
|
Select the encryption method. Choices:
|
|
Type in the pre-shared key.<br>Available only if support-l2tp-with-pre-shared-key is set to true. |
|
the user password is specified in the Authentication tab in the user’s IKE properties (in the user properties window, Encryption tab > Edit). Choices:
|
|
Use a centrally managed pre-shared key for IKE. Choices:
|
|
Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK). Choices:
|
|
Support Legacy EAP (Extensible Authentication Protocol). Choices:
|
|
Adjust Stateful Inspection parameters. |
|
Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base. Choices:
|
|
Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base. Choices:
|
|
Accept reply packets for other undefined services (that is, services which are not one of the following, TCP, UDP, ICMP). Choices:
|
|
Specifies if UDP replies are to be accepted for unknown services. Choices:
|
|
Drop ICMP packets which are not consistent with the current state of the connection. Choices:
|
|
Drop SCTP packets which are not consistent with the current state of the connection. Choices:
|
|
Drop TCP packets which are not consistent with the current state of the connection. Choices:
|
|
An ICMP virtual session will be considered to have timed out after this time period (in seconds). |
|
Generates a log entry when these out of state ICMP packets are dropped.<br>Available only if drop-out-of-state-icmp-packets is true. Choices:
|
|
Generates a log entry when these out of state SCTP packets are dropped.<br>Available only if drop-out-of-state-sctp-packets is true. Choices:
|
|
Generates a log entry when these out of state TCP packets are dropped.<br>Available only if drop-out-of-state-tcp-packets is true. Choices:
|
|
A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds). |
|
SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late. |
|
Time (in seconds) an idle connection will remain in the Security Gateway connections table. |
|
SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds). |
|
A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction, client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late. |
|
A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction, client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late. |
|
Name or uid of the gateways and clusters for which Out of State packets are allowed. |
|
The length of time (in seconds) an idle connection will remain in the Security Gateway connections table. |
|
A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds. |
|
Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned. |
|
Set the expiration for a user account and configure “about to expire” warnings. |
|
Account expires after the number of days that you select.<br>Available only if expiration-date-method is set to “expire after”. |
|
Specify an Expiration Date in the following format, YYYY-MM-DD.<br>Available only if expiration-date-method is set to “expire at”. |
|
Select an Expiration Date Method.<br>Expire at - Account expires on the date that you select.<br>Expire after - Account expires after the number of days that you select. Choices:
|
|
Activates the Expired Accounts link, to open the Expired Accounts window. Choices:
|
|
Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization. |
|
Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority. Choices:
|
|
Specify which Windows domains will have access to the internal sites of the organization.<br>Available only if windows-domains-to-trust is set to SELECTIVELY. |
|
When matching Firewall usernames to Windows Domains usernames for Single Sign on, selectwhether to trust all or specify which Windows Domain should be trusted.<br>ALL - Enables you to allow all Windows domains to access the internal sites of the organization.<br>SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization. Choices:
|
|
Set a language for the UserCheck message if the language setting in the user’s browser cannot be determined. |
|
The preferred language for new UserCheck message. Choices:
|
|
Name or UID of mail server to send emails to. |
|
User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases. |
|
The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out. |
|
Decide whether or not you would like to display the user’s DN when logging in. If you choose to display the user DN, you can select whether to display it, when the user is prompted for the password at login, or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored. Choices:
|
|
For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords. Choices:
|
|
Enable configuring of the number of days during which the password is valid.<br>If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true. Choices:
|
|
Enforces password strength rules on LDAP users when you create or modify a Check Point Password. Choices:
|
|
Specifies the minimum length (in characters) of the password. |
|
Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined.<br>Available only if enable-password-expiration-configuration is true. |
|
Password must include a digit. Choices:
|
|
Password must include a symbol. Choices:
|
|
Password must include a lowercase character. Choices:
|
|
Password must include an uppercase character. Choices:
|
|
The period of time in which a cached user is timed out and will need to be fetched again from the LDAP server. |
|
Version of checkpoint. If not given one, the latest version taken. |
|
Configure settings relevant to VPN. |
|
Enter the domain name that will be used for gateways DNS lookup. The DNS host name that is used is “gateway_name.domain_name”. |
|
Enable Backup Gateway. Choices:
|
|
Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the ‘Accept’ action determines that a connection is allowed, while the ‘Encrypt’ action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an ‘Accept’ action or drops it. Choices:
|
|
Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes,<br> <ul><li> First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network.</li><br> <li> VPN Domain, is when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways.</li><br> <li> Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way.</li><br> <li> Manually set priority list, gateway priorities can be set manually for the entire community or for individual satellite gateways.</li></ul>. Choices:
|
|
Enable VPN Directional Match in VPN Column.<br>Note, VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO. Choices:
|
|
When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer’s certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity. |
|
When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer’s certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity. |
|
When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client’s clock is not synchronized with the gateway’s clock, a CRL that is considered valid by the gateway may be considered invalid by the client. |
|
When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN’s capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection,<br> <ul><li> Stateless - the peer has to respond to an IKE notification in a way that proves the peer’s IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation</li><br> <li> Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously.</li></ul>Puzzles is more secure then Stateless, but affects performance.<br>Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non Check Point VPN products or older versions of VPN. Choices:
|
|
When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN’s capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection,<br> <ul><li> Stateless - the peer has to respond to an IKE notification in a way that proves the peer’s IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation</li><br> <li> Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously.</li></ul>Puzzles is more secure then Stateless, but affects performance.<br>Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non Check Point VPN products or older versions of VPN. Choices:
|
|
Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis. Choices:
|
|
Wait for the task to end. Such as publish task. Choices:
|
|
How many minutes to wait until throwing a timeout error. Default: |
Examples
- name: set-global-properties
cp_mgmt_set_global_properties:
firewall:
security_server:
http_servers:
- host: host name of server
logical_name: unique logical name
port: 8080
reauthentication: post request
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
The checkpoint set-global-properties output. Returned: always. |