Module checkpoint

  • License: Inmanta EULA

  • Version: 5.0.0

Typedefs

typedef checkpoint::action_type

  • Base type string

  • Type constraint (self in ['Accept', 'Drop'])

typedef checkpoint::position_type

  • Base type string

  • Type constraint (self in ['top', 'above', 'below', 'bottom'])

typedef checkpoint::script_type

  • Base type string

  • Type constraint /\S/

typedef checkpoint::service_type

  • Base type string

  • Type constraint (self in ['icmp', 'tcp', 'udp', 'sctp'])

typedef checkpoint::track_type_t

  • Base type string

  • Type constraint (self in ['Log', 'Extended Log', 'Detailed Log', 'None'])

Entities

entity checkpoint::AbstractGroup

Parents: checkpoint::NetworkObject

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-group~v1.1%20

relation checkpoint::AnonymousNamedObject members [0:*]

other end: checkpoint::AnonymousNamedObject.security_groups [0:*]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::AnonymousNamedObject

Parents: checkpoint::ExpandableObject

Simple named object. It defines self.effective_members to gather all effective children. A NetworkObject is effective if it points to some definite target. A group with no effective_members (i.e. that only contains empty groups) is not a valid target for a firewall rule and will cause failure during policy install.

This object has no index assigned to it, and can duplicate a reference to another NamedObject

attribute string name
attribute bool purged=false
relation checkpoint::AnonymousNamedObject effective_members [0:*]
relation checkpoint::AbstractGroup security_groups [0:*]

other end: checkpoint::AbstractGroup.members [0:*]

relation checkpoint::SharedGroup removed_from_groups [0:*]

other end: checkpoint::SharedGroup.removed_members [0:*]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::CheckpointResource

Parents: std::PurgeableResource, std::ManagedResource

Basic resource for every Checkpoint resource.

attribute string agent_name
attribute bool send_event=true
attribute bool purge_on_delete=false
attribute bool custom_agent=false
relation checkpoint::Credentials credentials [1]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::CommonService

Parents: checkpoint::Service

Basic common service entity.

attribute int port

Port number used to provide the service.

attribute int? source_port=null

Port number for the client side service. If specified, only those source port numbers will be accepted, dropped, or rejected during packet inspection.

entity checkpoint::Credentials

Parents: std::Entity

Basic credentials entity

attribute string host

Host

attribute string? username

Username

attribute string? password

Password

attribute string? username_env_var=null

Name of environment variable that contains the username

attribute string? password_env_var=null

Name of environment variable that contains the password

attribute bool unsafe_auto_accept=true

Defines if the handler should accept the fingerprint without verification, or not

attribute bool start_agent=false

If true agent will be started (default: false)

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::ExpandableObject

Parents: std::Entity

Provides an interface that gathers all the children objects with self into self.expanded_objects relation.

relation checkpoint::ExpandableObject parent_objects [0:*]

other end: checkpoint::ExpandableObject.expanded_objects [0:*]

relation checkpoint::ExpandableObject expanded_objects [0:*]

other end: checkpoint::ExpandableObject.parent_objects [0:*]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::Group

Parents: checkpoint::AbstractGroup

Completely manage the members of a group, without allowing co-management. After deployment of this desired state the members will be exactly as specified. For co-management, use SharedGroup

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::Host

Parents: checkpoint::NetworkObject

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-host~v1.1%20

attribute std::ipv4_address ip_address

Ip address of the host.

The following implements statements select implementations for this entity:

entity checkpoint::ICMPService

Parents: checkpoint::Service

ICMP Service entity https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-service-icmp~v1.1%20

attribute int icmp_type

Type of the ICMP message.

attribute int icmp_code

Code of the ICMP message.

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::Interface

Parents: checkpoint::CheckpointResource

Resource used to run scripts through the Checkpoint API

attribute string context_name
attribute string trunk_local_port
attribute int vlanid
attribute std::ipv4_address ip_address
attribute int prefixlen
attribute string target
attribute int retry_interval=7

Interval in seconds after which the handler is going to retry the deployment of RunScript in case of a failure

attribute int retry_limit=5

Number of retries performed before an error

attribute bool allow_update_deletion=false

Allow the handler of the interface to delete to perform an update. If disabled the update of the interface will not work anymore.

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::NamedObject

Parents: checkpoint::AnonymousNamedObject, checkpoint::CheckpointResource

This object has an index and will ensure it is unique and conistently typed

attribute string name

Name of the object in Checkpoint Firewall

The following implements statements select implementations for this entity:

entity checkpoint::Network

Parents: checkpoint::NetworkObject

https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-network~v1.1%20

attribute std::ipv4_interface subnet

Ip address of the network as a cidr block.

The following implements statements select implementations for this entity:

entity checkpoint::NetworkObject

Parents: checkpoint::NamedObject, checkpoint::CheckpointResource

https://sc1.checkpoint.com/documents/latest/APIs/#introduction~v1.1%20

Network object might reference to unmanaged things Network object might be a member of a Group.

attribute bool ignore_warnings=false

Deploy a resource ignoring warnings from the Checkpoint

entity checkpoint::PolicyInstallBase

Parents: std::Entity

Trigger a policy install on checkpoint. The different generations of handlers have different strategies when it comes to evaluating whether a new install is required. Refer to their specific documenation (docstring) to learn more about it.

All policy install mechanism share the same failure strategy: - If a request to trigger a policy install fails, with any other error than

a conflict (meaning a policy install is probably already running). The handler fails immediately. This means the resource is trying to do something wrong. (See resource logs for more details)

  • If a request fails with a conflict error, we will retry it “later”. “Later”

    is defined as the time it took to perform the policy install request plus the retry interval. So the retry will naturally slow down with load. The retry sequence with these values will take (retry_interval + response_time) * retry_limit seconds before timeout. Where response_time is the time it takes for checkpoint to deny the request.

  • We stop retrying to perform a policy install after retry_limit failed attempts.

attribute string policy_package

name of the policy package to install

attribute string[] targets

name of the targets that should receive the policy_package

attribute int retry_interval=1

The time, in seconds, to wait between attempts to trigger a policy install when another policy install is ongoing.

attribute int retry_limit=50

Number of attempts performed before raising an error when another policy install is ongoing.

attribute bool overwrite=false

Determines if the policy is going to be overwritten in case of other policy package is currently installed for this particular target If False it raises an error. Caution: this behavior can not be guaranteed due to issues in the checkpoint api. When this policy was not recently installed on any target, the ‘installation-targets-revision’ field is not present in the ‘show-package’ checkpoint response. This makes it impossible for this handler to verify if the policy is already installed. We will fail the deployment in this case, but proceed with a warning.

attribute bool receive_events=true
entity checkpoint::PolicyInstallV2

Parents: checkpoint::CheckpointResource, checkpoint::PolicyInstallBase

A resource triggering policy install when one of its dependencies have changed.

see: https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.1

When using authentication on the orchestrator this version of PolicyInstall can not be used out of the box. Because is uses in its handler a client requiring api permissions, which would require an authentication token to communicate with the orchestrator. You can find more information about the additionnal setup in this use case in the README.md of te checkpoint module.

Here is the behavior of the entity under normal circumstances: 1. One resource (dependency of policy install) is created:

after its deployment finishes, a new policy install is done.

  1. One resource (dependency of policy install) is updated:

    after its deployment finishes, a new policy install is done.

  2. One resource (dependency of policy install) is purged:

    after its deployment finishes, a new policy install is done.

Here is the behavior of the entity in some corner cases: 1. The policy has never been installed: it will be installed,

regardless the fact it might not have dependencies.

  1. The last policy installation occurred further in time that

    the server can remember: it will be installed, regardless the fact it might not have dependencies.

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::PolicyInstallV3

Parents: checkpoint::CheckpointResource, checkpoint::PolicyInstallBase

A resource triggering policy install when one of its dependencies have changed.

see: https://sc1.checkpoint.com/documents/latest/APIs/#cli/install-policy~v1.1

When using authentication on the orchestrator this version of PolicyInstall can not be used out of the box. Because is uses in its handler a client requiring api permissions, which would require an authentication token to communicate with the orchestrator. You can find more information about the additionnal setup in this use case in the README.md of te checkpoint module.

Here is the behavior of the entity under normal circumstances: 1. One resource (dependency of policy install) is created:

after its deployment finishes, a new policy install is done.

  1. One resource (dependency of policy install) is updated:

    after its deployment finishes, a new policy install is done.

  2. One resource (dependency of policy install) is purged:

    after its deployment finishes, a new policy install is done.

Here is the behavior of the entity in some corner cases: 1. The policy has never been installed: it will be installed,

regardless the fact it might not have dependencies.

  1. The last policy installation occurred further in time that

    the server can remember: it will be installed, regardless the fact it might not have dependencies.

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::Route

Parents: checkpoint::CheckpointResource

Resource used to run scripts through the Checkpoint API

attribute string context_name
attribute string name
attribute std::ipv4_network prefix
attribute std::ipv4_address gateway
attribute string target
attribute int retry_interval=7

Interval in seconds after which the handler is going to retry the deployment of RunScript in case of a failure

attribute int retry_limit=5

Number of retries performed before an error

attribute bool allow_update_deletion=false

Allow the handler of the route to delete to perform an update. If disabled the update of the interface will not work anymore.

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::Rule

Parents: checkpoint::CheckpointResource, checkpoint::ExpandableObject

Rule entity https://sc1.checkpoint.com/documents/latest/APIs/#web/add-access-rule~v1.1%20

attribute string name

Name of the rule.

attribute string layer

Layer that the rule belongs to identified by the name or UID.

attribute checkpoint::action_type action='Drop'

Action type to be performed on a packet by this rule.

attribute checkpoint::position_type? position

Position in the rulebase

attribute string? position_reference_object

Reference object which we relate to in the position attribute.

attribute string? comments=null

Comments string.

relation checkpoint::ServiceReference services [0:*]

other end: checkpoint::ServiceReference.rules [0:*]

relation checkpoint::AnonymousNamedObject source [0:*]
relation checkpoint::AnonymousNamedObject destination [0:*]
relation checkpoint::RuleTrack track [0:1]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::RuleTrack

Parents: std::Entity

Track object in rule entity: https://sc1.checkpoint.com/documents/latest/APIs/#web/add-access-rule~v1.1%20

attribute bool? accounting=null

Turns accounting for track on and off.

attribute checkpoint::track_type_t? type=null

“Log”, “Extended Log”, “Detailed Log”, “None”.

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::RunScript

Parents: checkpoint::CheckpointResource

Resource used to run scripts through the Checkpoint API

attribute string script_name

Script name.

attribute checkpoint::script_type script

Script.

attribute string[] targets

Targets for a script.

attribute checkpoint::script_type? only_if

Script that determines the targets for which the ‘script’ will be executed

attribute checkpoint::script_type? unless

Script that determines the targets for which the ‘script’ will not be executed

attribute int retry_interval=7

Interval in seconds after which the handler is going to retry the deployment of RunScript in case of a failure

attribute int retry_limit=5

Number of retries performed before an error

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::SCTPService

Parents: checkpoint::CommonService

SCTP Service entity https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-service-sctp~v1.1%20

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::Service

Parents: checkpoint::ServiceReference, checkpoint::CheckpointResource

Basic service entity.

attribute checkpoint::service_type protocol

Select the protocol type associated with the service, and by implication, the management server (if any) that enforces Content Security and Authentication for the service. Selecting a Protocol Type invokes the specific protocol handlers for each protocol type, thus enabling higher level of security by parsing the protocol, and higher level of connectivity by tracking dynamic actions (such as opening of ports).

attribute bool ignore_warnings=false

Deploy a resource ignoring warnings from the Checkpoint

entity checkpoint::ServiceReference

Parents: checkpoint::ExpandableObject

Reference to existing service.

attribute string name

Name of the object in Checkpoint Firewall

relation checkpoint::Rule rules [0:*]

other end: checkpoint::Rule.services [0:*]

The following implements statements select implementations for this entity:

entity checkpoint::SharedGroup

Parents: checkpoint::AbstractGroup

A SharedGroup is a Group that can be co-managed It will make sure that - the SharedGroup.members are in the Group - the SharedGroup.removed_members are not in the Group It will not touch the remaining members (probably added by someone else)

relation checkpoint::AnonymousNamedObject removed_members [0:*]

other end: checkpoint::AnonymousNamedObject.removed_from_groups [0:*]

relation checkpoint::SharedGroupSubResource subresources [0:*]

other end: checkpoint::SharedGroupSubResource.owner [1]

The following implements statements select implementations for this entity:

  • constraint true

entity checkpoint::SharedGroupSubResource

Parents: std::PurgeableResource, std::ManagedResource, checkpoint::ExpandableObject

This is a way of breaking a single SharedGroup info multiple resources

All resources will manage the same group, like the SharedGroup

The distinguisher is used to make all resources have a unique name

This resource is intended for partial compile, where breaking up group ownership may be required.

attribute string distinguisher
attribute bool send_event=true
relation checkpoint::SharedGroup owner [1]

other end: checkpoint::SharedGroup.subresources [0:*]

relation checkpoint::AnonymousNamedObject members [0:*]
relation checkpoint::AnonymousNamedObject removed_members [0:*]

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::TCPService

Parents: checkpoint::CommonService

TCP Service entity https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-service-tcp~v1.1%20

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

entity checkpoint::UDPService

Parents: checkpoint::CommonService

UDP Service entity https://sc1.checkpoint.com/documents/latest/APIs/index.html?#web/add-service-udp~v1.1%20

The following implementations are defined for this entity:

The following implements statements select implementations for this entity:

Implementations

implementation checkpoint::checkpoint_resource
implementation checkpoint::ensure_consistency
implementation checkpoint::is_effective
implementation checkpoint::sharedGroupSubResource
implementation checkpoint::stdCredentials
implementation checkpoint::stdEffectiveMembers
implementation checkpoint::stdExpandableObject
implementation checkpoint::stdGroup
implementation checkpoint::stdICMPService
implementation checkpoint::stdRule
implementation checkpoint::stdSCTP
implementation checkpoint::stdTCP
implementation checkpoint::stdUDP

Plugins

checkpoint.gather_hosts_names(hosts: 'checkpoint::Host[]') 'string[]'
checkpoint.gather_named_objects(named_objects: 'checkpoint::AnonymousNamedObject[]') 'string[]'

Resources

class checkpoint.CommonService
class checkpoint.Group

Group resource.

class checkpoint.Host

Host resource.

class checkpoint.ICMPService
class checkpoint.Interface

Checkpoint Interface resource.

class checkpoint.Network

Network resource.

class checkpoint.PolicyInstallV2

Resource for the PolicyInstallV2 entity.

Here is the behavior of the entity under normal circumstances: 1. One resource (dependency of policy install) is created:

after its deployment finishes, a new policy install is done.

  1. One resource (dependency of policy install) is updated:

    after its deployment finishes, a new policy install is done.

  2. One resource (dependency of policy install) is purged:

    after its deployment finishes, a new policy install is done.

Here is the behavior of the entity in some corner cases: 1. The policy has never been installed: it will be installed,

regardless the fact it might not have dependencies.

  1. The last policy installation occurred further in time that

    the server can remember: it will be installed, regardless the fact it might not have dependencies.

class checkpoint.PolicyInstallV3

Resource for the PolicyInstall entity.

Here is the behavior of the entity under normal circumstances: 1. A new version of the model is created, with dependencies for

the policy install, the policy install is executed.

  1. A new version of the model is created, with no dependencies for the policy install, the policy install is not executed.

class checkpoint.Route

Checkpoint Interface resource.

class checkpoint.Rule

Checkpoint Object resource.

class checkpoint.RunScript

Checkpoint RunScript resource.

class checkpoint.SharedGroup
class checkpoint.SharedGroupSubResource

Handlers

class checkpoint.RunScriptHandler
class checkpoint.InterfaceHandler
class checkpoint.RouteHandler
class checkpoint.PolicyInstallV2Handler
class checkpoint.PolicyInstallV3Handler

This handler is, in its behavior, mostly the same as V2 Implementation wise, the complex logic of determining when to deploy has been moved onto the server.

This means that the resource field and the operation_uuid fields are gone. Removing these fields makes this resource more suitable for partial compile

class checkpoint.SharedGroupHandler
class checkpoint.CheckpointObjectHandler