check_point.mgmt.cp_mgmt_access_rule – Manages access-rule objects on Check Point over Web Services API

Note

This plugin is part of the check_point.mgmt collection (version 2.1.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install check_point.mgmt.

To use it in a playbook, specify: check_point.mgmt.cp_mgmt_access_rule.

New in version 2.9: of check_point.mgmt

Synopsis

  • Manages access-rule objects on Check Point devices including creating, updating and removing objects.
  • All operations are performed over Web Services API.

Parameters

Parameter Choices/Defaults Comments
action
string
a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
action_settings
dictionary
Action settings.
enable_identity_captive_portal
boolean
    Choices:
  • no
  • yes
N/A
limit
string
N/A
auto_publish_session
boolean
    Choices:
  • no
  • yes
Publish the current session if changes have been performed after task completes.
comments
string
Comments string.
content
list / elements=string
List of processed file types that this rule applies on.
content_direction
string
    Choices:
  • any
  • up
  • down
On which direction the file types processing is applied.
content_negate
boolean
    Choices:
  • no
  • yes
True if negate is set for data.
custom_fields
dictionary
Custom fields.
field_1
string
First custom field.
field_2
string
Second custom field.
field_3
string
Third custom field.
destination
list / elements=string
Collection of Network objects identified by the name or UID.
destination_negate
boolean
    Choices:
  • no
  • yes
True if negate is set for destination.
details_level
string
    Choices:
  • uid
  • standard
  • full
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.
enabled
boolean
    Choices:
  • no
  • yes
Enable/Disable the rule.
ignore_errors
boolean
    Choices:
  • no
  • yes
Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
ignore_warnings
boolean
    Choices:
  • no
  • yes
Apply changes ignoring warnings.
inline_layer
string
Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer".
install_on
list / elements=string
Which Gateways identified by the name or UID to install the policy on.
layer
string
Layer that the rule belongs to identified by the name or UID.
name
string / required
Object name.
position
string
Position in the rulebase.
service
list / elements=string
Collection of Network objects identified by the name or UID.
service_negate
boolean
    Choices:
  • no
  • yes
True if negate is set for service.
source
list / elements=string
Collection of Network objects identified by the name or UID.
source_negate
boolean
    Choices:
  • no
  • yes
True if negate is set for source.
state
string
    Choices:
  • present
  • absent
State of the access rule (present or absent). Defaults to present.
time
list / elements=string
List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
track
dictionary
Track Settings.
accounting
boolean
    Choices:
  • no
  • yes
Turns accounting for track on and off.
alert
string
    Choices:
  • none
  • alert
  • snmp
  • mail
  • user alert 1
  • user alert 2
  • user alert 3
Type of alert for the track.
enable_firewall_session
boolean
    Choices:
  • no
  • yes
Determine whether to generate session log to firewall only connections.
per_connection
boolean
    Choices:
  • no
  • yes
Determines whether to perform the log per connection.
per_session
boolean
    Choices:
  • no
  • yes
Determines whether to perform the log per session.
type
string
a "Log", "Extended Log", "Detailed Log", "None".
user_check
dictionary
User check settings.
confirm
string
    Choices:
  • per rule
  • per category
  • per application/site
  • per data type
N/A
custom_frequency
dictionary
N/A
every
integer
N/A
unit
string
    Choices:
  • hours
  • days
  • weeks
  • months
N/A
frequency
string
    Choices:
  • once a day
  • once a week
  • once a month
  • custom frequency...
N/A
interaction
string
N/A
version
string
Version of checkpoint. If not given one, the latest version taken.
vpn
list / elements=string
Communities or Directional.
community
list / elements=string
List of community name or UID.
directional
list / elements=string
Communities directional match condition.
from
string
From community name or UID.
to
string
To community name or UID.
wait_for_task
boolean
    Choices:
  • no
  • yes
Wait for the task to end. Such as publish task.
wait_for_task_timeout
integer
Default:
30
How many minutes to wait until throwing a timeout error.

Examples

- name: add-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 1
    position: 1
    service:
    - SMTP
    - AOL
    state: present

- name: set-access-rule
  cp_mgmt_access_rule:
    action: Ask
    action_settings:
      enable_identity_captive_portal: true
      limit: Upload_1Gbps
    layer: Network
    name: Rule 1
    state: present

- name: delete-access-rule
  cp_mgmt_access_rule:
    layer: Network
    name: Rule 2
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cp_mgmt_access_rule
dictionary
always, except when deleting the object.
The checkpoint object created or updated.



Authors

  • Or Soffer (@chkp-orso)

© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_rule_module.html