check_point.mgmt.cp_mgmt_access_rules (5.2.3) — module

Manages access-rules objects on Check Point over the Web Services API

Added in version 2.2.0 of check_point.mgmt

Authors: Shiran Golzar (@chkp-shirango)

preview | supported by community

This plugin has a corresponding action plugin.

Install collection

Install with ansible-galaxy collection install check_point.mgmt:==5.2.3


Add to requirements.yml

  collections:
    - name: check_point.mgmt
      version: 5.2.3

Description

Manages access-rules objects on Check Point devices, including creating, updating and removing them.

All operations are performed over the Check Point management Web Services API.

Usage examples

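# Adds two rules to the "Network" access layer and publishes the session as
# soon as the task finishes (auto_publish_session: true). Each rule only sets
# name, service and state; action, source and destination are not given and
# fall back to whatever the API applies by default.
# NOTE(review): set action, source and destination explicitly for a real
# policy — a rule that omits them is only as restrictive as those defaults.
- name: add-access-rules
  check_point.mgmt.cp_mgmt_access_rules:
    layer: Network
    auto_publish_session: true
    rules:
      - name: Rule 1
        state: present
        service:
          - SMTP
          - AOL
      - name: Rule 2
        state: present
        service:
          - SMTP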

Inputs

    
layer:
    description:
    - Layer that the rules belong to, identified by name or UID.
    required: true
    type: str

rules:
    description:
    - List of access rules to add, update or remove; each entry is a dict using the suboptions below.
    elements: dict
    required: true
    suboptions:
      action:
        description:
        - One of "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth",
          "Apply Layer".
        type: str
      action_settings:
        description:
        - Action settings.
        suboptions:
          enable_identity_captive_portal:
            description:
            - N/A
            type: bool
          limit:
            description:
            - N/A
            type: str
        type: dict
      comments:
        description:
        - Comments string.
        type: str
      content:
        description:
        - List of processed file types that this rule applies on.
        elements: dict
        type: list
      content_direction:
        choices:
        - any
        - up
        - down
        description:
        - On which direction the file types processing is applied.
        type: str
      content_negate:
        description:
        - True if negate is set for data.
        type: bool
      custom_fields:
        description:
        - Custom fields.
        suboptions:
          field_1:
            description:
            - First custom field.
            type: str
          field_2:
            description:
            - Second custom field.
            type: str
          field_3:
            description:
            - Third custom field.
            type: str
        type: dict
      destination:
        description:
        - Collection of Network objects identified by the name or UID.
        elements: str
        type: list
      destination_negate:
        description:
        - True if negate is set for destination.
        type: bool
      details_level:
        choices:
        - uid
        - standard
        - full
        description:
        - The level of detail for some of the fields in the response can vary from showing
          only the UID value of the object to a fully detailed representation of the object.
        type: str
      enabled:
        description:
        - Enable/Disable the rule.
        type: bool
      ignore_errors:
        description:
        - Apply changes ignoring errors. A session containing such changes cannot be published.
          If the ignore-warnings flag is omitted, warnings are ignored as well.
        type: bool
      ignore_warnings:
        description:
        - Apply changes ignoring warnings.
        type: bool
      inline_layer:
        description:
        - Inline Layer identified by the name or UID. Relevant only if "Action" was set
          to "Apply Layer".
        type: str
      install_on:
        description:
        - Gateways, identified by name or UID, on which to install the policy.
        elements: str
        type: list
      name:
        description:
        - Object name.
        required: true
        type: str
      service:
        description:
        - Collection of service objects (for example SMTP) identified by name or UID.
        elements: str
        type: list
      service_negate:
        description:
        - True if negate is set for service.
        type: bool
      source:
        description:
        - Collection of Network objects identified by the name or UID.
        elements: str
        type: list
      source_negate:
        description:
        - True if negate is set for source.
        type: bool
      state:
        choices:
        - present
        - absent
        default: present
        description:
        - State of the access rule (present or absent). Defaults to present.
        type: str
      time:
        description:
        - List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
        elements: str
        type: list
      track:
        description:
        - Track Settings.
        suboptions:
          accounting:
            description:
            - Turns accounting for track on and off.
            type: bool
          alert:
            choices:
            - none
            - alert
            - snmp
            - mail
            - user alert 1
            - user alert 2
            - user alert 3
            description:
            - Type of alert for the track.
            type: str
          enable_firewall_session:
            description:
            - Determines whether to generate a session log for firewall-only connections.
            type: bool
          per_connection:
            description:
            - Determines whether to perform the log per connection.
            type: bool
          per_session:
            description:
            - Determines whether to perform the log per session.
            type: bool
          type:
            description:
            - One of "Log", "Extended Log", "Detailed Log", "None".
            type: str
        type: dict
      user_check:
        description:
        - User check settings.
        suboptions:
          confirm:
            choices:
            - per rule
            - per category
            - per application/site
            - per data type
            description:
            - N/A
            type: str
          custom_frequency:
            description:
            - N/A
            suboptions:
              every:
                description:
                - N/A
                type: int
              unit:
                choices:
                - hours
                - days
                - weeks
                - months
                description:
                - N/A
                type: str
            type: dict
          frequency:
            choices:
            - once a day
            - once a week
            - once a month
            - custom frequency...
            description:
            - N/A
            type: str
          interaction:
            description:
            - N/A
            type: str
        type: dict
      vpn:
        choices:
        - Any
        - All_GwToGw
        description:
        - Any or All_GwToGw.
        type: str
      vpn_list:
        description:
        - Communities or Directional.
        elements: dict
        suboptions:
          community:
            description:
            - List of community name or UID.
            elements: str
            type: list
          directional:
            description:
            - Communities directional match condition.
            elements: dict
            suboptions:
              from:
                description:
                - From community name or UID.
                type: str
              to:
                description:
                - To community name or UID.
                type: str
            type: list
        type: list
    type: list

version:
    description:
    - Check Point API version to use. If not given, the latest version is used.
    type: str

details_level:
    choices:
    - uid
    - standard
    - full
    description:
    - The level of detail for some of the fields in the response can vary from showing
      only the UID value of the object to a fully detailed representation of the object.
    type: str

auto_publish_session:
    default: false
    description:
    - Publish the current session when the task completes, if changes were made. When false, the changes stay unpublished in the session.
    type: bool

wait_for_task_timeout:
    default: 30
    description:
    - How many minutes to wait for the management task to finish before raising a timeout error.
    type: int

Outputs

cp_mgmt_access_rules:
  description: The Check Point object created or updated.
  returned: always, except when deleting the object.
  type: dict