check_point.mgmt.cp_mgmt_access_rule module – Manages access-rule objects on Check Point over Web Services API
Note
This module is part of the check_point.mgmt collection (version 5.2.3).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install check_point.mgmt
.
To use it in a playbook, specify: check_point.mgmt.cp_mgmt_access_rule
.
New in check_point.mgmt 1.0.0
Synopsis
Manages access-rule objects on Check Point devices including creating, updating and removing objects.
All operations are performed over Web Services API.
Parameters
Parameter |
Comments |
---|---|
a “Accept”, “Drop”, “Ask”, “Inform”, “Reject”, “User Auth”, “Client Auth”, “Apply Layer”. |
|
Action settings. |
|
N/A Choices:
|
|
N/A |
|
Publish the current session if changes have been performed after task completes. Choices:
|
|
Comments string. |
|
List of processed file types that this rule applies on. |
|
On which direction the file types processing is applied. Choices:
|
|
True if negate is set for data. Choices:
|
|
Custom fields. |
|
First custom field. |
|
Second custom field. |
|
Third custom field. |
|
Collection of Network objects identified by the name or UID. |
|
True if negate is set for destination. Choices:
|
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object. Choices:
|
|
Enable/Disable the rule. Choices:
|
|
Apply changes ignoring errors. You won’t be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. Choices:
|
|
Apply changes ignoring warnings. Choices:
|
|
Inline Layer identified by the name or UID. Relevant only if “Action” was set to “Apply Layer”. |
|
Which Gateways identified by the name or UID to install the policy on. |
|
Layer that the rule belongs to identified by the name or UID. |
|
Object name. |
|
Position in the rulebase. The use of values “top” and “bottom” may not be idempotent. |
|
Position in the rulebase. Use of this field may not be idempotent. |
|
Add rule above specific rule/section identified by name (limited to 50 rules if search_entire_rulebase is False). |
|
Add rule below specific rule/section identified by name (limited to 50 rules if search_entire_rulebase is False). |
|
Add rule to the bottom of a specific section identified by name (limited to 50 rules if search_entire_rulebase is False). |
|
Add rule to the top of a specific section identified by name (limited to 50 rules if search_entire_rulebase is False). |
|
Whether to search the entire rulebase for a rule that’s been edited in its relative_position field to make sure there indeed has been a change in its position or the section it might be in. Choices:
|
|
Collection of Network objects identified by the name or UID. |
|
True if negate is set for service. Choices:
|
|
Collection of Network objects identified by the name or UID. |
|
True if negate is set for source. Choices:
|
|
State of the access rule (present or absent). Choices:
|
|
List of time objects. For example, “Weekend”, “Off-Work”, “Every-Day”. |
|
Track Settings. |
|
Turns accounting for track on and off. Choices:
|
|
Type of alert for the track. Choices:
|
|
Determine whether to generate session log to firewall only connections. Choices:
|
|
Determines whether to perform the log per connection. Choices:
|
|
Determines whether to perform the log per session. Choices:
|
|
a “Log”, “Extended Log”, “Detailed Log”, “None”. |
|
User check settings. |
|
N/A Choices:
|
|
N/A |
|
N/A |
|
N/A Choices:
|
|
N/A Choices:
|
|
N/A |
|
Version of checkpoint. If not given one, the latest version taken. |
|
Any or All_GwToGw. Choices:
|
|
Communities or Directional. |
|
List of community name or UID. |
|
Communities directional match condition. |
|
From community name or UID. |
|
To community name or UID. |
|
Wait for the task to end. Such as publish task. Choices:
|
|
How many minutes to wait until throwing a timeout error. Default: |
Examples
- name: add-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 1
position: 1
service:
- SMTP
- AOL
vpn: All_GwToGw
state: present
- name: set-access-rule
cp_mgmt_access_rule:
action: Ask
action_settings:
enable_identity_captive_portal: true
limit: Upload_1Gbps
layer: Network
name: Rule 1
state: present
- name: delete-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 2
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The checkpoint object created or updated. Returned: always, except when deleting the object. |