check_point.mgmt.cp_mgmt_set_global_properties (5.2.2) - module
Collection: check_point.mgmt 5.2.2 (module added in version 3.0.0 of check_point.mgmt)
Authors: Eden Brillant (@chkp-edenbr)
Status: preview | supported by community
Install with: ansible-galaxy collection install check_point.mgmt:==5.2.2
requirements.yml entry:
  collections:
    - name: check_point.mgmt
      version: 5.2.2
Edit Global Properties.
All operations are performed over Web Services API.
Example:
  - name: set-global-properties
    cp_mgmt_set_global_properties:
      firewall:
        security_server:
          http_servers:
            - host: host name of server
              logical_name: unique logical name
              port: 8080
              reauthentication: post request
Parameters (module argument spec):
options:
  nat:
    description:
      - Configure settings that apply to all NAT connections.
    suboptions:
      addr_alloc_and_release_track:
        choices:
          - ip allocation log
          - none
        description:
          - Specifies whether to log each allocation and release of an IP address from the IP Pool.
          - Available only if enable-ip-pool-nat is true.
        type: str
      addr_exhaustion_track:
        choices:
          - ip exhaustion alert
          - none
          - ip exhaustion log
        description:
          - Specifies the action to take if the IP Pool is exhausted.
          - Available only if enable-ip-pool-nat is true.
        type: str
      allow_bi_directional_nat:
        description:
          - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
        type: bool
      auto_arp_conf:
        description:
          - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
        type: bool
      auto_translate_dest_on_client_side:
        description:
          - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
        type: bool
      enable_ip_pool_nat:
        description:
          - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
        type: bool
      manually_translate_dest_on_client_side:
        description:
          - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
        type: bool
      merge_manual_proxy_arp_conf:
        description:
          - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules.
          - Available only if auto-arp-conf is true.
        type: bool
    type: dict
  qos:
    description:
      - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
    suboptions:
      authenticated_ip_expiration:
        description:
          - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
        type: int
      default_weight_of_rule:
        description:
          - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule.
          - Note, the value will be applied to new rules only.
        type: int
      max_weight_of_rule:
        description:
          - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
        type: int
      non_authenticated_ip_expiration:
        description:
          - Define the Authentication time-out for QoS. This timeout is set in minutes.
        type: int
      unanswered_queried_ip_expiration:
        description:
          - Define the Authentication time-out for QoS. This timeout is set in minutes.
        type: int
      unit_of_measure:
        choices:
          - bits-per-sec
          - bytes-per-sec
          - kbits-per-sec
          - kbytes-per-sec
          - mbits-per-sec
          - mbytes-per-sec
        description:
          - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
        type: str
    type: dict
  vpn:
    description:
      - Configure settings relevant to VPN.
    suboptions:
      domain_name_for_dns_resolving:
        description:
          - Enter the domain name that will be used for gateways DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
        type: str
      enable_backup_gw:
        description:
          - Enable Backup Gateway.
        type: bool
      enable_decrypt_on_accept_for_gw_to_gw_traffic:
        description:
          - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
        type: bool
      enable_load_distribution_for_mep_conf:
        description:
          - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes.
          - First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network.
          - VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways.
          - Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way.
          - Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
        type: bool
      enable_vpn_directional_match_in_vpn_column:
        description:
          - Enable VPN Directional Match in VPN Column.
          - Note, VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
        type: bool
      grace_period_after_the_crl_is_not_valid:
        description:
          - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
        type: int
      grace_period_before_the_crl_is_valid:
        description:
          - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
        type: int
      grace_period_extension_for_secure_remote_secure_client:
        description:
          - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
        type: int
      support_ike_dos_protection_from_identified_src:
        choices:
          - puzzles
          - stateless
          - none
        description:
          - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection.
          - Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation.
          - Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously.
          - Puzzles is more secure than Stateless, but affects performance.
          - Since these protections involve a new proprietary addition to the IKE protocol, enabling them may cause difficulties with non Check Point VPN products or older versions of VPN.
        type: str
      support_ike_dos_protection_from_unidentified_src:
        choices:
          - puzzles
          - stateless
          - none
        description:
          - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection.
          - Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation.
          - Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously.
          - Puzzles is more secure than Stateless, but affects performance.
          - Since these protections involve a new proprietary addition to the IKE protocol, enabling them may cause difficulties with non Check Point VPN products or older versions of VPN.
        type: str
      vpn_conf_method:
        choices:
          - simplified
          - traditional
          - per policy
        description:
          - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
        type: str
    type: dict
  proxy:
    description:
      - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
    suboptions:
      proxy_address:
        description:
          - Specify the URL or IP address of the proxy server.
          - Available only if use-proxy-server is set to true.
        type: str
      proxy_port:
        description:
          - Specify the Port on which the server will be accessed.
          - Available only if use-proxy-server is set to true.
        type: int
      use_proxy_server:
        description:
          - If set to true, a proxy server is used when features need to access the internet.
        type: bool
    type: dict
  version:
    description:
      - Version of checkpoint. If not given, the latest version is taken.
    type: str
  firewall:
    description:
      - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
    suboptions:
      accept_control_connections:
        description:
          - Used for the following.
          - Installing the security policy from the Security Management server to the gateways.
          - Sending logs from the gateways to the Security Management server.
          - Communication between SmartConsole clients and the Security Management Server.
          - Communication between Firewall daemons on different machines (Security Management Server, Security Gateway).
          - Connecting to OPSEC applications such as RADIUS and TACACS authentication servers.
          - If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
        type: bool
      accept_domain_name_over_tcp:
        description:
          - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
        type: bool
      accept_domain_name_over_tcp_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-domain-name-over-tcp is true.
        type: str
      accept_domain_name_over_udp:
        description:
          - Accepts Domain Name (DNS) queries and replies over UDP.
        type: bool
      accept_domain_name_over_udp_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-domain-name-over-udp is true.
        type: str
      accept_dynamic_addr_modules_outgoing_internet_connections:
        description:
          - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
        type: bool
      accept_icmp_requests:
        description:
          - Accepts Internet Control Message Protocol messages.
        type: bool
      accept_icmp_requests_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-icmp-requests is true.
        type: str
      accept_identity_awareness_control_connections:
        description:
          - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
        type: bool
      accept_identity_awareness_control_connections_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-identity-awareness-control-connections is true.
        type: str
      accept_incoming_traffic_to_dhcp_and_dns_services_of_gws:
        description:
          - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
        type: bool
      accept_ips1_management_connections:
        description:
          - Accepts IPS-1 connections.
          - Available only if accept-control-connections is true.
        type: bool
      accept_outgoing_packets_originating_from_connectra_gw:
        description:
          - Accepts outgoing packets originating from Connectra gateway.
          - Available only if accept-outgoing-packets-originating-from-gw is false.
        type: bool
      accept_outgoing_packets_originating_from_gw:
        description:
          - Accepts all packets from connections that originate at the Check Point Security Gateway.
        type: bool
      accept_outgoing_packets_originating_from_gw_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-outgoing-packets-originating-from-gw is false.
        type: str
      accept_outgoing_packets_to_cp_online_services:
        description:
          - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher.
          - Available only if accept-outgoing-packets-originating-from-gw is false.
        type: bool
      accept_outgoing_packets_to_cp_online_services_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-outgoing-packets-to-cp-online-services is true.
        type: str
      accept_remote_access_control_connections:
        description:
          - Accepts Remote Access connections.
          - Available only if accept-control-connections is true.
        type: bool
      accept_rip:
        description:
          - Accepts Routing Information Protocol (RIP), using UDP on port 520.
        type: bool
      accept_rip_position:
        choices:
          - first
          - last
          - before last
        description:
          - The position of the implied rules in the Rule Base.
          - Available only if accept-rip is true.
        type: str
      accept_smart_update_connections:
        description:
          - Accepts SmartUpdate connections.
        type: bool
      accept_vrrp_packets_originating_from_cluster_members:
        description:
          - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
        type: bool
      accept_web_and_ssh_connections_for_gw_administration:
        description:
          - Accepts Web and SSH connections for Small Office Appliance gateways.
        type: bool
      log_implied_rules:
        description:
          - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
        type: bool
      security_server:
        description:
          - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
        suboptions:
          client_auth_welcome_file:
            description:
              - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
            type: str
          ftp_welcome_msg_file:
            description:
              - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
            type: str
          http_next_proxy_host:
            description:
              - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed.
              - These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
            type: str
          http_next_proxy_port:
            description:
              - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed.
              - These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
            type: int
          http_servers:
            description:
              - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
            elements: dict
            suboptions:
              host:
                description:
                  - Host name of the HTTP Server.
                type: str
              logical_name:
                description:
                  - Unique Logical Name of the HTTP Server.
                type: str
              port:
                description:
                  - Port number of the HTTP Server.
                type: int
              reauthentication:
                choices:
                  - standard
                  - post request
                  - every request
                description:
                  - Specify whether users must reauthenticate when accessing a specific server.
                type: str
            type: list
          mdq_welcome_msg:
            description:
              - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules.
              - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen.
              - This message must not end with a space or a tab and is limited to 63 characters.
            type: str
          rlogin_welcome_msg_file:
            description:
              - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
            type: str
          server_for_null_requests:
            description:
              - The Logical Name of a Null Requests Server from http-servers.
            type: str
          smtp_welcome_msg:
            description:
              - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
            type: str
          telnet_welcome_msg_file:
            description:
              - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
            type: str
        type: dict
    type: dict
  hit_count:
    description:
      - Enable the Hit Count feature that tracks the number of connections that each rule matches.
    suboptions:
      enable_hit_count:
        description:
          - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
        type: bool
      keep_hit_count_data_up_to:
        choices:
          - 3 months
          - 6 months
          - 1 year
          - 2 years
        description:
          - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
        type: str
    type: dict
  user_check:
    description:
      - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
    suboptions:
      preferred_language:
        choices:
          - Afrikaans
          - Albanian
          - Amharic
          - Arabic
          - Armenian
          - Basque
          - Belarusian
          - Bosnian
          - Bulgarian
          - Catalan
          - Chinese
          - Croatian
          - Czech
          - Danish
          - Dutch
          - English
          - Estonian
          - Finnish
          - French
          - Gaelic
          - Georgian
          - German
          - Greek
          - Hebrew
          - Hindi
          - Hungarian
          - Icelandic
          - Indonesian
          - Irish
          - Italian
          - Japanese
          - Korean
          - Latvian
          - Lithuanian
          - Macedonia
          - Maltese
          - Nepali
          - Norwegian
          - Polish
          - Portuguese
          - Romanian
          - Russian
          - Serbian
          - Slovak
          - Slovenian
          - Sorbian
          - Spanish
          - Swahili
          - Swedish
          - Thai
          - Turkish
          - Ukrainian
          - Vietnamese
          - Welsh
        description:
          - The preferred language for new UserCheck messages.
        type: str
      send_emails_using_mail_server:
        description:
          - Name or UID of mail server to send emails to.
        type: str
    type: dict
  advanced_conf:
    description:
      - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
    suboptions:
      certs_and_pki:
        description:
          - Configure Certificates and PKI properties.
        suboptions:
          cert_validation_enforce_key_size:
            choices:
              - 'off'
              - alert
              - fail
            description:
              - Enforce key length in certificate validation (R80+ gateways only).
            type: str
          host_certs_ecdsa_key_size:
            choices:
              - p-256
              - p-384
              - p-521
            description:
              - Select the key size for ECDSA of the host certificate.
            type: str
          host_certs_key_size:
            choices:
              - '4096'
              - '1024'
              - '2048'
            description:
              - Select the key size of the host certificate.
            type: str
        type: dict
    type: dict
  details_level:
    choices:
      - uid
      - standard
      - full
    description:
      - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.
    type: str
  ignore_errors:
    description:
      - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag was omitted, warnings will also be ignored.
    type: bool
  log_and_alert:
    description:
      - Define system-wide logging and alerting parameters.
    suboptions:
      administrative_notifications:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
        type: str
      alerts:
        description:
          - Define the behavior of alert logs and the type of alert used for System Alert logs.
        suboptions:
          default_track_option_for_system_alerts:
            choices:
              - Popup Alert
              - Mail Alert
              - SNMP Trap Alert
              - User Defined Alert no.1
              - User Defined Alert no.2
              - User Defined Alert no.3
            description:
              - Set the default track option for System Alerts.
            type: str
          mail_alert_script:
            description:
              - Run mail alert script - the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
            type: str
          popup_alert_script:
            description:
              - Run popup alert script - the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
            type: str
          send_mail_alert_to_smartview_monitor:
            description:
              - Send mail alert to SmartView Monitor - when a mail alert is issued, it is also sent to SmartView Monitor.
            type: bool
          send_popup_alert_to_smartview_monitor:
            description:
              - Send popup alert to SmartView Monitor - when an alert is issued, it is also sent to SmartView Monitor.
            type: bool
          send_snmp_trap_alert_to_smartview_monitor:
            description:
              - Send SNMP trap alert to SmartView Monitor - when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
            type: bool
          send_user_defined_alert_num1_to_smartview_monitor:
            description:
              - Send user defined alert no. 1 to SmartView Monitor - when an alert is issued, it is also sent to SmartView Monitor.
            type: bool
          send_user_defined_alert_num2_to_smartview_monitor:
            description:
              - Send user defined alert no. 2 to SmartView Monitor - when an alert is issued, it is also sent to SmartView Monitor.
            type: bool
          send_user_defined_alert_num3_to_smartview_monitor:
            description:
              - Send user defined alert no. 3 to SmartView Monitor - when an alert is issued, it is also sent to SmartView Monitor.
            type: bool
          snmp_trap_alert_script:
            description:
              - Run SNMP trap alert script - the command to be executed when SNMP Trap is specified as the Track in a rule. By default the internal_snmp_trap is used. This command is executed by the fwd process.
            type: str
          user_defined_script_num1:
            description:
              - Run user defined script - the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
            type: str
          user_defined_script_num2:
            description:
              - Run user defined 2 script - the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
            type: str
          user_defined_script_num3:
            description:
              - Run user defined 3 script - the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
            type: str
        type: dict
      connection_matched_by_sam:
        choices:
          - Popup Alert
          - Mail Alert
          - SNMP Trap Alert
          - User Defined Alert no.1
          - User Defined Alert no.2
          - User Defined Alert no.3
        description:
          - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
        type: str
      dynamic_object_resolution_failure:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
        type: str
      ip_options_drop:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - IP Options drop specifies the action to take when a packet with IP Options is encountered. The Check Point Security Gateway always drops these packets, but you can log them or issue an alert.
        type: str
      log_every_authenticated_http_connection:
        description:
          - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
        type: bool
      log_traffic:
        choices:
          - none
          - log
        description:
          - Log Traffic specifies whether or not to log traffic.
        type: str
      packet_is_incorrectly_tagged:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - Packet is incorrectly tagged.
        type: str
      packet_tagging_brute_force_attack:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - Packet tagging brute force attack.
        type: str
      sla_violation:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
        type: str
      time_settings:
        description:
          - Configure the time settings associated with system-wide logging and alerting parameters.
        suboptions:
          excessive_log_grace_period:
            description:
              - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field.
              - Note, this option only applies for DROP rules with logging.
            type: int
          logs_resolving_timeout:
            description:
              - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
            type: int
          status_fetching_interval:
            description:
              - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
            type: int
          virtual_link_statistics_logging_interval:
            description:
              - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
            type: int
        type: dict
      vpn_conf_and_key_exchange_errors:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
        type: str
      vpn_packet_handling_error:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
        type: str
      vpn_successful_key_exchange:
        choices:
          - none
          - log
          - popup alert
          - mail alert
          - snmp trap alert
          - user defined alert no.1
          - user defined alert no.2
          - user defined alert no.3
        description:
          - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
        type: str
    type: dict
  remote_access:
    description:
      - Configure Remote Access properties.
    suboptions:
      enable_back_connections:
        description:
          - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
        type: bool
      encrypt_dns_traffic:
        description:
          - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
        type: bool
      endpoint_connect:
        description:
          - Configure global settings for Endpoint Connect. These settings apply to all gateways.
        suboptions:
          cache_password_timeout:
            description:
              - Cached password timeout (in minutes).
            type: int
          client_upgrade_mode:
            choices:
              - force_upgrade
              - ask_user
              - no_upgrade
            description:
              - Select an option to determine how the client is upgraded.
            type: str
          connect_mode:
            choices:
              - Manual
              - Always Connected
              - Configured On Endpoint Client
            description:
              - Methods by which a connection to the gateway will be initiated.
              - Manual - VPN connections will not be initiated automatically.
              - Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances, (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.).
              - Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
            type: str
          disconnect_when_conn_to_network_is_lost:
            choices:
              - client_decide
              - 'true'
              - 'false'
            description:
              - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
            type: str
          disconnect_when_device_is_idle:
            choices:
              - client_decide
              - 'true'
              - 'false'
            description:
              - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
            type: str
          enable_password_caching:
            choices:
              - client_decide
              - 'true'
              - 'false'
            description:
              - Whether the password entered to authenticate is saved locally on the user's machine.
            type: str
          network_location_awareness:
            choices:
              - client_decide
              - 'true'
              - 'false'
            description:
              - Wide Impact, also applies to Check Point GO clients!
              - Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
            type: str
          network_location_awareness_conf:
            description:
              - Configure how the client determines its location in relation to the internal network.
            suboptions:
              consider_undefined_dns_suffixes_as_external:
                description:
                  - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
                type: bool
              consider_wireless_networks_as_external:
                description:
                  - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
                type: bool
              dns_suffixes:
                description:
                  - DNS suffixes not defined here will be considered as external. If this list is empty, consider-undefined-dns-suffixes-as-external will automatically be set to false.
                  - Available only if consider-undefined-dns-suffixes-as-external is set to true.
                elements: str
                type: list
              excluded_internal_wireless_networks:
                description:
                  - Excludes the specified internal network names (SSIDs).
                  - Available only if consider-wireless-networks-as-external is set to true.
                elements: str
                type: list
              network_or_group_of_conn_vpn_client:
                description:
                  - Name or UID of Network or Group the VPN client is connected from.
                  - Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
type: str remember_previously_detected_external_networks: description: - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external. type: bool vpn_clients_are_considered_inside_the_internal_network_when_the_client: choices: - connects to gw through internal interface - connects from network or group - runs on computer with access to active directory domain description: - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network,<br>Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended).<br>Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client.<br>Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain.<br>Note, The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode. type: str type: dict re_auth_user_interval: description: - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization. type: int route_all_traffic_to_gw: choices: - client_decide - 'true' - 'false' description: - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing. type: str type: dict hot_spot_and_hotel_registration: description: - Configure the settings for Wireless Hot Spot and Hotel Internet access registration. suboptions: enable_registration: description: - Set Enable registration to true in order to configure settings. 
Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration. type: bool local_subnets_access_only: description: - Local subnets access only. type: bool max_ip_access_during_registration: description: - Maximum number of addresses to allow access to during registration. type: int ports: description: - Ports to be opened during registration (up to 10 ports). elements: str type: list registration_timeout: description: - Maximum time (in seconds) to complete registration. type: int track_log: description: - Track log. type: bool type: dict keep_alive_packet_to_gw_interval: description: - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway.<br>Available only if enable-back-connections is true. type: int scv: description: - Define properties of the Secure Configuration Verification process. suboptions: apply_scv_on_simplified_mode_fw_policies: description: - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule. type: bool exceptions: description: - Specify the hosts that can be accessed using the selected services even if the client is not verified.<br>Available only if apply-scv-on-simplified-mode-fw-policies is true. elements: dict suboptions: hosts: description: - Specify the Hosts to be excluded from SCV. 
elements: str type: list services: description: - Specify the services to be accessed. elements: str type: list type: list generate_log: description: - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server. type: bool no_scv_for_unsupported_cp_clients: description: - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients.<br>Available only if apply-scv-on-simplified-mode-fw-policies is true. type: bool notify_user: description: - If the client identifies that the secure configuration has been violated, select whether to user should be notified. type: bool only_tcp_ip_protocols_are_used: description: - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used. type: bool policy_installed_on_all_interfaces: description: - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client. type: bool upon_verification_accept_and_log_client_connection: description: - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or Accept the connection and log it. type: bool type: dict secure_client_mobile: description: - Define properties for SecureClient Mobile. suboptions: automatically_initiate_dialup: choices: - client_decide - 'true' - 'false' description: - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. 
Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated. type: str cache_password_timeout: description: - Cached password timeout (in minutes). type: int connect_mode: choices: - manual - always connected - on application request - configured on endpoint client description: - Methods by which a connection to the gateway will be initiated,<br>Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client<br>Manual - VPN connections will not be initiated automatically.<br>Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances, (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.).<br>On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection. type: str disconnect_when_device_is_idle: choices: - client_decide - 'true' - 'false' description: - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period. type: str enable_password_caching: choices: - client_decide - 'true' - 'false' description: - If the password entered to authenticate is saved locally on the user's machine. type: str re_auth_user_interval: description: - Wide Impact, Also applies for SSL Network Extender clients!<br>The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization. type: int route_all_traffic_to_gw: choices: - client_decide - 'true' - 'false' description: - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing. 
type: str supported_encryption_methods: choices: - 3des_or_rc4 - 3des_only description: - Wide Impact, Also applies for SSL Network Extender clients!<br>Select the encryption algorithms that will be supported with remote users. type: str user_auth_method: choices: - certificate_with_enrollment - certificate - mixed - legacy description: - Wide Impact, Also applies for SSL Network Extender clients and Check Point GO clients.<br>How the user will be authenticated by the gateway. type: str type: dict simultaneous_login_mode: choices: - allowonlysinglelogintouser - allowseverallogintouser description: - Select the simultaneous login mode. type: str ssl_network_extender: description: - Define properties for SSL Network Extender users. suboptions: client_outgoing_keep_alive_packets_frequency: description: - Select the interval which the keep-alive packets are sent. type: int client_uninstall_upon_disconnection: choices: - force_uninstall - ask_user - dont_uninstall description: - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway. type: str client_upgrade_upon_connection: choices: - force_upgrade - ask_user - no_upgrade description: - When a client connects to the gateway with SSL Network Extender, the client automatically checks for upgrade. Select whether the client should automatically upgrade. type: str re_auth_user_interval: description: - Wide Impact, Applies for the SecureClient Mobile!<br>Select the interval that users will need to reauthenticate. type: int scan_ep_machine_for_compliance_with_ep_compliance_policy: description: - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy. type: bool supported_encryption_methods: choices: - 3des_or_rc4 - 3des_only description: - Wide Impact, Also applies to SecureClient Mobile devices!<br>Select the encryption algorithms that will be supported for remote users. 
Changes made here will also apply for all SSL clients. type: str user_auth_method: choices: - certificate_with_enrollment - certificate - mixed - legacy description: - Wide Impact, Also applies for SecureClient Mobile devices and Check Point GO clients!<br>User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients.<br>Legacy - Username and password only.<br>Certificate - Certificate only with an existing certificate.<br>Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only.<br>Mixed - Can use either username and password or certificate. type: str type: dict vpn_advanced: description: - Configure encryption methods and interface resolution for remote access clients. suboptions: allow_clear_traffic_to_encryption_domain_when_disconnected: description: - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption. type: bool enable_load_distribution_for_mep_conf: description: - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points. type: bool use_first_allocated_om_ip_addr_for_all_conn_to_the_gws_of_the_site: description: - Use first allocated Office Mode IP Address for all connections to the Gateways of the site.After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateways encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. 
The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote hosts connections are dependant on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate. type: bool type: dict vpn_authentication_and_encryption: description: - configure supported Encryption and Authentication methods for Remote Access clients. suboptions: encryption_algorithms: description: - Select the methods negotiated in IKE phase 2 and used in IPSec connections. suboptions: ike: description: - Configure the IKE Phase 1 settings. suboptions: support_data_integrity: description: - Select the hash algorithms that will be supported with remote hosts to ensure data integrity. suboptions: aes_xcbc: description: - Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity. type: bool md5: description: - Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool sha1: description: - Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool sha256: description: - Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool type: dict support_diffie_hellman_groups: description: - Select the Diffie-Hellman groups that will be supported with remote hosts. suboptions: group1: description: - Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts. type: bool group14: description: - Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts. 
type: bool group2: description: - Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts. type: bool group5: description: - Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts. type: bool type: dict support_encryption_algorithms: description: - Select the encryption algorithms that will be supported with remote hosts. suboptions: aes_128: description: - Select whether the AES-128 encryption algorithm will be supported with remote hosts. type: bool aes_256: description: - Select whether the AES-256 encryption algorithm will be supported with remote hosts. type: bool des: description: - Select whether the DES encryption algorithm will be supported with remote hosts. type: bool tdes: description: - Select whether the Triple DES encryption algorithm will be supported with remote hosts. type: bool type: dict use_data_integrity: choices: - aes-xcbc - sha256 - sha1 - md5 description: - The hash algorithm chosen here will be given the highest priority if more than one choice is offered. type: str use_diffie_hellman_group: choices: - group 1 - group 2 - group 5 - group 14 description: - SecureClient users utilize the Diffie-Hellman group selected in this field. type: str use_encryption_algorithm: choices: - AES-256 - DES - AES-128 - TDES description: - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more that one encryption algorithm to use, the algorithm selected in this field will be used. type: str type: dict ipsec: description: - Configure the IPSEC Phase 2 settings. suboptions: enforce_encryption_alg_and_data_integrity_on_all_users: description: - Enforce Encryption Algorithm and Data Integrity on all users. type: bool support_data_integrity: description: - Select the hash algorithms that will be supported with remote hosts to ensure data integrity. 
suboptions: aes_xcbc: description: - Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity. type: bool md5: description: - Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool sha1: description: - Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool sha256: description: - Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity. type: bool type: dict support_encryption_algorithms: description: - Select the encryption algorithms that will be supported with remote hosts. suboptions: aes_128: description: - Select whether the AES-128 encryption algorithm will be supported with remote hosts. type: bool aes_256: description: - Select whether the AES-256 encryption algorithm will be supported with remote hosts. type: bool des: description: - Select whether the DES encryption algorithm will be supported with remote hosts. type: bool tdes: description: - Select whether the Triple DES encryption algorithm will be supported with remote hosts. type: bool type: dict use_data_integrity: choices: - aes-xcbc - sha1 - sha256 - sha384 - sha512 - md5 description: - The hash algorithm chosen here will be given the highest priority if more than one choice is offered. type: str use_encryption_algorithm: choices: - AES-256 - DES - AES-128 - TDES description: - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more that one encryption algorithm to use, the algorithm selected in this field will be used. type: str type: dict type: dict encryption_method: choices: - prefer_ikev2_support_ikev1 - ike_v2_only - ike_v1_only description: - Select the encryption method. type: str l2tp_pre_shared_key: description: - Type in the pre-shared key.<br>Available only if support-l2tp-with-pre-shared-key is set to true. 
type: str pre_shared_secret: description: - the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window, Encryption tab > Edit). type: bool support_l2tp_with_pre_shared_key: description: - Use a centrally managed pre-shared key for IKE. type: bool support_legacy_auth_for_sc_l2tp_nokia_clients: description: - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK). type: bool support_legacy_eap: description: - Support Legacy EAP (Extensible Authentication Protocol). type: bool type: dict type: dict user_accounts: description: - Set the expiration for a user account and configure "about to expire" warnings. suboptions: days_until_expiration: description: - Account expires after the number of days that you select.<br>Available only if expiration-date-method is set to "expire after". type: int expiration_date: description: - Specify an Expiration Date in the following format, YYYY-MM-DD.<br>Available only if expiration-date-method is set to "expire at". type: str expiration_date_method: choices: - expire after - expire at description: - Select an Expiration Date Method.<br>Expire at - Account expires on the date that you select.<br>Expire after - Account expires after the number of days that you select. type: str show_accounts_expiration_indication_days_in_advance: description: - Activates the Expired Accounts link, to open the Expired Accounts window. type: bool type: dict wait_for_task: default: true description: - Wait for the task to end. Such as publish task. type: bool authentication: description: - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication). suboptions: allowed_suffix_for_internal_users: description: - Suffix for internal users authentication. 
type: str auth_internal_users_with_specific_suffix: description: - Enforce suffix for internal users authentication. type: bool delay_each_auth_attempt_by: description: - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field. type: int enable_delayed_auth: description: - all authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts. type: bool max_client_auth_attempts_before_connection_termination: description: - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. type: int max_days_before_expiration_of_non_pulled_user_certificates: description: - Users certificates which were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field. type: int max_rlogin_attempts_before_connection_termination: description: - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. type: int max_session_auth_attempts_before_connection_termination: description: - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. type: int max_telnet_attempts_before_connection_termination: description: - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field. type: int type: dict user_authority: description: - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization. 
suboptions: display_web_access_view: description: - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority. type: bool trust_only_following_windows_domains: description: - Specify which Windows domains will have access to the internal sites of the organization.<br>Available only if windows-domains-to-trust is set to SELECTIVELY. elements: str type: list windows_domains_to_trust: choices: - selectively - all description: - When matching Firewall usernames to Windows Domains usernames for Single Sign on, selectwhether to trust all or specify which Windows Domain should be trusted.<br>ALL - Enables you to allow all Windows domains to access the internal sites of the organization.<br>SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization. type: str type: dict user_directory: description: - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases. suboptions: cache_size: description: - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out. type: int display_user_dn_at_login: choices: - no display - display upon request - display description: - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it, when the user is prompted for the password at login, or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. 
In this case, the first one is chosen and the others are ignored. type: str enable_password_change_when_user_active_directory_expires: description: - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords. type: bool enable_password_expiration_configuration: description: - Enable configuring of the number of days during which the password is valid.<br>If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true. type: bool enforce_rules_for_user_mgmt_admins: description: - Enforces password strength rules on LDAP users when you create or modify a Check Point Password. type: bool min_password_length: description: - Specifies the minimum length (in characters) of the password. type: int password_expires_after: description: - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined.<br>Available only if enable-password-expiration-configuration is true. type: int password_must_include_a_digit: description: - Password must include a digit. type: bool password_must_include_a_symbol: description: - Password must include a symbol. type: bool password_must_include_lowercase_char: description: - Password must include a lowercase character. type: bool password_must_include_uppercase_char: description: - Password must include an uppercase character. type: bool timeout_on_cached_users: description: - The period of time in which a cached user is timed out and will need to be fetched again from the LDAP server. type: int type: dict connect_control: description: - Configure settings that relate to ConnectControl server load balancing. 
  suboptions:
    - load_agents_port (int): Sets the port number on which load measuring agents communicate with ConnectControl.
    - load_measurement_interval (int): Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
    - persistence_server_timeout (int): Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
    - server_availability_check_interval (int): Sets how often (in seconds) ConnectControl checks that the load balanced servers are running and responding to service requests.
    - server_check_retries (int): Sets how many times ConnectControl attempts to contact a server before it stops directing traffic to it.
  type: dict

- ignore_warnings (bool): Apply changes ignoring warnings.

- carrier_security (dict): Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options; and integrity tests.
  suboptions:
    - aggressive_aging (bool): If true, enables configuring aggressive aging thresholds and time out value.
    - aggressive_timeout (int): Aggressive timeout. Available only if aggressive-aging is true.
    - allow_ggsn_replies_from_multiple_interfaces (bool): Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (relevant only for gateways below R80).
    - block_gtp_in_gtp (bool): Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
    - enable_g_pdu_seq_number_check_with_max_deviation (bool): If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
    - enable_reverse_connections (bool): Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
    - enforce_gtp_anti_spoofing (bool): Verifies that G-PDUs are using the end user IP address that was agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
    - g_pdu_seq_number_check_max_deviation (int): Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
    - gtp_signaling_rate_limit_sampling_interval (int): Works in correlation with the property Enforce GTP Signal packet rate limit, found in the Carrier Security window of the GSN network object. For example, with the default rate limit sampling interval of 1 second and the network object enforcing the default GTP signal packet rate limit of 2048 PDUs per second, sampling occurs once per second, that is, 2048 signaling PDUs between two consecutive samplings.
    - memory_activation_threshold (int): Memory activation threshold. Available only if aggressive-aging is true.
    - memory_deactivation_threshold (int): Memory deactivation threshold. Available only if aggressive-aging is true.
    - one_gtp_echo_on_each_path_frequency (int): Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
    - produce_extended_logs_on_unmatched_pdus (bool): Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
    - produce_extended_logs_on_unmatched_pdus_position (str; choices: before last, last): Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
    - protocol_violation_track_option (str; choices: none, log, popup alert, mail alert, snmp trap alert, user defined alert no.1, user defined alert no.2, user defined alert no.3): Set the track or alert option to be used when a protocol violation (malformed packet) is detected.
    - tunnel_activation_threshold (int): Tunnel activation threshold. Available only if aggressive-aging is true.
    - tunnel_deactivation_threshold (int): Tunnel deactivation threshold. Available only if aggressive-aging is true.
    - verify_flow_labels (bool): Checks that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.

- domains_to_process (list of str): Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only, and requires ignore-warnings true. Valid values are CURRENT_DOMAIN and ALL_DOMAINS_ON_THIS_SERVER.

- data_access_control (dict): Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
  suboptions:
    - auto_download_important_data (bool): Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
    - auto_download_sw_updates_and_new_features (bool): Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
    - send_anonymous_info (bool): Help Check Point improve the product by sending anonymous information.
    - share_sensitive_info (bool): Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.

- stateful_inspection (dict): Adjust Stateful Inspection parameters.
  suboptions:
    - accept_stateful_icmp_errors (bool): Accept ICMP error packets which refer to another non-ICMP connection (for example, an ongoing TCP or UDP connection) that was accepted by the Rule Base.
    - accept_stateful_icmp_replies (bool): Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
    - accept_stateful_other_ip_protocols_replies_for_unknown_services (bool): Accept reply packets for other undefined services (that is, services which are not TCP, UDP or ICMP).
    - accept_stateful_udp_replies_for_unknown_services (bool): Specifies whether UDP replies are to be accepted for unknown services.
    - drop_out_of_state_icmp_packets (bool): Drop ICMP packets which are not consistent with the current state of the connection.
    - drop_out_of_state_sctp_packets (bool): Drop SCTP packets which are not consistent with the current state of the connection.
    - drop_out_of_state_tcp_packets (bool): Drop TCP packets which are not consistent with the current state of the connection.
    - icmp_virtual_session_timeout (int): An ICMP virtual session will be considered to have timed out after this time period (in seconds).
    - log_on_drop_out_of_state_icmp_packets (bool): Generates a log entry when out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
    - log_on_drop_out_of_state_sctp_packets (bool): Generates a log entry when out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
    - log_on_drop_out_of_state_tcp_packets (bool): Generates a log entry when out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
    - other_ip_protocols_virtual_session_timeout (int): A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
    - sctp_end_timeout (int): SCTP connections are kept for this number of seconds after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
    - sctp_session_timeout (int): Time (in seconds) an idle connection will remain in the Security Gateway connections table.
    - sctp_start_timeout (int): SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
    - tcp_end_timeout (int): A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction, client-to-server and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset), the Check Point Security Gateway keeps the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
    - tcp_end_timeout_r8020_gw_and_above (int): A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction, client-to-server and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset), the Check Point Security Gateway keeps the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
    - tcp_out_of_state_drop_exceptions (list of str): Name or uid of the gateways and clusters for which out of state packets are allowed.
    - tcp_session_timeout (int): The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
    - tcp_start_timeout (int): A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
    - udp_virtual_session_timeout (int): Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.

- auto_publish_session (bool; default: false): Publish the current session if changes have been performed after the task completes.

- wait_for_task_timeout (int; default: 30): How many minutes to wait before raising a timeout error.

- non_unique_ip_address_ranges (list of dict): Specify Non Unique IP Address Ranges.
  suboptions:
    - address_type (str; choices: IPv4, IPv6): The type of the IP Address.
    - first_ipv4_address (str): The first IPv4 address in the range.
    - first_ipv6_address (str): The first IPv6 address in the range.
    - last_ipv4_address (str): The last IPv4 address in the range.
    - last_ipv6_address (str): The last IPv6 address in the range.

- num_spoofing_errs_that_trigger_brute_force (int): Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.

- allow_remote_registration_of_opsec_products (bool): After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host, including the application host, can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
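The following playbook is an added example, not part of the collection's own documentation, showing how the nested dict options above are assembled in a task: the log_on_drop_* options are set together with the drop_* options they depend on, g_pdu_seq_number_check_max_deviation is set only after its enabling flag, and the task's return value (the cp_mgmt_set_global_properties dict) is captured with register. The inventory group name, the connection settings, and every numeric value are assumptions chosen for illustration.

```yaml
# Added example; not from the check_point.mgmt collection's docs.
# Assumes an inventory group "checkpoint_mgmt" (constructed name) whose hosts
# are configured with ansible_connection=httpapi and
# ansible_network_os=check_point.mgmt.checkpoint, with credentials in inventory.
- name: Harden stateful inspection and GTP inspection global properties
  hosts: checkpoint_mgmt
  gather_facts: false
  tasks:
    - name: Set global properties
      check_point.mgmt.cp_mgmt_set_global_properties:
        stateful_inspection:
          # Drop packets inconsistent with the tracked connection state and log
          # each drop. A log_on_drop_* option is honoured only when the matching
          # drop_* option is true, so the pairs are set together.
          drop_out_of_state_tcp_packets: true
          log_on_drop_out_of_state_tcp_packets: true
          drop_out_of_state_icmp_packets: true
          log_on_drop_out_of_state_icmp_packets: true
          drop_out_of_state_sctp_packets: true
          log_on_drop_out_of_state_sctp_packets: true
          # Do not accept replies for services the Rule Base never defined.
          accept_stateful_udp_replies_for_unknown_services: false
          accept_stateful_other_ip_protocols_replies_for_unknown_services: false
          # Session timers in seconds (constructed values for illustration).
          tcp_start_timeout: 25
          tcp_session_timeout: 3600
          tcp_end_timeout: 20
          udp_virtual_session_timeout: 40
          icmp_virtual_session_timeout: 30
        carrier_security:
          block_gtp_in_gtp: true
          enforce_gtp_anti_spoofing: true
          # The deviation is only meaningful when the sequence check is enabled.
          enable_g_pdu_seq_number_check_with_max_deviation: true
          g_pdu_seq_number_check_max_deviation: 1024   # constructed value
          protocol_violation_track_option: log
        data_access_control:
          auto_download_important_data: true
          # Valid only because auto_download_important_data is true.
          auto_download_sw_updates_and_new_features: true
          send_anonymous_info: false
        # Publish the session so the change takes effect on the next policy install.
        auto_publish_session: true
        wait_for_task_timeout: 30
      register: global_props

    - name: Show the management server's response
      ansible.builtin.debug:
        var: global_props.cp_mgmt_set_global_properties
```

Run it with ansible-playbook against an inventory that points at the management server; with auto_publish_session true the session is published by the module, so no separate publish task is needed.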
Return values:

- cp_mgmt_set_global_properties (dict; returned: always): The checkpoint set-global-properties output.