check_point.mgmt.cp_mgmt_access_rule – Manages access-rule objects on Check Point over Web Services API
Note
This plugin is part of the check_point.mgmt collection (version 2.1.1).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install check_point.mgmt.
To use it in a playbook, specify: check_point.mgmt.cp_mgmt_access_rule.
New in version 2.9: of check_point.mgmt
Synopsis
- Manages access-rule objects on Check Point devices including creating, updating and removing objects.
- All operations are performed over Web Services API.
Parameters
| Parameter | Choices/Defaults | Comments | ||
|---|---|---|---|---|
| action
string
|
a "Accept", "Drop", "Ask", "Inform", "Reject", "User Auth", "Client Auth", "Apply Layer".
|
|||
| action_settings
dictionary
|
Action settings.
|
|||
| enable_identity_captive_portal
boolean
|
|
N/A
|
||
| limit
string
|
N/A
|
|||
| auto_publish_session
boolean
|
|
Publish the current session if changes have been performed after task completes.
|
||
| comments
string
|
Comments string.
|
|||
| content
list / elements=string
|
List of processed file types that this rule applies on.
|
|||
| content_direction
string
|
|
On which direction the file types processing is applied.
|
||
| content_negate
boolean
|
|
True if negate is set for data.
|
||
| custom_fields
dictionary
|
Custom fields.
|
|||
| field_1
string
|
First custom field.
|
|||
| field_2
string
|
Second custom field.
|
|||
| field_3
string
|
Third custom field.
|
|||
| destination
list / elements=string
|
Collection of Network objects identified by the name or UID.
|
|||
| destination_negate
boolean
|
|
True if negate is set for destination.
|
||
| details_level
string
|
|
The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed representation of the object.
|
||
| enabled
boolean
|
|
Enable/Disable the rule.
|
||
| ignore_errors
boolean
|
|
Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored.
|
||
| ignore_warnings
boolean
|
|
Apply changes ignoring warnings.
|
||
| inline_layer
string
|
Inline Layer identified by the name or UID. Relevant only if "Action" was set to "Apply Layer".
|
|||
| install_on
list / elements=string
|
Which Gateways identified by the name or UID to install the policy on.
|
|||
| layer
string
|
Layer that the rule belongs to identified by the name or UID.
|
|||
| name
string / required
|
Object name.
|
|||
| position
string
|
Position in the rulebase.
|
|||
| service
list / elements=string
|
Collection of Network objects identified by the name or UID.
|
|||
| service_negate
boolean
|
|
True if negate is set for service.
|
||
| source
list / elements=string
|
Collection of Network objects identified by the name or UID.
|
|||
| source_negate
boolean
|
|
True if negate is set for source.
|
||
| state
string
|
|
State of the access rule (present or absent). Defaults to present.
|
||
| time
list / elements=string
|
List of time objects. For example, "Weekend", "Off-Work", "Every-Day".
|
|||
| track
dictionary
|
Track Settings.
|
|||
| accounting
boolean
|
|
Turns accounting for track on and off.
|
||
| alert
string
|
|
Type of alert for the track.
|
||
| enable_firewall_session
boolean
|
|
Determine whether to generate session log to firewall only connections.
|
||
| per_connection
boolean
|
|
Determines whether to perform the log per connection.
|
||
| per_session
boolean
|
|
Determines whether to perform the log per session.
|
||
| type
string
|
a "Log", "Extended Log", "Detailed Log", "None".
|
|||
| user_check
dictionary
|
User check settings.
|
|||
| confirm
string
|
|
N/A
|
||
| custom_frequency
dictionary
|
N/A
|
|||
| every
integer
|
N/A
|
|||
| unit
string
|
|
N/A
|
||
| frequency
string
|
|
N/A
|
||
| interaction
string
|
N/A
|
|||
| version
string
|
Version of checkpoint. If not given one, the latest version taken.
|
|||
| vpn
list / elements=string
|
Communities or Directional.
|
|||
| community
list / elements=string
|
List of community name or UID.
|
|||
| directional
list / elements=string
|
Communities directional match condition.
|
|||
| from
string
|
From community name or UID.
|
|||
| to
string
|
To community name or UID.
|
|||
| wait_for_task
boolean
|
|
Wait for the task to end. Such as publish task.
|
||
| wait_for_task_timeout
integer
|
Default:
30
|
How many minutes to wait until throwing a timeout error.
|
||
Examples
- name: add-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 1
position: 1
service:
- SMTP
- AOL
state: present
- name: set-access-rule
cp_mgmt_access_rule:
action: Ask
action_settings:
enable_identity_captive_portal: true
limit: Upload_1Gbps
layer: Network
name: Rule 1
state: present
- name: delete-access-rule
cp_mgmt_access_rule:
layer: Network
name: Rule 2
state: absent
Return Values
Common return values are documented here, the following are the fields unique to this module:
| Key | Returned | Description |
|---|---|---|
| cp_mgmt_access_rule
dictionary
|
always, except when deleting the object. |
The checkpoint object created or updated.
|
Authors
- Or Soffer (@chkp-orso)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_access_rule_module.html