From fff11bde0df33190fca022bd85d13135c8df97d6 Mon Sep 17 00:00:00 2001
From: chkp-amiads <35657202+chkp-amiads@users.noreply.github.com>
Date: Thu, 29 Aug 2019 07:33:38 +0300
Subject: [PATCH] threat_profile module (#61391)
* threat_profile module
* list to dict
* fix example
---
.../checkpoint/cp_mgmt_threat_profile.py | 400 ++++++++++++++++++
.../cp_mgmt_threat_profile_facts.py | 126 ++++++
2 files changed, 526 insertions(+)
create mode 100644 lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile.py
create mode 100644 lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile_facts.py
diff --git a/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile.py b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile.py
new file mode 100644
index 00000000000..472ebb2b695
--- /dev/null
+++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile.py
@@ -0,0 +1,400 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Ansible module to manage CheckPoint Firewall (c) 2019 +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = """ +--- +module: cp_mgmt_threat_profile +short_description: Manages threat-profile objects on Checkpoint over Web Services API +description: + - Manages threat-profile objects on Checkpoint devices including creating, updating and removing objects. + - All operations are performed over Web Services API. +version_added: "2.9" +author: "Or Soffer (@chkp-orso)" +options: + name: + description: + - Object name. + type: str + required: True + active_protections_performance_impact: + description: + - Protections with this performance impact only will be activated in the profile. + type: str + choices: ['high', 'medium', 'low', 'very_low'] + active_protections_severity: + description: + - Protections with this severity only will be activated in the profile. + type: str + choices: ['Critical', 'High', 'Medium or above', 'Low or above'] + confidence_level_high: + description: + - Action for protections with high confidence level. 
+ type: str + choices: ['Inactive', 'Ask', 'Prevent', 'Detect'] + confidence_level_low: + description: + - Action for protections with low confidence level. + type: str + choices: ['Inactive', 'Ask', 'Prevent', 'Detect'] + confidence_level_medium: + description: + - Action for protections with medium confidence level. + type: str + choices: ['Inactive', 'Ask', 'Prevent', 'Detect'] + indicator_overrides: + description: + - Indicators whose action will be overridden in this profile. + type: list + suboptions: + action: + description: + - The indicator's action in this profile. + type: str + choices: ['Inactive', 'Ask', 'Prevent', 'Detect'] + indicator: + description: + - The indicator whose action is to be overriden. + type: str + ips_settings: + description: + - IPS blade settings. + type: dict + suboptions: + exclude_protection_with_performance_impact: + description: + - Whether to exclude protections depending on their level of performance impact. + type: bool + exclude_protection_with_performance_impact_mode: + description: + - Exclude protections with this level of performance impact. + type: str + choices: ['very low', 'low or lower', 'medium or lower', 'high or lower'] + exclude_protection_with_severity: + description: + - Whether to exclude protections depending on their level of severity. + type: bool + exclude_protection_with_severity_mode: + description: + - Exclude protections with this level of severity. + type: str + choices: ['low or above', 'medium or above', 'high or above', 'critical'] + newly_updated_protections: + description: + - Activation of newly updated protections. + type: str + choices: ['active', 'inactive', 'staging'] + malicious_mail_policy_settings: + description: + - Malicious Mail Policy for MTA Gateways. + type: dict + suboptions: + add_customized_text_to_email_body: + description: + - Add customized text to the malicious email body. 
+ type: bool + add_email_subject_prefix: + description: + - Add a prefix to the malicious email subject. + type: bool + add_x_header_to_email: + description: + - Add an X-Header to the malicious email. + type: bool + email_action: + description: + - Block - block the entire malicious email
Allow - pass the malicious email and apply email changes (like, remove attachments and + links, add x-header, etc...). + type: str + choices: ['allow', 'block'] + email_body_customized_text: + description: + - Customized text for the malicious email body.
Available predefined fields,
$verdicts$ - the malicious/error attachments/links verdict. + type: str + email_subject_prefix_text: + description: + - Prefix for the malicious email subject. + type: str + failed_to_scan_attachments_text: + description: + - Replace attachments that failed to be scanned with this text.
Available predefined fields,
$filename$ - the malicious file + name.
$md5$ - MD5 of the malicious file. + type: str + malicious_attachments_text: + description: + - Replace malicious attachments with this text.
Available predefined fields,
$filename$ - the malicious file name.
$md5$ - + MD5 of the malicious file. + type: str + malicious_links_text: + description: + - Replace malicious links with this text.
Available predefined fields,
$neutralized_url$ - neutralized malicious link. + type: str + remove_attachments_and_links: + description: + - Remove attachments and links from the malicious email. + type: bool + send_copy: + description: + - Send a copy of the malicious email to the recipient list. + type: bool + send_copy_list: + description: + - Recipient list to send a copy of the malicious email. + type: list + overrides: + description: + - Overrides per profile for this protection. + type: list + suboptions: + action: + description: + - Protection action. + type: str + choices: ['Threat Cloud: Inactive', 'Detect', 'Prevent
Core: Drop', 'Inactive', 'Accept'] + protection: + description: + - IPS protection identified by name or UID. + type: str + capture_packets: + description: + - Capture packets. + type: bool + track: + description: + - Tracking method for protection. + type: str + choices: ['none', 'log', 'alert', 'mail', 'snmp trap', 'user alert', 'user alert 1', 'user alert 2'] + tags: + description: + - Collection of tag identifiers. + type: list + use_indicators: + description: + - Indicates whether the profile should make use of indicators. + type: bool + anti_bot: + description: + - Is Anti-Bot blade activated. + type: bool + anti_virus: + description: + - Is Anti-Virus blade activated. + type: bool + ips: + description: + - Is IPS blade activated. + type: bool + threat_emulation: + description: + - Is Threat Emulation blade activated. + type: bool + activate_protections_by_extended_attributes: + description: + - Activate protections by these extended attributes. + type: list + suboptions: + name: + description: + - IPS tag name. + type: str + category: + description: + - IPS tag category name. + type: str + deactivate_protections_by_extended_attributes: + description: + - Deactivate protections by these extended attributes. + type: list + suboptions: + name: + description: + - IPS tag name. + type: str + category: + description: + - IPS tag category name. + type: str + use_extended_attributes: + description: + - Whether to activate/deactivate IPS protections according to the extended attributes. + type: bool + color: + description: + - Color of the object. Should be one of existing colors. 
+ type: str + choices: ['aquamarine', 'black', 'blue', 'crete blue', 'burlywood', 'cyan', 'dark green', 'khaki', 'orchid', 'dark orange', 'dark sea green', + 'pink', 'turquoise', 'dark blue', 'firebrick', 'brown', 'forest green', 'gold', 'dark gold', 'gray', 'dark gray', 'light green', 'lemon chiffon', + 'coral', 'sea green', 'sky blue', 'magenta', 'purple', 'slate blue', 'violet red', 'navy blue', 'olive', 'orange', 'red', 'sienna', 'yellow'] + comments: + description: + - Comments string. + type: str + details_level: + description: + - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed + representation of the object. + type: str + choices: ['uid', 'standard', 'full'] + ignore_warnings: + description: + - Apply changes ignoring warnings. + type: bool + ignore_errors: + description: + - Apply changes ignoring errors. You won't be able to publish such a changes. If ignore-warnings flag was omitted - warnings will also be ignored. 
+ type: bool +extends_documentation_fragment: checkpoint_objects +""" + +EXAMPLES = """ +- name: add-threat-profile + cp_mgmt_threat_profile: + active_protections_performance_impact: low + active_protections_severity: low or above + anti_bot: true + anti_virus: true + confidence_level_high: prevent + confidence_level_medium: prevent + ips: true + ips_settings: + exclude_protection_with_performance_impact: true + exclude_protection_with_performance_impact_mode: high or lower + newly_updated_protections: staging + name: New Profile 1 + state: present + threat_emulation: true + +- name: set-threat-profile + cp_mgmt_threat_profile: + active_protections_performance_impact: low + active_protections_severity: low or above + anti_bot: true + anti_virus: false + comments: update recommended profile + confidence_level_high: prevent + confidence_level_low: prevent + confidence_level_medium: prevent + ips: false + ips_settings: + exclude_protection_with_performance_impact: true + exclude_protection_with_performance_impact_mode: high or lower + newly_updated_protections: active + name: New Profile 1 + state: present + threat_emulation: true + +- name: delete-threat-profile + cp_mgmt_threat_profile: + name: New Profile 1 + state: absent +""" + +RETURN = """ +cp_mgmt_threat_profile: + description: The checkpoint object created or updated. + returned: always, except when deleting the object. 
+ type: dict +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_objects, api_call + + +def main(): + argument_spec = dict( + name=dict(type='str', required=True), + active_protections_performance_impact=dict(type='str', choices=['high', 'medium', 'low', 'very_low']), + active_protections_severity=dict(type='str', choices=['Critical', 'High', 'Medium or above', 'Low or above']), + confidence_level_high=dict(type='str', choices=['Inactive', 'Ask', 'Prevent', 'Detect']), + confidence_level_low=dict(type='str', choices=['Inactive', 'Ask', 'Prevent', 'Detect']), + confidence_level_medium=dict(type='str', choices=['Inactive', 'Ask', 'Prevent', 'Detect']), + indicator_overrides=dict(type='list', options=dict( + action=dict(type='str', choices=['Inactive', 'Ask', 'Prevent', 'Detect']), + indicator=dict(type='str') + )), + ips_settings=dict(type='dict', options=dict( + exclude_protection_with_performance_impact=dict(type='bool'), + exclude_protection_with_performance_impact_mode=dict(type='str', choices=['very low', 'low or lower', 'medium or lower', 'high or lower']), + exclude_protection_with_severity=dict(type='bool'), + exclude_protection_with_severity_mode=dict(type='str', choices=['low or above', 'medium or above', 'high or above', 'critical']), + newly_updated_protections=dict(type='str', choices=['active', 'inactive', 'staging']) + )), + malicious_mail_policy_settings=dict(type='dict', options=dict( + add_customized_text_to_email_body=dict(type='bool'), + add_email_subject_prefix=dict(type='bool'), + add_x_header_to_email=dict(type='bool'), + email_action=dict(type='str', choices=['allow', 'block']), + email_body_customized_text=dict(type='str'), + email_subject_prefix_text=dict(type='str'), + failed_to_scan_attachments_text=dict(type='str'), + malicious_attachments_text=dict(type='str'), + malicious_links_text=dict(type='str'), + 
remove_attachments_and_links=dict(type='bool'), + send_copy=dict(type='bool'), + send_copy_list=dict(type='list') + )), + overrides=dict(type='list', options=dict( + action=dict(type='str', choices=['Threat Cloud: Inactive', 'Detect', 'Prevent
Core: Drop', 'Inactive', 'Accept']), + protection=dict(type='str'), + capture_packets=dict(type='bool'), + track=dict(type='str', choices=['none', 'log', 'alert', 'mail', 'snmp trap', 'user alert', 'user alert 1', 'user alert 2']) + )), + tags=dict(type='list'), + use_indicators=dict(type='bool'), + anti_bot=dict(type='bool'), + anti_virus=dict(type='bool'), + ips=dict(type='bool'), + threat_emulation=dict(type='bool'), + activate_protections_by_extended_attributes=dict(type='list', options=dict( + name=dict(type='str'), + category=dict(type='str') + )), + deactivate_protections_by_extended_attributes=dict(type='list', options=dict( + name=dict(type='str'), + category=dict(type='str') + )), + use_extended_attributes=dict(type='bool'), + color=dict(type='str', choices=['aquamarine', 'black', 'blue', 'crete blue', 'burlywood', 'cyan', 'dark green', + 'khaki', 'orchid', 'dark orange', 'dark sea green', 'pink', 'turquoise', 'dark blue', 'firebrick', 'brown', + 'forest green', 'gold', 'dark gold', 'gray', 'dark gray', 'light green', 'lemon chiffon', 'coral', 'sea green', + 'sky blue', 'magenta', 'purple', 'slate blue', 'violet red', 'navy blue', 'olive', 'orange', 'red', 'sienna', + 'yellow']), + comments=dict(type='str'), + details_level=dict(type='str', choices=['uid', 'standard', 'full']), + ignore_warnings=dict(type='bool'), + ignore_errors=dict(type='bool') + ) + argument_spec.update(checkpoint_argument_spec_for_objects) + + module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True) + api_call_object = 'threat-profile' + + result = api_call(module, api_call_object) + module.exit_json(**result) + + +if __name__ == '__main__': + main() diff --git a/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile_facts.py b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile_facts.py new file mode 100644 index 00000000000..99b2df2a176 --- /dev/null +++ b/lib/ansible/modules/network/checkpoint/cp_mgmt_threat_profile_facts.py 
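Review bot: The EXAMPLES block in this hunk uses values that the module's own case-sensitive `choices` lists will reject: `confidence_level_high: prevent`, `confidence_level_medium: prevent` and `confidence_level_low: prevent` against `['Inactive', 'Ask', 'Prevent', 'Detect']`, and `active_protections_severity: low or above` against `['Critical', 'High', 'Medium or above', 'Low or above']`, so the add-threat-profile and set-threat-profile examples fail AnsibleModule argument validation before any API call is made. Either the examples should read `confidence_level_high: Prevent` and `active_protections_severity: Low or above`, or the top-level choices should be normalized to one case, since the `ips_settings` choices in the same module are all lowercase and the mixed casing is easy to trip over. Separately, the `overrides.action` choice that appears here as `'Prevent` / `Core: Drop'` spans a line break; if that is a literal `<br>` carried over from the API reference rather than an artifact of how this page was extracted, no playbook value can ever match it and the Core Drop action is unselectable, so it should be a single plain string (whatever the Web Services API actually accepts) or two separate choices. Because this profile decides whether protections prevent or only detect, a validation failure is preferable to a silent mismatch, but the shipped examples should at least run as written.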
@@ -0,0 +1,126 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Ansible module to manage CheckPoint Firewall (c) 2019 +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +from __future__ import (absolute_import, division, print_function) + +__metaclass__ = type + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +DOCUMENTATION = """ +--- +module: cp_mgmt_threat_profile_facts +short_description: Get threat-profile objects facts on Checkpoint over Web Services API +description: + - Get threat-profile objects facts on Checkpoint devices. + - All operations are performed over Web Services API. + - This module handles both operations, get a specific object and get several objects, + For getting a specific object use the parameter 'name'. +version_added: "2.9" +author: "Or Soffer (@chkp-orso)" +options: + name: + description: + - Object name. + This parameter is relevant only for getting a specific object. + type: str + details_level: + description: + - The level of detail for some of the fields in the response can vary from showing only the UID value of the object to a fully detailed + representation of the object. + type: str + choices: ['uid', 'standard', 'full'] + limit: + description: + - No more than that many results will be returned. + This parameter is relevant only for getting few objects. 
+ type: int + offset: + description: + - Skip that many results before beginning to return them. + This parameter is relevant only for getting few objects. + type: int + order: + description: + - Sorts results by the given field. By default the results are sorted in the ascending order by name. + This parameter is relevant only for getting few objects. + type: list + suboptions: + ASC: + description: + - Sorts results by the given field in ascending order. + type: str + choices: ['name'] + DESC: + description: + - Sorts results by the given field in descending order. + type: str + choices: ['name'] +extends_documentation_fragment: checkpoint_facts +""" + +EXAMPLES = """ +- name: show-threat-profile + cp_mgmt_threat_profile_facts: + name: Recommended_Profile + +- name: show-threat-profiles + cp_mgmt_threat_profile_facts: + details_level: standard + limit: 50 + offset: 0 +""" + +RETURN = """ +ansible_facts: + description: The checkpoint object facts. + returned: always. + type: dict +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec_for_facts, api_call_facts + + +def main(): + argument_spec = dict( + name=dict(type='str'), + details_level=dict(type='str', choices=['uid', 'standard', 'full']), + limit=dict(type='int'), + offset=dict(type='int'), + order=dict(type='list', options=dict( + ASC=dict(type='str', choices=['name']), + DESC=dict(type='str', choices=['name']) + )) + ) + argument_spec.update(checkpoint_argument_spec_for_facts) + + module = AnsibleModule(argument_spec=argument_spec) + + api_call_object = "threat-profile" + api_call_object_plural_version = "threat-profiles" + + result = api_call_facts(module, api_call_object, api_call_object_plural_version) + module.exit_json(ansible_facts=result) + + +if __name__ == '__main__': + main()
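Review bot: `cp_mgmt_threat_profile_facts` is a read-only module but constructs `AnsibleModule(argument_spec=argument_spec)` without `supports_check_mode=True`, so the task is skipped entirely under `ansible-playbook --check` and any task that gates on the returned profile facts sees nothing; the sibling `cp_mgmt_threat_profile` module in this same patch does declare check-mode support. The fix is one line: `module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)`. Note also that `main()` passes the helper's result straight through as `ansible_facts=result`, so every top-level key of that result becomes a host variable for the rest of the play; whether `api_call_facts` already namespaces the response is outside this hunk, but if it does not, a generic key such as `name` or `uid` can shadow other facts and is worth wrapping under a module-specific key.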