From c0a6f34c556b027fdaae37e4281abc94c9983e9f Mon Sep 17 00:00:00 2001
From: chkp-edenbr <94056191+chkp-edenbr@users.noreply.github.com>
Date: Mon, 8 Jul 2024 14:06:31 +0300
Subject: [PATCH] add new resource module (#133)
---
CHANGELOG.rst | 14 +++
changelogs/changelog.yaml | 14 +++
galaxy.yml | 2 +-
meta/runtime.yml | 2 +-
plugins/modules/cp_mgmt_access_rule.py | 1 -
plugins/modules/cp_mgmt_access_rules.py | 1 -
.../cp_mgmt_set_https_advanced_settings.py | 118 ++++++++++--------
.../cp_mgmt_show_https_advanced_settings.py | 6 +-
8 files changed, 97 insertions(+), 61 deletions(-)
diff --git a/CHANGELOG.rst b/CHANGELOG.rst
index f5586af..6a8613a 100644
--- a/CHANGELOG.rst
+++ b/CHANGELOG.rst
@@ -4,6 +4,20 @@ Check_Point.Mgmt Release Notes
.. contents:: Topics
+v6.1.0
+======
+
+Release Summary
+---------------
+
+This is release 6.1.0 of ``check_point.mgmt``, released on 2024-07-08.
+
+New Modules
+-----------
+
+- check_point.mgmt.cp_mgmt_set_https_advanced_settings - Configure advanced settings for HTTPS Inspection.
+- check_point.mgmt.cp_mgmt_show_https_advanced_settings - Show advanced settings for HTTPS Inspection.
+
v6.0.0
======
diff --git a/changelogs/changelog.yaml b/changelogs/changelog.yaml
index 720c9f7..c8330b4 100644
--- a/changelogs/changelog.yaml
+++ b/changelogs/changelog.yaml
@@ -1108,3 +1108,17 @@ releases:
name: cp_mgmt_show_mobile_access_section
namespace: ''
release_date: '2024-06-16'
+ 6.1.0:
+ changes:
+ release_summary: This is release 6.1.0 of ``check_point.mgmt``, released on
+ 2024-07-08.
+ fragments:
+ - 6.1.0.yml
+ modules:
+ - description: Configure advanced settings for HTTPS Inspection.
+ name: cp_mgmt_set_https_advanced_settings
+ namespace: ''
+ - description: Show advanced settings for HTTPS Inspection.
+ name: cp_mgmt_show_https_advanced_settings
+ namespace: ''
+ release_date: '2024-07-08'
diff --git a/galaxy.yml b/galaxy.yml
index 7501973..43c098a 100644
--- a/galaxy.yml
+++ b/galaxy.yml
@@ -9,7 +9,7 @@ namespace: check_point
name: mgmt
# The version of the collection. Must be compatible with semantic versioning
-version: 6.0.0
+version: 6.1.0
# The path to the Markdown (.md) readme file. This path is relative to the root of the collection
readme: README.md
diff --git a/meta/runtime.yml b/meta/runtime.yml
index 93a159c..531e865 100644
--- a/meta/runtime.yml
+++ b/meta/runtime.yml
@@ -1,5 +1,5 @@
---
-requires_ansible: ">=2.14.0"
+requires_ansible: ">=2.15.0"
plugin_routing:
modules:
cp_mgmt_add_nat_rule:
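Review bot: Raising `requires_ansible` from `>=2.14.0` to `>=2.15.0` drops ansible-core 2.14 controllers, yet the 6.1.0 changelog entry in this same patch records only the two new modules. If the bump is intentional, add a `minor_changes` (or `breaking_changes`) line to the 6.1.0 fragment stating the new minimum so that 2.14 users see it before upgrading; if it is incidental, it should be reverted. The rest of `plugin_routing` lies outside the hunk.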
diff --git a/plugins/modules/cp_mgmt_access_rule.py b/plugins/modules/cp_mgmt_access_rule.py
index ca26a29..59d3919 100644
--- a/plugins/modules/cp_mgmt_access_rule.py
+++ b/plugins/modules/cp_mgmt_access_rule.py
@@ -326,7 +326,6 @@
"""
from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.connection import Connection
from ansible_collections.check_point.mgmt.plugins.module_utils.checkpoint import (
checkpoint_argument_spec_for_objects,
api_call,
diff --git a/plugins/modules/cp_mgmt_access_rules.py b/plugins/modules/cp_mgmt_access_rules.py
index cdc1f8a..fd8bcaa 100644
--- a/plugins/modules/cp_mgmt_access_rules.py
+++ b/plugins/modules/cp_mgmt_access_rules.py
@@ -300,7 +300,6 @@
"""
from ansible.module_utils.basic import AnsibleModule
-from ansible.module_utils.connection import Connection
from ansible_collections.check_point.mgmt.plugins.module_utils.checkpoint import (
checkpoint_argument_spec_for_action_module,
)
diff --git a/plugins/modules/cp_mgmt_set_https_advanced_settings.py b/plugins/modules/cp_mgmt_set_https_advanced_settings.py
index 38ed575..98f232b 100644
--- a/plugins/modules/cp_mgmt_set_https_advanced_settings.py
+++ b/plugins/modules/cp_mgmt_set_https_advanced_settings.py
@@ -28,22 +28,24 @@
DOCUMENTATION = """
---
module: cp_mgmt_set_https_advanced_settings
-short_description: Edit HTTPS Inspection's Blades' Settings.
+short_description: Configure advanced settings for HTTPS Inspection.
description:
- - Edit HTTPS Inspection's Blades' Settings.
+ - Configure advanced settings for HTTPS Inspection.
- All operations are performed over Web Services API.
-version_added: "6.0.0"
+version_added: "6.1.0"
author: "Eden Brillant (@chkp-edenbr)"
options:
bypass_on_client_failure:
description:
- Whether all requests should be bypassed or blocked-in case of client errors (Client closes the connection due to authentication issues during
- handshake)
true - Fail-open (bypass all requests)
false - Fail-close (block all requests).
+ handshake)
- true - Fail-open (bypass all requests).
- false - Fail-close (block all
+ requests.
The default value is true.
type: bool
bypass_on_failure:
description:
- Whether all requests should be bypassed or blocked-in case of server errors (for example validation error during GW-Server
- authentication)
true - Fail-open (bypass all requests)
false - Fail-close (block all requests).
+ authentication)
- true - Fail-open (bypass all requests).
- false - Fail-close (block all
+ requests.
The default value is true.
type: bool
bypass_under_load:
description:
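Review bot: The rewrapped descriptions for `bypass_on_client_failure` and `bypass_on_failure` lose the closing parenthesis: the new text reads `- false - Fail-close (block all` followed by `requests.`, where the old line had `false - Fail-close (block all requests).`. Restore it as `- false - Fail-close (block all requests).` in both options. The DOCUMENTATION string continues past the end of this hunk.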
@@ -62,33 +64,41 @@
'user defined alert no.3']
site_categorization_allow_mode:
description:
- - Whether all requests should be allowed or blocked until categorization is complete.
Background - in order to allow requests until
- categorization is complete.
Hold- in order to block requests until categorization is complete.
+ - Whether all requests should be allowed or blocked until categorization is complete.
- Background - to
+ allow requests until categorization is complete.
- Hold- to block requests until categorization is complete.
The default value is
+ hold.
type: str
choices: ['background', 'hold']
- deny_untrusted_server_cert:
+ server_certificate_validation_actions:
description:
- - Set to be true in order to drop traffic from servers with untrusted server certificate.
- type: bool
- deny_revoked_server_cert:
- description:
- - Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).
- type: bool
- deny_expired_server_cert:
- description:
- - Set to be true in order to drop traffic from servers with expired server certificate.
- type: bool
- track_validation_errors:
- description:
- - Whether to log and send a notification for the server validation errors,
- None - Does not record the
- event.
- Log - Records the event details in SmartView.
- Alert - Logs the event and executes a command.
- Mail - Sends an email to
- the administrator.
- SNMP Trap - Sends an SNMP alert to the SNMP GU.
- User Defined Alert - Sends customized alerts.
.
- type: str
- choices: ['none', 'log', 'popup alert', 'mail alert', 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2', 'user defined alert no.3']
+ - When a Security Gateway receives an untrusted certificate from a website server, define when to drop the connection and how to track it.
+ type: dict
+ suboptions:
+ block_expired:
+ description:
+ - Set to be true in order to drop traffic from servers with expired server certificate.
+ type: bool
+ block_revoked:
+ description:
+ - Set to be true in order to drop traffic from servers with revoked server certificate (validate CRL).
+ type: bool
+ block_untrusted:
+ description:
+ - Set to be true in order to drop traffic from servers with untrusted server certificate.
+ type: bool
+ track_errors:
+ description:
+ - Whether to log and send a notification for the server validation errors,
- None - Does not
+ record the event.
- Log - Records the event details in SmartView.
- Alert - Logs the event and executes a command.
- Mail -
+ Sends an email to the administrator.
- SNMP Trap - Sends an SNMP alert to the SNMP GU.
- User Defined Alert - Sends customized
+ alerts.
.
+ type: str
+ choices: ['none', 'log', 'popup alert', 'mail alert', 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2',
+ 'user defined alert no.3']
retrieve_intermediate_ca_certificates:
description:
- Configure the value "true" to use the "Certificate Authority Information Access" extension to retrieve certificates that are missing from the
- certificate chain.
+ certificate chain.
The default value is true.
type: bool
blocked_certificates:
description:
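Review bot: The new `track_errors` suboption text re-adds two artifacts from the option it replaces: the line `- SNMP Trap - Sends an SNMP alert to the SNMP GU.` and a line consisting only of `.` after `alerts.`. Presumably `GU` is a truncated product name and the lone `.` belongs to the preceding sentence; confirm the wording against the management API reference and fold the stray period into the line before it. The DOCUMENTATION string continues past the end of this hunk.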
@@ -115,22 +125,20 @@
the administrator.SNMP Trap - Sends an SNMP alert to the SNMP GU.User Defined Alert - Sends customized alerts..
type: str
choices: ['none', 'log', 'popup alert', 'mail alert', 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2', 'user defined alert no.3']
- bypass_certificate_pinned_apps:
- description:
- - Configure the value "true" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot inspect
- connections initiated by certificate-pinned applications.
- type: bool
bypass_update_services:
description:
- - Configure the value "true" to bypass traffic to well-known software update services.
+ - Configure the value "true" to bypass traffic to well-known software update services.
The default value is true.
type: bool
- httpsi_statistics_logs:
+ certificate_pinned_apps_action:
description:
- - Configure the value "true" to send logs for every TLS session for all rules in HTTPS Inspection policy.
- type: bool
- log_empty_ssl_connections:
+ - Configure the value "bypass" to bypass traffic from certificate-pinned applications approved by Check Point.
HTTPS Inspection cannot
+ inspect connections initiated by certificate-pinned applications.
Configure the value "detect" to send logs for traffic from certificate-pinned
+ applications approved by Check Point.
The default value is bypass.
+ type: str
+ choices: ['bypass', 'detect', 'none']
+ log_sessions:
description:
- - Configure the value "true" to send logs about SSL connections that are closed without data or are closed in the middle of a handshake.
+ - The value "true" configures the Security Gateway to send HTTPS Inspection session logs.
The default value is true.
type: bool
details_level:
description:
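Review bot: The `certificate_pinned_apps_action` description explains the `bypass` and `detect` values but says nothing about `none`, which the `choices:` line also offers, so a reader cannot tell what the gateway does with pinned-application traffic in that mode. Add one sentence describing `none`, taken from the API reference rather than guessed. Likewise `log_sessions` replaces both `httpsi_statistics_logs` and `log_empty_ssl_connections`, and the new sentence no longer states whether sessions closed without data or mid-handshake are logged; if the API still distinguishes those, the description should say so. The DOCUMENTATION string continues past the end of this hunk.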
@@ -159,20 +167,20 @@
- name: set-https-advanced-settings
cp_mgmt_set_https_advanced_settings:
blocked_certificate_tracking: popup alert
- bypass_certificate_pinned_apps: 'false'
bypass_on_client_failure: 'false'
bypass_on_failure: 'false'
bypass_under_load:
- track: log
+ track: log
bypass_update_services: 'true'
- deny_expired_server_cert: 'true'
- deny_revoked_server_cert: 'false'
- deny_untrusted_server_cert: 'true'
- httpsi_statistics_logs: 'true'
- log_empty_ssl_connections: 'true'
+ certificate_pinned_apps_action: bypass
+ log_sessions: 'true'
retrieve_intermediate_ca_certificates: 'true'
+ server_certificate_validation_actions:
+ block_expired: 'true'
+ block_revoked: 'false'
+ block_untrusted: 'true'
+ track_errors: snmp trap alert
site_categorization_allow_mode: background
- track_validation_errors: snmp trap alert
"""
RETURN = """
@@ -190,16 +198,19 @@ def main():
argument_spec = dict(
bypass_on_client_failure=dict(type='bool'),
bypass_on_failure=dict(type='bool'),
- bypass_under_load=dict(type='dict', options=dict(
+ bypass_under_load=dict(type='dict', no_log=False, options=dict(
track=dict(type='str', choices=['none', 'log', 'popup alert', 'mail alert', 'snmp trap alert',
'user defined alert no.1', 'user defined alert no.2', 'user defined alert no.3'])
)),
site_categorization_allow_mode=dict(type='str', choices=['background', 'hold']),
- deny_untrusted_server_cert=dict(type='bool'),
- deny_revoked_server_cert=dict(type='bool'),
- deny_expired_server_cert=dict(type='bool'),
- track_validation_errors=dict(type='str', choices=['none', 'log', 'popup alert', 'mail alert',
- 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2', 'user defined alert no.3']),
+ server_certificate_validation_actions=dict(type='dict', options=dict(
+ block_expired=dict(type='bool'),
+ block_revoked=dict(type='bool'),
+ block_untrusted=dict(type='bool'),
+ track_errors=dict(type='str', choices=['none', 'log', 'popup alert', 'mail alert',
+ 'snmp trap alert', 'user defined alert no.1',
+ 'user defined alert no.2', 'user defined alert no.3'])
+ )),
retrieve_intermediate_ca_certificates=dict(type='bool'),
blocked_certificates=dict(type='list', elements='dict', options=dict(
name=dict(type='str'),
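Review bot: `no_log=False` is added to `bypass_under_load` with no explanation while the other `bypass_*` options are left as they were, so a later maintainer is likely to strip it as noise. Presumably it is there because the option name contains `pass` and trips the secret-name heuristic that Ansible applies to argument specs; a comment such as `# no_log=False: the name matches the "pass" heuristic but the value is a tracking setting, not a secret` would preserve the reason. Separately, `server_certificate_validation_actions` replaces the `deny_*_server_cert` and `track_validation_errors` options (and the next argument_spec hunk replaces `bypass_certificate_pinned_apps`, `httpsi_statistics_logs` and `log_empty_ssl_connections`) with no `aliases` or deprecation; if 6.0.0 already shipped this module under those names, the changelog should record a breaking change rather than only a new module. main() starts before this hunk.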
@@ -209,10 +220,9 @@ def main():
blocked_certificate_tracking=dict(type='str', choices=['none', 'log', 'popup alert',
'mail alert', 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2',
'user defined alert no.3']),
- bypass_certificate_pinned_apps=dict(type='bool'),
bypass_update_services=dict(type='bool'),
- httpsi_statistics_logs=dict(type='bool'),
- log_empty_ssl_connections=dict(type='bool'),
+ certificate_pinned_apps_action=dict(type='str', choices=['bypass', 'detect', 'none']),
+ log_sessions=dict(type='bool'),
details_level=dict(type='str', choices=['uid', 'standard', 'full']),
domains_to_process=dict(type='list', elements='str'),
ignore_warnings=dict(type='bool'),
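Review bot: The eight-item tracking `choices` list is now spelled out three times in one argument_spec (`bypass_under_load.track`, `server_certificate_validation_actions.track_errors` in the previous hunk, and `blocked_certificate_tracking` here), each wrapped differently, so the copies can silently drift apart. Hoist it once above main(): `TRACK_CHOICES = ['none', 'log', 'popup alert', 'mail alert', 'snmp trap alert', 'user defined alert no.1', 'user defined alert no.2', 'user defined alert no.3']` and write e.g. `track_errors=dict(type='str', choices=TRACK_CHOICES)` at each site. The argument_spec continues past the end of this hunk.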
diff --git a/plugins/modules/cp_mgmt_show_https_advanced_settings.py b/plugins/modules/cp_mgmt_show_https_advanced_settings.py
index 2680109..68d3d8e 100644
--- a/plugins/modules/cp_mgmt_show_https_advanced_settings.py
+++ b/plugins/modules/cp_mgmt_show_https_advanced_settings.py
@@ -28,11 +28,11 @@
DOCUMENTATION = """
---
module: cp_mgmt_show_https_advanced_settings
-short_description: Show HTTPS Inspection's Blades' Settings.
+short_description: Show advanced settings for HTTPS Inspection.
description:
- - Show HTTPS Inspection's Blades' Settings.
+ - Show advanced settings for HTTPS Inspection.
- All operations are performed over Web Services API.
-version_added: "6.0.0"
+version_added: "6.1.0"
author: "Eden Brillant (@chkp-edenbr)"
options: {}
extends_documentation_fragment: check_point.mgmt.checkpoint_commands