published on Monday, Mar 30, 2026 by checkpointsw
Create ManagementCommandSetGlobalProperties Resource
Resources are created with functions called constructors. To learn more about declaring and configuring resources, see Resources.
Constructor syntax
new ManagementCommandSetGlobalProperties(name: string, args?: ManagementCommandSetGlobalPropertiesArgs, opts?: CustomResourceOptions);
@overload
def ManagementCommandSetGlobalProperties(resource_name: str,
args: Optional[ManagementCommandSetGlobalPropertiesArgs] = None,
opts: Optional[ResourceOptions] = None)
@overload
def ManagementCommandSetGlobalProperties(resource_name: str,
opts: Optional[ResourceOptions] = None,
advanced_conf: Optional[ManagementCommandSetGlobalPropertiesAdvancedConfArgs] = None,
allow_remote_registration_of_opsec_products: Optional[bool] = None,
authentication: Optional[ManagementCommandSetGlobalPropertiesAuthenticationArgs] = None,
carrier_security: Optional[ManagementCommandSetGlobalPropertiesCarrierSecurityArgs] = None,
connect_control: Optional[ManagementCommandSetGlobalPropertiesConnectControlArgs] = None,
data_access_control: Optional[ManagementCommandSetGlobalPropertiesDataAccessControlArgs] = None,
domains_to_processes: Optional[Sequence[str]] = None,
firewall: Optional[ManagementCommandSetGlobalPropertiesFirewallArgs] = None,
hit_count: Optional[ManagementCommandSetGlobalPropertiesHitCountArgs] = None,
ignore_errors: Optional[bool] = None,
ignore_warnings: Optional[bool] = None,
log_and_alerts: Optional[Sequence[ManagementCommandSetGlobalPropertiesLogAndAlertArgs]] = None,
management_command_set_global_properties_id: Optional[str] = None,
nat: Optional[ManagementCommandSetGlobalPropertiesNatArgs] = None,
non_unique_ip_address_ranges: Optional[Sequence[ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs]] = None,
num_spoofing_errs_that_trigger_brute_force: Optional[float] = None,
proxy: Optional[ManagementCommandSetGlobalPropertiesProxyArgs] = None,
qos: Optional[ManagementCommandSetGlobalPropertiesQosArgs] = None,
remote_accesses: Optional[Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessArgs]] = None,
stateful_inspection: Optional[ManagementCommandSetGlobalPropertiesStatefulInspectionArgs] = None,
user_accounts: Optional[ManagementCommandSetGlobalPropertiesUserAccountsArgs] = None,
user_authority: Optional[ManagementCommandSetGlobalPropertiesUserAuthorityArgs] = None,
user_check: Optional[ManagementCommandSetGlobalPropertiesUserCheckArgs] = None,
user_directory: Optional[ManagementCommandSetGlobalPropertiesUserDirectoryArgs] = None,
vpn: Optional[ManagementCommandSetGlobalPropertiesVpnArgs] = None)
func NewManagementCommandSetGlobalProperties(ctx *Context, name string, args *ManagementCommandSetGlobalPropertiesArgs, opts ...ResourceOption) (*ManagementCommandSetGlobalProperties, error)
public ManagementCommandSetGlobalProperties(string name, ManagementCommandSetGlobalPropertiesArgs? args = null, CustomResourceOptions? opts = null)
public ManagementCommandSetGlobalProperties(String name, ManagementCommandSetGlobalPropertiesArgs args)
public ManagementCommandSetGlobalProperties(String name, ManagementCommandSetGlobalPropertiesArgs args, CustomResourceOptions options)
type: checkpoint:ManagementCommandSetGlobalProperties
properties: # The arguments to resource properties.
options: # Bag of options to control resource's behavior.
Parameters
- name string
- The unique name of the resource.
- args ManagementCommandSetGlobalPropertiesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- resource_name str
- The unique name of the resource.
- args ManagementCommandSetGlobalPropertiesArgs
- The arguments to resource properties.
- opts ResourceOptions
- Bag of options to control resource's behavior.
- ctx Context
- Context object for the current deployment.
- name string
- The unique name of the resource.
- args ManagementCommandSetGlobalPropertiesArgs
- The arguments to resource properties.
- opts ResourceOption
- Bag of options to control resource's behavior.
- name string
- The unique name of the resource.
- args ManagementCommandSetGlobalPropertiesArgs
- The arguments to resource properties.
- opts CustomResourceOptions
- Bag of options to control resource's behavior.
- name String
- The unique name of the resource.
- args ManagementCommandSetGlobalPropertiesArgs
- The arguments to resource properties.
- options CustomResourceOptions
- Bag of options to control resource's behavior.
Constructor example
The following reference example uses placeholder values for all input properties.
var managementCommandSetGlobalPropertiesResource = new Checkpoint.ManagementCommandSetGlobalProperties("managementCommandSetGlobalPropertiesResource", new()
{
AdvancedConf = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesAdvancedConfArgs
{
CertsAndPki = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPkiArgs
{
CertValidationEnforceKeySize = "string",
HostCertsEcdsaKeySize = "string",
HostCertsKeySize = "string",
},
},
AllowRemoteRegistrationOfOpsecProducts = false,
Authentication = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesAuthenticationArgs
{
AllowedSuffixForInternalUsers = "string",
AuthInternalUsersWithSpecificSuffix = false,
DelayEachAuthAttemptBy = 0,
EnableDelayedAuth = false,
MaxClientAuthAttemptsBeforeConnectionTermination = 0,
MaxDaysBeforeExpirationOfNonPulledUserCertificates = 0,
MaxRloginAttemptsBeforeConnectionTermination = 0,
MaxSessionAuthAttemptsBeforeConnectionTermination = 0,
MaxTelnetAttemptsBeforeConnectionTermination = 0,
},
CarrierSecurity = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesCarrierSecurityArgs
{
AggressiveAging = false,
AggressiveTimeout = 0,
AllowGgsnRepliesFromMultipleInterfaces = false,
BlockGtpInGtp = false,
EnableGPduSeqNumberCheckWithMaxDeviation = false,
EnableReverseConnections = false,
EnforceGtpAntiSpoofing = false,
GPduSeqNumberCheckMaxDeviation = 0,
GtpSignalingRateLimitSamplingInterval = 0,
MemoryActivationThreshold = 0,
MemoryDeactivationThreshold = 0,
OneGtpEchoOnEachPathFrequency = 0,
ProduceExtendedLogsOnUnmatchedPdus = false,
ProduceExtendedLogsOnUnmatchedPdusPosition = "string",
ProtocolViolationTrackOption = "string",
TunnelActivationThreshold = 0,
TunnelDeactivationThreshold = 0,
VerifyFlowLabels = false,
},
ConnectControl = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesConnectControlArgs
{
LoadAgentsPort = 0,
LoadMeasurementInterval = 0,
PersistenceServerTimeout = 0,
ServerAvailabilityCheckInterval = 0,
ServerCheckRetries = 0,
},
DataAccessControl = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesDataAccessControlArgs
{
AutoDownloadImportantData = false,
AutoDownloadSwUpdatesAndNewFeatures = false,
SendAnonymousInfo = false,
ShareSensitiveInfo = false,
},
DomainsToProcesses = new[]
{
"string",
},
Firewall = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesFirewallArgs
{
AcceptControlConnections = false,
AcceptDomainNameOverTcp = false,
AcceptDomainNameOverTcpPosition = "string",
AcceptDomainNameOverUdp = false,
AcceptDomainNameOverUdpPosition = "string",
AcceptDynamicAddrModulesOutgoingInternetConnections = false,
AcceptIcmpRequests = false,
AcceptIcmpRequestsPosition = "string",
AcceptIdentityAwarenessControlConnections = false,
AcceptIdentityAwarenessControlConnectionsPosition = "string",
AcceptIncomingTrafficToDhcpAndDnsServicesOfGws = false,
AcceptIps1ManagementConnections = false,
AcceptOutgoingPacketsOriginatingFromConnectraGw = false,
AcceptOutgoingPacketsOriginatingFromGw = false,
AcceptOutgoingPacketsOriginatingFromGwPosition = "string",
AcceptOutgoingPacketsToCpOnlineServices = false,
AcceptOutgoingPacketsToCpOnlineServicesPosition = "string",
AcceptRemoteAccessControlConnections = false,
AcceptRip = false,
AcceptRipPosition = "string",
AcceptSmartUpdateConnections = false,
AcceptVrrpPacketsOriginatingFromClusterMembers = false,
AcceptWebAndSshConnectionsForGwAdministration = false,
LogImpliedRules = false,
SecurityServer = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesFirewallSecurityServerArgs
{
ClientAuthWelcomeFile = "string",
FtpWelcomeMsgFile = "string",
HttpNextProxyHost = "string",
HttpNextProxyPort = 0,
HttpServers = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServerArgs
{
Host = "string",
LogicalName = "string",
Port = 0,
Reauthentication = "string",
},
},
MdqWelcomeMsg = "string",
RloginWelcomeMsgFile = "string",
ServerForNullRequests = "string",
SmtpWelcomeMsg = "string",
TelnetWelcomeMsgFile = "string",
},
},
HitCount = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesHitCountArgs
{
EnableHitCount = false,
KeepHitCountDataUpTo = "string",
},
IgnoreErrors = false,
IgnoreWarnings = false,
LogAndAlerts = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesLogAndAlertArgs
{
AdministrativeNotifications = "string",
Alerts = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesLogAndAlertAlertsArgs
{
DefaultTrackOptionForSystemAlerts = "string",
MailAlertScript = "string",
PopupAlertScript = "string",
SendMailAlertToSmartviewMonitor = false,
SendPopupAlertToSmartviewMonitor = false,
SendSnmpTrapAlertToSmartviewMonitor = false,
SendUserDefinedAlertNum1ToSmartviewMonitor = false,
SendUserDefinedAlertNum2ToSmartviewMonitor = false,
SendUserDefinedAlertNum3ToSmartviewMonitor = false,
SnmpTrapAlertScript = "string",
UserDefinedScriptNum1 = "string",
UserDefinedScriptNum2 = "string",
UserDefinedScriptNum3 = "string",
},
ConnectionMatchedBySam = "string",
DynamicObjectResolutionFailure = "string",
LogEveryAuthenticatedHttpConnection = false,
LogTraffic = "string",
PacketIsIncorrectlyTagged = "string",
PacketTaggingBruteForceAttack = "string",
SlaViolation = "string",
TimeSettings = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettingsArgs
{
ExcessiveLogGracePeriod = 0,
LogsResolvingTimeout = 0,
StatusFetchingInterval = 0,
VirtualLinkStatisticsLoggingInterval = 0,
},
VpnConfAndKeyExchangeErrors = "string",
VpnPacketHandlingError = "string",
VpnSuccessfulKeyExchange = "string",
},
},
ManagementCommandSetGlobalPropertiesId = "string",
Nat = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesNatArgs
{
AddrAllocAndReleaseTrack = "string",
AddrExhaustionTrack = "string",
AllowBiDirectionalNat = false,
AutoArpConf = false,
AutoTranslateDestOnClientSide = false,
EnableIpPoolNat = false,
ManuallyTranslateDestOnClientSide = false,
MergeManualProxyArpConf = false,
},
NonUniqueIpAddressRanges = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs
{
AddressType = "string",
FirstIpv4Address = "string",
FirstIpv6Address = "string",
LastIpv4Address = "string",
LastIpv6Address = "string",
},
},
NumSpoofingErrsThatTriggerBruteForce = 0,
Proxy = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesProxyArgs
{
ProxyAddress = "string",
ProxyPort = 0,
UseProxyServer = false,
},
Qos = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesQosArgs
{
AuthenticatedIpExpiration = 0,
DefaultWeightOfRule = 0,
MaxWeightOfRule = 0,
NonAuthenticatedIpExpiration = 0,
UnansweredQueriedIpExpiration = 0,
UnitOfMeasure = "string",
},
RemoteAccesses = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessArgs
{
EnableBackConnections = false,
EncryptDnsTraffic = false,
EndpointConnect = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectArgs
{
CachePasswordTimeout = 0,
ClientUpgradeMode = "string",
ConnectMode = "string",
DisconnectWhenConnToNetworkIsLost = "string",
DisconnectWhenDeviceIsIdle = "string",
EnablePasswordCaching = "string",
NetworkLocationAwareness = "string",
NetworkLocationAwarenessConf = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConfArgs
{
ConsiderUndefinedDnsSuffixesAsExternal = false,
ConsiderWirelessNetworksAsExternal = false,
DnsSuffixes = new[]
{
"string",
},
ExcludedInternalWirelessNetworks = new[]
{
"string",
},
NetworkOrGroupOfConnVpnClient = "string",
RememberPreviouslyDetectedExternalNetworks = false,
VpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient = "string",
},
ReAuthUserInterval = 0,
RouteAllTrafficToGw = "string",
},
HotSpotAndHotelRegistration = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistrationArgs
{
EnableRegistration = false,
LocalSubnetsAccessOnly = false,
MaxIpAccessDuringRegistration = 0,
Ports = new[]
{
"string",
},
RegistrationTimeout = 0,
TrackLog = false,
},
KeepAlivePacketToGwInterval = 0,
Scv = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessScvArgs
{
ApplyScvOnSimplifiedModeFwPolicies = false,
Exceptions = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessScvExceptionArgs
{
Hosts = new[]
{
"string",
},
Services = new[]
{
"string",
},
},
},
GenerateLog = false,
NoScvForUnsupportedCpClients = false,
NotifyUser = false,
OnlyTcpIpProtocolsAreUsed = false,
PolicyInstalledOnAllInterfaces = false,
UponVerificationAcceptAndLogClientConnection = false,
},
SecureClientMobile = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobileArgs
{
AutomaticallyInitiateDialup = "string",
CachePasswordTimeout = 0,
ConnectMode = "string",
DisconnectWhenDeviceIsIdle = "string",
EnablePasswordCaching = "string",
ReAuthUserInterval = 0,
RouteAllTrafficToGw = "string",
SupportedEncryptionMethods = "string",
UserAuthMethod = "string",
},
SimultaneousLoginMode = "string",
SslNetworkExtender = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtenderArgs
{
ClientOutgoingKeepAlivePacketsFrequency = 0,
ClientUninstallUponDisconnection = "string",
ClientUpgradeUponConnection = "string",
ReAuthUserInterval = 0,
ScanEpMachineForComplianceWithEpCompliancePolicy = false,
SupportedEncryptionMethods = "string",
UserAuthMethod = "string",
},
VpnAdvanced = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvancedArgs
{
AllowClearTrafficToEncryptionDomainWhenDisconnected = false,
EnableLoadDistributionForMepConf = false,
UseFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite = false,
},
VpnAuthenticationAndEncryptions = new[]
{
new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionArgs
{
EncryptionAlgorithms = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsArgs
{
Ike = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeArgs
{
SupportDataIntegrity = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrityArgs
{
AesXcbc = false,
Md5 = false,
Sha1 = false,
Sha256 = false,
},
SupportDiffieHellmanGroups = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroupsArgs
{
Group1 = false,
Group14 = false,
Group2 = false,
Group5 = false,
},
SupportEncryptionAlgorithms = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithmsArgs
{
Aes128 = false,
Aes256 = false,
Des = false,
Tdes = false,
},
UseDataIntegrity = "string",
UseDiffieHellmanGroup = "string",
UseEncryptionAlgorithm = "string",
},
Ipsec = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecArgs
{
EnforceEncryptionAlgAndDataIntegrityOnAllUsers = false,
SupportDataIntegrity = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrityArgs
{
AesXcbc = false,
Md5 = false,
Sha1 = false,
Sha256 = false,
},
SupportEncryptionAlgorithms = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithmsArgs
{
Aes128 = false,
Aes256 = false,
Des = false,
Tdes = false,
},
UseDataIntegrity = "string",
UseEncryptionAlgorithm = "string",
},
},
EncryptionMethod = "string",
L2tpPreSharedKey = "string",
PreSharedSecret = false,
SupportL2tpWithPreSharedKey = false,
SupportLegacyAuthForScL2tpNokiaClients = false,
SupportLegacyEap = false,
},
},
},
},
StatefulInspection = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesStatefulInspectionArgs
{
AcceptStatefulIcmpErrors = false,
AcceptStatefulIcmpReplies = false,
AcceptStatefulOtherIpProtocolsRepliesForUnknownServices = false,
AcceptStatefulUdpRepliesForUnknownServices = false,
DropOutOfStateIcmpPackets = false,
DropOutOfStateSctpPackets = false,
DropOutOfStateTcpPackets = false,
IcmpVirtualSessionTimeout = 0,
LogOnDropOutOfStateIcmpPackets = false,
LogOnDropOutOfStateSctpPackets = false,
LogOnDropOutOfStateTcpPackets = false,
OtherIpProtocolsVirtualSessionTimeout = 0,
SctpEndTimeout = 0,
SctpSessionTimeout = 0,
SctpStartTimeout = 0,
TcpEndTimeout = 0,
TcpEndTimeoutR8020GwAndAbove = 0,
TcpOutOfStateDropExceptions = new[]
{
"string",
},
TcpSessionTimeout = 0,
TcpStartTimeout = 0,
UdpVirtualSessionTimeout = 0,
},
UserAccounts = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesUserAccountsArgs
{
DaysUntilExpiration = 0,
ExpirationDate = "string",
ExpirationDateMethod = "string",
ShowAccountsExpirationIndicationDaysInAdvance = false,
},
UserAuthority = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesUserAuthorityArgs
{
DisplayWebAccessView = false,
TrustOnlyFollowingWindowsDomains = new[]
{
"string",
},
WindowsDomainsToTrust = "string",
},
UserCheck = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesUserCheckArgs
{
PreferredLanguage = "string",
SendEmailsUsingMailServer = "string",
},
UserDirectory = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesUserDirectoryArgs
{
CacheSize = 0,
DisplayUserDnAtLogin = "string",
EnablePasswordChangeWhenUserActiveDirectoryExpires = false,
EnablePasswordExpirationConfiguration = false,
EnforceRulesForUserMgmtAdmins = false,
MinPasswordLength = 0,
PasswordExpiresAfter = 0,
PasswordMustIncludeADigit = false,
PasswordMustIncludeASymbol = false,
PasswordMustIncludeLowercaseChar = false,
PasswordMustIncludeUppercaseChar = false,
TimeoutOnCachedUsers = 0,
},
Vpn = new Checkpoint.Inputs.ManagementCommandSetGlobalPropertiesVpnArgs
{
DomainNameForDnsResolving = "string",
EnableBackupGw = false,
EnableDecryptOnAcceptForGwToGwTraffic = false,
EnableLoadDistributionForMepConf = false,
EnableVpnDirectionalMatchInVpnColumn = false,
GracePeriodAfterTheCrlIsNotValid = 0,
GracePeriodBeforeTheCrlIsValid = 0,
GracePeriodExtensionForSecureRemoteSecureClient = 0,
SupportIkeDosProtectionFromIdentifiedSrc = "string",
SupportIkeDosProtectionFromUnidentifiedSrc = "string",
VpnConfMethod = "string",
},
});
example, err := checkpoint.NewManagementCommandSetGlobalProperties(ctx, "managementCommandSetGlobalPropertiesResource", &checkpoint.ManagementCommandSetGlobalPropertiesArgs{
AdvancedConf: &checkpoint.ManagementCommandSetGlobalPropertiesAdvancedConfArgs{
CertsAndPki: &checkpoint.ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPkiArgs{
CertValidationEnforceKeySize: pulumi.String("string"),
HostCertsEcdsaKeySize: pulumi.String("string"),
HostCertsKeySize: pulumi.String("string"),
},
},
AllowRemoteRegistrationOfOpsecProducts: pulumi.Bool(false),
Authentication: &checkpoint.ManagementCommandSetGlobalPropertiesAuthenticationArgs{
AllowedSuffixForInternalUsers: pulumi.String("string"),
AuthInternalUsersWithSpecificSuffix: pulumi.Bool(false),
DelayEachAuthAttemptBy: pulumi.Float64(0),
EnableDelayedAuth: pulumi.Bool(false),
MaxClientAuthAttemptsBeforeConnectionTermination: pulumi.Float64(0),
MaxDaysBeforeExpirationOfNonPulledUserCertificates: pulumi.Float64(0),
MaxRloginAttemptsBeforeConnectionTermination: pulumi.Float64(0),
MaxSessionAuthAttemptsBeforeConnectionTermination: pulumi.Float64(0),
MaxTelnetAttemptsBeforeConnectionTermination: pulumi.Float64(0),
},
CarrierSecurity: &checkpoint.ManagementCommandSetGlobalPropertiesCarrierSecurityArgs{
AggressiveAging: pulumi.Bool(false),
AggressiveTimeout: pulumi.Float64(0),
AllowGgsnRepliesFromMultipleInterfaces: pulumi.Bool(false),
BlockGtpInGtp: pulumi.Bool(false),
EnableGPduSeqNumberCheckWithMaxDeviation: pulumi.Bool(false),
EnableReverseConnections: pulumi.Bool(false),
EnforceGtpAntiSpoofing: pulumi.Bool(false),
GPduSeqNumberCheckMaxDeviation: pulumi.Float64(0),
GtpSignalingRateLimitSamplingInterval: pulumi.Float64(0),
MemoryActivationThreshold: pulumi.Float64(0),
MemoryDeactivationThreshold: pulumi.Float64(0),
OneGtpEchoOnEachPathFrequency: pulumi.Float64(0),
ProduceExtendedLogsOnUnmatchedPdus: pulumi.Bool(false),
ProduceExtendedLogsOnUnmatchedPdusPosition: pulumi.String("string"),
ProtocolViolationTrackOption: pulumi.String("string"),
TunnelActivationThreshold: pulumi.Float64(0),
TunnelDeactivationThreshold: pulumi.Float64(0),
VerifyFlowLabels: pulumi.Bool(false),
},
ConnectControl: &checkpoint.ManagementCommandSetGlobalPropertiesConnectControlArgs{
LoadAgentsPort: pulumi.Float64(0),
LoadMeasurementInterval: pulumi.Float64(0),
PersistenceServerTimeout: pulumi.Float64(0),
ServerAvailabilityCheckInterval: pulumi.Float64(0),
ServerCheckRetries: pulumi.Float64(0),
},
DataAccessControl: &checkpoint.ManagementCommandSetGlobalPropertiesDataAccessControlArgs{
AutoDownloadImportantData: pulumi.Bool(false),
AutoDownloadSwUpdatesAndNewFeatures: pulumi.Bool(false),
SendAnonymousInfo: pulumi.Bool(false),
ShareSensitiveInfo: pulumi.Bool(false),
},
DomainsToProcesses: pulumi.StringArray{
pulumi.String("string"),
},
Firewall: &checkpoint.ManagementCommandSetGlobalPropertiesFirewallArgs{
AcceptControlConnections: pulumi.Bool(false),
AcceptDomainNameOverTcp: pulumi.Bool(false),
AcceptDomainNameOverTcpPosition: pulumi.String("string"),
AcceptDomainNameOverUdp: pulumi.Bool(false),
AcceptDomainNameOverUdpPosition: pulumi.String("string"),
AcceptDynamicAddrModulesOutgoingInternetConnections: pulumi.Bool(false),
AcceptIcmpRequests: pulumi.Bool(false),
AcceptIcmpRequestsPosition: pulumi.String("string"),
AcceptIdentityAwarenessControlConnections: pulumi.Bool(false),
AcceptIdentityAwarenessControlConnectionsPosition: pulumi.String("string"),
AcceptIncomingTrafficToDhcpAndDnsServicesOfGws: pulumi.Bool(false),
AcceptIps1ManagementConnections: pulumi.Bool(false),
AcceptOutgoingPacketsOriginatingFromConnectraGw: pulumi.Bool(false),
AcceptOutgoingPacketsOriginatingFromGw: pulumi.Bool(false),
AcceptOutgoingPacketsOriginatingFromGwPosition: pulumi.String("string"),
AcceptOutgoingPacketsToCpOnlineServices: pulumi.Bool(false),
AcceptOutgoingPacketsToCpOnlineServicesPosition: pulumi.String("string"),
AcceptRemoteAccessControlConnections: pulumi.Bool(false),
AcceptRip: pulumi.Bool(false),
AcceptRipPosition: pulumi.String("string"),
AcceptSmartUpdateConnections: pulumi.Bool(false),
AcceptVrrpPacketsOriginatingFromClusterMembers: pulumi.Bool(false),
AcceptWebAndSshConnectionsForGwAdministration: pulumi.Bool(false),
LogImpliedRules: pulumi.Bool(false),
SecurityServer: &checkpoint.ManagementCommandSetGlobalPropertiesFirewallSecurityServerArgs{
ClientAuthWelcomeFile: pulumi.String("string"),
FtpWelcomeMsgFile: pulumi.String("string"),
HttpNextProxyHost: pulumi.String("string"),
HttpNextProxyPort: pulumi.Float64(0),
HttpServers: checkpoint.ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServerArray{
&checkpoint.ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServerArgs{
Host: pulumi.String("string"),
LogicalName: pulumi.String("string"),
Port: pulumi.Float64(0),
Reauthentication: pulumi.String("string"),
},
},
MdqWelcomeMsg: pulumi.String("string"),
RloginWelcomeMsgFile: pulumi.String("string"),
ServerForNullRequests: pulumi.String("string"),
SmtpWelcomeMsg: pulumi.String("string"),
TelnetWelcomeMsgFile: pulumi.String("string"),
},
},
HitCount: &checkpoint.ManagementCommandSetGlobalPropertiesHitCountArgs{
EnableHitCount: pulumi.Bool(false),
KeepHitCountDataUpTo: pulumi.String("string"),
},
IgnoreErrors: pulumi.Bool(false),
IgnoreWarnings: pulumi.Bool(false),
LogAndAlerts: checkpoint.ManagementCommandSetGlobalPropertiesLogAndAlertArray{
&checkpoint.ManagementCommandSetGlobalPropertiesLogAndAlertArgs{
AdministrativeNotifications: pulumi.String("string"),
Alerts: &checkpoint.ManagementCommandSetGlobalPropertiesLogAndAlertAlertsArgs{
DefaultTrackOptionForSystemAlerts: pulumi.String("string"),
MailAlertScript: pulumi.String("string"),
PopupAlertScript: pulumi.String("string"),
SendMailAlertToSmartviewMonitor: pulumi.Bool(false),
SendPopupAlertToSmartviewMonitor: pulumi.Bool(false),
SendSnmpTrapAlertToSmartviewMonitor: pulumi.Bool(false),
SendUserDefinedAlertNum1ToSmartviewMonitor: pulumi.Bool(false),
SendUserDefinedAlertNum2ToSmartviewMonitor: pulumi.Bool(false),
SendUserDefinedAlertNum3ToSmartviewMonitor: pulumi.Bool(false),
SnmpTrapAlertScript: pulumi.String("string"),
UserDefinedScriptNum1: pulumi.String("string"),
UserDefinedScriptNum2: pulumi.String("string"),
UserDefinedScriptNum3: pulumi.String("string"),
},
ConnectionMatchedBySam: pulumi.String("string"),
DynamicObjectResolutionFailure: pulumi.String("string"),
LogEveryAuthenticatedHttpConnection: pulumi.Bool(false),
LogTraffic: pulumi.String("string"),
PacketIsIncorrectlyTagged: pulumi.String("string"),
PacketTaggingBruteForceAttack: pulumi.String("string"),
SlaViolation: pulumi.String("string"),
TimeSettings: &checkpoint.ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettingsArgs{
ExcessiveLogGracePeriod: pulumi.Float64(0),
LogsResolvingTimeout: pulumi.Float64(0),
StatusFetchingInterval: pulumi.Float64(0),
VirtualLinkStatisticsLoggingInterval: pulumi.Float64(0),
},
VpnConfAndKeyExchangeErrors: pulumi.String("string"),
VpnPacketHandlingError: pulumi.String("string"),
VpnSuccessfulKeyExchange: pulumi.String("string"),
},
},
ManagementCommandSetGlobalPropertiesId: pulumi.String("string"),
Nat: &checkpoint.ManagementCommandSetGlobalPropertiesNatArgs{
AddrAllocAndReleaseTrack: pulumi.String("string"),
AddrExhaustionTrack: pulumi.String("string"),
AllowBiDirectionalNat: pulumi.Bool(false),
AutoArpConf: pulumi.Bool(false),
AutoTranslateDestOnClientSide: pulumi.Bool(false),
EnableIpPoolNat: pulumi.Bool(false),
ManuallyTranslateDestOnClientSide: pulumi.Bool(false),
MergeManualProxyArpConf: pulumi.Bool(false),
},
NonUniqueIpAddressRanges: checkpoint.ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArray{
&checkpoint.ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs{
AddressType: pulumi.String("string"),
FirstIpv4Address: pulumi.String("string"),
FirstIpv6Address: pulumi.String("string"),
LastIpv4Address: pulumi.String("string"),
LastIpv6Address: pulumi.String("string"),
},
},
NumSpoofingErrsThatTriggerBruteForce: pulumi.Float64(0),
Proxy: &checkpoint.ManagementCommandSetGlobalPropertiesProxyArgs{
ProxyAddress: pulumi.String("string"),
ProxyPort: pulumi.Float64(0),
UseProxyServer: pulumi.Bool(false),
},
Qos: &checkpoint.ManagementCommandSetGlobalPropertiesQosArgs{
AuthenticatedIpExpiration: pulumi.Float64(0),
DefaultWeightOfRule: pulumi.Float64(0),
MaxWeightOfRule: pulumi.Float64(0),
NonAuthenticatedIpExpiration: pulumi.Float64(0),
UnansweredQueriedIpExpiration: pulumi.Float64(0),
UnitOfMeasure: pulumi.String("string"),
},
RemoteAccesses: checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessArray{
&checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessArgs{
EnableBackConnections: pulumi.Bool(false),
EncryptDnsTraffic: pulumi.Bool(false),
EndpointConnect: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectArgs{
CachePasswordTimeout: pulumi.Float64(0),
ClientUpgradeMode: pulumi.String("string"),
ConnectMode: pulumi.String("string"),
DisconnectWhenConnToNetworkIsLost: pulumi.String("string"),
DisconnectWhenDeviceIsIdle: pulumi.String("string"),
EnablePasswordCaching: pulumi.String("string"),
NetworkLocationAwareness: pulumi.String("string"),
NetworkLocationAwarenessConf: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConfArgs{
ConsiderUndefinedDnsSuffixesAsExternal: pulumi.Bool(false),
ConsiderWirelessNetworksAsExternal: pulumi.Bool(false),
DnsSuffixes: pulumi.StringArray{
pulumi.String("string"),
},
ExcludedInternalWirelessNetworks: pulumi.StringArray{
pulumi.String("string"),
},
NetworkOrGroupOfConnVpnClient: pulumi.String("string"),
RememberPreviouslyDetectedExternalNetworks: pulumi.Bool(false),
VpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient: pulumi.String("string"),
},
ReAuthUserInterval: pulumi.Float64(0),
RouteAllTrafficToGw: pulumi.String("string"),
},
HotSpotAndHotelRegistration: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistrationArgs{
EnableRegistration: pulumi.Bool(false),
LocalSubnetsAccessOnly: pulumi.Bool(false),
MaxIpAccessDuringRegistration: pulumi.Float64(0),
Ports: pulumi.StringArray{
pulumi.String("string"),
},
RegistrationTimeout: pulumi.Float64(0),
TrackLog: pulumi.Bool(false),
},
KeepAlivePacketToGwInterval: pulumi.Float64(0),
Scv: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessScvArgs{
ApplyScvOnSimplifiedModeFwPolicies: pulumi.Bool(false),
Exceptions: checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessScvExceptionArray{
&checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessScvExceptionArgs{
Hosts: pulumi.StringArray{
pulumi.String("string"),
},
Services: pulumi.StringArray{
pulumi.String("string"),
},
},
},
GenerateLog: pulumi.Bool(false),
NoScvForUnsupportedCpClients: pulumi.Bool(false),
NotifyUser: pulumi.Bool(false),
OnlyTcpIpProtocolsAreUsed: pulumi.Bool(false),
PolicyInstalledOnAllInterfaces: pulumi.Bool(false),
UponVerificationAcceptAndLogClientConnection: pulumi.Bool(false),
},
SecureClientMobile: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobileArgs{
AutomaticallyInitiateDialup: pulumi.String("string"),
CachePasswordTimeout: pulumi.Float64(0),
ConnectMode: pulumi.String("string"),
DisconnectWhenDeviceIsIdle: pulumi.String("string"),
EnablePasswordCaching: pulumi.String("string"),
ReAuthUserInterval: pulumi.Float64(0),
RouteAllTrafficToGw: pulumi.String("string"),
SupportedEncryptionMethods: pulumi.String("string"),
UserAuthMethod: pulumi.String("string"),
},
SimultaneousLoginMode: pulumi.String("string"),
SslNetworkExtender: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtenderArgs{
ClientOutgoingKeepAlivePacketsFrequency: pulumi.Float64(0),
ClientUninstallUponDisconnection: pulumi.String("string"),
ClientUpgradeUponConnection: pulumi.String("string"),
ReAuthUserInterval: pulumi.Float64(0),
ScanEpMachineForComplianceWithEpCompliancePolicy: pulumi.Bool(false),
SupportedEncryptionMethods: pulumi.String("string"),
UserAuthMethod: pulumi.String("string"),
},
VpnAdvanced: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvancedArgs{
AllowClearTrafficToEncryptionDomainWhenDisconnected: pulumi.Bool(false),
EnableLoadDistributionForMepConf: pulumi.Bool(false),
UseFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite: pulumi.Bool(false),
},
VpnAuthenticationAndEncryptions: checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionArray{
&checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionArgs{
EncryptionAlgorithms: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsArgs{
Ike: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeArgs{
SupportDataIntegrity: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrityArgs{
AesXcbc: pulumi.Bool(false),
Md5: pulumi.Bool(false),
Sha1: pulumi.Bool(false),
Sha256: pulumi.Bool(false),
},
SupportDiffieHellmanGroups: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroupsArgs{
Group1: pulumi.Bool(false),
Group14: pulumi.Bool(false),
Group2: pulumi.Bool(false),
Group5: pulumi.Bool(false),
},
SupportEncryptionAlgorithms: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithmsArgs{
Aes128: pulumi.Bool(false),
Aes256: pulumi.Bool(false),
Des: pulumi.Bool(false),
Tdes: pulumi.Bool(false),
},
UseDataIntegrity: pulumi.String("string"),
UseDiffieHellmanGroup: pulumi.String("string"),
UseEncryptionAlgorithm: pulumi.String("string"),
},
Ipsec: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecArgs{
EnforceEncryptionAlgAndDataIntegrityOnAllUsers: pulumi.Bool(false),
SupportDataIntegrity: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrityArgs{
AesXcbc: pulumi.Bool(false),
Md5: pulumi.Bool(false),
Sha1: pulumi.Bool(false),
Sha256: pulumi.Bool(false),
},
SupportEncryptionAlgorithms: &checkpoint.ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithmsArgs{
Aes128: pulumi.Bool(false),
Aes256: pulumi.Bool(false),
Des: pulumi.Bool(false),
Tdes: pulumi.Bool(false),
},
UseDataIntegrity: pulumi.String("string"),
UseEncryptionAlgorithm: pulumi.String("string"),
},
},
EncryptionMethod: pulumi.String("string"),
L2tpPreSharedKey: pulumi.String("string"),
PreSharedSecret: pulumi.Bool(false),
SupportL2tpWithPreSharedKey: pulumi.Bool(false),
SupportLegacyAuthForScL2tpNokiaClients: pulumi.Bool(false),
SupportLegacyEap: pulumi.Bool(false),
},
},
},
},
StatefulInspection: &checkpoint.ManagementCommandSetGlobalPropertiesStatefulInspectionArgs{
AcceptStatefulIcmpErrors: pulumi.Bool(false),
AcceptStatefulIcmpReplies: pulumi.Bool(false),
AcceptStatefulOtherIpProtocolsRepliesForUnknownServices: pulumi.Bool(false),
AcceptStatefulUdpRepliesForUnknownServices: pulumi.Bool(false),
DropOutOfStateIcmpPackets: pulumi.Bool(false),
DropOutOfStateSctpPackets: pulumi.Bool(false),
DropOutOfStateTcpPackets: pulumi.Bool(false),
IcmpVirtualSessionTimeout: pulumi.Float64(0),
LogOnDropOutOfStateIcmpPackets: pulumi.Bool(false),
LogOnDropOutOfStateSctpPackets: pulumi.Bool(false),
LogOnDropOutOfStateTcpPackets: pulumi.Bool(false),
OtherIpProtocolsVirtualSessionTimeout: pulumi.Float64(0),
SctpEndTimeout: pulumi.Float64(0),
SctpSessionTimeout: pulumi.Float64(0),
SctpStartTimeout: pulumi.Float64(0),
TcpEndTimeout: pulumi.Float64(0),
TcpEndTimeoutR8020GwAndAbove: pulumi.Float64(0),
TcpOutOfStateDropExceptions: pulumi.StringArray{
pulumi.String("string"),
},
TcpSessionTimeout: pulumi.Float64(0),
TcpStartTimeout: pulumi.Float64(0),
UdpVirtualSessionTimeout: pulumi.Float64(0),
},
UserAccounts: &checkpoint.ManagementCommandSetGlobalPropertiesUserAccountsArgs{
DaysUntilExpiration: pulumi.Float64(0),
ExpirationDate: pulumi.String("string"),
ExpirationDateMethod: pulumi.String("string"),
ShowAccountsExpirationIndicationDaysInAdvance: pulumi.Bool(false),
},
UserAuthority: &checkpoint.ManagementCommandSetGlobalPropertiesUserAuthorityArgs{
DisplayWebAccessView: pulumi.Bool(false),
TrustOnlyFollowingWindowsDomains: pulumi.StringArray{
pulumi.String("string"),
},
WindowsDomainsToTrust: pulumi.String("string"),
},
UserCheck: &checkpoint.ManagementCommandSetGlobalPropertiesUserCheckArgs{
PreferredLanguage: pulumi.String("string"),
SendEmailsUsingMailServer: pulumi.String("string"),
},
UserDirectory: &checkpoint.ManagementCommandSetGlobalPropertiesUserDirectoryArgs{
CacheSize: pulumi.Float64(0),
DisplayUserDnAtLogin: pulumi.String("string"),
EnablePasswordChangeWhenUserActiveDirectoryExpires: pulumi.Bool(false),
EnablePasswordExpirationConfiguration: pulumi.Bool(false),
EnforceRulesForUserMgmtAdmins: pulumi.Bool(false),
MinPasswordLength: pulumi.Float64(0),
PasswordExpiresAfter: pulumi.Float64(0),
PasswordMustIncludeADigit: pulumi.Bool(false),
PasswordMustIncludeASymbol: pulumi.Bool(false),
PasswordMustIncludeLowercaseChar: pulumi.Bool(false),
PasswordMustIncludeUppercaseChar: pulumi.Bool(false),
TimeoutOnCachedUsers: pulumi.Float64(0),
},
Vpn: &checkpoint.ManagementCommandSetGlobalPropertiesVpnArgs{
DomainNameForDnsResolving: pulumi.String("string"),
EnableBackupGw: pulumi.Bool(false),
EnableDecryptOnAcceptForGwToGwTraffic: pulumi.Bool(false),
EnableLoadDistributionForMepConf: pulumi.Bool(false),
EnableVpnDirectionalMatchInVpnColumn: pulumi.Bool(false),
GracePeriodAfterTheCrlIsNotValid: pulumi.Float64(0),
GracePeriodBeforeTheCrlIsValid: pulumi.Float64(0),
GracePeriodExtensionForSecureRemoteSecureClient: pulumi.Float64(0),
SupportIkeDosProtectionFromIdentifiedSrc: pulumi.String("string"),
SupportIkeDosProtectionFromUnidentifiedSrc: pulumi.String("string"),
VpnConfMethod: pulumi.String("string"),
},
})

var managementCommandSetGlobalPropertiesResource = new ManagementCommandSetGlobalProperties("managementCommandSetGlobalPropertiesResource", ManagementCommandSetGlobalPropertiesArgs.builder()
.advancedConf(ManagementCommandSetGlobalPropertiesAdvancedConfArgs.builder()
.certsAndPki(ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPkiArgs.builder()
.certValidationEnforceKeySize("string")
.hostCertsEcdsaKeySize("string")
.hostCertsKeySize("string")
.build())
.build())
.allowRemoteRegistrationOfOpsecProducts(false)
.authentication(ManagementCommandSetGlobalPropertiesAuthenticationArgs.builder()
.allowedSuffixForInternalUsers("string")
.authInternalUsersWithSpecificSuffix(false)
.delayEachAuthAttemptBy(0.0)
.enableDelayedAuth(false)
.maxClientAuthAttemptsBeforeConnectionTermination(0.0)
.maxDaysBeforeExpirationOfNonPulledUserCertificates(0.0)
.maxRloginAttemptsBeforeConnectionTermination(0.0)
.maxSessionAuthAttemptsBeforeConnectionTermination(0.0)
.maxTelnetAttemptsBeforeConnectionTermination(0.0)
.build())
.carrierSecurity(ManagementCommandSetGlobalPropertiesCarrierSecurityArgs.builder()
.aggressiveAging(false)
.aggressiveTimeout(0.0)
.allowGgsnRepliesFromMultipleInterfaces(false)
.blockGtpInGtp(false)
.enableGPduSeqNumberCheckWithMaxDeviation(false)
.enableReverseConnections(false)
.enforceGtpAntiSpoofing(false)
.gPduSeqNumberCheckMaxDeviation(0.0)
.gtpSignalingRateLimitSamplingInterval(0.0)
.memoryActivationThreshold(0.0)
.memoryDeactivationThreshold(0.0)
.oneGtpEchoOnEachPathFrequency(0.0)
.produceExtendedLogsOnUnmatchedPdus(false)
.produceExtendedLogsOnUnmatchedPdusPosition("string")
.protocolViolationTrackOption("string")
.tunnelActivationThreshold(0.0)
.tunnelDeactivationThreshold(0.0)
.verifyFlowLabels(false)
.build())
.connectControl(ManagementCommandSetGlobalPropertiesConnectControlArgs.builder()
.loadAgentsPort(0.0)
.loadMeasurementInterval(0.0)
.persistenceServerTimeout(0.0)
.serverAvailabilityCheckInterval(0.0)
.serverCheckRetries(0.0)
.build())
.dataAccessControl(ManagementCommandSetGlobalPropertiesDataAccessControlArgs.builder()
.autoDownloadImportantData(false)
.autoDownloadSwUpdatesAndNewFeatures(false)
.sendAnonymousInfo(false)
.shareSensitiveInfo(false)
.build())
.domainsToProcesses("string")
.firewall(ManagementCommandSetGlobalPropertiesFirewallArgs.builder()
.acceptControlConnections(false)
.acceptDomainNameOverTcp(false)
.acceptDomainNameOverTcpPosition("string")
.acceptDomainNameOverUdp(false)
.acceptDomainNameOverUdpPosition("string")
.acceptDynamicAddrModulesOutgoingInternetConnections(false)
.acceptIcmpRequests(false)
.acceptIcmpRequestsPosition("string")
.acceptIdentityAwarenessControlConnections(false)
.acceptIdentityAwarenessControlConnectionsPosition("string")
.acceptIncomingTrafficToDhcpAndDnsServicesOfGws(false)
.acceptIps1ManagementConnections(false)
.acceptOutgoingPacketsOriginatingFromConnectraGw(false)
.acceptOutgoingPacketsOriginatingFromGw(false)
.acceptOutgoingPacketsOriginatingFromGwPosition("string")
.acceptOutgoingPacketsToCpOnlineServices(false)
.acceptOutgoingPacketsToCpOnlineServicesPosition("string")
.acceptRemoteAccessControlConnections(false)
.acceptRip(false)
.acceptRipPosition("string")
.acceptSmartUpdateConnections(false)
.acceptVrrpPacketsOriginatingFromClusterMembers(false)
.acceptWebAndSshConnectionsForGwAdministration(false)
.logImpliedRules(false)
.securityServer(ManagementCommandSetGlobalPropertiesFirewallSecurityServerArgs.builder()
.clientAuthWelcomeFile("string")
.ftpWelcomeMsgFile("string")
.httpNextProxyHost("string")
.httpNextProxyPort(0.0)
.httpServers(ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServerArgs.builder()
.host("string")
.logicalName("string")
.port(0.0)
.reauthentication("string")
.build())
.mdqWelcomeMsg("string")
.rloginWelcomeMsgFile("string")
.serverForNullRequests("string")
.smtpWelcomeMsg("string")
.telnetWelcomeMsgFile("string")
.build())
.build())
.hitCount(ManagementCommandSetGlobalPropertiesHitCountArgs.builder()
.enableHitCount(false)
.keepHitCountDataUpTo("string")
.build())
.ignoreErrors(false)
.ignoreWarnings(false)
.logAndAlerts(ManagementCommandSetGlobalPropertiesLogAndAlertArgs.builder()
.administrativeNotifications("string")
.alerts(ManagementCommandSetGlobalPropertiesLogAndAlertAlertsArgs.builder()
.defaultTrackOptionForSystemAlerts("string")
.mailAlertScript("string")
.popupAlertScript("string")
.sendMailAlertToSmartviewMonitor(false)
.sendPopupAlertToSmartviewMonitor(false)
.sendSnmpTrapAlertToSmartviewMonitor(false)
.sendUserDefinedAlertNum1ToSmartviewMonitor(false)
.sendUserDefinedAlertNum2ToSmartviewMonitor(false)
.sendUserDefinedAlertNum3ToSmartviewMonitor(false)
.snmpTrapAlertScript("string")
.userDefinedScriptNum1("string")
.userDefinedScriptNum2("string")
.userDefinedScriptNum3("string")
.build())
.connectionMatchedBySam("string")
.dynamicObjectResolutionFailure("string")
.logEveryAuthenticatedHttpConnection(false)
.logTraffic("string")
.packetIsIncorrectlyTagged("string")
.packetTaggingBruteForceAttack("string")
.slaViolation("string")
.timeSettings(ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettingsArgs.builder()
.excessiveLogGracePeriod(0.0)
.logsResolvingTimeout(0.0)
.statusFetchingInterval(0.0)
.virtualLinkStatisticsLoggingInterval(0.0)
.build())
.vpnConfAndKeyExchangeErrors("string")
.vpnPacketHandlingError("string")
.vpnSuccessfulKeyExchange("string")
.build())
.managementCommandSetGlobalPropertiesId("string")
.nat(ManagementCommandSetGlobalPropertiesNatArgs.builder()
.addrAllocAndReleaseTrack("string")
.addrExhaustionTrack("string")
.allowBiDirectionalNat(false)
.autoArpConf(false)
.autoTranslateDestOnClientSide(false)
.enableIpPoolNat(false)
.manuallyTranslateDestOnClientSide(false)
.mergeManualProxyArpConf(false)
.build())
.nonUniqueIpAddressRanges(ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs.builder()
.addressType("string")
.firstIpv4Address("string")
.firstIpv6Address("string")
.lastIpv4Address("string")
.lastIpv6Address("string")
.build())
.numSpoofingErrsThatTriggerBruteForce(0.0)
.proxy(ManagementCommandSetGlobalPropertiesProxyArgs.builder()
.proxyAddress("string")
.proxyPort(0.0)
.useProxyServer(false)
.build())
.qos(ManagementCommandSetGlobalPropertiesQosArgs.builder()
.authenticatedIpExpiration(0.0)
.defaultWeightOfRule(0.0)
.maxWeightOfRule(0.0)
.nonAuthenticatedIpExpiration(0.0)
.unansweredQueriedIpExpiration(0.0)
.unitOfMeasure("string")
.build())
.remoteAccesses(ManagementCommandSetGlobalPropertiesRemoteAccessArgs.builder()
.enableBackConnections(false)
.encryptDnsTraffic(false)
.endpointConnect(ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectArgs.builder()
.cachePasswordTimeout(0.0)
.clientUpgradeMode("string")
.connectMode("string")
.disconnectWhenConnToNetworkIsLost("string")
.disconnectWhenDeviceIsIdle("string")
.enablePasswordCaching("string")
.networkLocationAwareness("string")
.networkLocationAwarenessConf(ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConfArgs.builder()
.considerUndefinedDnsSuffixesAsExternal(false)
.considerWirelessNetworksAsExternal(false)
.dnsSuffixes("string")
.excludedInternalWirelessNetworks("string")
.networkOrGroupOfConnVpnClient("string")
.rememberPreviouslyDetectedExternalNetworks(false)
.vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient("string")
.build())
.reAuthUserInterval(0.0)
.routeAllTrafficToGw("string")
.build())
.hotSpotAndHotelRegistration(ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistrationArgs.builder()
.enableRegistration(false)
.localSubnetsAccessOnly(false)
.maxIpAccessDuringRegistration(0.0)
.ports("string")
.registrationTimeout(0.0)
.trackLog(false)
.build())
.keepAlivePacketToGwInterval(0.0)
.scv(ManagementCommandSetGlobalPropertiesRemoteAccessScvArgs.builder()
.applyScvOnSimplifiedModeFwPolicies(false)
.exceptions(ManagementCommandSetGlobalPropertiesRemoteAccessScvExceptionArgs.builder()
.hosts("string")
.services("string")
.build())
.generateLog(false)
.noScvForUnsupportedCpClients(false)
.notifyUser(false)
.onlyTcpIpProtocolsAreUsed(false)
.policyInstalledOnAllInterfaces(false)
.uponVerificationAcceptAndLogClientConnection(false)
.build())
.secureClientMobile(ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobileArgs.builder()
.automaticallyInitiateDialup("string")
.cachePasswordTimeout(0.0)
.connectMode("string")
.disconnectWhenDeviceIsIdle("string")
.enablePasswordCaching("string")
.reAuthUserInterval(0.0)
.routeAllTrafficToGw("string")
.supportedEncryptionMethods("string")
.userAuthMethod("string")
.build())
.simultaneousLoginMode("string")
.sslNetworkExtender(ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtenderArgs.builder()
.clientOutgoingKeepAlivePacketsFrequency(0.0)
.clientUninstallUponDisconnection("string")
.clientUpgradeUponConnection("string")
.reAuthUserInterval(0.0)
.scanEpMachineForComplianceWithEpCompliancePolicy(false)
.supportedEncryptionMethods("string")
.userAuthMethod("string")
.build())
.vpnAdvanced(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvancedArgs.builder()
.allowClearTrafficToEncryptionDomainWhenDisconnected(false)
.enableLoadDistributionForMepConf(false)
.useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite(false)
.build())
.vpnAuthenticationAndEncryptions(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionArgs.builder()
.encryptionAlgorithms(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsArgs.builder()
.ike(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeArgs.builder()
.supportDataIntegrity(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrityArgs.builder()
.aesXcbc(false)
.md5(false)
.sha1(false)
.sha256(false)
.build())
.supportDiffieHellmanGroups(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroupsArgs.builder()
.group1(false)
.group14(false)
.group2(false)
.group5(false)
.build())
.supportEncryptionAlgorithms(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithmsArgs.builder()
.aes128(false)
.aes256(false)
.des(false)
.tdes(false)
.build())
.useDataIntegrity("string")
.useDiffieHellmanGroup("string")
.useEncryptionAlgorithm("string")
.build())
.ipsec(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecArgs.builder()
.enforceEncryptionAlgAndDataIntegrityOnAllUsers(false)
.supportDataIntegrity(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrityArgs.builder()
.aesXcbc(false)
.md5(false)
.sha1(false)
.sha256(false)
.build())
.supportEncryptionAlgorithms(ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithmsArgs.builder()
.aes128(false)
.aes256(false)
.des(false)
.tdes(false)
.build())
.useDataIntegrity("string")
.useEncryptionAlgorithm("string")
.build())
.build())
.encryptionMethod("string")
.l2tpPreSharedKey("string")
.preSharedSecret(false)
.supportL2tpWithPreSharedKey(false)
.supportLegacyAuthForScL2tpNokiaClients(false)
.supportLegacyEap(false)
.build())
.build())
.statefulInspection(ManagementCommandSetGlobalPropertiesStatefulInspectionArgs.builder()
.acceptStatefulIcmpErrors(false)
.acceptStatefulIcmpReplies(false)
.acceptStatefulOtherIpProtocolsRepliesForUnknownServices(false)
.acceptStatefulUdpRepliesForUnknownServices(false)
.dropOutOfStateIcmpPackets(false)
.dropOutOfStateSctpPackets(false)
.dropOutOfStateTcpPackets(false)
.icmpVirtualSessionTimeout(0.0)
.logOnDropOutOfStateIcmpPackets(false)
.logOnDropOutOfStateSctpPackets(false)
.logOnDropOutOfStateTcpPackets(false)
.otherIpProtocolsVirtualSessionTimeout(0.0)
.sctpEndTimeout(0.0)
.sctpSessionTimeout(0.0)
.sctpStartTimeout(0.0)
.tcpEndTimeout(0.0)
.tcpEndTimeoutR8020GwAndAbove(0.0)
.tcpOutOfStateDropExceptions("string")
.tcpSessionTimeout(0.0)
.tcpStartTimeout(0.0)
.udpVirtualSessionTimeout(0.0)
.build())
.userAccounts(ManagementCommandSetGlobalPropertiesUserAccountsArgs.builder()
.daysUntilExpiration(0.0)
.expirationDate("string")
.expirationDateMethod("string")
.showAccountsExpirationIndicationDaysInAdvance(false)
.build())
.userAuthority(ManagementCommandSetGlobalPropertiesUserAuthorityArgs.builder()
.displayWebAccessView(false)
.trustOnlyFollowingWindowsDomains("string")
.windowsDomainsToTrust("string")
.build())
.userCheck(ManagementCommandSetGlobalPropertiesUserCheckArgs.builder()
.preferredLanguage("string")
.sendEmailsUsingMailServer("string")
.build())
.userDirectory(ManagementCommandSetGlobalPropertiesUserDirectoryArgs.builder()
.cacheSize(0.0)
.displayUserDnAtLogin("string")
.enablePasswordChangeWhenUserActiveDirectoryExpires(false)
.enablePasswordExpirationConfiguration(false)
.enforceRulesForUserMgmtAdmins(false)
.minPasswordLength(0.0)
.passwordExpiresAfter(0.0)
.passwordMustIncludeADigit(false)
.passwordMustIncludeASymbol(false)
.passwordMustIncludeLowercaseChar(false)
.passwordMustIncludeUppercaseChar(false)
.timeoutOnCachedUsers(0.0)
.build())
.vpn(ManagementCommandSetGlobalPropertiesVpnArgs.builder()
.domainNameForDnsResolving("string")
.enableBackupGw(false)
.enableDecryptOnAcceptForGwToGwTraffic(false)
.enableLoadDistributionForMepConf(false)
.enableVpnDirectionalMatchInVpnColumn(false)
.gracePeriodAfterTheCrlIsNotValid(0.0)
.gracePeriodBeforeTheCrlIsValid(0.0)
.gracePeriodExtensionForSecureRemoteSecureClient(0.0)
.supportIkeDosProtectionFromIdentifiedSrc("string")
.supportIkeDosProtectionFromUnidentifiedSrc("string")
.vpnConfMethod("string")
.build())
.build());

management_command_set_global_properties_resource = checkpoint.ManagementCommandSetGlobalProperties("managementCommandSetGlobalPropertiesResource",
advanced_conf={
"certs_and_pki": {
"cert_validation_enforce_key_size": "string",
"host_certs_ecdsa_key_size": "string",
"host_certs_key_size": "string",
},
},
allow_remote_registration_of_opsec_products=False,
authentication={
"allowed_suffix_for_internal_users": "string",
"auth_internal_users_with_specific_suffix": False,
"delay_each_auth_attempt_by": float(0),
"enable_delayed_auth": False,
"max_client_auth_attempts_before_connection_termination": float(0),
"max_days_before_expiration_of_non_pulled_user_certificates": float(0),
"max_rlogin_attempts_before_connection_termination": float(0),
"max_session_auth_attempts_before_connection_termination": float(0),
"max_telnet_attempts_before_connection_termination": float(0),
},
carrier_security={
"aggressive_aging": False,
"aggressive_timeout": float(0),
"allow_ggsn_replies_from_multiple_interfaces": False,
"block_gtp_in_gtp": False,
"enable_g_pdu_seq_number_check_with_max_deviation": False,
"enable_reverse_connections": False,
"enforce_gtp_anti_spoofing": False,
"g_pdu_seq_number_check_max_deviation": float(0),
"gtp_signaling_rate_limit_sampling_interval": float(0),
"memory_activation_threshold": float(0),
"memory_deactivation_threshold": float(0),
"one_gtp_echo_on_each_path_frequency": float(0),
"produce_extended_logs_on_unmatched_pdus": False,
"produce_extended_logs_on_unmatched_pdus_position": "string",
"protocol_violation_track_option": "string",
"tunnel_activation_threshold": float(0),
"tunnel_deactivation_threshold": float(0),
"verify_flow_labels": False,
},
connect_control={
"load_agents_port": float(0),
"load_measurement_interval": float(0),
"persistence_server_timeout": float(0),
"server_availability_check_interval": float(0),
"server_check_retries": float(0),
},
data_access_control={
"auto_download_important_data": False,
"auto_download_sw_updates_and_new_features": False,
"send_anonymous_info": False,
"share_sensitive_info": False,
},
domains_to_processes=["string"],
firewall={
"accept_control_connections": False,
"accept_domain_name_over_tcp": False,
"accept_domain_name_over_tcp_position": "string",
"accept_domain_name_over_udp": False,
"accept_domain_name_over_udp_position": "string",
"accept_dynamic_addr_modules_outgoing_internet_connections": False,
"accept_icmp_requests": False,
"accept_icmp_requests_position": "string",
"accept_identity_awareness_control_connections": False,
"accept_identity_awareness_control_connections_position": "string",
"accept_incoming_traffic_to_dhcp_and_dns_services_of_gws": False,
"accept_ips1_management_connections": False,
"accept_outgoing_packets_originating_from_connectra_gw": False,
"accept_outgoing_packets_originating_from_gw": False,
"accept_outgoing_packets_originating_from_gw_position": "string",
"accept_outgoing_packets_to_cp_online_services": False,
"accept_outgoing_packets_to_cp_online_services_position": "string",
"accept_remote_access_control_connections": False,
"accept_rip": False,
"accept_rip_position": "string",
"accept_smart_update_connections": False,
"accept_vrrp_packets_originating_from_cluster_members": False,
"accept_web_and_ssh_connections_for_gw_administration": False,
"log_implied_rules": False,
"security_server": {
"client_auth_welcome_file": "string",
"ftp_welcome_msg_file": "string",
"http_next_proxy_host": "string",
"http_next_proxy_port": float(0),
"http_servers": [{
"host": "string",
"logical_name": "string",
"port": float(0),
"reauthentication": "string",
}],
"mdq_welcome_msg": "string",
"rlogin_welcome_msg_file": "string",
"server_for_null_requests": "string",
"smtp_welcome_msg": "string",
"telnet_welcome_msg_file": "string",
},
},
hit_count={
"enable_hit_count": False,
"keep_hit_count_data_up_to": "string",
},
ignore_errors=False,
ignore_warnings=False,
log_and_alerts=[{
"administrative_notifications": "string",
"alerts": {
"default_track_option_for_system_alerts": "string",
"mail_alert_script": "string",
"popup_alert_script": "string",
"send_mail_alert_to_smartview_monitor": False,
"send_popup_alert_to_smartview_monitor": False,
"send_snmp_trap_alert_to_smartview_monitor": False,
"send_user_defined_alert_num1_to_smartview_monitor": False,
"send_user_defined_alert_num2_to_smartview_monitor": False,
"send_user_defined_alert_num3_to_smartview_monitor": False,
"snmp_trap_alert_script": "string",
"user_defined_script_num1": "string",
"user_defined_script_num2": "string",
"user_defined_script_num3": "string",
},
"connection_matched_by_sam": "string",
"dynamic_object_resolution_failure": "string",
"log_every_authenticated_http_connection": False,
"log_traffic": "string",
"packet_is_incorrectly_tagged": "string",
"packet_tagging_brute_force_attack": "string",
"sla_violation": "string",
"time_settings": {
"excessive_log_grace_period": float(0),
"logs_resolving_timeout": float(0),
"status_fetching_interval": float(0),
"virtual_link_statistics_logging_interval": float(0),
},
"vpn_conf_and_key_exchange_errors": "string",
"vpn_packet_handling_error": "string",
"vpn_successful_key_exchange": "string",
}],
management_command_set_global_properties_id="string",
nat={
"addr_alloc_and_release_track": "string",
"addr_exhaustion_track": "string",
"allow_bi_directional_nat": False,
"auto_arp_conf": False,
"auto_translate_dest_on_client_side": False,
"enable_ip_pool_nat": False,
"manually_translate_dest_on_client_side": False,
"merge_manual_proxy_arp_conf": False,
},
non_unique_ip_address_ranges=[{
"address_type": "string",
"first_ipv4_address": "string",
"first_ipv6_address": "string",
"last_ipv4_address": "string",
"last_ipv6_address": "string",
}],
num_spoofing_errs_that_trigger_brute_force=float(0),
proxy={
"proxy_address": "string",
"proxy_port": float(0),
"use_proxy_server": False,
},
qos={
"authenticated_ip_expiration": float(0),
"default_weight_of_rule": float(0),
"max_weight_of_rule": float(0),
"non_authenticated_ip_expiration": float(0),
"unanswered_queried_ip_expiration": float(0),
"unit_of_measure": "string",
},
remote_accesses=[{
"enable_back_connections": False,
"encrypt_dns_traffic": False,
"endpoint_connect": {
"cache_password_timeout": float(0),
"client_upgrade_mode": "string",
"connect_mode": "string",
"disconnect_when_conn_to_network_is_lost": "string",
"disconnect_when_device_is_idle": "string",
"enable_password_caching": "string",
"network_location_awareness": "string",
"network_location_awareness_conf": {
"consider_undefined_dns_suffixes_as_external": False,
"consider_wireless_networks_as_external": False,
"dns_suffixes": ["string"],
"excluded_internal_wireless_networks": ["string"],
"network_or_group_of_conn_vpn_client": "string",
"remember_previously_detected_external_networks": False,
"vpn_clients_are_considered_inside_the_internal_network_when_the_client": "string",
},
"re_auth_user_interval": float(0),
"route_all_traffic_to_gw": "string",
},
"hot_spot_and_hotel_registration": {
"enable_registration": False,
"local_subnets_access_only": False,
"max_ip_access_during_registration": float(0),
"ports": ["string"],
"registration_timeout": float(0),
"track_log": False,
},
"keep_alive_packet_to_gw_interval": float(0),
"scv": {
"apply_scv_on_simplified_mode_fw_policies": False,
"exceptions": [{
"hosts": ["string"],
"services": ["string"],
}],
"generate_log": False,
"no_scv_for_unsupported_cp_clients": False,
"notify_user": False,
"only_tcp_ip_protocols_are_used": False,
"policy_installed_on_all_interfaces": False,
"upon_verification_accept_and_log_client_connection": False,
},
"secure_client_mobile": {
"automatically_initiate_dialup": "string",
"cache_password_timeout": float(0),
"connect_mode": "string",
"disconnect_when_device_is_idle": "string",
"enable_password_caching": "string",
"re_auth_user_interval": float(0),
"route_all_traffic_to_gw": "string",
"supported_encryption_methods": "string",
"user_auth_method": "string",
},
"simultaneous_login_mode": "string",
"ssl_network_extender": {
"client_outgoing_keep_alive_packets_frequency": float(0),
"client_uninstall_upon_disconnection": "string",
"client_upgrade_upon_connection": "string",
"re_auth_user_interval": float(0),
"scan_ep_machine_for_compliance_with_ep_compliance_policy": False,
"supported_encryption_methods": "string",
"user_auth_method": "string",
},
"vpn_advanced": {
"allow_clear_traffic_to_encryption_domain_when_disconnected": False,
"enable_load_distribution_for_mep_conf": False,
"use_first_allocated_om_ip_addr_for_all_conn_to_the_gws_of_the_site": False,
},
"vpn_authentication_and_encryptions": [{
"encryption_algorithms": {
"ike": {
"support_data_integrity": {
"aes_xcbc": False,
"md5": False,
"sha1": False,
"sha256": False,
},
"support_diffie_hellman_groups": {
"group1": False,
"group14": False,
"group2": False,
"group5": False,
},
"support_encryption_algorithms": {
"aes128": False,
"aes256": False,
"des": False,
"tdes": False,
},
"use_data_integrity": "string",
"use_diffie_hellman_group": "string",
"use_encryption_algorithm": "string",
},
"ipsec": {
"enforce_encryption_alg_and_data_integrity_on_all_users": False,
"support_data_integrity": {
"aes_xcbc": False,
"md5": False,
"sha1": False,
"sha256": False,
},
"support_encryption_algorithms": {
"aes128": False,
"aes256": False,
"des": False,
"tdes": False,
},
"use_data_integrity": "string",
"use_encryption_algorithm": "string",
},
},
"encryption_method": "string",
"l2tp_pre_shared_key": "string",
"pre_shared_secret": False,
"support_l2tp_with_pre_shared_key": False,
"support_legacy_auth_for_sc_l2tp_nokia_clients": False,
"support_legacy_eap": False,
}],
}],
stateful_inspection={
"accept_stateful_icmp_errors": False,
"accept_stateful_icmp_replies": False,
"accept_stateful_other_ip_protocols_replies_for_unknown_services": False,
"accept_stateful_udp_replies_for_unknown_services": False,
"drop_out_of_state_icmp_packets": False,
"drop_out_of_state_sctp_packets": False,
"drop_out_of_state_tcp_packets": False,
"icmp_virtual_session_timeout": float(0),
"log_on_drop_out_of_state_icmp_packets": False,
"log_on_drop_out_of_state_sctp_packets": False,
"log_on_drop_out_of_state_tcp_packets": False,
"other_ip_protocols_virtual_session_timeout": float(0),
"sctp_end_timeout": float(0),
"sctp_session_timeout": float(0),
"sctp_start_timeout": float(0),
"tcp_end_timeout": float(0),
"tcp_end_timeout_r8020_gw_and_above": float(0),
"tcp_out_of_state_drop_exceptions": ["string"],
"tcp_session_timeout": float(0),
"tcp_start_timeout": float(0),
"udp_virtual_session_timeout": float(0),
},
user_accounts={
"days_until_expiration": float(0),
"expiration_date": "string",
"expiration_date_method": "string",
"show_accounts_expiration_indication_days_in_advance": False,
},
user_authority={
"display_web_access_view": False,
"trust_only_following_windows_domains": ["string"],
"windows_domains_to_trust": "string",
},
user_check={
"preferred_language": "string",
"send_emails_using_mail_server": "string",
},
user_directory={
"cache_size": float(0),
"display_user_dn_at_login": "string",
"enable_password_change_when_user_active_directory_expires": False,
"enable_password_expiration_configuration": False,
"enforce_rules_for_user_mgmt_admins": False,
"min_password_length": float(0),
"password_expires_after": float(0),
"password_must_include_a_digit": False,
"password_must_include_a_symbol": False,
"password_must_include_lowercase_char": False,
"password_must_include_uppercase_char": False,
"timeout_on_cached_users": float(0),
},
vpn={
"domain_name_for_dns_resolving": "string",
"enable_backup_gw": False,
"enable_decrypt_on_accept_for_gw_to_gw_traffic": False,
"enable_load_distribution_for_mep_conf": False,
"enable_vpn_directional_match_in_vpn_column": False,
"grace_period_after_the_crl_is_not_valid": float(0),
"grace_period_before_the_crl_is_valid": float(0),
"grace_period_extension_for_secure_remote_secure_client": float(0),
"support_ike_dos_protection_from_identified_src": "string",
"support_ike_dos_protection_from_unidentified_src": "string",
"vpn_conf_method": "string",
})

const managementCommandSetGlobalPropertiesResource = new checkpoint.ManagementCommandSetGlobalProperties("managementCommandSetGlobalPropertiesResource", {
advancedConf: {
certsAndPki: {
certValidationEnforceKeySize: "string",
hostCertsEcdsaKeySize: "string",
hostCertsKeySize: "string",
},
},
allowRemoteRegistrationOfOpsecProducts: false,
authentication: {
allowedSuffixForInternalUsers: "string",
authInternalUsersWithSpecificSuffix: false,
delayEachAuthAttemptBy: 0,
enableDelayedAuth: false,
maxClientAuthAttemptsBeforeConnectionTermination: 0,
maxDaysBeforeExpirationOfNonPulledUserCertificates: 0,
maxRloginAttemptsBeforeConnectionTermination: 0,
maxSessionAuthAttemptsBeforeConnectionTermination: 0,
maxTelnetAttemptsBeforeConnectionTermination: 0,
},
carrierSecurity: {
aggressiveAging: false,
aggressiveTimeout: 0,
allowGgsnRepliesFromMultipleInterfaces: false,
blockGtpInGtp: false,
enableGPduSeqNumberCheckWithMaxDeviation: false,
enableReverseConnections: false,
enforceGtpAntiSpoofing: false,
gPduSeqNumberCheckMaxDeviation: 0,
gtpSignalingRateLimitSamplingInterval: 0,
memoryActivationThreshold: 0,
memoryDeactivationThreshold: 0,
oneGtpEchoOnEachPathFrequency: 0,
produceExtendedLogsOnUnmatchedPdus: false,
produceExtendedLogsOnUnmatchedPdusPosition: "string",
protocolViolationTrackOption: "string",
tunnelActivationThreshold: 0,
tunnelDeactivationThreshold: 0,
verifyFlowLabels: false,
},
connectControl: {
loadAgentsPort: 0,
loadMeasurementInterval: 0,
persistenceServerTimeout: 0,
serverAvailabilityCheckInterval: 0,
serverCheckRetries: 0,
},
dataAccessControl: {
autoDownloadImportantData: false,
autoDownloadSwUpdatesAndNewFeatures: false,
sendAnonymousInfo: false,
shareSensitiveInfo: false,
},
domainsToProcesses: ["string"],
firewall: {
acceptControlConnections: false,
acceptDomainNameOverTcp: false,
acceptDomainNameOverTcpPosition: "string",
acceptDomainNameOverUdp: false,
acceptDomainNameOverUdpPosition: "string",
acceptDynamicAddrModulesOutgoingInternetConnections: false,
acceptIcmpRequests: false,
acceptIcmpRequestsPosition: "string",
acceptIdentityAwarenessControlConnections: false,
acceptIdentityAwarenessControlConnectionsPosition: "string",
acceptIncomingTrafficToDhcpAndDnsServicesOfGws: false,
acceptIps1ManagementConnections: false,
acceptOutgoingPacketsOriginatingFromConnectraGw: false,
acceptOutgoingPacketsOriginatingFromGw: false,
acceptOutgoingPacketsOriginatingFromGwPosition: "string",
acceptOutgoingPacketsToCpOnlineServices: false,
acceptOutgoingPacketsToCpOnlineServicesPosition: "string",
acceptRemoteAccessControlConnections: false,
acceptRip: false,
acceptRipPosition: "string",
acceptSmartUpdateConnections: false,
acceptVrrpPacketsOriginatingFromClusterMembers: false,
acceptWebAndSshConnectionsForGwAdministration: false,
logImpliedRules: false,
securityServer: {
clientAuthWelcomeFile: "string",
ftpWelcomeMsgFile: "string",
httpNextProxyHost: "string",
httpNextProxyPort: 0,
httpServers: [{
host: "string",
logicalName: "string",
port: 0,
reauthentication: "string",
}],
mdqWelcomeMsg: "string",
rloginWelcomeMsgFile: "string",
serverForNullRequests: "string",
smtpWelcomeMsg: "string",
telnetWelcomeMsgFile: "string",
},
},
hitCount: {
enableHitCount: false,
keepHitCountDataUpTo: "string",
},
ignoreErrors: false,
ignoreWarnings: false,
logAndAlerts: [{
administrativeNotifications: "string",
alerts: {
defaultTrackOptionForSystemAlerts: "string",
mailAlertScript: "string",
popupAlertScript: "string",
sendMailAlertToSmartviewMonitor: false,
sendPopupAlertToSmartviewMonitor: false,
sendSnmpTrapAlertToSmartviewMonitor: false,
sendUserDefinedAlertNum1ToSmartviewMonitor: false,
sendUserDefinedAlertNum2ToSmartviewMonitor: false,
sendUserDefinedAlertNum3ToSmartviewMonitor: false,
snmpTrapAlertScript: "string",
userDefinedScriptNum1: "string",
userDefinedScriptNum2: "string",
userDefinedScriptNum3: "string",
},
connectionMatchedBySam: "string",
dynamicObjectResolutionFailure: "string",
logEveryAuthenticatedHttpConnection: false,
logTraffic: "string",
packetIsIncorrectlyTagged: "string",
packetTaggingBruteForceAttack: "string",
slaViolation: "string",
timeSettings: {
excessiveLogGracePeriod: 0,
logsResolvingTimeout: 0,
statusFetchingInterval: 0,
virtualLinkStatisticsLoggingInterval: 0,
},
vpnConfAndKeyExchangeErrors: "string",
vpnPacketHandlingError: "string",
vpnSuccessfulKeyExchange: "string",
}],
managementCommandSetGlobalPropertiesId: "string",
nat: {
addrAllocAndReleaseTrack: "string",
addrExhaustionTrack: "string",
allowBiDirectionalNat: false,
autoArpConf: false,
autoTranslateDestOnClientSide: false,
enableIpPoolNat: false,
manuallyTranslateDestOnClientSide: false,
mergeManualProxyArpConf: false,
},
nonUniqueIpAddressRanges: [{
addressType: "string",
firstIpv4Address: "string",
firstIpv6Address: "string",
lastIpv4Address: "string",
lastIpv6Address: "string",
}],
numSpoofingErrsThatTriggerBruteForce: 0,
proxy: {
proxyAddress: "string",
proxyPort: 0,
useProxyServer: false,
},
qos: {
authenticatedIpExpiration: 0,
defaultWeightOfRule: 0,
maxWeightOfRule: 0,
nonAuthenticatedIpExpiration: 0,
unansweredQueriedIpExpiration: 0,
unitOfMeasure: "string",
},
remoteAccesses: [{
enableBackConnections: false,
encryptDnsTraffic: false,
endpointConnect: {
cachePasswordTimeout: 0,
clientUpgradeMode: "string",
connectMode: "string",
disconnectWhenConnToNetworkIsLost: "string",
disconnectWhenDeviceIsIdle: "string",
enablePasswordCaching: "string",
networkLocationAwareness: "string",
networkLocationAwarenessConf: {
considerUndefinedDnsSuffixesAsExternal: false,
considerWirelessNetworksAsExternal: false,
dnsSuffixes: ["string"],
excludedInternalWirelessNetworks: ["string"],
networkOrGroupOfConnVpnClient: "string",
rememberPreviouslyDetectedExternalNetworks: false,
vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient: "string",
},
reAuthUserInterval: 0,
routeAllTrafficToGw: "string",
},
hotSpotAndHotelRegistration: {
enableRegistration: false,
localSubnetsAccessOnly: false,
maxIpAccessDuringRegistration: 0,
ports: ["string"],
registrationTimeout: 0,
trackLog: false,
},
keepAlivePacketToGwInterval: 0,
scv: {
applyScvOnSimplifiedModeFwPolicies: false,
exceptions: [{
hosts: ["string"],
services: ["string"],
}],
generateLog: false,
noScvForUnsupportedCpClients: false,
notifyUser: false,
onlyTcpIpProtocolsAreUsed: false,
policyInstalledOnAllInterfaces: false,
uponVerificationAcceptAndLogClientConnection: false,
},
secureClientMobile: {
automaticallyInitiateDialup: "string",
cachePasswordTimeout: 0,
connectMode: "string",
disconnectWhenDeviceIsIdle: "string",
enablePasswordCaching: "string",
reAuthUserInterval: 0,
routeAllTrafficToGw: "string",
supportedEncryptionMethods: "string",
userAuthMethod: "string",
},
simultaneousLoginMode: "string",
sslNetworkExtender: {
clientOutgoingKeepAlivePacketsFrequency: 0,
clientUninstallUponDisconnection: "string",
clientUpgradeUponConnection: "string",
reAuthUserInterval: 0,
scanEpMachineForComplianceWithEpCompliancePolicy: false,
supportedEncryptionMethods: "string",
userAuthMethod: "string",
},
vpnAdvanced: {
allowClearTrafficToEncryptionDomainWhenDisconnected: false,
enableLoadDistributionForMepConf: false,
useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite: false,
},
vpnAuthenticationAndEncryptions: [{
encryptionAlgorithms: {
ike: {
supportDataIntegrity: {
aesXcbc: false,
md5: false,
sha1: false,
sha256: false,
},
supportDiffieHellmanGroups: {
group1: false,
group14: false,
group2: false,
group5: false,
},
supportEncryptionAlgorithms: {
aes128: false,
aes256: false,
des: false,
tdes: false,
},
useDataIntegrity: "string",
useDiffieHellmanGroup: "string",
useEncryptionAlgorithm: "string",
},
ipsec: {
enforceEncryptionAlgAndDataIntegrityOnAllUsers: false,
supportDataIntegrity: {
aesXcbc: false,
md5: false,
sha1: false,
sha256: false,
},
supportEncryptionAlgorithms: {
aes128: false,
aes256: false,
des: false,
tdes: false,
},
useDataIntegrity: "string",
useEncryptionAlgorithm: "string",
},
},
encryptionMethod: "string",
l2tpPreSharedKey: "string",
preSharedSecret: false,
supportL2tpWithPreSharedKey: false,
supportLegacyAuthForScL2tpNokiaClients: false,
supportLegacyEap: false,
}],
}],
statefulInspection: {
acceptStatefulIcmpErrors: false,
acceptStatefulIcmpReplies: false,
acceptStatefulOtherIpProtocolsRepliesForUnknownServices: false,
acceptStatefulUdpRepliesForUnknownServices: false,
dropOutOfStateIcmpPackets: false,
dropOutOfStateSctpPackets: false,
dropOutOfStateTcpPackets: false,
icmpVirtualSessionTimeout: 0,
logOnDropOutOfStateIcmpPackets: false,
logOnDropOutOfStateSctpPackets: false,
logOnDropOutOfStateTcpPackets: false,
otherIpProtocolsVirtualSessionTimeout: 0,
sctpEndTimeout: 0,
sctpSessionTimeout: 0,
sctpStartTimeout: 0,
tcpEndTimeout: 0,
tcpEndTimeoutR8020GwAndAbove: 0,
tcpOutOfStateDropExceptions: ["string"],
tcpSessionTimeout: 0,
tcpStartTimeout: 0,
udpVirtualSessionTimeout: 0,
},
userAccounts: {
daysUntilExpiration: 0,
expirationDate: "string",
expirationDateMethod: "string",
showAccountsExpirationIndicationDaysInAdvance: false,
},
userAuthority: {
displayWebAccessView: false,
trustOnlyFollowingWindowsDomains: ["string"],
windowsDomainsToTrust: "string",
},
userCheck: {
preferredLanguage: "string",
sendEmailsUsingMailServer: "string",
},
userDirectory: {
cacheSize: 0,
displayUserDnAtLogin: "string",
enablePasswordChangeWhenUserActiveDirectoryExpires: false,
enablePasswordExpirationConfiguration: false,
enforceRulesForUserMgmtAdmins: false,
minPasswordLength: 0,
passwordExpiresAfter: 0,
passwordMustIncludeADigit: false,
passwordMustIncludeASymbol: false,
passwordMustIncludeLowercaseChar: false,
passwordMustIncludeUppercaseChar: false,
timeoutOnCachedUsers: 0,
},
vpn: {
domainNameForDnsResolving: "string",
enableBackupGw: false,
enableDecryptOnAcceptForGwToGwTraffic: false,
enableLoadDistributionForMepConf: false,
enableVpnDirectionalMatchInVpnColumn: false,
gracePeriodAfterTheCrlIsNotValid: 0,
gracePeriodBeforeTheCrlIsValid: 0,
gracePeriodExtensionForSecureRemoteSecureClient: 0,
supportIkeDosProtectionFromIdentifiedSrc: "string",
supportIkeDosProtectionFromUnidentifiedSrc: "string",
vpnConfMethod: "string",
},
});
type: checkpoint:ManagementCommandSetGlobalProperties
properties:
    advancedConf:
        certsAndPki:
            certValidationEnforceKeySize: string
            hostCertsEcdsaKeySize: string
            hostCertsKeySize: string
    allowRemoteRegistrationOfOpsecProducts: false
    authentication:
        allowedSuffixForInternalUsers: string
        authInternalUsersWithSpecificSuffix: false
        delayEachAuthAttemptBy: 0
        enableDelayedAuth: false
        maxClientAuthAttemptsBeforeConnectionTermination: 0
        maxDaysBeforeExpirationOfNonPulledUserCertificates: 0
        maxRloginAttemptsBeforeConnectionTermination: 0
        maxSessionAuthAttemptsBeforeConnectionTermination: 0
        maxTelnetAttemptsBeforeConnectionTermination: 0
    carrierSecurity:
        aggressiveAging: false
        aggressiveTimeout: 0
        allowGgsnRepliesFromMultipleInterfaces: false
        blockGtpInGtp: false
        enableGPduSeqNumberCheckWithMaxDeviation: false
        enableReverseConnections: false
        enforceGtpAntiSpoofing: false
        gPduSeqNumberCheckMaxDeviation: 0
        gtpSignalingRateLimitSamplingInterval: 0
        memoryActivationThreshold: 0
        memoryDeactivationThreshold: 0
        oneGtpEchoOnEachPathFrequency: 0
        produceExtendedLogsOnUnmatchedPdus: false
        produceExtendedLogsOnUnmatchedPdusPosition: string
        protocolViolationTrackOption: string
        tunnelActivationThreshold: 0
        tunnelDeactivationThreshold: 0
        verifyFlowLabels: false
    connectControl:
        loadAgentsPort: 0
        loadMeasurementInterval: 0
        persistenceServerTimeout: 0
        serverAvailabilityCheckInterval: 0
        serverCheckRetries: 0
    dataAccessControl:
        autoDownloadImportantData: false
        autoDownloadSwUpdatesAndNewFeatures: false
        sendAnonymousInfo: false
        shareSensitiveInfo: false
    domainsToProcesses:
        - string
    firewall:
        acceptControlConnections: false
        acceptDomainNameOverTcp: false
        acceptDomainNameOverTcpPosition: string
        acceptDomainNameOverUdp: false
        acceptDomainNameOverUdpPosition: string
        acceptDynamicAddrModulesOutgoingInternetConnections: false
        acceptIcmpRequests: false
        acceptIcmpRequestsPosition: string
        acceptIdentityAwarenessControlConnections: false
        acceptIdentityAwarenessControlConnectionsPosition: string
        acceptIncomingTrafficToDhcpAndDnsServicesOfGws: false
        acceptIps1ManagementConnections: false
        acceptOutgoingPacketsOriginatingFromConnectraGw: false
        acceptOutgoingPacketsOriginatingFromGw: false
        acceptOutgoingPacketsOriginatingFromGwPosition: string
        acceptOutgoingPacketsToCpOnlineServices: false
        acceptOutgoingPacketsToCpOnlineServicesPosition: string
        acceptRemoteAccessControlConnections: false
        acceptRip: false
        acceptRipPosition: string
        acceptSmartUpdateConnections: false
        acceptVrrpPacketsOriginatingFromClusterMembers: false
        acceptWebAndSshConnectionsForGwAdministration: false
        logImpliedRules: false
        securityServer:
            clientAuthWelcomeFile: string
            ftpWelcomeMsgFile: string
            httpNextProxyHost: string
            httpNextProxyPort: 0
            httpServers:
                - host: string
                  logicalName: string
                  port: 0
                  reauthentication: string
            mdqWelcomeMsg: string
            rloginWelcomeMsgFile: string
            serverForNullRequests: string
            smtpWelcomeMsg: string
            telnetWelcomeMsgFile: string
    hitCount:
        enableHitCount: false
        keepHitCountDataUpTo: string
    ignoreErrors: false
    ignoreWarnings: false
    logAndAlerts:
        - administrativeNotifications: string
          alerts:
              defaultTrackOptionForSystemAlerts: string
              mailAlertScript: string
              popupAlertScript: string
              sendMailAlertToSmartviewMonitor: false
              sendPopupAlertToSmartviewMonitor: false
              sendSnmpTrapAlertToSmartviewMonitor: false
              sendUserDefinedAlertNum1ToSmartviewMonitor: false
              sendUserDefinedAlertNum2ToSmartviewMonitor: false
              sendUserDefinedAlertNum3ToSmartviewMonitor: false
              snmpTrapAlertScript: string
              userDefinedScriptNum1: string
              userDefinedScriptNum2: string
              userDefinedScriptNum3: string
          connectionMatchedBySam: string
          dynamicObjectResolutionFailure: string
          logEveryAuthenticatedHttpConnection: false
          logTraffic: string
          packetIsIncorrectlyTagged: string
          packetTaggingBruteForceAttack: string
          slaViolation: string
          timeSettings:
              excessiveLogGracePeriod: 0
              logsResolvingTimeout: 0
              statusFetchingInterval: 0
              virtualLinkStatisticsLoggingInterval: 0
          vpnConfAndKeyExchangeErrors: string
          vpnPacketHandlingError: string
          vpnSuccessfulKeyExchange: string
    managementCommandSetGlobalPropertiesId: string
    nat:
        addrAllocAndReleaseTrack: string
        addrExhaustionTrack: string
        allowBiDirectionalNat: false
        autoArpConf: false
        autoTranslateDestOnClientSide: false
        enableIpPoolNat: false
        manuallyTranslateDestOnClientSide: false
        mergeManualProxyArpConf: false
    nonUniqueIpAddressRanges:
        - addressType: string
          firstIpv4Address: string
          firstIpv6Address: string
          lastIpv4Address: string
          lastIpv6Address: string
    numSpoofingErrsThatTriggerBruteForce: 0
    proxy:
        proxyAddress: string
        proxyPort: 0
        useProxyServer: false
    qos:
        authenticatedIpExpiration: 0
        defaultWeightOfRule: 0
        maxWeightOfRule: 0
        nonAuthenticatedIpExpiration: 0
        unansweredQueriedIpExpiration: 0
        unitOfMeasure: string
    remoteAccesses:
        - enableBackConnections: false
          encryptDnsTraffic: false
          endpointConnect:
              cachePasswordTimeout: 0
              clientUpgradeMode: string
              connectMode: string
              disconnectWhenConnToNetworkIsLost: string
              disconnectWhenDeviceIsIdle: string
              enablePasswordCaching: string
              networkLocationAwareness: string
              networkLocationAwarenessConf:
                  considerUndefinedDnsSuffixesAsExternal: false
                  considerWirelessNetworksAsExternal: false
                  dnsSuffixes:
                      - string
                  excludedInternalWirelessNetworks:
                      - string
                  networkOrGroupOfConnVpnClient: string
                  rememberPreviouslyDetectedExternalNetworks: false
                  vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient: string
              reAuthUserInterval: 0
              routeAllTrafficToGw: string
          hotSpotAndHotelRegistration:
              enableRegistration: false
              localSubnetsAccessOnly: false
              maxIpAccessDuringRegistration: 0
              ports:
                  - string
              registrationTimeout: 0
              trackLog: false
          keepAlivePacketToGwInterval: 0
          scv:
              applyScvOnSimplifiedModeFwPolicies: false
              exceptions:
                  - hosts:
                        - string
                    services:
                        - string
              generateLog: false
              noScvForUnsupportedCpClients: false
              notifyUser: false
              onlyTcpIpProtocolsAreUsed: false
              policyInstalledOnAllInterfaces: false
              uponVerificationAcceptAndLogClientConnection: false
          secureClientMobile:
              automaticallyInitiateDialup: string
              cachePasswordTimeout: 0
              connectMode: string
              disconnectWhenDeviceIsIdle: string
              enablePasswordCaching: string
              reAuthUserInterval: 0
              routeAllTrafficToGw: string
              supportedEncryptionMethods: string
              userAuthMethod: string
          simultaneousLoginMode: string
          sslNetworkExtender:
              clientOutgoingKeepAlivePacketsFrequency: 0
              clientUninstallUponDisconnection: string
              clientUpgradeUponConnection: string
              reAuthUserInterval: 0
              scanEpMachineForComplianceWithEpCompliancePolicy: false
              supportedEncryptionMethods: string
              userAuthMethod: string
          vpnAdvanced:
              allowClearTrafficToEncryptionDomainWhenDisconnected: false
              enableLoadDistributionForMepConf: false
              useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite: false
          vpnAuthenticationAndEncryptions:
              - encryptionAlgorithms:
                    ike:
                        supportDataIntegrity:
                            aesXcbc: false
                            md5: false
                            sha1: false
                            sha256: false
                        supportDiffieHellmanGroups:
                            group1: false
                            group2: false
                            group5: false
                            group14: false
                        supportEncryptionAlgorithms:
                            aes128: false
                            aes256: false
                            des: false
                            tdes: false
                        useDataIntegrity: string
                        useDiffieHellmanGroup: string
                        useEncryptionAlgorithm: string
                    ipsec:
                        enforceEncryptionAlgAndDataIntegrityOnAllUsers: false
                        supportDataIntegrity:
                            aesXcbc: false
                            md5: false
                            sha1: false
                            sha256: false
                        supportEncryptionAlgorithms:
                            aes128: false
                            aes256: false
                            des: false
                            tdes: false
                        useDataIntegrity: string
                        useEncryptionAlgorithm: string
                encryptionMethod: string
                l2tpPreSharedKey: string
                preSharedSecret: false
                supportL2tpWithPreSharedKey: false
                supportLegacyAuthForScL2tpNokiaClients: false
                supportLegacyEap: false
    statefulInspection:
        acceptStatefulIcmpErrors: false
        acceptStatefulIcmpReplies: false
        acceptStatefulOtherIpProtocolsRepliesForUnknownServices: false
        acceptStatefulUdpRepliesForUnknownServices: false
        dropOutOfStateIcmpPackets: false
        dropOutOfStateSctpPackets: false
        dropOutOfStateTcpPackets: false
        icmpVirtualSessionTimeout: 0
        logOnDropOutOfStateIcmpPackets: false
        logOnDropOutOfStateSctpPackets: false
        logOnDropOutOfStateTcpPackets: false
        otherIpProtocolsVirtualSessionTimeout: 0
        sctpEndTimeout: 0
        sctpSessionTimeout: 0
        sctpStartTimeout: 0
        tcpEndTimeout: 0
        tcpEndTimeoutR8020GwAndAbove: 0
        tcpOutOfStateDropExceptions:
            - string
        tcpSessionTimeout: 0
        tcpStartTimeout: 0
        udpVirtualSessionTimeout: 0
    userAccounts:
        daysUntilExpiration: 0
        expirationDate: string
        expirationDateMethod: string
        showAccountsExpirationIndicationDaysInAdvance: false
    userAuthority:
        displayWebAccessView: false
        trustOnlyFollowingWindowsDomains:
            - string
        windowsDomainsToTrust: string
    userCheck:
        preferredLanguage: string
        sendEmailsUsingMailServer: string
    userDirectory:
        cacheSize: 0
        displayUserDnAtLogin: string
        enablePasswordChangeWhenUserActiveDirectoryExpires: false
        enablePasswordExpirationConfiguration: false
        enforceRulesForUserMgmtAdmins: false
        minPasswordLength: 0
        passwordExpiresAfter: 0
        passwordMustIncludeADigit: false
        passwordMustIncludeASymbol: false
        passwordMustIncludeLowercaseChar: false
        passwordMustIncludeUppercaseChar: false
        timeoutOnCachedUsers: 0
    vpn:
        domainNameForDnsResolving: string
        enableBackupGw: false
        enableDecryptOnAcceptForGwToGwTraffic: false
        enableLoadDistributionForMepConf: false
        enableVpnDirectionalMatchInVpnColumn: false
        gracePeriodAfterTheCrlIsNotValid: 0
        gracePeriodBeforeTheCrlIsValid: 0
        gracePeriodExtensionForSecureRemoteSecureClient: 0
        supportIkeDosProtectionFromIdentifiedSrc: string
        supportIkeDosProtectionFromUnidentifiedSrc: string
        vpnConfMethod: string
ManagementCommandSetGlobalProperties Resource Properties
To learn more about resource properties and how to use them, see Inputs and Outputs in the Architecture and Concepts docs.
Inputs
In Python, inputs that are objects can be passed either as argument classes or as dictionary literals.
The ManagementCommandSetGlobalProperties resource accepts the following input properties:
- AdvancedConf ManagementCommandSetGlobalPropertiesAdvancedConf - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- AllowRemoteRegistrationOfOpsecProducts bool - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- Authentication ManagementCommandSetGlobalPropertiesAuthentication - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- CarrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- ConnectControl ManagementCommandSetGlobalPropertiesConnectControl - Configure settings that relate to ConnectControl server load balancing.
- DataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- DomainsToProcesses List<string> - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- Firewall ManagementCommandSetGlobalPropertiesFirewall - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- HitCount ManagementCommandSetGlobalPropertiesHitCount - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- IgnoreErrors bool - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- IgnoreWarnings bool - Apply changes ignoring warnings.
- LogAndAlerts List<ManagementCommandSetGlobalPropertiesLogAndAlert> - Define system-wide logging and alerting parameters.
- ManagementCommandSetGlobalPropertiesId string
- Nat ManagementCommandSetGlobalPropertiesNat - Configure settings that apply to all NAT connections.
- NonUniqueIpAddressRanges List<ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange> - Specify Non Unique IP Address Ranges.
- NumSpoofingErrsThatTriggerBruteForce double - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- Proxy ManagementCommandSetGlobalPropertiesProxy - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- Qos ManagementCommandSetGlobalPropertiesQos - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- RemoteAccesses List<ManagementCommandSetGlobalPropertiesRemoteAccess> - Configure Remote Access properties.
- StatefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection - Adjust Stateful Inspection parameters.
- UserAccounts ManagementCommandSetGlobalPropertiesUserAccounts - Set the expiration for a user account and configure "about to expire" warnings.
- UserAuthority ManagementCommandSetGlobalPropertiesUserAuthority - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- UserCheck ManagementCommandSetGlobalPropertiesUserCheck - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- UserDirectory ManagementCommandSetGlobalPropertiesUserDirectory - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- Vpn ManagementCommandSetGlobalPropertiesVpn - Configure settings relevant to VPN.
- AdvancedConf ManagementCommandSetGlobalPropertiesAdvancedConfArgs - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- AllowRemoteRegistrationOfOpsecProducts bool - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- Authentication ManagementCommandSetGlobalPropertiesAuthenticationArgs - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- CarrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurityArgs - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- ConnectControl ManagementCommandSetGlobalPropertiesConnectControlArgs - Configure settings that relate to ConnectControl server load balancing.
- DataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControlArgs - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- DomainsToProcesses []string - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- Firewall ManagementCommandSetGlobalPropertiesFirewallArgs - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- HitCount ManagementCommandSetGlobalPropertiesHitCountArgs - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- IgnoreErrors bool - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- IgnoreWarnings bool - Apply changes ignoring warnings.
- LogAndAlerts []ManagementCommandSetGlobalPropertiesLogAndAlertArgs - Define system-wide logging and alerting parameters.
- ManagementCommandSetGlobalPropertiesId string
- Nat ManagementCommandSetGlobalPropertiesNatArgs - Configure settings that apply to all NAT connections.
- NonUniqueIpAddressRanges []ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs - Specify Non Unique IP Address Ranges.
- NumSpoofingErrsThatTriggerBruteForce float64 - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- Proxy ManagementCommandSetGlobalPropertiesProxyArgs - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- Qos ManagementCommandSetGlobalPropertiesQosArgs - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- RemoteAccesses []ManagementCommandSetGlobalPropertiesRemoteAccessArgs - Configure Remote Access properties.
- StatefulInspection ManagementCommandSetGlobalPropertiesStatefulInspectionArgs - Adjust Stateful Inspection parameters.
- UserAccounts ManagementCommandSetGlobalPropertiesUserAccountsArgs - Set the expiration for a user account and configure "about to expire" warnings.
- UserAuthority ManagementCommandSetGlobalPropertiesUserAuthorityArgs - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- UserCheck ManagementCommandSetGlobalPropertiesUserCheckArgs - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- UserDirectory ManagementCommandSetGlobalPropertiesUserDirectoryArgs - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- Vpn ManagementCommandSetGlobalPropertiesVpnArgs - Configure settings relevant to VPN.
- advancedConf ManagementCommandSetGlobalPropertiesAdvancedConf - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts Boolean - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthentication - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl ManagementCommandSetGlobalPropertiesConnectControl - Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses List<String> - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewall - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount ManagementCommandSetGlobalPropertiesHitCount - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors Boolean - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings Boolean - Apply changes ignoring warnings.
- logAndAlerts List<ManagementCommandSetGlobalPropertiesLogAndAlert> - Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId String
- nat ManagementCommandSetGlobalPropertiesNat - Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges List<ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange> - Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce Double - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxy - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQos - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses List<ManagementCommandSetGlobalPropertiesRemoteAccess> - Configure Remote Access properties.
- statefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection - Adjust Stateful Inspection parameters.
- userAccounts ManagementCommandSetGlobalPropertiesUserAccounts - Set the expiration for a user account and configure "about to expire" warnings.
- userAuthority ManagementCommandSetGlobalPropertiesUserAuthority - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck ManagementCommandSetGlobalPropertiesUserCheck - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory ManagementCommandSetGlobalPropertiesUserDirectory - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpn - Configure settings relevant to VPN.
- advancedConf ManagementCommandSetGlobalPropertiesAdvancedConf
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts boolean
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthentication
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl ManagementCommandSetGlobalPropertiesConnectControl
- Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses string[]
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewall
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount ManagementCommandSetGlobalPropertiesHitCount
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors boolean
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings boolean
- Apply changes ignoring warnings.
- logAndAlerts ManagementCommandSetGlobalPropertiesLogAndAlert[]
- Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId string
- nat ManagementCommandSetGlobalPropertiesNat
- Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange[]
- Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce number
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxy
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQos
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses ManagementCommandSetGlobalPropertiesRemoteAccess[]
- Configure Remote Access properties.
- statefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection
- Adjust Stateful Inspection parameters.
- userAccounts ManagementCommandSetGlobalPropertiesUserAccounts
- Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthority
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck ManagementCommandSetGlobalPropertiesUserCheck
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory ManagementCommandSetGlobalPropertiesUserDirectory
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpn
- Configure settings relevant to VPN.
- advanced_conf ManagementCommandSetGlobalPropertiesAdvancedConfArgs
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allow_remote_registration_of_opsec_products bool
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthenticationArgs
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrier_security ManagementCommandSetGlobalPropertiesCarrierSecurityArgs
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connect_control ManagementCommandSetGlobalPropertiesConnectControlArgs
- Configure settings that relate to ConnectControl server load balancing.
- data_access_control ManagementCommandSetGlobalPropertiesDataAccessControlArgs
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domains_to_processes Sequence[str]
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewallArgs
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hit_count ManagementCommandSetGlobalPropertiesHitCountArgs
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignore_errors bool
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignore_warnings bool
- Apply changes ignoring warnings.
- log_and_alerts Sequence[ManagementCommandSetGlobalPropertiesLogAndAlertArgs]
- Define system-wide logging and alerting parameters.
- management_command_set_global_properties_id str
- nat ManagementCommandSetGlobalPropertiesNatArgs
- Configure settings that apply to all NAT connections.
- non_unique_ip_address_ranges Sequence[ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs]
- Specify Non Unique IP Address Ranges.
- num_spoofing_errs_that_trigger_brute_force float
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxyArgs
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQosArgs
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remote_accesses Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessArgs]
- Configure Remote Access properties.
- stateful_inspection ManagementCommandSetGlobalPropertiesStatefulInspectionArgs
- Adjust Stateful Inspection parameters.
- user_accounts ManagementCommandSetGlobalPropertiesUserAccountsArgs
- Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthorityArgs
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- user_check ManagementCommandSetGlobalPropertiesUserCheckArgs
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- user_directory ManagementCommandSetGlobalPropertiesUserDirectoryArgs
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpnArgs
- Configure settings relevant to VPN.
- advancedConf Property Map
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts Boolean
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication Property Map
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity Property Map
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl Property Map
- Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl Property Map
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses List<String>
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall Property Map
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount Property Map
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors Boolean
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings Boolean
- Apply changes ignoring warnings.
- logAndAlerts List<Property Map>
- Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId String
- nat Property Map
- Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges List<Property Map>
- Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce Number
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy Property Map
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos Property Map
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses List<Property Map>
- Configure Remote Access properties.
- statefulInspection Property Map
- Adjust Stateful Inspection parameters.
- userAccounts Property Map
- Set the expiration for a user account and configure "about to expire" warnings.
- Property Map
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck Property Map
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory Property Map
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn Property Map
- Configure settings relevant to VPN.
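Several of the inputs above carry constraints or side effects that are easy to miss in review: `domains_to_processes` accepts only two values and requires `ignore_warnings` set to true, `ignore_errors` produces changes that cannot be published, and `allow_remote_registration_of_opsec_products` widens which hosts can run the RA utility. The following pre-apply check is an added example, not code from the provider or its documentation; it uses the argument names from the Python signature, while the function names, severity labels and sample dictionaries are assumptions made for illustration.

```python
# Added example (not provider code). Argument names follow the resource's
# Python signature; function names, severity labels and the sample inputs
# are assumptions made for this illustration.

VALID_DOMAINS = ("CURRENT_DOMAIN", "ALL_DOMAINS_ON_THIS_SERVER")


def review_global_properties(args):
    """Return a list of (severity, argument, message) findings for a dict of
    top-level arguments intended for ManagementCommandSetGlobalProperties."""
    findings = []
    ignore_errors = args.get("ignore_errors")
    ignore_warnings = args.get("ignore_warnings")

    if ignore_errors:
        findings.append(("error", "ignore_errors",
                         "changes applied while ignoring errors cannot be published"))
        if ignore_warnings is None:
            findings.append(("warn", "ignore_warnings",
                             "omitted while ignore_errors is set, so warnings are ignored as well"))

    domains = args.get("domains_to_processes")
    if domains is not None:
        # A bare string would otherwise be iterated character by character.
        if isinstance(domains, str) or not isinstance(domains, (list, tuple)):
            findings.append(("error", "domains_to_processes",
                             "must be a sequence of strings"))
        else:
            bad = [d for d in domains if d not in VALID_DOMAINS]
            if bad:
                findings.append(("error", "domains_to_processes",
                                 f"invalid value(s): {bad!r}"))
            if domains and ignore_warnings is not True:
                findings.append(("error", "domains_to_processes",
                                 "requires ignore_warnings set to true"))
            if "ALL_DOMAINS_ON_THIS_SERVER" in domains:
                findings.append(("review", "domains_to_processes",
                                 "command is processed on every domain on this server"))
            # The System Domain and details-level restrictions depend on the
            # session, not on these arguments, so they are not checked here.

    if args.get("allow_remote_registration_of_opsec_products") is True:
        findings.append(("warn", "allow_remote_registration_of_opsec_products",
                         "any host can run the OPSEC remote administration utility"))

    if args.get("advanced_conf") is not None:
        findings.append(("review", "advanced_conf",
                         "documentation recommends consulting Check Point "
                         "Technical Support before modifying these values"))
    return findings


def is_blocked(findings):
    """True when at least one finding should stop the change."""
    return any(severity == "error" for severity, _, _ in findings)


# Constructed sample inputs.
RISKY_ARGS = {
    "ignore_errors": True,
    "allow_remote_registration_of_opsec_products": True,
    "domains_to_processes": ["ALL_DOMAINS", "CURRENT_DOMAIN"],
    "advanced_conf": {},
}
SAFE_ARGS = {
    "ignore_warnings": True,
    "domains_to_processes": ["CURRENT_DOMAIN"],
    "allow_remote_registration_of_opsec_products": False,
}

if __name__ == "__main__":
    for label, sample in (("risky", RISKY_ARGS), ("safe", SAFE_ARGS)):
        results = review_global_properties(sample)
        print(label, "blocked" if is_blocked(results) else "ok")
        for severity, argument, message in results:
            print(f"  [{severity}] {argument}: {message}")
```

Run it over the same dictionary that is later unpacked into the resource constructor, and fail the pipeline when `is_blocked` returns true.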
Outputs
All input properties are implicitly available as output properties. Additionally, the ManagementCommandSetGlobalProperties resource produces the following output properties:
- Id string
- The provider-assigned unique ID for this managed resource.
- Id string
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
- id string
- The provider-assigned unique ID for this managed resource.
- id str
- The provider-assigned unique ID for this managed resource.
- id String
- The provider-assigned unique ID for this managed resource.
Look up Existing ManagementCommandSetGlobalProperties Resource
Get an existing ManagementCommandSetGlobalProperties resource’s state with the given name, ID, and optional extra properties used to qualify the lookup.
public static get(name: string, id: Input<ID>, state?: ManagementCommandSetGlobalPropertiesState, opts?: CustomResourceOptions): ManagementCommandSetGlobalProperties
@staticmethod
def get(resource_name: str,
id: str,
opts: Optional[ResourceOptions] = None,
advanced_conf: Optional[ManagementCommandSetGlobalPropertiesAdvancedConfArgs] = None,
allow_remote_registration_of_opsec_products: Optional[bool] = None,
authentication: Optional[ManagementCommandSetGlobalPropertiesAuthenticationArgs] = None,
carrier_security: Optional[ManagementCommandSetGlobalPropertiesCarrierSecurityArgs] = None,
connect_control: Optional[ManagementCommandSetGlobalPropertiesConnectControlArgs] = None,
data_access_control: Optional[ManagementCommandSetGlobalPropertiesDataAccessControlArgs] = None,
domains_to_processes: Optional[Sequence[str]] = None,
firewall: Optional[ManagementCommandSetGlobalPropertiesFirewallArgs] = None,
hit_count: Optional[ManagementCommandSetGlobalPropertiesHitCountArgs] = None,
ignore_errors: Optional[bool] = None,
ignore_warnings: Optional[bool] = None,
log_and_alerts: Optional[Sequence[ManagementCommandSetGlobalPropertiesLogAndAlertArgs]] = None,
management_command_set_global_properties_id: Optional[str] = None,
nat: Optional[ManagementCommandSetGlobalPropertiesNatArgs] = None,
non_unique_ip_address_ranges: Optional[Sequence[ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs]] = None,
num_spoofing_errs_that_trigger_brute_force: Optional[float] = None,
proxy: Optional[ManagementCommandSetGlobalPropertiesProxyArgs] = None,
qos: Optional[ManagementCommandSetGlobalPropertiesQosArgs] = None,
remote_accesses: Optional[Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessArgs]] = None,
stateful_inspection: Optional[ManagementCommandSetGlobalPropertiesStatefulInspectionArgs] = None,
user_accounts: Optional[ManagementCommandSetGlobalPropertiesUserAccountsArgs] = None,
user_authority: Optional[ManagementCommandSetGlobalPropertiesUserAuthorityArgs] = None,
user_check: Optional[ManagementCommandSetGlobalPropertiesUserCheckArgs] = None,
user_directory: Optional[ManagementCommandSetGlobalPropertiesUserDirectoryArgs] = None,
vpn: Optional[ManagementCommandSetGlobalPropertiesVpnArgs] = None) -> ManagementCommandSetGlobalProperties
func GetManagementCommandSetGlobalProperties(ctx *Context, name string, id IDInput, state *ManagementCommandSetGlobalPropertiesState, opts ...ResourceOption) (*ManagementCommandSetGlobalProperties, error)
public static ManagementCommandSetGlobalProperties Get(string name, Input<string> id, ManagementCommandSetGlobalPropertiesState? state, CustomResourceOptions? opts = null)
public static ManagementCommandSetGlobalProperties get(String name, Output<String> id, ManagementCommandSetGlobalPropertiesState state, CustomResourceOptions options)
resources:
  _:
    type: checkpoint:ManagementCommandSetGlobalProperties
    get:
      id: ${id}
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- resource_name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- name
- The unique name of the resulting resource.
- id
- The unique provider ID of the resource to lookup.
- state
- Any extra arguments used during the lookup.
- opts
- A bag of options that control this resource's behavior.
- AdvancedConf ManagementCommandSetGlobalPropertiesAdvancedConf
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- AllowRemoteRegistrationOfOpsecProducts bool
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- Authentication ManagementCommandSetGlobalPropertiesAuthentication
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- CarrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- ConnectControl ManagementCommandSetGlobalPropertiesConnectControl
- Configure settings that relate to ConnectControl server load balancing.
- DataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- DomainsToProcesses List<string>
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- Firewall ManagementCommandSetGlobalPropertiesFirewall
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- HitCount ManagementCommandSetGlobalPropertiesHitCount
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- IgnoreErrors bool
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- IgnoreWarnings bool
- Apply changes ignoring warnings.
- LogAndAlerts List<ManagementCommandSetGlobalPropertiesLogAndAlert>
- Define system-wide logging and alerting parameters.
- ManagementCommandSetGlobalPropertiesId string
- Nat ManagementCommandSetGlobalPropertiesNat
- Configure settings that apply to all NAT connections.
- NonUniqueIpAddressRanges List<ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange>
- Specify Non Unique IP Address Ranges.
- NumSpoofingErrsThatTriggerBruteForce double
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- Proxy ManagementCommandSetGlobalPropertiesProxy
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- Qos ManagementCommandSetGlobalPropertiesQos
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- RemoteAccesses List<ManagementCommandSetGlobalPropertiesRemoteAccess>
- Configure Remote Access properties.
- StatefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection
- Adjust Stateful Inspection parameters.
- UserAccounts ManagementCommandSetGlobalPropertiesUserAccounts
- Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthority
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- UserCheck ManagementCommandSetGlobalPropertiesUserCheck
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- UserDirectory ManagementCommandSetGlobalPropertiesUserDirectory
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- Vpn ManagementCommandSetGlobalPropertiesVpn
- Configure settings relevant to VPN.
- AdvancedConf ManagementCommandSetGlobalPropertiesAdvancedConfArgs
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- AllowRemoteRegistrationOfOpsecProducts bool
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- Authentication ManagementCommandSetGlobalPropertiesAuthenticationArgs
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- CarrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurityArgs
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- ConnectControl ManagementCommandSetGlobalPropertiesConnectControlArgs
- Configure settings that relate to ConnectControl server load balancing.
- DataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControlArgs
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- DomainsToProcesses []string
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- Firewall ManagementCommandSetGlobalPropertiesFirewallArgs
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- HitCount ManagementCommandSetGlobalPropertiesHitCountArgs
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- IgnoreErrors bool
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- IgnoreWarnings bool
- Apply changes ignoring warnings.
- LogAndAlerts []ManagementCommandSetGlobalPropertiesLogAndAlertArgs
- Define system-wide logging and alerting parameters.
- ManagementCommandSetGlobalPropertiesId string
- Nat ManagementCommandSetGlobalPropertiesNatArgs
- Configure settings that apply to all NAT connections.
- NonUniqueIpAddressRanges []ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs
- Specify Non Unique IP Address Ranges.
- NumSpoofingErrsThatTriggerBruteForce float64
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- Proxy ManagementCommandSetGlobalPropertiesProxyArgs
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- Qos ManagementCommandSetGlobalPropertiesQosArgs
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- RemoteAccesses []ManagementCommandSetGlobalPropertiesRemoteAccessArgs
- Configure Remote Access properties.
- StatefulInspection ManagementCommandSetGlobalPropertiesStatefulInspectionArgs
- Adjust Stateful Inspection parameters.
- UserAccounts ManagementCommandSetGlobalPropertiesUserAccountsArgs
- Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthorityArgs
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- UserCheck ManagementCommandSetGlobalPropertiesUserCheckArgs
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- UserDirectory ManagementCommandSetGlobalPropertiesUserDirectoryArgs
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- Vpn ManagementCommandSetGlobalPropertiesVpnArgs
- Configure settings relevant to VPN.
- advancedConf ManagementCommandSetGlobalPropertiesAdvancedConf
- Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts Boolean
- After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthentication
- Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity
- Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl ManagementCommandSetGlobalPropertiesConnectControl
- Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl
- Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses List<String>
- Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewall
- Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount ManagementCommandSetGlobalPropertiesHitCount
- Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors Boolean
- Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings Boolean
- Apply changes ignoring warnings.
- logAndAlerts List<ManagementCommandSetGlobalPropertiesLogAndAlert>
- Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId String
- nat ManagementCommandSetGlobalPropertiesNat
- Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges List<ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange>
- Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce Double
- Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxy
- Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQos
- Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses List<ManagementCommandSetGlobalPropertiesRemoteAccess>
- Configure Remote Access properties.
- statefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection
- Adjust Stateful Inspection parameters.
- userAccounts ManagementCommandSetGlobalPropertiesUserAccounts
- Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthority
- Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck ManagementCommandSetGlobalPropertiesUserCheck
- Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory ManagementCommandSetGlobalPropertiesUserDirectory
- User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpn
- Configure settings relevant to VPN.
- advancedConf ManagementCommandSetGlobalPropertiesAdvancedConf - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts boolean - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthentication - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity ManagementCommandSetGlobalPropertiesCarrierSecurity - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl ManagementCommandSetGlobalPropertiesConnectControl - Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl ManagementCommandSetGlobalPropertiesDataAccessControl - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses string[] - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewall - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount ManagementCommandSetGlobalPropertiesHitCount - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors boolean - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings boolean - Apply changes ignoring warnings.
- logAndAlerts ManagementCommandSetGlobalPropertiesLogAndAlert[] - Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId string
- nat ManagementCommandSetGlobalPropertiesNat - Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange[] - Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce number - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxy - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQos - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses ManagementCommandSetGlobalPropertiesRemoteAccess[] - Configure Remote Access properties.
- statefulInspection ManagementCommandSetGlobalPropertiesStatefulInspection - Adjust Stateful Inspection parameters.
- userAccounts ManagementCommandSetGlobalPropertiesUserAccounts - Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthority - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck ManagementCommandSetGlobalPropertiesUserCheck - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory ManagementCommandSetGlobalPropertiesUserDirectory - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpn - Configure settings relevant to VPN.
- advanced_conf ManagementCommandSetGlobalPropertiesAdvancedConfArgs - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allow_remote_registration_of_opsec_products bool - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication ManagementCommandSetGlobalPropertiesAuthenticationArgs - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrier_security ManagementCommandSetGlobalPropertiesCarrierSecurityArgs - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connect_control ManagementCommandSetGlobalPropertiesConnectControlArgs - Configure settings that relate to ConnectControl server load balancing.
- data_access_control ManagementCommandSetGlobalPropertiesDataAccessControlArgs - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domains_to_processes Sequence[str] - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall ManagementCommandSetGlobalPropertiesFirewallArgs - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hit_count ManagementCommandSetGlobalPropertiesHitCountArgs - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignore_errors bool - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignore_warnings bool - Apply changes ignoring warnings.
- log_and_alerts Sequence[ManagementCommandSetGlobalPropertiesLogAndAlertArgs] - Define system-wide logging and alerting parameters.
- management_command_set_global_properties_id str
- nat ManagementCommandSetGlobalPropertiesNatArgs - Configure settings that apply to all NAT connections.
- non_unique_ip_address_ranges Sequence[ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs] - Specify Non Unique IP Address Ranges.
- num_spoofing_errs_that_trigger_brute_force float - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy ManagementCommandSetGlobalPropertiesProxyArgs - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos ManagementCommandSetGlobalPropertiesQosArgs - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remote_accesses Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessArgs] - Configure Remote Access properties.
- stateful_inspection ManagementCommandSetGlobalPropertiesStatefulInspectionArgs - Adjust Stateful Inspection parameters.
- user_accounts ManagementCommandSetGlobalPropertiesUserAccountsArgs - Set the expiration for a user account and configure "about to expire" warnings.
- ManagementCommandSetGlobalPropertiesUserAuthorityArgs - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- user_check ManagementCommandSetGlobalPropertiesUserCheckArgs - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- user_directory ManagementCommandSetGlobalPropertiesUserDirectoryArgs - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn ManagementCommandSetGlobalPropertiesVpnArgs - Configure settings relevant to VPN.
- advancedConf Property Map - Configure advanced global attributes. It's highly recommended to consult with Check Point's Technical Support before modifying these values.
- allowRemoteRegistrationOfOpsecProducts Boolean - After installing an OPSEC application, the remote administration (RA) utility enables an OPSEC product to finish registering itself without having to access the SmartConsole. If set to true, any host including the application host can run the utility. Otherwise, the RA utility can only be run from the Security Management host.
- authentication Property Map - Define Authentication properties that are common to all users and to the various ways that the Check Point Security Gateway asks for passwords (User, Client and Session Authentication).
- carrierSecurity Property Map - Specify system-wide properties. Select GTP intra tunnel inspection options, including anti-spoofing; tracking and logging options, and integrity tests.
- connectControl Property Map - Configure settings that relate to ConnectControl server load balancing.
- dataAccessControl Property Map - Configure automatic downloads from Check Point and anonymously share product data. Options selected here apply to all Security Gateways, Clusters and VSX devices managed by this management server.
- domainsToProcesses List<String> - Indicates which domains to process the commands on. It cannot be used with the details-level full, must be run from the System Domain only and with ignore-warnings true. Valid values are: CURRENT_DOMAIN, ALL_DOMAINS_ON_THIS_SERVER.
- firewall Property Map - Add implied rules to or remove them from the Firewall Rule Base. Determine the position of the implied rules in the Rule Base, and whether or not to log them.
- hitCount Property Map - Enable the Hit Count feature that tracks the number of connections that each rule matches.
- ignoreErrors Boolean - Apply changes ignoring errors. You won't be able to publish such changes. If the ignore-warnings flag is omitted, warnings will also be ignored.
- ignoreWarnings Boolean - Apply changes ignoring warnings.
- logAndAlerts List<Property Map> - Define system-wide logging and alerting parameters.
- managementCommandSetGlobalPropertiesId String
- nat Property Map - Configure settings that apply to all NAT connections.
- nonUniqueIpAddressRanges List<Property Map> - Specify Non Unique IP Address Ranges.
- numSpoofingErrsThatTriggerBruteForce Number - Indicates how many incorrectly signed packets will be tolerated before assuming that there is an attack on the packet tagging and revoking the client's key.
- proxy Property Map - Select whether a proxy server is used when servers, gateways, or clients need to access the internet for certain Check Point features and set the default proxy server that will be used.
- qos Property Map - Define the general parameters of Quality of Service (QoS) and apply them to QoS rules.
- remoteAccesses List<Property Map> - Configure Remote Access properties.
- statefulInspection Property Map - Adjust Stateful Inspection parameters.
- userAccounts Property Map - Set the expiration for a user account and configure "about to expire" warnings.
- Property Map - Decide whether to display and access the WebAccess rule base. This policy defines which users (that is, which Windows Domains) have access to the internal sites of the organization.
- userCheck Property Map - Set a language for the UserCheck message if the language setting in the user's browser cannot be determined.
- userDirectory Property Map - User can enable LDAP User Directory as well as specify global parameters for LDAP. If LDAP User Directory is enabled, this means that users are managed on an external LDAP server and not on the internal Check Point Security Gateway users databases.
- vpn Property Map - Configure settings relevant to VPN.
Supporting Types
ManagementCommandSetGlobalPropertiesAdvancedConf, ManagementCommandSetGlobalPropertiesAdvancedConfArgs
- CertsAndPki ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki - Configure Certificates and PKI properties.
- CertsAndPki ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki - Configure Certificates and PKI properties.
- certsAndPki ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki - Configure Certificates and PKI properties.
- certsAndPki ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki - Configure Certificates and PKI properties.
- certs_and_pki ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki - Configure Certificates and PKI properties.
- certsAndPki Property Map - Configure Certificates and PKI properties.
ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPki, ManagementCommandSetGlobalPropertiesAdvancedConfCertsAndPkiArgs
- CertValidationEnforceKeySize string - Enforce key length in certificate validation (R80+ gateways only).
- HostCertsEcdsaKeySize string - Select the key size for ECDSA of the host certificate.
- HostCertsKeySize string - Select the key size of the host certificate.
- CertValidationEnforceKeySize string - Enforce key length in certificate validation (R80+ gateways only).
- HostCertsEcdsaKeySize string - Select the key size for ECDSA of the host certificate.
- HostCertsKeySize string - Select the key size of the host certificate.
- certValidationEnforceKeySize String - Enforce key length in certificate validation (R80+ gateways only).
- hostCertsEcdsaKeySize String - Select the key size for ECDSA of the host certificate.
- hostCertsKeySize String - Select the key size of the host certificate.
- certValidationEnforceKeySize string - Enforce key length in certificate validation (R80+ gateways only).
- hostCertsEcdsaKeySize string - Select the key size for ECDSA of the host certificate.
- hostCertsKeySize string - Select the key size of the host certificate.
- cert_validation_enforce_key_size str - Enforce key length in certificate validation (R80+ gateways only).
- host_certs_ecdsa_key_size str - Select the key size for ECDSA of the host certificate.
- host_certs_key_size str - Select the key size of the host certificate.
- certValidationEnforceKeySize String - Enforce key length in certificate validation (R80+ gateways only).
- hostCertsEcdsaKeySize String - Select the key size for ECDSA of the host certificate.
- hostCertsKeySize String - Select the key size of the host certificate.
ManagementCommandSetGlobalPropertiesAuthentication, ManagementCommandSetGlobalPropertiesAuthenticationArgs
- AllowedSuffixForInternalUsers string - Suffix for internal users authentication.
- AuthInternalUsersWithSpecificSuffix bool - Enforce suffix for internal users authentication.
- DelayEachAuthAttemptBy double - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- EnableDelayedAuth bool - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- MaxClientAuthAttemptsBeforeConnectionTermination double - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxDaysBeforeExpirationOfNonPulledUserCertificates double - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- MaxRloginAttemptsBeforeConnectionTermination double - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxSessionAuthAttemptsBeforeConnectionTermination double - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxTelnetAttemptsBeforeConnectionTermination double - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- AllowedSuffixForInternalUsers string - Suffix for internal users authentication.
- AuthInternalUsersWithSpecificSuffix bool - Enforce suffix for internal users authentication.
- DelayEachAuthAttemptBy float64 - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- EnableDelayedAuth bool - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- MaxClientAuthAttemptsBeforeConnectionTermination float64 - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxDaysBeforeExpirationOfNonPulledUserCertificates float64 - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- MaxRloginAttemptsBeforeConnectionTermination float64 - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxSessionAuthAttemptsBeforeConnectionTermination float64 - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- MaxTelnetAttemptsBeforeConnectionTermination float64 - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- allowedSuffixForInternalUsers String - Suffix for internal users authentication.
- authInternalUsersWithSpecificSuffix Boolean - Enforce suffix for internal users authentication.
- delayEachAuthAttemptBy Double - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- enableDelayedAuth Boolean - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- maxClientAuthAttemptsBeforeConnectionTermination Double - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxDaysBeforeExpirationOfNonPulledUserCertificates Double - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- maxRloginAttemptsBeforeConnectionTermination Double - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxSessionAuthAttemptsBeforeConnectionTermination Double - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxTelnetAttemptsBeforeConnectionTermination Double - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- allowedSuffixForInternalUsers string - Suffix for internal users authentication.
- authInternalUsersWithSpecificSuffix boolean - Enforce suffix for internal users authentication.
- delayEachAuthAttemptBy number - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- enableDelayedAuth boolean - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- maxClientAuthAttemptsBeforeConnectionTermination number - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxDaysBeforeExpirationOfNonPulledUserCertificates number - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- maxRloginAttemptsBeforeConnectionTermination number - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxSessionAuthAttemptsBeforeConnectionTermination number - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxTelnetAttemptsBeforeConnectionTermination number - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- allowed_suffix_for_internal_users str - Suffix for internal users authentication.
- auth_internal_users_with_specific_suffix bool - Enforce suffix for internal users authentication.
- delay_each_auth_attempt_by float - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- enable_delayed_auth bool - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- max_client_auth_attempts_before_connection_termination float - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- max_days_before_expiration_of_non_pulled_user_certificates float - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- max_rlogin_attempts_before_connection_termination float - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- max_session_auth_attempts_before_connection_termination float - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- max_telnet_attempts_before_connection_termination float - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- allowedSuffixForInternalUsers String - Suffix for internal users authentication.
- authInternalUsersWithSpecificSuffix Boolean - Enforce suffix for internal users authentication.
- delayEachAuthAttemptBy Number - Delay each authentication attempt by the specified number of milliseconds. Any value from 1 to 25000 can be entered in this field.
- enableDelayedAuth Boolean - All authentications other than certificate-based authentications will be delayed by the specified time. Applying this delay will stall brute force authentication attacks. The delay is applied for both failed and successful authentication attempts.
- maxClientAuthAttemptsBeforeConnectionTermination Number - Allowed Number of Failed Client Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxDaysBeforeExpirationOfNonPulledUserCertificates Number - User certificates that were initiated but not pulled will expire after the specified number of days. Any value from 1 to 60 days can be entered in this field.
- maxRloginAttemptsBeforeConnectionTermination Number - Allowed Number of Failed rlogin Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxSessionAuthAttemptsBeforeConnectionTermination Number - Allowed Number of Failed Session Authentication Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
- maxTelnetAttemptsBeforeConnectionTermination Number - Allowed Number of Failed telnet Attempts Before Session Termination. Any value from 1 to 800 attempts can be entered in this field.
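The authentication properties above carry documented value ranges and a brute-force delay switch, so a pre-deployment check can catch out-of-range or weak values before they reach the management server. The following is an added example, not part of the provider or its documentation; the function name, `BASELINE_MAX_ATTEMPTS`, the suffix-consistency warning and the two sample dictionaries are assumptions constructed for illustration.

```python
"""Pre-deployment check for the `authentication` arguments (added example)."""

# Inclusive ranges taken from the property descriptions above.
DOCUMENTED_RANGES = {
    "delay_each_auth_attempt_by": (1, 25000),  # milliseconds
    "max_client_auth_attempts_before_connection_termination": (1, 800),
    "max_days_before_expiration_of_non_pulled_user_certificates": (1, 60),
    "max_rlogin_attempts_before_connection_termination": (1, 800),
    "max_session_auth_attempts_before_connection_termination": (1, 800),
    "max_telnet_attempts_before_connection_termination": (1, 800),
}
BOOL_FIELDS = ("auth_internal_users_with_specific_suffix", "enable_delayed_auth")
STR_FIELDS = ("allowed_suffix_for_internal_users",)
ATTEMPT_SUFFIX = "_attempts_before_connection_termination"

# Assumption: a local hardening baseline, not a value from the provider docs.
BASELINE_MAX_ATTEMPTS = 5


def check_authentication(args):
    """Return a list of (severity, property, message) findings for `args`."""
    findings = []
    known = set(DOCUMENTED_RANGES) | set(BOOL_FIELDS) | set(STR_FIELDS)
    for name in sorted(set(args) - known):
        findings.append(("error", name, "not a documented authentication property"))

    for name, (low, high) in DOCUMENTED_RANGES.items():
        if name not in args:
            continue
        value = args[name]
        # bool is a subclass of int in Python, so reject it explicitly.
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            findings.append(("error", name, "must be a number"))
        elif not low <= value <= high:
            findings.append(
                ("error", name, f"{value} is outside the documented range {low}-{high}"))
        elif name.endswith(ATTEMPT_SUFFIX) and value > BASELINE_MAX_ATTEMPTS:
            findings.append(
                ("warning", name,
                 f"{value} failed attempts allowed, baseline is {BASELINE_MAX_ATTEMPTS}"))

    for name in BOOL_FIELDS:
        if name in args and not isinstance(args[name], bool):
            findings.append(("error", name, "must be a bool"))
    for name in STR_FIELDS:
        if name in args and not isinstance(args[name], str):
            findings.append(("error", name, "must be a str"))

    # The description of enable_delayed_auth says the delay stalls brute force.
    if args.get("enable_delayed_auth") is not True:
        findings.append(("warning", "enable_delayed_auth",
                         "delayed authentication is off, so no brute-force delay applies"))
    # Assumption: enforcing a suffix without naming one is a misconfiguration.
    if (args.get("auth_internal_users_with_specific_suffix") is True
            and not args.get("allowed_suffix_for_internal_users")):
        findings.append(("warning", "allowed_suffix_for_internal_users",
                         "suffix enforcement is on but no suffix is set"))
    return findings


# Constructed sample inputs (not taken from any real deployment).
WEAK = {
    "enable_delayed_auth": False,
    "delay_each_auth_attempt_by": 30000,  # above the documented maximum
    "max_client_auth_attempts_before_connection_termination": 0,
    "max_telnet_attempts_before_connection_termination": 800,
}
HARDENED = {
    "enable_delayed_auth": True,
    "delay_each_auth_attempt_by": 2000,
    "max_client_auth_attempts_before_connection_termination": 3,
    "max_session_auth_attempts_before_connection_termination": 3,
    "max_rlogin_attempts_before_connection_termination": 1,
    "max_telnet_attempts_before_connection_termination": 1,
    "auth_internal_users_with_specific_suffix": True,
    "allowed_suffix_for_internal_users": "example.test",
}

if __name__ == "__main__":
    for label, sample in (("weak", WEAK), ("hardened", HARDENED)):
        print(label)
        for severity, name, message in check_authentication(sample):
            print(f"  {severity}: {name}: {message}")
```

A dictionary that passes with no findings can be unpacked into the `authentication` argument of the resource; errors should block the deployment, while warnings are for review.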
ManagementCommandSetGlobalPropertiesCarrierSecurity, ManagementCommandSetGlobalPropertiesCarrierSecurityArgs
- AggressiveAging bool - If true, enables configuring aggressive aging thresholds and time out value.
- AggressiveTimeout double - Aggressive timeout. Available only if aggressive-aging is true.
- AllowGgsnRepliesFromMultipleInterfaces bool - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- BlockGtpInGtp bool - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- EnableGPduSeqNumberCheckWithMaxDeviation bool - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- EnableReverseConnections bool - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- EnforceGtpAntiSpoofing bool - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- GPduSeqNumberCheckMaxDeviation double - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- GtpSignalingRateLimitSamplingInterval double - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- MemoryActivationThreshold double - Memory activation threshold. Available only if aggressive-aging is true.
- MemoryDeactivationThreshold double - Memory deactivation threshold. Available only if aggressive-aging is true.
- OneGtpEchoOnEachPathFrequency double - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- ProduceExtendedLogsOnUnmatchedPdus bool - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- ProduceExtendedLogsOnUnmatchedPdusPosition string - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- ProtocolViolationTrackOption string - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- TunnelActivationThreshold double - Tunnel activation threshold. Available only if aggressive-aging is true.
- TunnelDeactivationThreshold double - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- VerifyFlowLabels bool - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
- AggressiveAging bool - If true, enables configuring aggressive aging thresholds and timeout value.
- AggressiveTimeout float64 - Aggressive timeout. Available only if aggressive-aging is true.
- AllowGgsnRepliesFromMultipleInterfaces bool - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- BlockGtpInGtp bool - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- EnableGPduSeqNumberCheckWithMaxDeviation bool - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- EnableReverseConnections bool - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- EnforceGtpAntiSpoofing bool - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- GPduSeqNumberCheckMaxDeviation float64 - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- GtpSignalingRateLimitSamplingInterval float64 - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- MemoryActivationThreshold float64 - Memory activation threshold. Available only if aggressive-aging is true.
- MemoryDeactivationThreshold float64 - Memory deactivation threshold. Available only if aggressive-aging is true.
- OneGtpEchoOnEachPathFrequency float64 - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- ProduceExtendedLogsOnUnmatchedPdus bool - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- ProduceExtendedLogsOnUnmatchedPdusPosition string - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- ProtocolViolationTrackOption string - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- TunnelActivationThreshold float64 - Tunnel activation threshold. Available only if aggressive-aging is true.
- TunnelDeactivationThreshold float64 - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- VerifyFlowLabels bool - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
- aggressiveAging Boolean - If true, enables configuring aggressive aging thresholds and timeout value.
- aggressiveTimeout Double - Aggressive timeout. Available only if aggressive-aging is true.
- allowGgsnRepliesFromMultipleInterfaces Boolean - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- blockGtpInGtp Boolean - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- enableGPduSeqNumberCheckWithMaxDeviation Boolean - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- enableReverseConnections Boolean - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- enforceGtpAntiSpoofing Boolean - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- gPduSeqNumberCheckMaxDeviation Double - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- gtpSignalingRateLimitSamplingInterval Double - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- memoryActivationThreshold Double - Memory activation threshold. Available only if aggressive-aging is true.
- memoryDeactivationThreshold Double - Memory deactivation threshold. Available only if aggressive-aging is true.
- oneGtpEchoOnEachPathFrequency Double - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- produceExtendedLogsOnUnmatchedPdus Boolean - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- produceExtendedLogsOnUnmatchedPdusPosition String - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- protocolViolationTrackOption String - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- tunnelActivationThreshold Double - Tunnel activation threshold. Available only if aggressive-aging is true.
- tunnelDeactivationThreshold Double - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- verifyFlowLabels Boolean - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
- aggressiveAging boolean - If true, enables configuring aggressive aging thresholds and timeout value.
- aggressiveTimeout number - Aggressive timeout. Available only if aggressive-aging is true.
- allowGgsnRepliesFromMultipleInterfaces boolean - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- blockGtpInGtp boolean - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- enableGPduSeqNumberCheckWithMaxDeviation boolean - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- enableReverseConnections boolean - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- enforceGtpAntiSpoofing boolean - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- gPduSeqNumberCheckMaxDeviation number - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- gtpSignalingRateLimitSamplingInterval number - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- memoryActivationThreshold number - Memory activation threshold. Available only if aggressive-aging is true.
- memoryDeactivationThreshold number - Memory deactivation threshold. Available only if aggressive-aging is true.
- oneGtpEchoOnEachPathFrequency number - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- produceExtendedLogsOnUnmatchedPdus boolean - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- produceExtendedLogsOnUnmatchedPdusPosition string - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- protocolViolationTrackOption string - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- tunnelActivationThreshold number - Tunnel activation threshold. Available only if aggressive-aging is true.
- tunnelDeactivationThreshold number - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- verifyFlowLabels boolean - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
- aggressive_aging bool - If true, enables configuring aggressive aging thresholds and timeout value.
- aggressive_timeout float - Aggressive timeout. Available only if aggressive-aging is true.
- allow_ggsn_replies_from_multiple_interfaces bool - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- block_gtp_in_gtp bool - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- enable_g_pdu_seq_number_check_with_max_deviation bool - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- enable_reverse_connections bool - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- enforce_gtp_anti_spoofing bool - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- g_pdu_seq_number_check_max_deviation float - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- gtp_signaling_rate_limit_sampling_interval float - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- memory_activation_threshold float - Memory activation threshold. Available only if aggressive-aging is true.
- memory_deactivation_threshold float - Memory deactivation threshold. Available only if aggressive-aging is true.
- one_gtp_echo_on_each_path_frequency float - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- produce_extended_logs_on_unmatched_pdus bool - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- produce_extended_logs_on_unmatched_pdus_position str - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- protocol_violation_track_option str - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- tunnel_activation_threshold float - Tunnel activation threshold. Available only if aggressive-aging is true.
- tunnel_deactivation_threshold float - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- verify_flow_labels bool - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
- aggressiveAging Boolean - If true, enables configuring aggressive aging thresholds and timeout value.
- aggressiveTimeout Number - Aggressive timeout. Available only if aggressive-aging is true.
- allowGgsnRepliesFromMultipleInterfaces Boolean - Allows GTP signaling replies from an IP address different from the IP address to which the requests are sent (Relevant only for gateways below R80).
- blockGtpInGtp Boolean - Prevents GTP packets from being encapsulated inside GTP tunnels. When this option is checked, such packets are dropped and logged.
- enableGPduSeqNumberCheckWithMaxDeviation Boolean - If set to false, sequence checking is not enforced and all out-of-sequence G-PDUs will be accepted. To enhance performance, disable this extended integrity test.
- enableReverseConnections Boolean - Allows Carrier Security gateways to accept PDUs sent from the GGSN to the SGSN, on a previously established PDP context, even if these PDUs are sent over ports that do not match the ports of the established PDP context.
- enforceGtpAntiSpoofing Boolean - Verifies that G-PDUs are using the end user IP address that has been agreed upon in the PDP context activation process. When this option is checked, packets that do not use this IP address are dropped and logged.
- gPduSeqNumberCheckMaxDeviation Number - Specifies that a G-PDU is accepted only if the difference between its sequence number and the expected sequence number is less than or equal to the allowed deviation. Available only if enable-g-pdu-seq-number-check-with-max-deviation is true.
- gtpSignalingRateLimitSamplingInterval Number - Works in correlation with the property Enforce GTP Signal packet rate limit found in the Carrier Security window of the GSN network object. For example, with the rate limit sampling interval default of 1 second, and the network object enforced a GTP signal packet rate limit of the default 2048 PDU per second, sampling will occur one time per second, or 2048 signaling PDUs between two consecutive samplings.
- memoryActivationThreshold Number - Memory activation threshold. Available only if aggressive-aging is true.
- memoryDeactivationThreshold Number - Memory deactivation threshold. Available only if aggressive-aging is true.
- oneGtpEchoOnEachPathFrequency Number - Sets the number of GTP Echo exchanges per path allowed per configured time period. Echo requests exceeding this rate are dropped and logged. Setting the value to 0 disables the feature and allows an unlimited number of echo requests per path at any interval.
- produceExtendedLogsOnUnmatchedPdus Boolean - Logs GTP packets not matched by previous rules with Carrier Security's extended GTP-related log fields. These logs are brown and their Action attribute is empty. The default setting is checked.
- produceExtendedLogsOnUnmatchedPdusPosition String - Choose to place this implicit rule Before Last or as the Last rule. Available only if produce-extended-logs-on-unmatched-pdus is true.
- protocolViolationTrackOption String - Set the appropriate track or alert option to be used when a protocol violation (malformed packet) is detected.
- tunnelActivationThreshold Number - Tunnel activation threshold. Available only if aggressive-aging is true.
- tunnelDeactivationThreshold Number - Tunnel deactivation threshold. Available only if aggressive-aging is true.
- verifyFlowLabels Boolean - See that each packet's flow label matches the flow labels defined by GTP signaling. This option is relevant for GTP version 0 only. To enhance performance, disable this extended integrity test.
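The "Available only if ..." dependencies and the GTP checks described in the carrier security list above, expressed as a pre-deployment lint over a plain dict keyed by the Python property names. This is an added example, not provider or Check Point code; the rule tables, the function name and the sample values are constructed for illustration, and unset properties are not judged because this page does not state their defaults.

```python
"""Lint a carrier_security argument dict before it reaches the provider.

Added example: keys are the Python property names listed on this page;
DEPENDS_ON, RELAXED and lint_carrier_security are this example's own names.
"""

# Dependent property -> gating boolean ("Available only if <gate> is true").
DEPENDS_ON = {
    "aggressive_timeout": "aggressive_aging",
    "memory_activation_threshold": "aggressive_aging",
    "memory_deactivation_threshold": "aggressive_aging",
    "tunnel_activation_threshold": "aggressive_aging",
    "tunnel_deactivation_threshold": "aggressive_aging",
    "g_pdu_seq_number_check_max_deviation":
        "enable_g_pdu_seq_number_check_with_max_deviation",
    "produce_extended_logs_on_unmatched_pdus_position":
        "produce_extended_logs_on_unmatched_pdus",
}

# Property -> (predicate for the relaxing value, effect as described on this page).
# Only explicitly set values are judged; defaults are not stated on the page.
RELAXED = {
    "enforce_gtp_anti_spoofing": (
        lambda v: v is False,
        "G-PDUs not using the end user IP agreed in the PDP context are not dropped"),
    "block_gtp_in_gtp": (
        lambda v: v is False,
        "GTP packets encapsulated inside GTP tunnels are not dropped"),
    "enable_g_pdu_seq_number_check_with_max_deviation": (
        lambda v: v is False,
        "all out-of-sequence G-PDUs are accepted"),
    "one_gtp_echo_on_each_path_frequency": (
        lambda v: not isinstance(v, bool) and v == 0,
        "0 allows an unlimited number of echo requests per path"),
    "enable_reverse_connections": (
        lambda v: v is True,
        "GGSN-to-SGSN PDUs are accepted on ports that do not match the PDP context"),
    "allow_ggsn_replies_from_multiple_interfaces": (
        lambda v: v is True,
        "signaling replies are accepted from an IP other than the one queried"),
}


def lint_carrier_security(settings):
    """Return a list of (kind, property, message) findings for one settings dict."""
    findings = []
    # A dependent value is flagged unless its gate is explicitly True.
    for prop, gate in DEPENDS_ON.items():
        if prop in settings and settings.get(gate) is not True:
            findings.append(("dependency", prop, f"set, but {gate} is not true"))
    # A check is flagged only when it was explicitly set to its relaxing value.
    for prop, (is_relaxed, effect) in RELAXED.items():
        if prop in settings and is_relaxed(settings[prop]):
            findings.append(("relaxed", prop, effect))
    return findings


# Constructed sample: thresholds set without their gate, integrity checks relaxed.
CONSTRUCTED_RELAXED = {
    "aggressive_timeout": 3600,
    "enforce_gtp_anti_spoofing": False,
    "block_gtp_in_gtp": False,
    "one_gtp_echo_on_each_path_frequency": 0,
    "enable_g_pdu_seq_number_check_with_max_deviation": False,
    "g_pdu_seq_number_check_max_deviation": 16,
}

# Constructed sample: same intent, gates enabled and checks left on.
CONSTRUCTED_HARDENED = {
    "aggressive_aging": True,
    "aggressive_timeout": 3600,
    "enforce_gtp_anti_spoofing": True,
    "block_gtp_in_gtp": True,
    "one_gtp_echo_on_each_path_frequency": 5,
    "enable_g_pdu_seq_number_check_with_max_deviation": True,
    "g_pdu_seq_number_check_max_deviation": 16,
}

if __name__ == "__main__":
    for name, cfg in (("relaxed", CONSTRUCTED_RELAXED),
                      ("hardened", CONSTRUCTED_HARDENED)):
        print(name)
        for kind, prop, msg in lint_carrier_security(cfg):
            print(f"  [{kind}] {prop}: {msg}")
```
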
ManagementCommandSetGlobalPropertiesConnectControl, ManagementCommandSetGlobalPropertiesConnectControlArgs
- LoadAgentsPort double - Sets the port number on which load measuring agents communicate with ConnectControl.
- LoadMeasurementInterval double - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- PersistenceServerTimeout double - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- ServerAvailabilityCheckInterval double - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- ServerCheckRetries double - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
- LoadAgentsPort float64 - Sets the port number on which load measuring agents communicate with ConnectControl.
- LoadMeasurementInterval float64 - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- PersistenceServerTimeout float64 - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- ServerAvailabilityCheckInterval float64 - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- ServerCheckRetries float64 - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
- loadAgentsPort Double - Sets the port number on which load measuring agents communicate with ConnectControl.
- loadMeasurementInterval Double - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- persistenceServerTimeout Double - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- serverAvailabilityCheckInterval Double - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- serverCheckRetries Double - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
- loadAgentsPort number - Sets the port number on which load measuring agents communicate with ConnectControl.
- loadMeasurementInterval number - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- persistenceServerTimeout number - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- serverAvailabilityCheckInterval number - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- serverCheckRetries number - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
- load_agents_port float - Sets the port number on which load measuring agents communicate with ConnectControl.
- load_measurement_interval float - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- persistence_server_timeout float - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- server_availability_check_interval float - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- server_check_retries float - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
- loadAgentsPort Number - Sets the port number on which load measuring agents communicate with ConnectControl.
- loadMeasurementInterval Number - Sets how often (in seconds) the load measuring agents report their load status to ConnectControl.
- persistenceServerTimeout Number - Sets the amount of time (in seconds) that a client, once directed to a particular server, will continue to be directed to that same server.
- serverAvailabilityCheckInterval Number - Sets how often (in seconds) ConnectControl checks to make sure the load balanced servers are running and responding to service requests.
- serverCheckRetries Number - Sets how many times ConnectControl attempts to contact a server before ceasing to direct traffic to it.
ManagementCommandSetGlobalPropertiesDataAccessControl, ManagementCommandSetGlobalPropertiesDataAccessControlArgs
- AutoDownloadImportantData bool - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- AutoDownloadSwUpdatesAndNewFeatures bool - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- SendAnonymousInfo bool - Help Check Point improve the product by sending anonymous information.
- bool
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
- AutoDownloadImportantData bool - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- AutoDownloadSwUpdatesAndNewFeatures bool - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- SendAnonymousInfo bool - Help Check Point improve the product by sending anonymous information.
- bool
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
- autoDownloadImportantData Boolean - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- autoDownloadSwUpdatesAndNewFeatures Boolean - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- sendAnonymousInfo Boolean - Help Check Point improve the product by sending anonymous information.
- Boolean
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
- autoDownloadImportantData boolean - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- autoDownloadSwUpdatesAndNewFeatures boolean - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- sendAnonymousInfo boolean - Help Check Point improve the product by sending anonymous information.
- boolean
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
- auto_download_important_data bool - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- auto_download_sw_updates_and_new_features bool - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- send_anonymous_info bool - Help Check Point improve the product by sending anonymous information.
- bool
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
- autoDownloadImportantData Boolean - Automatically download and install Software Blade Contracts, security updates and other important data (highly recommended).
- autoDownloadSwUpdatesAndNewFeatures Boolean - Automatically download software updates and new features (highly recommended). Available only if auto-download-important-data is set to true.
- sendAnonymousInfo Boolean - Help Check Point improve the product by sending anonymous information.
- Boolean
- Approve sharing core dump files and other relevant crash data which might contain personal information. All shared data will be processed in accordance with Check Point's Privacy Policy. Available only if send-anonymous-info is set to true.
ManagementCommandSetGlobalPropertiesFirewall, ManagementCommandSetGlobalPropertiesFirewallArgs
- AcceptControlConnections bool - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- AcceptDomainNameOverTcp bool - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- AcceptDomainNameOverTcpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- AcceptDomainNameOverUdp bool - Accepts Domain Name (DNS) queries and replies over UDP.
- AcceptDomainNameOverUdpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- AcceptDynamicAddrModulesOutgoingInternetConnections bool - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- AcceptIcmpRequests bool - Accepts Internet Control Message Protocol messages.
- AcceptIcmpRequestsPosition string - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- AcceptIdentityAwarenessControlConnections bool - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- AcceptIdentityAwarenessControlConnectionsPosition string - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- AcceptIncomingTrafficToDhcpAndDnsServicesOfGws bool - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- AcceptIps1ManagementConnections bool - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- AcceptOutgoingPacketsOriginatingFromConnectraGw bool - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsOriginatingFromGw bool - Accepts all packets from connections that originate at the Check Point Security Gateway.
- AcceptOutgoingPacketsOriginatingFromGwPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsToCpOnlineServices bool - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsToCpOnlineServicesPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- AcceptRemoteAccessControlConnections bool - Accepts Remote Access connections. Available only if accept-control-connections is true.
- AcceptRip bool - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- AcceptRipPosition string - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- AcceptSmartUpdateConnections bool - Accepts SmartUpdate connections.
- AcceptVrrpPacketsOriginatingFromClusterMembers bool - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- AcceptWebAndSshConnectionsForGwAdministration bool - Accepts Web and SSH connections for Small Office Appliance gateways.
- LogImpliedRules bool - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- SecurityServer ManagementCommandSetGlobalPropertiesFirewallSecurityServer - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
- AcceptControlConnections bool - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- AcceptDomainNameOverTcp bool - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- AcceptDomainNameOverTcpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- AcceptDomainNameOverUdp bool - Accepts Domain Name (DNS) queries and replies over UDP.
- AcceptDomainNameOverUdpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- AcceptDynamicAddrModulesOutgoingInternetConnections bool - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- AcceptIcmpRequests bool - Accepts Internet Control Message Protocol messages.
- AcceptIcmpRequestsPosition string - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- AcceptIdentityAwarenessControlConnections bool - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- AcceptIdentityAwarenessControlConnectionsPosition string - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- AcceptIncomingTrafficToDhcpAndDnsServicesOfGws bool - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- AcceptIps1ManagementConnections bool - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- AcceptOutgoingPacketsOriginatingFromConnectraGw bool - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsOriginatingFromGw bool - Accepts all packets from connections that originate at the Check Point Security Gateway.
- AcceptOutgoingPacketsOriginatingFromGwPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsToCpOnlineServices bool - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- AcceptOutgoingPacketsToCpOnlineServicesPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- AcceptRemoteAccessControlConnections bool - Accepts Remote Access connections. Available only if accept-control-connections is true.
- AcceptRip bool - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- AcceptRipPosition string - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- AcceptSmartUpdateConnections bool - Accepts SmartUpdate connections.
- AcceptVrrpPacketsOriginatingFromClusterMembers bool - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- AcceptWebAndSshConnectionsForGwAdministration bool - Accepts Web and SSH connections for Small Office Appliance gateways.
- LogImpliedRules bool - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- SecurityServer ManagementCommandSetGlobalPropertiesFirewallSecurityServer - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
- acceptControlConnections Boolean - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- acceptDomainNameOverTcp Boolean - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- acceptDomainNameOverTcpPosition String - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- acceptDomainNameOverUdp Boolean - Accepts Domain Name (DNS) queries and replies over UDP.
- acceptDomainNameOverUdpPosition String - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- acceptDynamicAddrModulesOutgoingInternetConnections Boolean - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- acceptIcmpRequests Boolean - Accepts Internet Control Message Protocol messages.
- acceptIcmpRequestsPosition String - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- acceptIdentityAwarenessControlConnections Boolean - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- acceptIdentityAwarenessControlConnectionsPosition String - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- acceptIncomingTrafficToDhcpAndDnsServicesOfGws Boolean - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- acceptIps1ManagementConnections Boolean - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- acceptOutgoingPacketsOriginatingFromConnectraGw Boolean - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsOriginatingFromGw Boolean - Accepts all packets from connections that originate at the Check Point Security Gateway.
- acceptOutgoingPacketsOriginatingFromGwPosition String - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServices Boolean - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServicesPosition String - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- acceptRemoteAccessControlConnections Boolean - Accepts Remote Access connections. Available only if accept-control-connections is true.
- acceptRip Boolean - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- acceptRipPosition String - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- acceptSmartUpdateConnections Boolean - Accepts SmartUpdate connections.
- acceptVrrpPacketsOriginatingFromClusterMembers Boolean - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- acceptWebAndSshConnectionsForGwAdministration Boolean - Accepts Web and SSH connections for Small Office Appliance gateways.
- logImpliedRules Boolean - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- securityServer ManagementCommandSetGlobalPropertiesFirewallSecurityServer - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
- acceptControlConnections boolean - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- acceptDomainNameOverTcp boolean - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- acceptDomainNameOverTcpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- acceptDomainNameOverUdp boolean - Accepts Domain Name (DNS) queries and replies over UDP.
- acceptDomainNameOverUdpPosition string - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- acceptDynamicAddrModulesOutgoingInternetConnections boolean - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- acceptIcmpRequests boolean - Accepts Internet Control Message Protocol messages.
- acceptIcmpRequestsPosition string - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- acceptIdentityAwarenessControlConnections boolean - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- acceptIdentityAwarenessControlConnectionsPosition string - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- acceptIncomingTrafficToDhcpAndDnsServicesOfGws boolean - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- acceptIps1ManagementConnections boolean - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- acceptOutgoingPacketsOriginatingFromConnectraGw boolean - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsOriginatingFromGw boolean - Accepts all packets from connections that originate at the Check Point Security Gateway.
- acceptOutgoingPacketsOriginatingFromGwPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServices boolean - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServicesPosition string - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- acceptRemoteAccessControlConnections boolean - Accepts Remote Access connections. Available only if accept-control-connections is true.
- acceptRip boolean - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- acceptRipPosition string - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- acceptSmartUpdateConnections boolean - Accepts SmartUpdate connections.
- acceptVrrpPacketsOriginatingFromClusterMembers boolean - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- acceptWebAndSshConnectionsForGwAdministration boolean - Accepts Web and SSH connections for Small Office Appliance gateways.
- logImpliedRules boolean - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- securityServer ManagementCommandSetGlobalPropertiesFirewallSecurityServer - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
- accept_control_connections bool - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- accept_domain_name_over_tcp bool - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- accept_domain_name_over_tcp_position str - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- accept_domain_name_over_udp bool - Accepts Domain Name (DNS) queries and replies over UDP.
- accept_domain_name_over_udp_position str - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- accept_dynamic_addr_modules_outgoing_internet_connections bool - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- accept_icmp_requests bool - Accepts Internet Control Message Protocol messages.
- accept_icmp_requests_position str - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- accept_identity_awareness_control_connections bool - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- accept_identity_awareness_control_connections_position str - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- accept_incoming_traffic_to_dhcp_and_dns_services_of_gws bool - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- accept_ips1_management_connections bool - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- accept_outgoing_packets_originating_from_connectra_gw bool - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- accept_outgoing_packets_originating_from_gw bool - Accepts all packets from connections that originate at the Check Point Security Gateway.
- accept_outgoing_packets_originating_from_gw_position str - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- accept_outgoing_packets_to_cp_online_services bool - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- accept_outgoing_packets_to_cp_online_services_position str - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- accept_remote_access_control_connections bool - Accepts Remote Access connections. Available only if accept-control-connections is true.
- accept_rip bool - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- accept_rip_position str - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- accept_smart_update_connections bool - Accepts SmartUpdate connections.
- accept_vrrp_packets_originating_from_cluster_members bool - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- accept_web_and_ssh_connections_for_gw_administration bool - Accepts Web and SSH connections for Small Office Appliance gateways.
- log_implied_rules bool - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- security_server ManagementCommandSetGlobalPropertiesFirewallSecurityServer - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
- acceptControlConnections Boolean - Used for: Installing the security policy from the Security Management server to the gateways. Sending logs from the gateways to the Security Management server. Communication between SmartConsole clients and the Security Management Server. Communication between Firewall daemons on different machines (Security Management Server, Security Gateway). Connecting to OPSEC applications such as RADIUS and TACACS authentication servers. If you disable Accept Control Connections and you want Check Point components to communicate with each other and with OPSEC components, you must explicitly allow these connections in the Rule Base.
- acceptDomainNameOverTcp Boolean - Accepts Domain Name (DNS) queries and replies over TCP, to allow downloading of the domain name-resolving tables used for zone transfers between servers. For clients, DNS over TCP is only used if the tables to be transferred are very large.
- acceptDomainNameOverTcpPosition String - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-tcp is true.
- acceptDomainNameOverUdp Boolean - Accepts Domain Name (DNS) queries and replies over UDP.
- acceptDomainNameOverUdpPosition String - The position of the implied rules in the Rule Base. Available only if accept-domain-name-over-udp is true.
- acceptDynamicAddrModulesOutgoingInternetConnections Boolean - Accept Dynamic Address modules' outgoing internet connections. Accepts DHCP traffic for DAIP (Dynamically Assigned IP Address) gateways. In Small Office Appliance gateways, this rule allows outgoing DHCP, PPP, PPTP and L2TP Internet connections (regardless of whether it is or is not a DAIP gateway).
- acceptIcmpRequests Boolean - Accepts Internet Control Message Protocol messages.
- acceptIcmpRequestsPosition String - The position of the implied rules in the Rule Base. Available only if accept-icmp-requests is true.
- acceptIdentityAwarenessControlConnections Boolean - Accepts traffic between Security Gateways in distributed environment configurations of Identity Awareness.
- acceptIdentityAwarenessControlConnectionsPosition String - The position of the implied rules in the Rule Base. Available only if accept-identity-awareness-control-connections is true.
- acceptIncomingTrafficToDhcpAndDnsServicesOfGws Boolean - Allows the Small Office Appliance gateway to provide DHCP relay, DHCP server and DNS proxy services regardless of the rule base.
- acceptIps1ManagementConnections Boolean - Accepts IPS-1 connections. Available only if accept-control-connections is true.
- acceptOutgoingPacketsOriginatingFromConnectraGw Boolean - Accepts outgoing packets originating from Connectra gateway. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsOriginatingFromGw Boolean - Accepts all packets from connections that originate at the Check Point Security Gateway.
- acceptOutgoingPacketsOriginatingFromGwPosition String - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServices Boolean - Allow Security Gateways to access Check Point online services. Supported for R80.10 Gateway and higher. Available only if accept-outgoing-packets-originating-from-gw is false.
- acceptOutgoingPacketsToCpOnlineServicesPosition String - The position of the implied rules in the Rule Base. Available only if accept-outgoing-packets-to-cp-online-services is true.
- acceptRemoteAccessControlConnections Boolean - Accepts Remote Access connections. Available only if accept-control-connections is true.
- acceptRip Boolean - Accepts Routing Information Protocol (RIP), using UDP on port 520.
- acceptRipPosition String - The position of the implied rules in the Rule Base. Available only if accept-rip is true.
- acceptSmartUpdateConnections Boolean - Accepts SmartUpdate connections.
- acceptVrrpPacketsOriginatingFromClusterMembers Boolean - Selecting this option creates an implied rule in the security policy Rule Base that accepts VRRP inbound and outbound traffic to and from the members of the cluster.
- acceptWebAndSshConnectionsForGwAdministration Boolean - Accepts Web and SSH connections for Small Office Appliance gateways.
- logImpliedRules Boolean - Produces log records for communications that match the implied rules that are generated in the Rule Base from the properties defined in this window.
- securityServer Property Map - Control the welcome messages that users will see when logging in to servers behind Check Point Security Gateways.
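The "Available only if ..." conditions in the firewall property list above can be checked before a deployment. The following is an added example, not code from the provider or from this page: a stand-alone Python linter over a plain dict. The function and constant names, the sample values and the two review findings on control connections and logging are assumptions of this example.

```python
"""Lint a firewall property block before it is applied (added example)."""

# dependent property -> (controlling property, value the controller must have).
# Transcribed from the "Available only if ..." sentences in the property list;
# keys use the hyphenated names that appear in those sentences.
AVAILABLE_ONLY_IF = {
    "accept-domain-name-over-tcp-position": ("accept-domain-name-over-tcp", True),
    "accept-domain-name-over-udp-position": ("accept-domain-name-over-udp", True),
    "accept-icmp-requests-position": ("accept-icmp-requests", True),
    "accept-identity-awareness-control-connections-position":
        ("accept-identity-awareness-control-connections", True),
    "accept-ips1-management-connections": ("accept-control-connections", True),
    "accept-remote-access-control-connections": ("accept-control-connections", True),
    "accept-outgoing-packets-originating-from-connectra-gw":
        ("accept-outgoing-packets-originating-from-gw", False),
    # Stated on the page as "false", kept exactly as documented.
    "accept-outgoing-packets-originating-from-gw-position":
        ("accept-outgoing-packets-originating-from-gw", False),
    "accept-outgoing-packets-to-cp-online-services":
        ("accept-outgoing-packets-originating-from-gw", False),
    "accept-outgoing-packets-to-cp-online-services-position":
        ("accept-outgoing-packets-to-cp-online-services", True),
    "accept-rip-position": ("accept-rip", True),
}


def _normalise(props):
    """Accept snake_case (Python SDK style) and hyphenated keys alike."""
    return {key.replace("_", "-"): value for key, value in props.items()}


def lint_firewall(props):
    """Return a sorted list of (property, finding) tuples; empty means clean."""
    p = _normalise(props)
    findings = []

    for dependent, (controller, required) in AVAILABLE_ONLY_IF.items():
        if dependent not in p:
            continue
        if controller not in p:
            # The page gives no defaults, so an unset controller is reported.
            findings.append(
                (dependent, f"depends on {controller}, which is not set explicitly"))
        elif p[controller] is not required:
            findings.append(
                (dependent,
                 f"only available when {controller} is {str(required).lower()}"))

    # Review finding (assumption of this example): the page says that with
    # control connections disabled, that traffic needs explicit rules.
    if p.get("accept-control-connections") is False:
        findings.append(
            ("accept-control-connections",
             "disabled: policy install, logging and OPSEC traffic must be "
             "allowed explicitly in the Rule Base"))

    # Review finding (assumption of this example): implied accept rules that
    # match traffic without producing log records are invisible to monitoring.
    enabled = [k for k, v in p.items() if k.startswith("accept-") and v is True]
    if enabled and p.get("log-implied-rules") is not True:
        findings.append(
            ("log-implied-rules",
             f"{len(enabled)} implied accept rule(s) enabled without log records"))

    return sorted(findings)


# Constructed sample input; "first" is a sample position value.
SAMPLE = {
    "accept_control_connections": False,
    "accept_remote_access_control_connections": True,
    "accept_rip": True,
    "accept_rip_position": "first",
    "accept_icmp_requests_position": "first",
    "accept_outgoing_packets_originating_from_gw": True,
    "accept_outgoing_packets_to_cp_online_services": True,
}

if __name__ == "__main__":
    for prop, finding in lint_firewall(SAMPLE):
        print(f"{prop}: {finding}")
```
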
ManagementCommandSetGlobalPropertiesFirewallSecurityServer, ManagementCommandSetGlobalPropertiesFirewallSecurityServerArgs
- ClientAuthWelcomeFile string - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- FtpWelcomeMsgFile string - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- HttpNextProxyHost string - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- HttpNextProxyPort double - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- HttpServers List<ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer> - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- MdqWelcomeMsg string - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules: - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen. - This message must not end with a space or a tab and is limited to 63 characters.
- RloginWelcomeMsgFile string - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- ServerForNullRequests string - The Logical Name of a Null Requests Server from http-servers.
- SmtpWelcomeMsg string - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- TelnetWelcomeMsgFile string - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
- ClientAuthWelcomeFile string - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- FtpWelcomeMsgFile string - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- HttpNextProxyHost string - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- HttpNextProxyPort float64 - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- HttpServers []ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- MdqWelcomeMsg string - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules: - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen. - This message must not end with a space or a tab and is limited to 63 characters.
- RloginWelcomeMsgFile string - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- ServerForNullRequests string - The Logical Name of a Null Requests Server from http-servers.
- SmtpWelcomeMsg string - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- TelnetWelcomeMsgFile string - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
- clientAuthWelcomeFile String - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- ftpWelcomeMsgFile String - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- httpNextProxyHost String - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpNextProxyPort Double - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpServers List<ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer> - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- mdqWelcomeMsg String - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules: - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen. - This message must not end with a space or a tab and is limited to 63 characters.
- rloginWelcomeMsgFile String - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- serverForNullRequests String - The Logical Name of a Null Requests Server from http-servers.
- smtpWelcomeMsg String - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- telnetWelcomeMsgFile String - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
- clientAuthWelcomeFile string - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- ftpWelcomeMsgFile string - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- httpNextProxyHost string - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpNextProxyPort number - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpServers ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer[] - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- mdqWelcomeMsg string - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules: - This message must begin with a number or letter. After the first letter or number character the remaining characters can be a letter, number, space, tab or hyphen. - This message must not end with a space or a tab and is limited to 63 characters.
- rloginWelcomeMsgFile string - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- serverForNullRequests string - The Logical Name of a Null Requests Server from http-servers.
- smtpWelcomeMsg string - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- telnetWelcomeMsgFile string - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
- client_auth_welcome_file str - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- ftp_welcome_msg_file str - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- http_next_proxy_host str - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- http_next_proxy_port float - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- http_servers Sequence[ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer] - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- mdq_welcome_msg str - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules. The message must begin with a number or letter. After the first letter or number character, the remaining characters can be a letter, number, space, tab or hyphen. The message must not end with a space or a tab and is limited to 63 characters.
- rlogin_welcome_msg_file str - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- server_for_null_requests str - The Logical Name of a Null Requests Server from http-servers.
- smtp_welcome_msg str - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- telnet_welcome_msg_file str - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
- clientAuthWelcomeFile String - Client authentication welcome file is the name of a file whose contents are to be displayed when a user begins a Client Authenticated session (optional) using the Manual Sign On Method. Client Authenticated Sessions initiated by Manual Sign On are not mediated by a security server.
- ftpWelcomeMsgFile String - FTP welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated FTP session.
- httpNextProxyHost String - HTTP next proxy host is the host name of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpNextProxyPort Number - HTTP next proxy port is the port of the HTTP proxy behind the Check Point Security Gateway HTTP security server (if there is one). Changing the HTTP Next Proxy fields takes effect after the Security Gateway database is downloaded to the authenticating gateway, or after the security policy is re-installed. These settings apply only to firewalled gateways prior to NG. For later versions, these settings should be defined in the Node Properties window.
- httpServers List<Property Map> - This list specifies the HTTP servers. Defining HTTP servers allows you to restrict incoming HTTP.
- mdqWelcomeMsg String - MDQ Welcome Message is the message to be displayed when a user begins an MDQ session. The MDQ Welcome Message should contain characters according to RFC 1035 and it must follow the ARPANET host name rules. The message must begin with a number or letter. After the first letter or number character, the remaining characters can be a letter, number, space, tab or hyphen. The message must not end with a space or a tab and is limited to 63 characters.
- rloginWelcomeMsgFile String - Rlogin welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated RLOGIN session.
- serverForNullRequests String - The Logical Name of a Null Requests Server from http-servers.
- smtpWelcomeMsg String - SMTP Welcome Message is the message to be displayed when a user begins an SMTP session.
- telnetWelcomeMsgFile String - Telnet welcome message file is the name of a file whose contents are to be displayed when a user begins an Authenticated Telnet session.
ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServer, ManagementCommandSetGlobalPropertiesFirewallSecurityServerHttpServerArgs
- Host string - Host name of the HTTP Server.
- LogicalName string - Unique Logical Name of the HTTP Server.
- Port double - Port number of the HTTP Server.
- Reauthentication string - Specify whether users must reauthenticate when accessing a specific server.
- Host string - Host name of the HTTP Server.
- LogicalName string - Unique Logical Name of the HTTP Server.
- Port float64 - Port number of the HTTP Server.
- Reauthentication string - Specify whether users must reauthenticate when accessing a specific server.
- host String - Host name of the HTTP Server.
- logicalName String - Unique Logical Name of the HTTP Server.
- port Double - Port number of the HTTP Server.
- reauthentication String - Specify whether users must reauthenticate when accessing a specific server.
- host string - Host name of the HTTP Server.
- logicalName string - Unique Logical Name of the HTTP Server.
- port number - Port number of the HTTP Server.
- reauthentication string - Specify whether users must reauthenticate when accessing a specific server.
- host str - Host name of the HTTP Server.
- logical_name str - Unique Logical Name of the HTTP Server.
- port float - Port number of the HTTP Server.
- reauthentication str - Specify whether users must reauthenticate when accessing a specific server.
- host String - Host name of the HTTP Server.
- logicalName String - Unique Logical Name of the HTTP Server.
- port Number - Port number of the HTTP Server.
- reauthentication String - Specify whether users must reauthenticate when accessing a specific server.
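As an added example (not part of the provider documentation), a pre-deployment check in Python of the constraints stated above for the security server settings: the mdq_welcome_msg character and length rules, unique logical_name values in http_servers, and server_for_null_requests naming a defined server. It assumes the settings are held in a plain dict keyed by the Python property names, that "letter" means ASCII, and that a valid port is a whole number from 1 to 65535; the function names are hypothetical.

```python
import string

# Character classes taken from the mdq_welcome_msg description.
# Assumption: "letter" means ASCII A-Z / a-z, as in RFC 1035 host names.
ALNUM = set(string.ascii_letters + string.digits)
BODY = ALNUM | set(" \t-")
MDQ_MAX_LEN = 63


def check_mdq_welcome_msg(msg):
    """Return the rule violations for one mdq_welcome_msg value."""
    if not msg:
        return ["mdq_welcome_msg is empty"]
    problems = []
    if len(msg) > MDQ_MAX_LEN:
        problems.append(
            f"mdq_welcome_msg is {len(msg)} characters; the limit is {MDQ_MAX_LEN}")
    if msg[0] not in ALNUM:
        problems.append("mdq_welcome_msg must begin with a number or letter")
    bad = sorted({c for c in msg[1:] if c not in BODY})
    if bad:
        problems.append("mdq_welcome_msg contains disallowed characters: "
                        + " ".join(repr(c) for c in bad))
    if msg[-1] in " \t":
        problems.append("mdq_welcome_msg must not end with a space or tab")
    return problems


def _valid_port(port):
    # The schema types port as a float, so 8080.5 or 0 would pass a type check.
    # Assumption: a usable port is a whole number in 1-65535.
    if isinstance(port, bool) or not isinstance(port, (int, float)):
        return False
    return 1 <= port <= 65535 and float(port).is_integer()


def check_http_servers(security_server):
    """Check http_servers entries and the server_for_null_requests reference."""
    problems = []
    first_seen = {}  # logical_name -> index of the entry that defined it
    for i, srv in enumerate(security_server.get("http_servers", [])):
        name = srv.get("logical_name")
        if not name:
            problems.append(f"http_servers[{i}]: logical_name is missing")
        elif name in first_seen:
            problems.append(
                f"http_servers[{i}]: logical_name {name!r} already used by "
                f"http_servers[{first_seen[name]}]")
        else:
            first_seen[name] = i
        port = srv.get("port")
        if port is not None and not _valid_port(port):
            problems.append(
                f"http_servers[{i}]: port {port!r} is not a whole number in 1-65535")
    null_srv = security_server.get("server_for_null_requests")
    if null_srv is not None and null_srv not in first_seen:
        problems.append(
            f"server_for_null_requests {null_srv!r} is not a logical_name in http_servers")
    return problems


def check_security_server(security_server):
    """Run every check and return one combined list of findings."""
    problems = []
    if "mdq_welcome_msg" in security_server:
        problems += check_mdq_welcome_msg(security_server["mdq_welcome_msg"])
    return problems + check_http_servers(security_server)


# Constructed sample input with deliberate mistakes (not from the provider docs).
SAMPLE = {
    "mdq_welcome_msg": "Welcome to gw-01! ",
    "http_servers": [
        {"logical_name": "intranet", "host": "web1.example.com", "port": 80},
        {"logical_name": "intranet", "host": "web2.example.com", "port": 8080.5},
    ],
    "server_for_null_requests": "portal",
}

if __name__ == "__main__":
    for finding in check_security_server(SAMPLE):
        print("FAIL:", finding)
```

Running such a check in CI before the Pulumi update catches values that the float and string types in the schema would otherwise accept.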
ManagementCommandSetGlobalPropertiesHitCount, ManagementCommandSetGlobalPropertiesHitCountArgs
- EnableHitCount bool - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- KeepHitCountDataUpTo string - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- EnableHitCount bool - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- KeepHitCountDataUpTo string - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- enableHitCount Boolean - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- keepHitCountDataUpTo String - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- enableHitCount boolean - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- keepHitCountDataUpTo string - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- enable_hit_count bool - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- keep_hit_count_data_up_to str - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
- enableHitCount Boolean - Select to enable or clear to disable all Security Gateways to monitor the number of connections each rule matches.
- keepHitCountDataUpTo String - Select one of the time range options. Data is kept in the Security Management Server database for this period and is shown in the Hits column.
ManagementCommandSetGlobalPropertiesLogAndAlert, ManagementCommandSetGlobalPropertiesLogAndAlertArgs
- AdministrativeNotifications string - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- Alerts ManagementCommandSetGlobalPropertiesLogAndAlertAlerts - Define the behavior of alert logs and the type of alert used for System Alert logs.
- ConnectionMatchedBySam string - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- DynamicObjectResolutionFailure string - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- LogEveryAuthenticatedHttpConnection bool - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- LogTraffic string - Log Traffic specifies whether or not to log traffic.
- PacketIsIncorrectlyTagged string - Packet is incorrectly tagged.
- PacketTaggingBruteForceAttack string - Packet tagging brute force attack.
- SlaViolation string - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- TimeSettings ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings - Configure the time settings associated with system-wide logging and alerting parameters.
- VpnConfAndKeyExchangeErrors string - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- VpnPacketHandlingError string - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- VpnSuccessfulKeyExchange string - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
- AdministrativeNotifications string - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- Alerts ManagementCommandSetGlobalPropertiesLogAndAlertAlerts - Define the behavior of alert logs and the type of alert used for System Alert logs.
- ConnectionMatchedBySam string - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- DynamicObjectResolutionFailure string - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- LogEveryAuthenticatedHttpConnection bool - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- LogTraffic string - Log Traffic specifies whether or not to log traffic.
- PacketIsIncorrectlyTagged string - Packet is incorrectly tagged.
- PacketTaggingBruteForceAttack string - Packet tagging brute force attack.
- SlaViolation string - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- TimeSettings ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings - Configure the time settings associated with system-wide logging and alerting parameters.
- VpnConfAndKeyExchangeErrors string - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- VpnPacketHandlingError string - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- VpnSuccessfulKeyExchange string - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
- administrativeNotifications String - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- alerts ManagementCommandSetGlobalPropertiesLogAndAlertAlerts - Define the behavior of alert logs and the type of alert used for System Alert logs.
- connectionMatchedBySam String - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- dynamicObjectResolutionFailure String - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- logEveryAuthenticatedHttpConnection Boolean - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- logTraffic String - Log Traffic specifies whether or not to log traffic.
- packetIsIncorrectlyTagged String - Packet is incorrectly tagged.
- packetTaggingBruteForceAttack String - Packet tagging brute force attack.
- slaViolation String - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- timeSettings ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings - Configure the time settings associated with system-wide logging and alerting parameters.
- vpnConfAndKeyExchangeErrors String - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- vpnPacketHandlingError String - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- vpnSuccessfulKeyExchange String - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
- administrativeNotifications string - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- alerts ManagementCommandSetGlobalPropertiesLogAndAlertAlerts - Define the behavior of alert logs and the type of alert used for System Alert logs.
- connectionMatchedBySam string - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- dynamicObjectResolutionFailure string - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- logEveryAuthenticatedHttpConnection boolean - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- logTraffic string - Log Traffic specifies whether or not to log traffic.
- packetIsIncorrectlyTagged string - Packet is incorrectly tagged.
- packetTaggingBruteForceAttack string - Packet tagging brute force attack.
- slaViolation string - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- timeSettings ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings - Configure the time settings associated with system-wide logging and alerting parameters.
- vpnConfAndKeyExchangeErrors string - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- vpnPacketHandlingError string - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- vpnSuccessfulKeyExchange string - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
- administrative_notifications str - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- alerts ManagementCommandSetGlobalPropertiesLogAndAlertAlerts - Define the behavior of alert logs and the type of alert used for System Alert logs.
- connection_matched_by_sam str - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- dynamic_object_resolution_failure str - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- log_every_authenticated_http_connection bool - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- log_traffic str - Log Traffic specifies whether or not to log traffic.
- packet_is_incorrectly_tagged str - Packet is incorrectly tagged.
- packet_tagging_brute_force_attack str - Packet tagging brute force attack.
- sla_violation str - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- time_settings ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings - Configure the time settings associated with system-wide logging and alerting parameters.
- vpn_conf_and_key_exchange_errors str - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- vpn_packet_handling_error str - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- vpn_successful_key_exchange str - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
- administrativeNotifications String - Administrative notifications specifies the action to be taken when an administrative event (for example, when a certificate is about to expire) occurs.
- alerts Property Map - Define the behavior of alert logs and the type of alert used for System Alert logs.
- connectionMatchedBySam String - Connection matched by SAM specifies the action to be taken when a connection is blocked by SAM (Suspicious Activities Monitoring).
- dynamicObjectResolutionFailure String - Dynamic object resolution failure specifies the action to be taken when a dynamic object cannot be resolved.
- logEveryAuthenticatedHttpConnection Boolean - Log every authenticated HTTP connection specifies that a log entry should be generated for every authenticated HTTP connection.
- logTraffic String - Log Traffic specifies whether or not to log traffic.
- packetIsIncorrectlyTagged String - Packet is incorrectly tagged.
- packetTaggingBruteForceAttack String - Packet tagging brute force attack.
- slaViolation String - SLA violation specifies the action to be taken when an SLA violation occurs, as defined in the Virtual Links window.
- timeSettings Property Map - Configure the time settings associated with system-wide logging and alerting parameters.
- vpnConfAndKeyExchangeErrors String - VPN configuration & key exchange errors specifies the action to be taken when logging configuration or key exchange errors occur, for example, when attempting to establish encrypted communication with a network object inside the same encryption domain.
- vpnPacketHandlingError String - VPN packet handling errors specifies the action to be taken when encryption or decryption errors occur. A log entry contains the action performed (Drop or Reject) and a short description of the error cause, for example, scheme or method mismatch.
- vpnSuccessfulKeyExchange String - VPN successful key exchange specifies the action to be taken when VPN keys are successfully exchanged.
ManagementCommandSetGlobalPropertiesLogAndAlertAlerts, ManagementCommandSetGlobalPropertiesLogAndAlertAlertsArgs
- DefaultTrackOptionForSystemAlerts string - Set the default track option for System Alerts.
- MailAlertScript string - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- PopupAlertScript string - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- SendMailAlertToSmartviewMonitor bool - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- SendPopupAlertToSmartviewMonitor bool - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendSnmpTrapAlertToSmartviewMonitor bool - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum1ToSmartviewMonitor bool - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum2ToSmartviewMonitor bool - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum3ToSmartviewMonitor bool - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SnmpTrapAlertScript string - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default, internal_snmp_trap is used. This command is executed by the fwd process.
- UserDefinedScriptNum1 string - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- UserDefinedScriptNum2 string - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- UserDefinedScriptNum3 string - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
- DefaultTrackOptionForSystemAlerts string - Set the default track option for System Alerts.
- MailAlertScript string - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- PopupAlertScript string - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- SendMailAlertToSmartviewMonitor bool - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- SendPopupAlertToSmartviewMonitor bool - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendSnmpTrapAlertToSmartviewMonitor bool - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum1ToSmartviewMonitor bool - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum2ToSmartviewMonitor bool - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SendUserDefinedAlertNum3ToSmartviewMonitor bool - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- SnmpTrapAlertScript string - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default, internal_snmp_trap is used. This command is executed by the fwd process.
- UserDefinedScriptNum1 string - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- UserDefinedScriptNum2 string - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- UserDefinedScriptNum3 string - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
- defaultTrackOptionForSystemAlerts String - Set the default track option for System Alerts.
- mailAlertScript String - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- popupAlertScript String - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- sendMailAlertToSmartviewMonitor Boolean - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- sendPopupAlertToSmartviewMonitor Boolean - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendSnmpTrapAlertToSmartviewMonitor Boolean - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum1ToSmartviewMonitor Boolean - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum2ToSmartviewMonitor Boolean - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum3ToSmartviewMonitor Boolean - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- snmpTrapAlertScript String - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default, internal_snmp_trap is used. This command is executed by the fwd process.
- userDefinedScriptNum1 String - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- userDefinedScriptNum2 String - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- userDefinedScriptNum3 String - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
- defaultTrackOptionForSystemAlerts string - Set the default track option for System Alerts.
- mailAlertScript string - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- popupAlertScript string - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- sendMailAlertToSmartviewMonitor boolean - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- sendPopupAlertToSmartviewMonitor boolean - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendSnmpTrapAlertToSmartviewMonitor boolean - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum1ToSmartviewMonitor boolean - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum2ToSmartviewMonitor boolean - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum3ToSmartviewMonitor boolean - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- snmpTrapAlertScript string - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default, internal_snmp_trap is used. This command is executed by the fwd process.
- userDefinedScriptNum1 string - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- userDefinedScriptNum2 string - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- userDefinedScriptNum3 string - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
- default_track_option_for_system_alerts str - Set the default track option for System Alerts.
- mail_alert_script str - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- popup_alert_script str - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- send_mail_alert_to_smartview_monitor bool - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- send_popup_alert_to_smartview_monitor bool - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- send_snmp_trap_alert_to_smartview_monitor bool - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- send_user_defined_alert_num1_to_smartview_monitor bool - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- send_user_defined_alert_num2_to_smartview_monitor bool - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- send_user_defined_alert_num3_to_smartview_monitor bool - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- snmp_trap_alert_script str - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default the internal_snmp_trap is used. This command is executed by the fwd process.
- user_defined_script_num1 str - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- user_defined_script_num2 str - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- user_defined_script_num3 str - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
- defaultTrackOptionForSystemAlerts String - Set the default track option for System Alerts.
- mailAlertScript String - Run mail alert script: the operating system script to be executed when Mail is specified as the Track in a rule. The default is internal_sendmail, which is not a script but an internal Security Gateway command.
- popupAlertScript String - Run popup alert script: the operating system script to be executed when an alert is issued. For example, set another form of notification, such as an email or a user-defined command.
- sendMailAlertToSmartviewMonitor Boolean - Send mail alert to SmartView Monitor: when a mail alert is issued, it is also sent to SmartView Monitor.
- sendPopupAlertToSmartviewMonitor Boolean - Send popup alert to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendSnmpTrapAlertToSmartviewMonitor Boolean - Send SNMP trap alert to SmartView Monitor: when an SNMP trap alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum1ToSmartviewMonitor Boolean - Send user defined alert no. 1 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum2ToSmartviewMonitor Boolean - Send user defined alert no. 2 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- sendUserDefinedAlertNum3ToSmartviewMonitor Boolean - Send user defined alert no. 3 to SmartView Monitor: when an alert is issued, it is also sent to SmartView Monitor.
- snmpTrapAlertScript String - Run SNMP trap alert script: the command to be executed when SNMP Trap is specified as the Track in a rule. By default the internal_snmp_trap is used. This command is executed by the fwd process.
- userDefinedScriptNum1 String - Run user defined script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 1 is selected as a Track Option.
- userDefinedScriptNum2 String - Run user defined 2 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 2 is selected as a Track Option.
- userDefinedScriptNum3 String - Run user defined 3 script: the operating system script to be run when User-Defined is specified as the Track in a rule, or when User Defined Alert no. 3 is selected as a Track Option.
ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettings, ManagementCommandSetGlobalPropertiesLogAndAlertTimeSettingsArgs
- ExcessiveLogGracePeriod double - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- LogsResolvingTimeout double - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- StatusFetchingInterval double - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- VirtualLinkStatisticsLoggingInterval double - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
- ExcessiveLogGracePeriod float64 - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- LogsResolvingTimeout float64 - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- StatusFetchingInterval float64 - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- VirtualLinkStatisticsLoggingInterval float64 - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
- excessiveLogGracePeriod Double - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- logsResolvingTimeout Double - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- statusFetchingInterval Double - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- virtualLinkStatisticsLoggingInterval Double - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
- excessiveLogGracePeriod number - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- logsResolvingTimeout number - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- statusFetchingInterval number - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- virtualLinkStatisticsLoggingInterval number - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
- excessive_log_grace_period float - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- logs_resolving_timeout float - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- status_fetching_interval float - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- virtual_link_statistics_logging_interval float - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
- excessiveLogGracePeriod Number - Specifies the minimum amount of time (in seconds) between consecutive logs of similar packets. Two packets are considered similar if they have the same source address, source port, destination address, and destination port; and the same protocol was used. After the first packet, similar packets encountered in the grace period will be acted upon according to the security policy, but only the first packet generates a log entry or an alert. Any value from 0 to 90 seconds can be entered in this field. Note: This option only applies for DROP rules with logging.
- logsResolvingTimeout Number - Specifies the amount of time (in seconds), after which the log page is displayed without resolving names and while showing only IP addresses. Any value from 0 to 90 seconds can be entered in this field.
- statusFetchingInterval Number - Specifies the frequency at which the Security Management server queries the Check Point Security gateway, Check Point QoS and other gateways it manages for status information. Any value from 30 to 900 seconds can be entered in this field.
- virtualLinkStatisticsLoggingInterval Number - Specifies the frequency (in seconds) with which Virtual Link statistics will be logged. This parameter is relevant only for Virtual Links defined with SmartView Monitor statistics enabled in the SLA Parameters tab of the Virtual Link window. Any value from 60 to 3600 seconds can be entered in this field.
ManagementCommandSetGlobalPropertiesNat, ManagementCommandSetGlobalPropertiesNatArgs
- AddrAllocAndReleaseTrack string - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- AddrExhaustionTrack string - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- AllowBiDirectionalNat bool - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- AutoArpConf bool - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- AutoTranslateDestOnClientSide bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- EnableIpPoolNat bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- ManuallyTranslateDestOnClientSide bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- MergeManualProxyArpConf bool - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
- AddrAllocAndReleaseTrack string - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- AddrExhaustionTrack string - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- AllowBiDirectionalNat bool - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- AutoArpConf bool - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- AutoTranslateDestOnClientSide bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- EnableIpPoolNat bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- ManuallyTranslateDestOnClientSide bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- MergeManualProxyArpConf bool - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
- addrAllocAndReleaseTrack String - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- addrExhaustionTrack String - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- allowBiDirectionalNat Boolean - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- autoArpConf Boolean - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- autoTranslateDestOnClientSide Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- enableIpPoolNat Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- manuallyTranslateDestOnClientSide Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- mergeManualProxyArpConf Boolean - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
- addrAllocAndReleaseTrack string - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- addrExhaustionTrack string - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- allowBiDirectionalNat boolean - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- autoArpConf boolean - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- autoTranslateDestOnClientSide boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- enableIpPoolNat boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- manuallyTranslateDestOnClientSide boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- mergeManualProxyArpConf boolean - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
- addr_alloc_and_release_track str - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- addr_exhaustion_track str - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- allow_bi_directional_nat bool - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- auto_arp_conf bool - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- auto_translate_dest_on_client_side bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- enable_ip_pool_nat bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- manually_translate_dest_on_client_side bool - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- merge_manual_proxy_arp_conf bool - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
- addrAllocAndReleaseTrack String - Specifies whether to log each allocation and release of an IP address from the IP Pool. Available only if enable-ip-pool-nat is true.
- addrExhaustionTrack String - Specifies the action to take if the IP Pool is exhausted. Available only if enable-ip-pool-nat is true.
- allowBiDirectionalNat Boolean - Applies to automatic NAT rules in the NAT Rule Base, and allows two automatic NAT rules to match a connection. Without Bidirectional NAT, only one automatic NAT rule can match a connection.
- autoArpConf Boolean - Ensures that ARP requests for a translated (NATed) machine, network or address range are answered by the Check Point Security Gateway.
- autoTranslateDestOnClientSide Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- enableIpPoolNat Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- manuallyTranslateDestOnClientSide Boolean - Applies to packets originating at the client, with the server as its destination. Static NAT for the server is performed on the client side.
- mergeManualProxyArpConf Boolean - Merges the automatic and manual ARP configurations. Manual proxy ARP configuration is required for manual Static NAT rules. Available only if auto-arp-conf is true.
ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRange, ManagementCommandSetGlobalPropertiesNonUniqueIpAddressRangeArgs
- AddressType string - The type of the IP Address.
- FirstIpv4Address string - The first IPV4 Address in the range.
- FirstIpv6Address string - The first IPV6 Address in the range.
- LastIpv4Address string - The last IPV4 Address in the range.
- LastIpv6Address string - The last IPV6 Address in the range.
- AddressType string - The type of the IP Address.
- FirstIpv4Address string - The first IPV4 Address in the range.
- FirstIpv6Address string - The first IPV6 Address in the range.
- LastIpv4Address string - The last IPV4 Address in the range.
- LastIpv6Address string - The last IPV6 Address in the range.
- addressType String - The type of the IP Address.
- firstIpv4Address String - The first IPV4 Address in the range.
- firstIpv6Address String - The first IPV6 Address in the range.
- lastIpv4Address String - The last IPV4 Address in the range.
- lastIpv6Address String - The last IPV6 Address in the range.
- addressType string - The type of the IP Address.
- firstIpv4Address string - The first IPV4 Address in the range.
- firstIpv6Address string - The first IPV6 Address in the range.
- lastIpv4Address string - The last IPV4 Address in the range.
- lastIpv6Address string - The last IPV6 Address in the range.
- address_type str - The type of the IP Address.
- first_ipv4_address str - The first IPV4 Address in the range.
- first_ipv6_address str - The first IPV6 Address in the range.
- last_ipv4_address str - The last IPV4 Address in the range.
- last_ipv6_address str - The last IPV6 Address in the range.
- addressType String - The type of the IP Address.
- firstIpv4Address String - The first IPV4 Address in the range.
- firstIpv6Address String - The first IPV6 Address in the range.
- lastIpv4Address String - The last IPV4 Address in the range.
- lastIpv6Address String - The last IPV6 Address in the range.
ManagementCommandSetGlobalPropertiesProxy, ManagementCommandSetGlobalPropertiesProxyArgs
- ProxyAddress string - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- ProxyPort double - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- UseProxyServer bool - If set to true, a proxy server is used when features need to access the internet.
- ProxyAddress string - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- ProxyPort float64 - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- UseProxyServer bool - If set to true, a proxy server is used when features need to access the internet.
- proxyAddress String - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- proxyPort Double - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- useProxyServer Boolean - If set to true, a proxy server is used when features need to access the internet.
- proxyAddress string - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- proxyPort number - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- useProxyServer boolean - If set to true, a proxy server is used when features need to access the internet.
- proxy_address str - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- proxy_port float - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- use_proxy_server bool - If set to true, a proxy server is used when features need to access the internet.
- proxyAddress String - Specify the URL or IP address of the proxy server. Available only if use-proxy-server is set to true.
- proxyPort Number - Specify the Port on which the server will be accessed. Available only if use-proxy-server is set to true.
- useProxyServer Boolean - If set to true, a proxy server is used when features need to access the internet.
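The time-settings ranges, the "Available only if ..." conditions on the NAT and proxy fields, and the alert-script fields documented above can be checked before a deployment. The following is an added example, not code from the provider or from this page: it works on plain dicts keyed by the Python-style field names, and the function names, the sample values and the 1 to 65535 port range are assumptions made for illustration.

```python
# Added example: pre-deployment lint for ManagementCommandSetGlobalProperties
# arguments. Plain dicts stand in for the provider's Args classes (assumption).

# Ranges in seconds, as documented for the time-settings fields.
TIME_RANGES = {
    "excessive_log_grace_period": (0, 90),
    "logs_resolving_timeout": (0, 90),
    "status_fetching_interval": (30, 900),
    "virtual_link_statistics_logging_interval": (60, 3600),
}

# field -> boolean field that must be true for it to be available.
NAT_REQUIRES = {
    "addr_alloc_and_release_track": "enable_ip_pool_nat",
    "addr_exhaustion_track": "enable_ip_pool_nat",
    "merge_manual_proxy_arp_conf": "auto_arp_conf",
}
PROXY_REQUIRES = {
    "proxy_address": "use_proxy_server",
    "proxy_port": "use_proxy_server",
}

# Script fields and the built-in default the page names (None where it names none).
SCRIPT_DEFAULTS = {
    "mail_alert_script": "internal_sendmail",
    "snmp_trap_alert_script": "internal_snmp_trap",
    "popup_alert_script": None,
    "user_defined_script_num1": None,
    "user_defined_script_num2": None,
    "user_defined_script_num3": None,
}


def _is_number(value):
    # bool is a subclass of int in Python; reject it explicitly.
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def check_ranges(time_settings):
    """Report time-settings values outside their documented range."""
    findings = []
    for field, (lo, hi) in TIME_RANGES.items():
        value = time_settings.get(field)
        if value is None:
            continue
        if not _is_number(value) or not lo <= value <= hi:
            findings.append(f"{field}={value!r}: must be a number from {lo} to {hi} seconds")
    return findings


def check_dependencies(args, requires):
    """Report fields that are set while their enabling flag is not true."""
    findings = []
    for field, gate in requires.items():
        if args.get(field) is not None and args.get(gate) is not True:
            findings.append(f"{field} is set but {gate} is not true")
    return findings


def check_proxy(proxy):
    findings = check_dependencies(proxy, PROXY_REQUIRES)
    port = proxy.get("proxy_port")
    # 1-65535 is the TCP port range; the page itself states no range.
    if port is not None:
        if not (_is_number(port) and float(port).is_integer() and 1 <= port <= 65535):
            findings.append(f"proxy_port={port!r}: must be a whole number from 1 to 65535")
    return findings


def check_scripts(log_and_alert):
    """Flag alert scripts that differ from the documented built-in defaults.

    These values name operating system scripts or commands that run when an
    alert fires, so any custom value deserves a review before it is applied.
    """
    findings = []
    for field, default in SCRIPT_DEFAULTS.items():
        value = log_and_alert.get(field)
        if value and value != default:
            findings.append(f"{field}={value!r}: custom script or command, review before apply")
    return findings


def lint(time_settings=None, nat=None, proxy=None, log_and_alert=None):
    return (check_ranges(time_settings or {})
            + check_dependencies(nat or {}, NAT_REQUIRES)
            + check_proxy(proxy or {})
            + check_scripts(log_and_alert or {}))


# Constructed sample input; every value here is illustrative.
SAMPLE = {
    "time_settings": {"excessive_log_grace_period": 120, "status_fetching_interval": 60},
    "nat": {"enable_ip_pool_nat": False, "addr_exhaustion_track": "placeholder-track-value",
            "auto_arp_conf": True, "merge_manual_proxy_arp_conf": True},
    "proxy": {"use_proxy_server": True, "proxy_address": "proxy.example.internal",
              "proxy_port": 8080},
    "log_and_alert": {"mail_alert_script": "internal_sendmail",
                      "user_defined_script_num1": "/opt/scripts/notify.sh"},
}

if __name__ == "__main__":
    for finding in lint(**SAMPLE):
        print(finding)
```
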
ManagementCommandSetGlobalPropertiesQos, ManagementCommandSetGlobalPropertiesQosArgs
- AuthenticatedIpExpiration double - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- DefaultWeightOfRule double - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- MaxWeightOfRule double - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- NonAuthenticatedIpExpiration double - Define the Authentication time-out for QoS. This timeout is set in minutes.
- UnansweredQueriedIpExpiration double - Define the Authentication time-out for QoS. This timeout is set in minutes.
- UnitOfMeasure string - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
- AuthenticatedIpExpiration float64 - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- DefaultWeightOfRule float64 - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- MaxWeightOfRule float64 - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- NonAuthenticatedIpExpiration float64 - Define the Authentication time-out for QoS. This timeout is set in minutes.
- UnansweredQueriedIpExpiration float64 - Define the Authentication time-out for QoS. This timeout is set in minutes.
- UnitOfMeasure string - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
- authenticatedIpExpiration Double - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- defaultWeightOfRule Double - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- maxWeightOfRule Double - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- nonAuthenticatedIpExpiration Double - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unansweredQueriedIpExpiration Double - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unitOfMeasure String - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
- authenticatedIpExpiration number - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- defaultWeightOfRule number - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- maxWeightOfRule number - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- nonAuthenticatedIpExpiration number - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unansweredQueriedIpExpiration number - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unitOfMeasure string - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
- authenticated_ip_expiration float - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- default_weight_of_rule float - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- max_weight_of_rule float - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- non_authenticated_ip_expiration float - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unanswered_queried_ip_expiration float - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unit_of_measure str - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
- authenticatedIpExpiration Number - Define the Authentication time-out for QoS. This timeout is set in minutes. In an Authenticated IP all connections which are open in a specified time limit will be guaranteed bandwidth, but will not be guaranteed bandwidth after the time limit.
- defaultWeightOfRule Number - Define a Weight at which bandwidth will be guaranteed. Set a default weight for a rule. Note: Value will be applied to new rules only.
- maxWeightOfRule Number - Define a Weight at which bandwidth will be guaranteed. Set a maximum weight for a rule.
- nonAuthenticatedIpExpiration Number - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unansweredQueriedIpExpiration Number - Define the Authentication time-out for QoS. This timeout is set in minutes.
- unitOfMeasure String - Define the Rate at which packets are transmitted, for which bandwidth will be guaranteed. Set a Unit of measure.
ManagementCommandSetGlobalPropertiesRemoteAccess, ManagementCommandSetGlobalPropertiesRemoteAccessArgs
- EnableBackConnections bool - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- EncryptDnsTraffic bool - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- EndpointConnect ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- HotSpotAndHotelRegistration ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- KeepAlivePacketToGwInterval double - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- Scv ManagementCommandSetGlobalPropertiesRemoteAccessScv - Define properties of the Secure Configuration Verification process.
- SecureClientMobile ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile - Define properties for SecureClient Mobile.
- SimultaneousLoginMode string - Select the simultaneous login mode.
- SslNetworkExtender ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender - Define properties for SSL Network Extender users.
- VpnAdvanced ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced - Configure encryption methods and interface resolution for remote access clients.
- VpnAuthenticationAndEncryptions List<ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption> - Configure supported Encryption and Authentication methods for Remote Access clients.
- EnableBackConnections bool - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- EncryptDnsTraffic bool - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- EndpointConnect ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- HotSpotAndHotelRegistration ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- KeepAlivePacketToGwInterval float64 - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- Scv ManagementCommandSetGlobalPropertiesRemoteAccessScv - Define properties of the Secure Configuration Verification process.
- SecureClientMobile ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile - Define properties for SecureClient Mobile.
- SimultaneousLoginMode string - Select the simultaneous login mode.
- SslNetworkExtender ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender - Define properties for SSL Network Extender users.
- VpnAdvanced ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced - Configure encryption methods and interface resolution for remote access clients.
- VpnAuthenticationAndEncryptions []ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption - Configure supported Encryption and Authentication methods for Remote Access clients.
- enableBackConnections Boolean - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- encryptDnsTraffic Boolean - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- endpointConnect ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- hotSpotAndHotelRegistration ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- keepAlivePacketToGwInterval Double - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- scv ManagementCommandSetGlobalPropertiesRemoteAccessScv - Define properties of the Secure Configuration Verification process.
- secureClientMobile ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile - Define properties for SecureClient Mobile.
- simultaneousLoginMode String - Select the simultaneous login mode.
- sslNetworkExtender ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender - Define properties for SSL Network Extender users.
- vpnAdvanced ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced - Configure encryption methods and interface resolution for remote access clients.
- vpnAuthenticationAndEncryptions List<ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption> - Configure supported Encryption and Authentication methods for Remote Access clients.
- enableBackConnections boolean - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- encryptDnsTraffic boolean - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- endpointConnect ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- hotSpotAndHotelRegistration ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- keepAlivePacketToGwInterval number - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- scv ManagementCommandSetGlobalPropertiesRemoteAccessScv - Define properties of the Secure Configuration Verification process.
- secureClientMobile ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile - Define properties for SecureClient Mobile.
- simultaneousLoginMode string - Select the simultaneous login mode.
- sslNetworkExtender ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender - Define properties for SSL Network Extender users.
- vpnAdvanced ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced - Configure encryption methods and interface resolution for remote access clients.
- vpnAuthenticationAndEncryptions ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption[] - Configure supported Encryption and Authentication methods for Remote Access clients.
- enable_back_connections bool - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- encrypt_dns_traffic bool - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- endpoint_connect ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- hot_spot_and_hotel_registration ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- keep_alive_packet_to_gw_interval float - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- scv ManagementCommandSetGlobalPropertiesRemoteAccessScv - Define properties of the Secure Configuration Verification process.
- secure_client_mobile ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile - Define properties for SecureClient Mobile.
- simultaneous_login_mode str - Select the simultaneous login mode.
- ssl_network_extender ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender - Define properties for SSL Network Extender users.
- vpn_advanced ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced - Configure encryption methods and interface resolution for remote access clients.
- vpn_authentication_and_encryptions Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption] - Configure supported Encryption and Authentication methods for Remote Access clients.
- enableBackConnections Boolean - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine whether the back connection is enabled.
- encryptDnsTraffic Boolean - You can decide whether DNS queries sent by the remote client to a DNS server located on the corporate LAN are passed through the VPN tunnel or not. Disable this option if the client has to make DNS queries to the DNS server on the corporate LAN while connecting to the organization but without using the SecuRemote client.
- endpointConnect Property Map - Configure global settings for Endpoint Connect. These settings apply to all gateways.
- hotSpotAndHotelRegistration Property Map - Configure the settings for Wireless Hot Spot and Hotel Internet access registration.
- keepAlivePacketToGwInterval Number - Usually communication with remote clients must be initialized by the clients. However, once a client has opened a connection, the hosts behind VPN can open a return or back connection to the client. For a back connection, the client's details must be maintained on all the devices between the client and the gateway, and on the gateway itself. Determine frequency (in seconds) of the Keep Alive packets sent by the client in order to maintain the connection with the gateway. Available only if enable-back-connections is true.
- scv Property Map - Define properties of the Secure Configuration Verification process.
- secureClientMobile Property Map - Define properties for SecureClient Mobile.
- simultaneousLoginMode String - Select the simultaneous login mode.
- sslNetworkExtender Property Map - Define properties for SSL Network Extender users.
- vpnAdvanced Property Map - Configure encryption methods and interface resolution for remote access clients.
- vpnAuthenticationAndEncryptions List<Property Map> - Configure supported Encryption and Authentication methods for Remote Access clients.
ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnect, ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectArgs
- CachePasswordTimeout double - Cached password timeout (in minutes).
- ClientUpgradeMode string - Select an option to determine how the client is upgraded.
- ConnectMode string - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- DisconnectWhenConnToNetworkIsLost string - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- DisconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- EnablePasswordCaching string - If the password entered to authenticate is saved locally on the user's machine.
- NetworkLocationAwareness string - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- NetworkLocationAwarenessConf ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf - Configure how the client determines its location in relation to the internal network.
- ReAuthUserInterval double - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- RouteAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- CachePasswordTimeout float64 - Cached password timeout (in minutes).
- ClientUpgradeMode string - Select an option to determine how the client is upgraded.
- ConnectMode string - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- DisconnectWhenConnToNetworkIsLost string - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- DisconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- EnablePasswordCaching string - If the password entered to authenticate is saved locally on the user's machine.
- NetworkLocationAwareness string - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- NetworkLocationAwarenessConf ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf - Configure how the client determines its location in relation to the internal network.
- ReAuthUserInterval float64 - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- RouteAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- cachePasswordTimeout Double - Cached password timeout (in minutes).
- clientUpgradeMode String - Select an option to determine how the client is upgraded.
- connectMode String - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- disconnectWhenConnToNetworkIsLost String - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- disconnectWhenDeviceIsIdle String - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching String - If the password entered to authenticate is saved locally on the user's machine.
- networkLocationAwareness String - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- networkLocationAwarenessConf ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf - Configure how the client determines its location in relation to the internal network.
- reAuthUserInterval Double - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw String - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- cachePasswordTimeout number - Cached password timeout (in minutes).
- clientUpgradeMode string - Select an option to determine how the client is upgraded.
- connectMode string - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- disconnectWhenConnToNetworkIsLost string - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- disconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching string - If the password entered to authenticate is saved locally on the user's machine.
- networkLocationAwareness string - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- networkLocationAwarenessConf ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf - Configure how the client determines its location in relation to the internal network.
- reAuthUserInterval number - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- cache_password_timeout float - Cached password timeout (in minutes).
- client_upgrade_mode str - Select an option to determine how the client is upgraded.
- connect_mode str - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- disconnect_when_conn_to_network_is_lost str - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- disconnect_when_device_is_idle str - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enable_password_caching str - If the password entered to authenticate is saved locally on the user's machine.
- network_location_awareness str - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- network_location_awareness_conf ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf - Configure how the client determines its location in relation to the internal network.
- re_auth_user_interval float - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- route_all_traffic_to_gw str - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- cachePasswordTimeout Number - Cached password timeout (in minutes).
- clientUpgradeMode String - Select an option to determine how the client is upgraded.
- connectMode String - Methods by which a connection to the gateway will be initiated: Manual - VPN connections will not be initiated automatically. Always connected - Endpoint Connect will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle.). Configured on endpoint client - the method used for initiating a connection to a gateway is determined by the endpoint client.
- disconnectWhenConnToNetworkIsLost String - Enabling this feature disconnects users from the gateway when connectivity to the network is lost.
- disconnectWhenDeviceIsIdle String - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching String - If the password entered to authenticate is saved locally on the user's machine.
- networkLocationAwareness String - Wide Impact: Also applies for Check Point GO clients! Endpoint Connect intelligently detects whether it is inside or outside of the VPN domain (Enterprise LAN), and automatically connects or disconnects as required. Select true and edit network-location-awareness-conf to configure this capability.
- networkLocationAwarenessConf Property Map - Configure how the client determines its location in relation to the internal network.
- reAuthUserInterval Number - The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw String - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
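The "Available only if" dependencies that this page documents for the remote access, Endpoint Connect and network location awareness settings can be checked before a change is deployed. The following is an added example, not code from the provider: `lint_remote_access`, the snake_case dictionary keys and both sample configurations are assumptions made for illustration.

```python
"""Lint a remote-access settings dict against the field dependencies this page documents.

Keys are assumed to be the Python-style snake_case forms of the documented
properties. Both sample configurations below are constructed for illustration.
"""

# Option text quoted in the property description (compared case-insensitively).
GROUP_MODE = "connects from network or group"
INSIDE_KEY = "vpn_clients_are_considered_inside_the_internal_network_when_the_client"
NLA_PATH = "endpoint_connect.network_location_awareness_conf"


def _is_true(value):
    """True for boolean True or for the string "true" used by string-typed fields."""
    return value is True or (isinstance(value, str) and value.strip().lower() == "true")


def lint_remote_access(remote_access):
    """Return a list of (path, message) findings; an empty list means no conflicts."""
    findings = []
    ra = remote_access or {}

    # keep-alive interval: "Available only if enable-back-connections is true."
    if "keep_alive_packet_to_gw_interval" in ra and not _is_true(ra.get("enable_back_connections")):
        findings.append(("keep_alive_packet_to_gw_interval",
                         "set, but enable_back_connections is not true"))

    ec = ra.get("endpoint_connect") or {}
    nla = ec.get("network_location_awareness_conf")

    # "Select true and edit network-location-awareness-conf to configure this capability."
    if nla is not None and not _is_true(ec.get("network_location_awareness")):
        findings.append((NLA_PATH, 'configured, but network_location_awareness is not "true"'))
    nla = nla or {}

    consider_dns = _is_true(nla.get("consider_undefined_dns_suffixes_as_external"))
    suffixes = nla.get("dns_suffixes") or []
    if suffixes and not consider_dns:
        findings.append((NLA_PATH + ".dns_suffixes",
                         "set, but consider_undefined_dns_suffixes_as_external is not true"))
    if consider_dns and not suffixes:
        # The page states the flag is automatically set to false when the list is empty.
        findings.append((NLA_PATH + ".consider_undefined_dns_suffixes_as_external",
                         "true with an empty dns_suffixes list; it will be reset to false"))

    if nla.get("excluded_internal_wireless_networks") and not _is_true(
            nla.get("consider_wireless_networks_as_external")):
        findings.append((NLA_PATH + ".excluded_internal_wireless_networks",
                         "set, but consider_wireless_networks_as_external is not true"))

    mode = str(nla.get(INSIDE_KEY) or "").strip().lower()
    group = nla.get("network_or_group_of_conn_vpn_client")
    if group and mode != GROUP_MODE:
        findings.append((NLA_PATH + ".network_or_group_of_conn_vpn_client",
                         'set, but the inside-network mode is not "Connects from network or group"'))
    if mode == GROUP_MODE and not group:
        findings.append((NLA_PATH + "." + INSIDE_KEY,
                         "mode needs network_or_group_of_conn_vpn_client to be set"))
    return findings


# Constructed sample: every documented dependency is violated once.
SAMPLE_CONFLICTING = {
    "enable_back_connections": False,
    "keep_alive_packet_to_gw_interval": 20,
    "endpoint_connect": {
        "network_location_awareness": "false",
        "network_location_awareness_conf": {
            "consider_undefined_dns_suffixes_as_external": True,
            "dns_suffixes": [],
            "consider_wireless_networks_as_external": False,
            "excluded_internal_wireless_networks": ["corp-wifi"],
            INSIDE_KEY: "Connects to GW through internal interface",
            "network_or_group_of_conn_vpn_client": "corp-net",
        },
    },
}

# Constructed sample: the same fields with their prerequisites satisfied.
SAMPLE_CONSISTENT = {
    "enable_back_connections": True,
    "keep_alive_packet_to_gw_interval": 20,
    "endpoint_connect": {
        "network_location_awareness": "true",
        "network_location_awareness_conf": {
            "consider_undefined_dns_suffixes_as_external": True,
            "dns_suffixes": ["corp.example"],
            "consider_wireless_networks_as_external": True,
            "excluded_internal_wireless_networks": ["corp-wifi"],
            INSIDE_KEY: "Connects from network or group",
            "network_or_group_of_conn_vpn_client": "corp-net",
        },
    },
}

if __name__ == "__main__":
    for path, message in lint_remote_access(SAMPLE_CONFLICTING):
        print(f"{path}: {message}")
```
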
ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConf, ManagementCommandSetGlobalPropertiesRemoteAccessEndpointConnectNetworkLocationAwarenessConfArgs
- ConsiderUndefinedDnsSuffixesAsExternal bool - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- ConsiderWirelessNetworksAsExternal bool - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- DnsSuffixes List<string> - DNS suffixes not defined here will be considered as external. If this list is empty consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- ExcludedInternalWirelessNetworks List<string> - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- NetworkOrGroupOfConnVpnClient string - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- RememberPreviouslyDetectedExternalNetworks bool - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- VpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient string - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
- ConsiderUndefinedDnsSuffixesAsExternal bool - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- ConsiderWirelessNetworksAsExternal bool - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- DnsSuffixes []string - DNS suffixes not defined here will be considered as external. If this list is empty consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- ExcludedInternalWirelessNetworks []string - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- NetworkOrGroupOfConnVpnClient string - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- RememberPreviouslyDetectedExternalNetworks bool - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- VpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient string - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
- considerUndefinedDnsSuffixesAsExternal Boolean - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- considerWirelessNetworksAsExternal Boolean - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- dnsSuffixes List<String> - DNS suffixes not defined here will be considered as external. If this list is empty, consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- excludedInternalWirelessNetworks List<String> - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- networkOrGroupOfConnVpnClient String - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- rememberPreviouslyDetectedExternalNetworks Boolean - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient String - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
- considerUndefinedDnsSuffixesAsExternal boolean - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- considerWirelessNetworksAsExternal boolean - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- dnsSuffixes string[] - DNS suffixes not defined here will be considered as external. If this list is empty, consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- excludedInternalWirelessNetworks string[] - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- networkOrGroupOfConnVpnClient string - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- rememberPreviouslyDetectedExternalNetworks boolean - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient string - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
- consider_undefined_dns_suffixes_as_external bool - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- consider_wireless_networks_as_external bool - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- dns_suffixes Sequence[str] - DNS suffixes not defined here will be considered as external. If this list is empty, consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- excluded_internal_wireless_networks Sequence[str] - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- network_or_group_of_conn_vpn_client str - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- remember_previously_detected_external_networks bool - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- vpn_clients_are_considered_inside_the_internal_network_when_the_client str - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
- considerUndefinedDnsSuffixesAsExternal Boolean - The speed at which locations are classified as internal or external can be increased by creating a list of DNS suffixes that are known to be external. Enable this to be able to define DNS suffixes which won't be considered external.
- considerWirelessNetworksAsExternal Boolean - The speed at which locations are classified as internal or external can be increased by creating a list of wireless networks that are known to be external. A wireless network is identified by its Service Set Identifier (SSID), a name used to identify a particular 802.11 wireless LAN.
- dnsSuffixes List<String> - DNS suffixes not defined here will be considered as external. If this list is empty, consider-undefined-dns-suffixes-as-external will automatically be set to false. Available only if consider-undefined-dns-suffixes-as-external is set to true.
- excludedInternalWirelessNetworks List<String> - Excludes the specified internal network names (SSIDs). Available only if consider-wireless-networks-as-external is set to true.
- networkOrGroupOfConnVpnClient String - Name or UID of Network or Group the VPN client is connected from. Available only if vpn-clients-are-considered-inside-the-internal-network-when-the-client is set to "Connects from network or group".
- rememberPreviouslyDetectedExternalNetworks Boolean - The speed at which locations are classified as internal or external can be increased by caching (on the client side) names of networks that were previously determined to be external.
- vpnClientsAreConsideredInsideTheInternalNetworkWhenTheClient String - When a VPN client is within the internal network, the internal resources are available and the VPN tunnel should be disconnected. Determine when VPN clients are considered inside the internal network: Connects to GW through internal interface - The client connects to the gateway through one of its internal interfaces (recommended). Connects from network or group - The client connects from a network or group specified in network-or-group-of-conn-vpn-client. Runs on computer with access to Active Directory domain - The client runs on a computer that can access its Active Directory domain. Note: The VPN tunnel will resume automatically when the VPN client is no longer in the internal network and the client is set to "Always connected" mode.
ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistration, ManagementCommandSetGlobalPropertiesRemoteAccessHotSpotAndHotelRegistrationArgs
- EnableRegistration bool - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- LocalSubnetsAccessOnly bool - Local subnets access only.
- MaxIpAccessDuringRegistration double - Maximum number of addresses to allow access to during registration.
- Ports List<string> - Ports to be opened during registration (up to 10 ports).
- RegistrationTimeout double - Maximum time (in seconds) to complete registration.
- TrackLog bool - Track log.
- EnableRegistration bool - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- LocalSubnetsAccessOnly bool - Local subnets access only.
- MaxIpAccessDuringRegistration float64 - Maximum number of addresses to allow access to during registration.
- Ports []string - Ports to be opened during registration (up to 10 ports).
- RegistrationTimeout float64 - Maximum time (in seconds) to complete registration.
- TrackLog bool - Track log.
- enableRegistration Boolean - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- localSubnetsAccessOnly Boolean - Local subnets access only.
- maxIpAccessDuringRegistration Double - Maximum number of addresses to allow access to during registration.
- ports List<String> - Ports to be opened during registration (up to 10 ports).
- registrationTimeout Double - Maximum time (in seconds) to complete registration.
- trackLog Boolean - Track log.
- enableRegistration boolean - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- localSubnetsAccessOnly boolean - Local subnets access only.
- maxIpAccessDuringRegistration number - Maximum number of addresses to allow access to during registration.
- ports string[] - Ports to be opened during registration (up to 10 ports).
- registrationTimeout number - Maximum time (in seconds) to complete registration.
- trackLog boolean - Track log.
- enable_registration bool - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- local_subnets_access_only bool - Local subnets access only.
- max_ip_access_during_registration float - Maximum number of addresses to allow access to during registration.
- ports Sequence[str] - Ports to be opened during registration (up to 10 ports).
- registration_timeout float - Maximum time (in seconds) to complete registration.
- track_log bool - Track log.
- enableRegistration Boolean - Set Enable registration to true in order to configure settings. Set Enable registration to false in order to cancel registration (the configurations below won't be available). When the feature is enabled, you have several minutes to complete registration.
- localSubnetsAccessOnly Boolean - Local subnets access only.
- maxIpAccessDuringRegistration Number - Maximum number of addresses to allow access to during registration.
- ports List<String> - Ports to be opened during registration (up to 10 ports).
- registrationTimeout Number - Maximum time (in seconds) to complete registration.
- trackLog Boolean - Track log.
ManagementCommandSetGlobalPropertiesRemoteAccessScv, ManagementCommandSetGlobalPropertiesRemoteAccessScvArgs
- ApplyScvOnSimplifiedModeFwPolicies bool - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- Exceptions List<ManagementCommandSetGlobalPropertiesRemoteAccessScvException> - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- GenerateLog bool - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- NoScvForUnsupportedCpClients bool - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- NotifyUser bool - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- OnlyTcpIpProtocolsAreUsed bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- PolicyInstalledOnAllInterfaces bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- UponVerificationAcceptAndLogClientConnection bool - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
- ApplyScvOnSimplifiedModeFwPolicies bool - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- Exceptions []ManagementCommandSetGlobalPropertiesRemoteAccessScvException - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- GenerateLog bool - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- NoScvForUnsupportedCpClients bool - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- NotifyUser bool - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- OnlyTcpIpProtocolsAreUsed bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- PolicyInstalledOnAllInterfaces bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- UponVerificationAcceptAndLogClientConnection bool - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
- applyScvOnSimplifiedModeFwPolicies Boolean - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- exceptions List<ManagementCommandSetGlobalPropertiesRemoteAccessScvException> - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- generateLog Boolean - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- noScvForUnsupportedCpClients Boolean - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- notifyUser Boolean - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- onlyTcpIpProtocolsAreUsed Boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- policyInstalledOnAllInterfaces Boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- uponVerificationAcceptAndLogClientConnection Boolean - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
- applyScvOnSimplifiedModeFwPolicies boolean - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- exceptions ManagementCommandSetGlobalPropertiesRemoteAccessScvException[] - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- generateLog boolean - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- noScvForUnsupportedCpClients boolean - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- notifyUser boolean - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- onlyTcpIpProtocolsAreUsed boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- policyInstalledOnAllInterfaces boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- uponVerificationAcceptAndLogClientConnection boolean - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
- apply_scv_on_simplified_mode_fw_policies bool - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- exceptions Sequence[ManagementCommandSetGlobalPropertiesRemoteAccessScvException] - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- generate_log bool - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- no_scv_for_unsupported_cp_clients bool - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- notify_user bool - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- only_tcp_ip_protocols_are_used bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- policy_installed_on_all_interfaces bool - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- upon_verification_accept_and_log_client_connection bool - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
- applyScvOnSimplifiedModeFwPolicies Boolean - Determine whether the gateway verifies that remote access clients are securely configured. This is set here only if the security policy is defined in the Simplified Mode. If the security policy is defined in the Traditional Mode, verification takes place per rule.
- exceptions List<Property Map> - Specify the hosts that can be accessed using the selected services even if the client is not verified. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- generateLog Boolean - If the client identifies that the secure configuration has been violated, select whether a log is generated by the remote access client and sent to the Security Management server.
- noScvForUnsupportedCpClients Boolean - Do not apply Secure Configuration Verification for connections from Check Point VPN clients that don't support it, such as SSL Network Extender, GO, Capsule VPN / Connect, Endpoint Connects lower than R75, or L2TP clients. Available only if apply-scv-on-simplified-mode-fw-policies is true.
- notifyUser Boolean - If the client identifies that the secure configuration has been violated, select whether the user should be notified.
- onlyTcpIpProtocolsAreUsed Boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that only TCP/IP protocols are used.
- policyInstalledOnAllInterfaces Boolean - Most SCV checks are configured via the SCV policy. Specify whether to verify that the Desktop Security Policy is installed on all the interfaces of the client.
- uponVerificationAcceptAndLogClientConnection Boolean - If the gateway verifies the client's configuration, decide how the gateway should handle connections with clients that fail the Security Configuration Verification. It is possible to either drop the connection or accept the connection and log it.
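The "Available only if" conditions and the 10-port limit documented for the location-awareness, hot spot registration and SCV blocks can be checked before a change is applied. The following linter is an added example, not code from the provider or its documentation: it works on plain dicts keyed by the snake_case property names listed above, and the function names, finding format and sample values are constructed for illustration.

```python
"""Pre-deployment lint for the remote-access argument blocks documented above.

Added example: property names are the snake_case ones from this page; function
names, the (severity, property, message) finding format and all sample values
are constructed.
"""

MODE_KEY = "vpn_clients_are_considered_inside_the_internal_network_when_the_client"
FROM_NETWORK_OR_GROUP = "Connects from network or group"  # literal as quoted on this page
MAX_REGISTRATION_PORTS = 10  # "up to 10 ports"
HOT_SPOT_SETTINGS = ["local_subnets_access_only", "max_ip_access_during_registration",
                     "ports", "registration_timeout", "track_log"]


def _is_set(cfg, key):
    """True when the key is present with a value other than None or an empty string/list."""
    return cfg.get(key) not in (None, "", [], ())


def _gated(cfg, gate, dependents, findings, gate_value=True):
    """Flag dependents that are supplied while their gate lacks the required value."""
    if cfg.get(gate) == gate_value:
        return
    for key in dependents:
        if _is_set(cfg, key):
            findings.append(("error", key, f"available only if {gate} is {gate_value!r}"))


def lint_location_awareness(cfg):
    findings = []
    _gated(cfg, "consider_undefined_dns_suffixes_as_external", ["dns_suffixes"], findings)
    _gated(cfg, "consider_wireless_networks_as_external",
           ["excluded_internal_wireless_networks"], findings)
    _gated(cfg, MODE_KEY, ["network_or_group_of_conn_vpn_client"], findings,
           gate_value=FROM_NETWORK_OR_GROUP)
    # Documented behaviour: an empty suffix list silently resets the flag to false.
    if cfg.get("consider_undefined_dns_suffixes_as_external") is True \
            and not cfg.get("dns_suffixes"):
        findings.append(("warning", "dns_suffixes",
                         "empty list: consider_undefined_dns_suffixes_as_external "
                         "will automatically be set to false"))
    return findings


def lint_hot_spot_registration(cfg):
    findings = []
    # With enable_registration false, the other settings "won't be available".
    _gated(cfg, "enable_registration", HOT_SPOT_SETTINGS, findings)
    ports = cfg.get("ports") or []
    if len(ports) > MAX_REGISTRATION_PORTS:
        findings.append(("error", "ports",
                         f"{len(ports)} ports listed, limit is {MAX_REGISTRATION_PORTS}"))
    return findings


def lint_scv(cfg):
    findings = []
    _gated(cfg, "apply_scv_on_simplified_mode_fw_policies",
           ["exceptions", "no_scv_for_unsupported_cp_clients"], findings)
    # Assumption read from the property name: true selects "accept and log"
    # rather than "drop" for clients that fail verification.
    if cfg.get("upon_verification_accept_and_log_client_connection") is True:
        findings.append(("review", "upon_verification_accept_and_log_client_connection",
                         "clients that fail SCV are accepted and logged, not dropped"))
    return findings


# Constructed sample inputs.
SAMPLE_LOCATION = {
    "consider_undefined_dns_suffixes_as_external": True,
    "dns_suffixes": [],
    "consider_wireless_networks_as_external": False,
    "excluded_internal_wireless_networks": ["corp-wifi"],
    MODE_KEY: "Connects to GW through internal interface",
    "network_or_group_of_conn_vpn_client": "branch-nets",
}
SAMPLE_HOT_SPOT = {
    "enable_registration": True,
    "ports": [str(p) for p in range(8000, 8011)],  # 11 ports, one over the limit
    "registration_timeout": 600,
}
SAMPLE_SCV = {
    "apply_scv_on_simplified_mode_fw_policies": False,
    "exceptions": [{"note": "constructed placeholder"}],
    "upon_verification_accept_and_log_client_connection": True,
}

if __name__ == "__main__":
    for name, result in [("location awareness", lint_location_awareness(SAMPLE_LOCATION)),
                         ("hot spot registration", lint_hot_spot_registration(SAMPLE_HOT_SPOT)),
                         ("scv", lint_scv(SAMPLE_SCV))]:
        for severity, prop, message in result:
            print(f"[{severity}] {name}.{prop}: {message}")
```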
ManagementCommandSetGlobalPropertiesRemoteAccessScvException, ManagementCommandSetGlobalPropertiesRemoteAccessScvExceptionArgs
ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobile, ManagementCommandSetGlobalPropertiesRemoteAccessSecureClientMobileArgs
- AutomaticallyInitiateDialup string - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- CachePasswordTimeout double - Cached password timeout (in minutes).
- ConnectMode string - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- DisconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- EnablePasswordCaching string - Whether the password entered to authenticate is saved locally on the user's machine.
- ReAuthUserInterval double - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- RouteAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- SupportedEncryptionMethods string - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- UserAuthMethod string - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
- AutomaticallyInitiateDialup string - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- CachePasswordTimeout float64 - Cached password timeout (in minutes).
- ConnectMode string - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- DisconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- EnablePasswordCaching string - Whether the password entered to authenticate is saved locally on the user's machine.
- ReAuthUserInterval float64 - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- RouteAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- SupportedEncryptionMethods string - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- UserAuthMethod string - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
- automaticallyInitiateDialup String - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- cachePasswordTimeout Double - Cached password timeout (in minutes).
- connectMode String - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- disconnectWhenDeviceIsIdle String - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching String - Whether the password entered to authenticate is saved locally on the user's machine.
- reAuthUserInterval Double - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw String - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- supportedEncryptionMethods String - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- userAuthMethod String - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
- automaticallyInitiateDialup string - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- cachePasswordTimeout number - Cached password timeout (in minutes).
- connectMode string - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- disconnectWhenDeviceIsIdle string - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching string - Whether the password entered to authenticate is saved locally on the user's machine.
- reAuthUserInterval number - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw string - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- supportedEncryptionMethods string - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- userAuthMethod string - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
- automatically_initiate_dialup str - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- cache_password_timeout float - Cached password timeout (in minutes).
- connect_mode str - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- disconnect_when_device_is_idle str - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enable_password_caching str - Whether the password entered to authenticate is saved locally on the user's machine.
- re_auth_user_interval float - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- route_all_traffic_to_gw str - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- supported_encryption_methods str - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- user_auth_method str - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
- automaticallyInitiateDialup String - When selected, the client will initiate a GPRS dialup connection before attempting to establish the VPN connection. Note that if a local IP address is already available through another network interface, then the GPRS dialup is not initiated.
- cachePasswordTimeout Number - Cached password timeout (in minutes).
- connectMode String - Methods by which a connection to the gateway will be initiated: Configured On Endpoint Client - the method used for initiating a connection to a gateway is determined by the endpoint client. Manual - VPN connections will not be initiated automatically. Always connected - SecureClient Mobile will automatically establish a connection to the last connected gateway under the following circumstances: (a) the device has a valid IP address, (b) when the device "wakes up" from a low-power state or a soft-reset, or (c) after a condition that caused the device to automatically disconnect ceases to exist (for example, Device is out of PC Sync, Disconnect is not idle). On application request - Applications requiring access to resources through the VPN will be able to initiate a VPN connection.
- disconnectWhenDeviceIsIdle String - Enabling this feature will disconnect users from the gateway if there is no traffic sent during the defined time period.
- enablePasswordCaching String - Whether the password entered to authenticate is saved locally on the user's machine.
- reAuthUserInterval Number - Wide Impact: Also applies for SSL Network Extender clients! The length of time (in minutes) until the user's credentials are resent to the gateway to verify authorization.
- routeAllTrafficToGw String - Operates the client in Hub Mode, sending all traffic to the VPN server for routing, filtering, and processing.
- supportedEncryptionMethods String - Wide Impact: Also applies for SSL Network Extender clients! Select the encryption algorithms that will be supported with remote users.
- userAuthMethod String - Wide Impact: Also applies for SSL Network Extender clients and Check Point GO clients. How the user will be authenticated by the gateway.
ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtender, ManagementCommandSetGlobalPropertiesRemoteAccessSslNetworkExtenderArgs
- ClientOutgoingKeepAlivePacketsFrequency double - Select the interval at which the keep-alive packets are sent.
- ClientUninstallUponDisconnection string - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- ClientUpgradeUponConnection string - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- ReAuthUserInterval double - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- ScanEpMachineForComplianceWithEpCompliancePolicy bool - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- SupportedEncryptionMethods string - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- UserAuthMethod string - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
- ClientOutgoingKeepAlivePacketsFrequency float64 - Select the interval at which the keep-alive packets are sent.
- ClientUninstallUponDisconnection string - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- ClientUpgradeUponConnection string - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- ReAuthUserInterval float64 - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- ScanEpMachineForComplianceWithEpCompliancePolicy bool - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- SupportedEncryptionMethods string - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- UserAuthMethod string - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
- clientOutgoingKeepAlivePacketsFrequency Double - Select the interval at which the keep-alive packets are sent.
- clientUninstallUponDisconnection String - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- clientUpgradeUponConnection String - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- reAuthUserInterval Double - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- scanEpMachineForComplianceWithEpCompliancePolicy Boolean - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- supportedEncryptionMethods String - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- userAuthMethod String - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
- clientOutgoingKeepAlivePacketsFrequency number - Select the interval at which the keep-alive packets are sent.
- clientUninstallUponDisconnection string - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- clientUpgradeUponConnection string - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- reAuthUserInterval number - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- scanEpMachineForComplianceWithEpCompliancePolicy boolean - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- supportedEncryptionMethods string - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- userAuthMethod string - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
- client_outgoing_keep_alive_packets_frequency float - Select the interval at which the keep-alive packets are sent.
- client_uninstall_upon_disconnection str - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- client_upgrade_upon_connection str - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- re_auth_user_interval float - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- scan_ep_machine_for_compliance_with_ep_compliance_policy bool - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- supported_encryption_methods str - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- user_auth_method str - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
- clientOutgoingKeepAlivePacketsFrequency Number - Select the interval at which the keep-alive packets are sent.
- clientUninstallUponDisconnection String - Select whether the client should automatically uninstall SSL Network Extender when it disconnects from the gateway.
- clientUpgradeUponConnection String - When a client connects to the gateway with SSL Network Extender, the client automatically checks for an upgrade. Select whether the client should automatically upgrade.
- reAuthUserInterval Number - Wide Impact: Applies for the SecureClient Mobile! Select the interval after which users will need to reauthenticate.
- scanEpMachineForComplianceWithEpCompliancePolicy Boolean - Set to true if you want endpoint machines to be scanned for compliance with the Endpoint Compliance Policy.
- supportedEncryptionMethods String - Wide Impact: Also applies to SecureClient Mobile devices! Select the encryption algorithms that will be supported for remote users. Changes made here will also apply for all SSL clients.
- userAuthMethod String - Wide Impact: Also applies for SecureClient Mobile devices and Check Point GO clients! User authentication method indicates how the user will be authenticated by the gateway. Changes made here will also apply for SSL clients. Legacy - Username and password only. Certificate - Certificate only with an existing certificate. Certificate with Enrollment - Allows you to obtain a new certificate and then use certificate authentication only. Mixed - Can use either username and password or certificate.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvanced, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAdvancedArgs
- AllowClearTrafficToEncryptionDomainWhenDisconnected bool - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- EnableLoadDistributionForMepConf bool - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- UseFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite bool - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
- AllowClearTrafficToEncryptionDomainWhenDisconnected bool - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- EnableLoadDistributionForMepConf bool - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- UseFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite bool - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
- allowClearTrafficToEncryptionDomainWhenDisconnected Boolean - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- enableLoadDistributionForMepConf Boolean - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite Boolean - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
- allowClearTrafficToEncryptionDomainWhenDisconnected boolean - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- enableLoadDistributionForMepConf boolean - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite boolean - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
- allow_clear_traffic_to_encryption_domain_when_disconnected bool - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- enable_load_distribution_for_mep_conf bool - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- use_first_allocated_om_ip_addr_for_all_conn_to_the_gws_of_the_site bool - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
- allowClearTrafficToEncryptionDomainWhenDisconnected Boolean - SecuRemote/SecureClient behavior while disconnected - How traffic to the VPN domain is handled when the Remote Access VPN client is not connected to the site. Traffic can either be dropped or sent in clear without encryption.
- enableLoadDistributionForMepConf Boolean - Load distribution for Multiple Entry Points configurations - Remote access clients will randomly select a gateway from the list of entry points. Make sure to define the same VPN domain for all the Security Gateways you want to be entry points.
- useFirstAllocatedOmIpAddrForAllConnToTheGwsOfTheSite Boolean - Use first allocated Office Mode IP Address for all connections to the Gateways of the site. After a remote user connects and receives an Office Mode IP address from a gateway, every connection to that gateway's encryption domain will go out with the Office Mode IP as the internal source IP. The Office Mode IP is what hosts in the encryption domain will recognize as the remote user's IP address. The Office Mode IP address assigned by a specific gateway can be used in its own encryption domain and in neighboring encryption domains as well. The neighboring encryption domains should reside behind gateways that are members of the same VPN community as the assigning gateway. Since the remote host's connections are dependent on the Office Mode IP address it received, should the gateway that issued the IP become unavailable, all the connections to the site will terminate.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryption, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionArgs
- EncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- EncryptionMethod string - Select the encryption method.
- string
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- bool
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- bool
- Use a centrally managed pre-shared key for IKE.
- SupportLegacyAuthForScL2tpNokiaClients bool - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- SupportLegacyEap bool - Support Legacy EAP (Extensible Authentication Protocol).
- EncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- EncryptionMethod string - Select the encryption method.
- string
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- bool
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- bool
- Use a centrally managed pre-shared key for IKE.
- SupportLegacyAuthForScL2tpNokiaClients bool - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- SupportLegacyEap bool - Support Legacy EAP (Extensible Authentication Protocol).
- encryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- encryptionMethod String - Select the encryption method.
- String
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- Boolean
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- Boolean
- Use a centrally managed pre-shared key for IKE.
- supportLegacyAuthForScL2tpNokiaClients Boolean - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- supportLegacyEap Boolean - Support Legacy EAP (Extensible Authentication Protocol).
- encryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- encryptionMethod string - Select the encryption method.
- string
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- boolean
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- boolean
- Use a centrally managed pre-shared key for IKE.
- supportLegacyAuthForScL2tpNokiaClients boolean - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- supportLegacyEap boolean - Support Legacy EAP (Extensible Authentication Protocol).
- encryption_algorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- encryption_method str - Select the encryption method.
- str
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- bool
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- bool
- Use a centrally managed pre-shared key for IKE.
- support_legacy_auth_for_sc_l2tp_nokia_clients bool - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- support_legacy_eap bool - Support Legacy EAP (Extensible Authentication Protocol).
- encryptionAlgorithms Property Map - Select the methods negotiated in IKE phase 2 and used in IPSec connections.
- encryptionMethod String - Select the encryption method.
- String
- Type in the pre-shared key. Available only if support-l2tp-with-pre-shared-key is set to true.
- Boolean
- the user password is specified in the Authentication tab in the user's IKE properties (in the user properties window: Encryption tab > Edit).
- Boolean
- Use a centrally managed pre-shared key for IKE.
- supportLegacyAuthForScL2tpNokiaClients Boolean - Support Legacy Authentication for SC (hybrid mode), L2TP (PAP) and Nokia clients (CRACK).
- supportLegacyEap Boolean - Support Legacy EAP (Extensible Authentication Protocol).
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithms, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsArgs
- Ike ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIke - Configure the IKE Phase 1 settings.
- Ipsec ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsec - Configure the IPSEC Phase 2 settings.
- Ike ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIke - Configure the IKE Phase 1 settings.
- Ipsec ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsec - Configure the IPSEC Phase 2 settings.
- ike ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIke - Configure the IKE Phase 1 settings.
- ipsec ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsec - Configure the IPSEC Phase 2 settings.
- ike
Management
Command Set Global Properties Remote Access Vpn Authentication And Encryption Encryption Algorithms Ike - Configure the IKE Phase 1 settings.
- ipsec
Management
Command Set Global Properties Remote Access Vpn Authentication And Encryption Encryption Algorithms Ipsec - Configure the IPSEC Phase 2 settings.
- ike
Management
Command Set Global Properties Remote Access Vpn Authentication And Encryption Encryption Algorithms Ike - Configure the IKE Phase 1 settings.
- ipsec
Management
Command Set Global Properties Remote Access Vpn Authentication And Encryption Encryption Algorithms Ipsec - Configure the IPSEC Phase 2 settings.
- ike Property Map
- Configure the IKE Phase 1 settings.
- ipsec Property Map
- Configure the IPSEC Phase 2 settings.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIke, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeArgs
- SupportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- SupportDiffieHellmanGroups ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- SupportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- UseDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- UseDiffieHellmanGroup string
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- UseEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- SupportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- SupportDiffieHellmanGroups ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- SupportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- UseDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- UseDiffieHellmanGroup string
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- UseEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- supportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportDiffieHellmanGroups ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- supportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity String
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useDiffieHellmanGroup String
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- useEncryptionAlgorithm String
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- supportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportDiffieHellmanGroups ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- supportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useDiffieHellmanGroup string
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- useEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- support_data_integrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- support_diffie_hellman_groups ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- support_encryption_algorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- use_data_integrity str
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- use_diffie_hellman_group str
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- use_encryption_algorithm str
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- supportDataIntegrity Property Map
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportDiffieHellmanGroups Property Map
- Select the Diffie-Hellman groups that will be supported with remote hosts.
- supportEncryptionAlgorithms Property Map
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity String
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useDiffieHellmanGroup String
- SecureClient users utilize the Diffie-Hellman group selected in this field.
- useEncryptionAlgorithm String
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrity, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDataIntegrityArgs
- AesXcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- Md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- AesXcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- Md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc Boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 Boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 Boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 Boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aes_xcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc Boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 Boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 Boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 Boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroups, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportDiffieHellmanGroupsArgs
- Group1 bool
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- Group14 bool
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- Group2 bool
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- Group5 bool
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
- Group1 bool
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- Group14 bool
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- Group2 bool
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- Group5 bool
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
- group1 Boolean
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- group14 Boolean
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- group2 Boolean
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- group5 Boolean
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
- group1 boolean
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- group14 boolean
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- group2 boolean
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- group5 boolean
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
- group1 bool
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- group14 bool
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- group2 bool
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- group5 bool
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
- group1 Boolean
- Select whether Diffie-Hellman Group 1 (768 bit) will be supported with remote hosts.
- group14 Boolean
- Select whether Diffie-Hellman Group 14 (2048 bit) will be supported with remote hosts.
- group2 Boolean
- Select whether Diffie-Hellman Group 2 (1024 bit) will be supported with remote hosts.
- group5 Boolean
- Select whether Diffie-Hellman Group 5 (1536 bit) will be supported with remote hosts.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithms, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIkeSupportEncryptionAlgorithmsArgs
- Aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- Aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- Des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- Tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- Aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- Aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- Des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- Tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 Boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 Boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des Boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes Boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 Boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 Boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des Boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes Boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsec, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecArgs
- EnforceEncryptionAlgAndDataIntegrityOnAllUsers bool
- Enforce Encryption Algorithm and Data Integrity on all users.
- SupportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- SupportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- UseDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- UseEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- EnforceEncryptionAlgAndDataIntegrityOnAllUsers bool
- Enforce Encryption Algorithm and Data Integrity on all users.
- SupportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- SupportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- UseDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- UseEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- enforceEncryptionAlgAndDataIntegrityOnAllUsers Boolean
- Enforce Encryption Algorithm and Data Integrity on all users.
- supportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity String
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useEncryptionAlgorithm String
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- enforceEncryptionAlgAndDataIntegrityOnAllUsers boolean
- Enforce Encryption Algorithm and Data Integrity on all users.
- supportDataIntegrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportEncryptionAlgorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity string
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useEncryptionAlgorithm string
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- enforce_encryption_alg_and_data_integrity_on_all_users bool
- Enforce Encryption Algorithm and Data Integrity on all users.
- support_data_integrity ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- support_encryption_algorithms ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms
- Select the encryption algorithms that will be supported with remote hosts.
- use_data_integrity str
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- use_encryption_algorithm str
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
- enforceEncryptionAlgAndDataIntegrityOnAllUsers Boolean
- Enforce Encryption Algorithm and Data Integrity on all users.
- supportDataIntegrity Property Map
- Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
- supportEncryptionAlgorithms Property Map
- Select the encryption algorithms that will be supported with remote hosts.
- useDataIntegrity String
- The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
- useEncryptionAlgorithm String
- Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrity, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportDataIntegrityArgs
- AesXcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- Md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- AesXcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- Md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- Sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc Boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 Boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 Boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 Boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aes_xcbc bool
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 bool
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 bool
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 bool
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
- aesXcbc Boolean
- Select whether the AES-XCBC hash algorithm will be supported with remote hosts to ensure data integrity.
- md5 Boolean
- Select whether the MD5 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha1 Boolean
- Select whether the SHA1 hash algorithm will be supported with remote hosts to ensure data integrity.
- sha256 Boolean
- Select whether the SHA256 hash algorithm will be supported with remote hosts to ensure data integrity.
ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithms, ManagementCommandSetGlobalPropertiesRemoteAccessVpnAuthenticationAndEncryptionEncryptionAlgorithmsIpsecSupportEncryptionAlgorithmsArgs
- Aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- Aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- Des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- Tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- Aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- Aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- Des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- Tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 Boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 Boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des Boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes Boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 bool
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 bool
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des bool
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes bool
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
- aes128 Boolean
- Select whether the AES-128 encryption algorithm will be supported with remote hosts.
- aes256 Boolean
- Select whether the AES-256 encryption algorithm will be supported with remote hosts.
- des Boolean
- Select whether the DES encryption algorithm will be supported with remote hosts.
- tdes Boolean
- Select whether the Triple DES encryption algorithm will be supported with remote hosts.
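As an added example (not part of the provider documentation or of Check Point's code), the following Python check lints the `support_*` maps of the `ike` and `ipsec` blocks before they are passed to the resource. It works on a plain dict keyed by the Python property names listed above; the function name, the sample input and the weak-algorithm policy are assumptions of this example.

```python
# Added example: lint the IKE/IPsec "support_*" maps before deployment.
# Keys mirror the Python property names listed on this page. The policy in
# WEAK is this example's own choice (an assumption), not a vendor statement.

WEAK = {
    "support_encryption_algorithms": {
        "des": ("error", "56-bit key"),
        "tdes": ("warn", "64-bit block cipher"),
    },
    "support_data_integrity": {
        "md5": ("error", "collision-broken hash"),
        "sha1": ("warn", "collision-broken hash"),
    },
    "support_diffie_hellman_groups": {
        "group1": ("error", "768 bit"),
        "group2": ("error", "1024 bit"),
        "group5": ("warn", "1536 bit"),
    },
}

# Every option the page lists for each map; any other key is treated as a typo.
KNOWN = {
    "support_encryption_algorithms": {"aes128", "aes256", "des", "tdes"},
    "support_data_integrity": {"aes_xcbc", "md5", "sha1", "sha256"},
    "support_diffie_hellman_groups": {"group1", "group2", "group5", "group14"},
}

# The page lists Diffie-Hellman groups for the IKE (phase 1) block only.
MAPS_PER_PHASE = {
    "ike": [
        "support_encryption_algorithms",
        "support_data_integrity",
        "support_diffie_hellman_groups",
    ],
    "ipsec": ["support_encryption_algorithms", "support_data_integrity"],
}


def lint_encryption_algorithms(cfg):
    """Return sorted (severity, path, message) findings for an encryption_algorithms dict."""
    findings = []
    for phase, map_names in MAPS_PER_PHASE.items():
        phase_cfg = cfg.get(phase) or {}
        for map_name in map_names:
            path = f"{phase}.{map_name}"
            options = phase_cfg.get(map_name)
            if options is None:
                # Nothing pinned in code, so review cannot see the effective value.
                findings.append(("warn", path, "unset: value is not pinned in code"))
                continue
            for key in sorted(set(options) - KNOWN[map_name]):
                findings.append(("error", f"{path}.{key}", "unknown option name"))
            enabled = {k for k, v in options.items() if v is True and k in KNOWN[map_name]}
            weak = WEAK[map_name]
            for key in sorted(enabled & set(weak)):
                severity, reason = weak[key]
                findings.append((severity, f"{path}.{key}", f"weak option enabled ({reason})"))
            # Edge case: only weak options (or none at all) are left enabled.
            if not enabled - set(weak):
                findings.append(("error", path, "no strong option enabled"))
    return sorted(findings)


# Constructed sample input, shaped like the Python args on this page.
SAMPLE = {
    "ike": {
        "support_encryption_algorithms": {"aes128": True, "aes256": True, "des": True, "tdes": False},
        "support_data_integrity": {"md5": True, "sha1": False, "sha256": False, "aes_xcbc": False},
        "support_diffie_hellman_groups": {"group1": False, "group2": True, "group5": False, "group14": True},
    },
    "ipsec": {
        "support_encryption_algorithms": {"aes256": True, "3des": True},  # "3des" is a typo for "tdes"
    },
}

if __name__ == "__main__":
    for severity, path, message in lint_encryption_algorithms(SAMPLE):
        print(f"{severity:5} {path}: {message}")
```

Run it in CI against the same dict that is passed as `encryption_algorithms`, and fail the pipeline on any `error` finding.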
ManagementCommandSetGlobalPropertiesStatefulInspection, ManagementCommandSetGlobalPropertiesStatefulInspectionArgs
- AcceptStatefulIcmpErrors bool
- Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- AcceptStatefulIcmpReplies bool
- Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- AcceptStatefulOtherIpProtocolsRepliesForUnknownServices bool
- Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- AcceptStatefulUdpRepliesForUnknownServices bool
- Specifies if UDP replies are to be accepted for unknown services.
- DropOutOfStateIcmpPackets bool
- Drop ICMP packets which are not consistent with the current state of the connection.
- DropOutOfStateSctpPackets bool
- Drop SCTP packets which are not consistent with the current state of the connection.
- DropOutOfStateTcpPackets bool
- Drop TCP packets which are not consistent with the current state of the connection.
- IcmpVirtualSessionTimeout double
- An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- LogOnDropOutOfStateIcmpPackets bool
- Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- LogOnDropOutOfStateSctpPackets bool
- Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- LogOnDropOutOfStateTcpPackets bool
- Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- OtherIpProtocolsVirtualSessionTimeout double
- A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- SctpEndTimeout double
- SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- SctpSessionTimeout double
- Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- SctpStartTimeout double
- SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- TcpEndTimeout double
- A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- TcpEndTimeoutR8020GwAndAbove double
- A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- TcpOutOfStateDropExceptions List<string>
- Name or uid of the gateways and clusters for which Out of State packets are allowed.
- TcpSessionTimeout double
- The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- TcpStartTimeout double
- A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- UdpVirtualSessionTimeout double
- Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
- AcceptStatefulIcmpErrors bool - Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- AcceptStatefulIcmpReplies bool - Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- AcceptStatefulOtherIpProtocolsRepliesForUnknownServices bool - Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- AcceptStatefulUdpRepliesForUnknownServices bool - Specifies if UDP replies are to be accepted for unknown services.
- DropOutOfStateIcmpPackets bool - Drop ICMP packets which are not consistent with the current state of the connection.
- DropOutOfStateSctpPackets bool - Drop SCTP packets which are not consistent with the current state of the connection.
- DropOutOfStateTcpPackets bool - Drop TCP packets which are not consistent with the current state of the connection.
- IcmpVirtualSessionTimeout float64 - An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- LogOnDropOutOfStateIcmpPackets bool - Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- LogOnDropOutOfStateSctpPackets bool - Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- LogOnDropOutOfStateTcpPackets bool - Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- OtherIpProtocolsVirtualSessionTimeout float64 - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- SctpEndTimeout float64 - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- SctpSessionTimeout float64 - Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- SctpStartTimeout float64 - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- TcpEndTimeout float64 - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- TcpEndTimeoutR8020GwAndAbove float64 - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- TcpOutOfStateDropExceptions []string - Name or uid of the gateways and clusters for which Out of State packets are allowed.
- TcpSessionTimeout float64 - The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- TcpStartTimeout float64 - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- UdpVirtualSessionTimeout float64 - Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
- acceptStatefulIcmpErrors Boolean - Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- acceptStatefulIcmpReplies Boolean - Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- acceptStatefulOtherIpProtocolsRepliesForUnknownServices Boolean - Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- acceptStatefulUdpRepliesForUnknownServices Boolean - Specifies if UDP replies are to be accepted for unknown services.
- dropOutOfStateIcmpPackets Boolean - Drop ICMP packets which are not consistent with the current state of the connection.
- dropOutOfStateSctpPackets Boolean - Drop SCTP packets which are not consistent with the current state of the connection.
- dropOutOfStateTcpPackets Boolean - Drop TCP packets which are not consistent with the current state of the connection.
- icmpVirtualSessionTimeout Double - An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- logOnDropOutOfStateIcmpPackets Boolean - Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- logOnDropOutOfStateSctpPackets Boolean - Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- logOnDropOutOfStateTcpPackets Boolean - Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- otherIpProtocolsVirtualSessionTimeout Double - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- sctpEndTimeout Double - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- sctpSessionTimeout Double - Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- sctpStartTimeout Double - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- tcpEndTimeout Double - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpEndTimeoutR8020GwAndAbove Double - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpOutOfStateDropExceptions List<String> - Name or uid of the gateways and clusters for which Out of State packets are allowed.
- tcpSessionTimeout Double - The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- tcpStartTimeout Double - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- udpVirtualSessionTimeout Double - Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
- acceptStatefulIcmpErrors boolean - Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- acceptStatefulIcmpReplies boolean - Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- acceptStatefulOtherIpProtocolsRepliesForUnknownServices boolean - Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- acceptStatefulUdpRepliesForUnknownServices boolean - Specifies if UDP replies are to be accepted for unknown services.
- dropOutOfStateIcmpPackets boolean - Drop ICMP packets which are not consistent with the current state of the connection.
- dropOutOfStateSctpPackets boolean - Drop SCTP packets which are not consistent with the current state of the connection.
- dropOutOfStateTcpPackets boolean - Drop TCP packets which are not consistent with the current state of the connection.
- icmpVirtualSessionTimeout number - An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- logOnDropOutOfStateIcmpPackets boolean - Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- logOnDropOutOfStateSctpPackets boolean - Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- logOnDropOutOfStateTcpPackets boolean - Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- otherIpProtocolsVirtualSessionTimeout number - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- sctpEndTimeout number - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- sctpSessionTimeout number - Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- sctpStartTimeout number - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- tcpEndTimeout number - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpEndTimeoutR8020GwAndAbove number - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpOutOfStateDropExceptions string[] - Name or uid of the gateways and clusters for which Out of State packets are allowed.
- tcpSessionTimeout number - The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- tcpStartTimeout number - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- udpVirtualSessionTimeout number - Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
- accept_stateful_icmp_errors bool - Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- accept_stateful_icmp_replies bool - Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- accept_stateful_other_ip_protocols_replies_for_unknown_services bool - Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- accept_stateful_udp_replies_for_unknown_services bool - Specifies if UDP replies are to be accepted for unknown services.
- drop_out_of_state_icmp_packets bool - Drop ICMP packets which are not consistent with the current state of the connection.
- drop_out_of_state_sctp_packets bool - Drop SCTP packets which are not consistent with the current state of the connection.
- drop_out_of_state_tcp_packets bool - Drop TCP packets which are not consistent with the current state of the connection.
- icmp_virtual_session_timeout float - An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- log_on_drop_out_of_state_icmp_packets bool - Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- log_on_drop_out_of_state_sctp_packets bool - Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- log_on_drop_out_of_state_tcp_packets bool - Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- other_ip_protocols_virtual_session_timeout float - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- sctp_end_timeout float - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- sctp_session_timeout float - Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- sctp_start_timeout float - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- tcp_end_timeout float - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcp_end_timeout_r8020_gw_and_above float - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcp_out_of_state_drop_exceptions Sequence[str] - Name or uid of the gateways and clusters for which Out of State packets are allowed.
- tcp_session_timeout float - The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- tcp_start_timeout float - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- udp_virtual_session_timeout float - Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
- acceptStatefulIcmpErrors Boolean - Accept ICMP error packets which refer to another non-ICMP connection (for example, to an ongoing TCP or UDP connection) that was accepted by the Rule Base.
- acceptStatefulIcmpReplies Boolean - Accept ICMP reply packets for ICMP requests that were accepted by the Rule Base.
- acceptStatefulOtherIpProtocolsRepliesForUnknownServices Boolean - Accept reply packets for other undefined services (that is, services which are not one of the following: TCP, UDP, ICMP).
- acceptStatefulUdpRepliesForUnknownServices Boolean - Specifies if UDP replies are to be accepted for unknown services.
- dropOutOfStateIcmpPackets Boolean - Drop ICMP packets which are not consistent with the current state of the connection.
- dropOutOfStateSctpPackets Boolean - Drop SCTP packets which are not consistent with the current state of the connection.
- dropOutOfStateTcpPackets Boolean - Drop TCP packets which are not consistent with the current state of the connection.
- icmpVirtualSessionTimeout Number - An ICMP virtual session will be considered to have timed out after this time period (in seconds).
- logOnDropOutOfStateIcmpPackets Boolean - Generates a log entry when these out of state ICMP packets are dropped. Available only if drop-out-of-state-icmp-packets is true.
- logOnDropOutOfStateSctpPackets Boolean - Generates a log entry when these out of state SCTP packets are dropped. Available only if drop-out-of-state-sctp-packets is true.
- logOnDropOutOfStateTcpPackets Boolean - Generates a log entry when these out of state TCP packets are dropped. Available only if drop-out-of-state-tcp-packets is true.
- otherIpProtocolsVirtualSessionTimeout Number - A virtual session of services which are not explicitly configured here will be considered to have timed out after this time period (in seconds).
- sctpEndTimeout Number - SCTP connections end after this number of seconds, after the connection ends or is reset, to allow for stray ACKs of the connection that arrive late.
- sctpSessionTimeout Number - Time (in seconds) an idle connection will remain in the Security Gateway connections table.
- sctpStartTimeout Number - SCTP connections will be timed out if the interval between the arrival of the first packet and establishment of the connection exceeds this value (in seconds).
- tcpEndTimeout Number - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpEndTimeoutR8020GwAndAbove Number - A TCP connection will only terminate TCP end timeout seconds after two FIN packets (one in each direction: client-to-server, and server-to-client) or an RST packet. When a TCP connection ends (FIN packets sent or connection reset) the Check Point Security Gateway will keep the connection in the connections table for another TCP end timeout seconds, to allow for stray ACKs of the connection that arrive late.
- tcpOutOfStateDropExceptions List<String> - Name or uid of the gateways and clusters for which Out of State packets are allowed.
- tcpSessionTimeout Number - The length of time (in seconds) an idle connection will remain in the Security Gateway connections table.
- tcpStartTimeout Number - A TCP connection will be timed out if the interval between the arrival of the first packet and establishment of the connection (TCP three-way handshake) exceeds TCP start timeout seconds.
- udpVirtualSessionTimeout Number - Specifies the amount of time (in seconds) a UDP reply channel may remain open without any packets being returned.
ManagementCommandSetGlobalPropertiesUserAccounts, ManagementCommandSetGlobalPropertiesUserAccountsArgs
- DaysUntilExpiration double - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- ExpirationDate string - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- ExpirationDateMethod string - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- ShowAccountsExpirationIndicationDaysInAdvance bool - Activates the Expired Accounts link, to open the Expired Accounts window.
- DaysUntilExpiration float64 - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- ExpirationDate string - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- ExpirationDateMethod string - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- ShowAccountsExpirationIndicationDaysInAdvance bool - Activates the Expired Accounts link, to open the Expired Accounts window.
- daysUntilExpiration Double - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- expirationDate String - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- expirationDateMethod String - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- showAccountsExpirationIndicationDaysInAdvance Boolean - Activates the Expired Accounts link, to open the Expired Accounts window.
- daysUntilExpiration number - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- expirationDate string - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- expirationDateMethod string - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- showAccountsExpirationIndicationDaysInAdvance boolean - Activates the Expired Accounts link, to open the Expired Accounts window.
- days_until_expiration float - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- expiration_date str - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- expiration_date_method str - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- show_accounts_expiration_indication_days_in_advance bool - Activates the Expired Accounts link, to open the Expired Accounts window.
- daysUntilExpiration Number - Account expires after the number of days that you select. Available only if expiration-date-method is set to "expire after".
- expirationDate String - Specify an Expiration Date in the following format: YYYY-MM-DD. Available only if expiration-date-method is set to "expire at".
- expirationDateMethod String - Select an Expiration Date Method. Expire at - Account expires on the date that you select. Expire after - Account expires after the number of days that you select.
- showAccountsExpirationIndicationDaysInAdvance Boolean - Activates the Expired Accounts link, to open the Expired Accounts window.
ManagementCommandSetGlobalPropertiesUserAuthority, ManagementCommandSetGlobalPropertiesUserAuthorityArgs
- DisplayWebAccessView bool - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- TrustOnlyFollowingWindowsDomains List<string> - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- WindowsDomainsToTrust string - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
- DisplayWebAccessView bool - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- TrustOnlyFollowingWindowsDomains []string - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- WindowsDomainsToTrust string - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
- displayWebAccessView Boolean - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- trustOnlyFollowingWindowsDomains List<String> - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- windowsDomainsToTrust String - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
- displayWebAccessView boolean - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- trustOnlyFollowingWindowsDomains string[] - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- windowsDomainsToTrust string - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
- display_web_access_view bool - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- trust_only_following_windows_domains Sequence[str] - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- windows_domains_to_trust str - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
- displayWebAccessView Boolean - Specify whether or not to display the WebAccess rule base. This rule base is used for UserAuthority.
- trustOnlyFollowingWindowsDomains List<String> - Specify which Windows domains will have access to the internal sites of the organization. Available only if windows-domains-to-trust is set to SELECTIVELY.
- windowsDomainsToTrust String - When matching Firewall usernames to Windows Domains usernames for Single Sign on, select whether to trust all or specify which Windows Domain should be trusted. ALL - Enables you to allow all Windows domains to access the internal sites of the organization. SELECTIVELY - Enables you to specify which Windows domains will have access to the internal sites of the organization.
ManagementCommandSetGlobalPropertiesUserCheck, ManagementCommandSetGlobalPropertiesUserCheckArgs
- PreferredLanguage string - The preferred language for new UserCheck message.
- SendEmailsUsingMailServer string - Name or UID of mail server to send emails to.
- PreferredLanguage string - The preferred language for new UserCheck message.
- SendEmailsUsingMailServer string - Name or UID of mail server to send emails to.
- preferredLanguage String - The preferred language for new UserCheck message.
- sendEmailsUsingMailServer String - Name or UID of mail server to send emails to.
- preferredLanguage string - The preferred language for new UserCheck message.
- sendEmailsUsingMailServer string - Name or UID of mail server to send emails to.
- preferred_language str - The preferred language for new UserCheck message.
- send_emails_using_mail_server str - Name or UID of mail server to send emails to.
- preferredLanguage String - The preferred language for new UserCheck message.
- sendEmailsUsingMailServer String - Name or UID of mail server to send emails to.
ManagementCommandSetGlobalPropertiesUserDirectory, ManagementCommandSetGlobalPropertiesUserDirectoryArgs
- Cache
Size double - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- DisplayUserDnAtLogin string - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- EnablePasswordChangeWhenUserActiveDirectoryExpires bool - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- EnablePasswordExpirationConfiguration bool - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- EnforceRulesForUserMgmtAdmins bool - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- MinPasswordLength double - Specifies the minimum length (in characters) of the password.
- PasswordExpiresAfter double - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- PasswordMustIncludeADigit bool - Password must include a digit.
- PasswordMustIncludeASymbol bool - Password must include a symbol.
- PasswordMustIncludeLowercaseChar bool - Password must include a lowercase character.
- PasswordMustIncludeUppercaseChar bool - Password must include an uppercase character.
- TimeoutOnCachedUsers double - The period of time after which a cached user times out and must be fetched again from the LDAP server.
- CacheSize float64 - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- DisplayUserDnAtLogin string - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- EnablePasswordChangeWhenUserActiveDirectoryExpires bool - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- EnablePasswordExpirationConfiguration bool - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- EnforceRulesForUserMgmtAdmins bool - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- MinPasswordLength float64 - Specifies the minimum length (in characters) of the password.
- PasswordExpiresAfter float64 - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- PasswordMustIncludeADigit bool - Password must include a digit.
- PasswordMustIncludeASymbol bool - Password must include a symbol.
- PasswordMustIncludeLowercaseChar bool - Password must include a lowercase character.
- PasswordMustIncludeUppercaseChar bool - Password must include an uppercase character.
- TimeoutOnCachedUsers float64 - The period of time after which a cached user times out and must be fetched again from the LDAP server.
- cacheSize Double - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- displayUserDnAtLogin String - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- enablePasswordChangeWhenUserActiveDirectoryExpires Boolean - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- enablePasswordExpirationConfiguration Boolean - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- enforceRulesForUserMgmtAdmins Boolean - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- minPasswordLength Double - Specifies the minimum length (in characters) of the password.
- passwordExpiresAfter Double - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- passwordMustIncludeADigit Boolean - Password must include a digit.
- passwordMustIncludeASymbol Boolean - Password must include a symbol.
- passwordMustIncludeLowercaseChar Boolean - Password must include a lowercase character.
- passwordMustIncludeUppercaseChar Boolean - Password must include an uppercase character.
- timeoutOnCachedUsers Double - The period of time after which a cached user times out and must be fetched again from the LDAP server.
- cacheSize number - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- displayUserDnAtLogin string - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- enablePasswordChangeWhenUserActiveDirectoryExpires boolean - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- enablePasswordExpirationConfiguration boolean - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- enforceRulesForUserMgmtAdmins boolean - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- minPasswordLength number - Specifies the minimum length (in characters) of the password.
- passwordExpiresAfter number - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- passwordMustIncludeADigit boolean - Password must include a digit.
- passwordMustIncludeASymbol boolean - Password must include a symbol.
- passwordMustIncludeLowercaseChar boolean - Password must include a lowercase character.
- passwordMustIncludeUppercaseChar boolean - Password must include an uppercase character.
- timeoutOnCachedUsers number - The period of time after which a cached user times out and must be fetched again from the LDAP server.
- cache_size float - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- display_user_dn_at_login str - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- enable_password_change_when_user_active_directory_expires bool - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- enable_password_expiration_configuration bool - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- enforce_rules_for_user_mgmt_admins bool - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- min_password_length float - Specifies the minimum length (in characters) of the password.
- password_expires_after float - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- password_must_include_a_digit bool - Password must include a digit.
- password_must_include_a_symbol bool - Password must include a symbol.
- password_must_include_lowercase_char bool - Password must include a lowercase character.
- password_must_include_uppercase_char bool - Password must include an uppercase character.
- timeout_on_cached_users float - The period of time after which a cached user times out and must be fetched again from the LDAP server.
- cacheSize Number - The maximum number of cached users allowed. The cache is FIFO (first-in, first-out). When a new user is added to a full cache, the first user is deleted to make room for the new user. The Check Point Security Gateway does not query the LDAP server for users already in the cache, unless the cache has timed out.
- displayUserDnAtLogin String - Decide whether or not you would like to display the user's DN when logging in. If you choose to display the user DN, you can select whether to display it when the user is prompted for the password at login or on the request of the authentication scheme. This property is a useful diagnostic tool when there is more than one user with the same name in an Account Unit. In this case, the first one is chosen and the others are ignored.
- enablePasswordChangeWhenUserActiveDirectoryExpires Boolean - For organizations using MS Active Directory, this setting enables users whose passwords have expired to automatically create new passwords.
- enablePasswordExpirationConfiguration Boolean - Enable configuring of the number of days during which the password is valid. If enable-password-change-when-user-active-directory-expires is true, the password expiration time is determined by the Active Directory. In this case it is recommended not to set this to true.
- enforceRulesForUserMgmtAdmins Boolean - Enforces password strength rules on LDAP users when you create or modify a Check Point Password.
- minPasswordLength Number - Specifies the minimum length (in characters) of the password.
- passwordExpiresAfter Number - Specifies the number of days during which the password is valid. Users are authenticated using a special LDAP password. Should this password expire, a new password must be defined. Available only if enable-password-expiration-configuration is true.
- passwordMustIncludeADigit Boolean - Password must include a digit.
- passwordMustIncludeASymbol Boolean - Password must include a symbol.
- passwordMustIncludeLowercaseChar Boolean - Password must include a lowercase character.
- passwordMustIncludeUppercaseChar Boolean - Password must include an uppercase character.
- timeoutOnCachedUsers Number - The period of time after which a cached user times out and must be fetched again from the LDAP server.
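The cache size and cached-user timeout described above together decide how long a change made on the LDAP server can go unseen by the gateway. The following model is an added illustration, not Check Point or provider code: the class and function names, the in-memory dict standing in for the LDAP server, the unitless clock values and the choice to measure the timeout from the moment a user was fetched are all assumptions.

```python
from collections import OrderedDict


class LdapUserCache:
    """Toy model of the documented semantics: FIFO eviction plus a timeout.

    Hypothetical helper for illustration only.
    """

    def __init__(self, directory, cache_size, timeout_on_cached_users):
        self.directory = directory              # dict standing in for the LDAP server
        self.cache_size = int(cache_size)
        self.timeout = timeout_on_cached_users  # same (arbitrary) unit as `now`
        self._entries = OrderedDict()           # user -> (record, fetched_at)
        self.ldap_queries = 0

    def lookup(self, user, now):
        """Return (record, source) where source is 'cache' or 'ldap'."""
        entry = self._entries.get(user)
        if entry is not None:
            record, fetched_at = entry
            if now - fetched_at < self.timeout:
                # Cached and not timed out: the directory is NOT consulted,
                # and a hit does not move the user to the back of the queue.
                return record, "cache"
            del self._entries[user]             # timed out, must be refetched

        self.ldap_queries += 1
        record = self.directory.get(user)
        if record is None:
            return None, "ldap"                 # unknown or removed user
        if self.cache_size > 0:
            if len(self._entries) >= self.cache_size:
                self._entries.popitem(last=False)   # FIFO: drop the first user added
            self._entries[user] = (dict(record), now)
        return record, "ldap"

    def cached_users(self):
        return list(self._entries)


def run_scenario():
    """Constructed scenario: 2-entry cache, timeout of 900 clock units."""
    directory = {
        "alice": {"enabled": True},
        "bob": {"enabled": True},
        "carol": {"enabled": True},
    }
    cache = LdapUserCache(directory, cache_size=2, timeout_on_cached_users=900)
    sources = [
        cache.lookup("alice", now=0)[1],    # first fetch
        cache.lookup("bob", now=10)[1],     # first fetch
        cache.lookup("alice", now=20)[1],   # served from cache
        cache.lookup("carol", now=30)[1],   # cache full: alice (first in) is evicted
    ]
    after_eviction = cache.cached_users()

    # bob is removed from the directory while still cached.
    del directory["bob"]
    stale_record, stale_source = cache.lookup("bob", now=100)
    fresh_record, fresh_source = cache.lookup("bob", now=910)

    return {
        "sources": sources,
        "after_eviction": after_eviction,
        "stale": (stale_record, stale_source),
        "fresh": (fresh_record, fresh_source),
        "ldap_queries": cache.ldap_queries,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

In the scenario, alice is evicted although she was the most recently used entry, and bob's removed account keeps being served from cache until the timeout elapses, so the timeout is the upper bound on how long a directory change stays invisible in this model.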
ManagementCommandSetGlobalPropertiesVpn, ManagementCommandSetGlobalPropertiesVpnArgs
- DomainNameForDnsResolving string - Enter the domain name that will be used for gateways' DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- EnableBackupGw bool - Enable Backup Gateway.
- EnableDecryptOnAcceptForGwToGwTraffic bool - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- EnableLoadDistributionForMepConf bool - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- EnableVpnDirectionalMatchInVpnColumn bool - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- GracePeriodAfterTheCrlIsNotValid double - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- GracePeriodBeforeTheCrlIsValid double - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- GracePeriodExtensionForSecureRemoteSecureClient double - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- SupportIkeDosProtectionFromIdentifiedSrc string - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- SupportIkeDosProtectionFromUnidentifiedSrc string - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- VpnConfMethod string - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
- DomainNameForDnsResolving string - Enter the domain name that will be used for gateways' DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- EnableBackupGw bool - Enable Backup Gateway.
- EnableDecryptOnAcceptForGwToGwTraffic bool - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- EnableLoadDistributionForMepConf bool - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- EnableVpnDirectionalMatchInVpnColumn bool - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- GracePeriodAfterTheCrlIsNotValid float64 - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- GracePeriodBeforeTheCrlIsValid float64 - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- GracePeriodExtensionForSecureRemoteSecureClient float64 - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- SupportIkeDosProtectionFromIdentifiedSrc string - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- SupportIkeDosProtectionFromUnidentifiedSrc string - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- VpnConfMethod string - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
- domainNameForDnsResolving String - Enter the domain name that will be used for gateways' DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- enableBackupGw Boolean - Enable Backup Gateway.
- enableDecryptOnAcceptForGwToGwTraffic Boolean - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- enableLoadDistributionForMepConf Boolean - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- enableVpnDirectionalMatchInVpnColumn Boolean - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- gracePeriodAfterTheCrlIsNotValid Double - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodBeforeTheCrlIsValid Double - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodExtensionForSecureRemoteSecureClient Double - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- supportIkeDosProtectionFromIdentifiedSrc String - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- supportIkeDosProtectionFromUnidentifiedSrc String - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- vpnConfMethod String - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
- domain
Name stringFor Dns Resolving - Enter the domain name that will be used for gateways DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- enable
Backup booleanGw - Enable Backup Gateway.
- enable
Decrypt booleanOn Accept For Gw To Gw Traffic - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- enableLoadDistributionForMepConf (boolean) - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- enableVpnDirectionalMatchInVpnColumn (boolean) - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- gracePeriodAfterTheCrlIsNotValid (number) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodBeforeTheCrlIsValid (number) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodExtensionForSecureRemoteSecureClient (number) - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- supportIkeDosProtectionFromIdentifiedSrc (string) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- supportIkeDosProtectionFromUnidentifiedSrc (string) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- vpnConfMethod (string) - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
- domain_name_for_dns_resolving (str) - Enter the domain name that will be used for the gateways' DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- enable_backup_gw (bool) - Enable Backup Gateway.
- enable_decrypt_on_accept_for_gw_to_gw_traffic (bool) - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- enable_load_distribution_for_mep_conf (bool) - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- enable_vpn_directional_match_in_vpn_column (bool) - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- grace_period_after_the_crl_is_not_valid (float) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- grace_period_before_the_crl_is_valid (float) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- grace_period_extension_for_secure_remote_secure_client (float) - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- support_ike_dos_protection_from_identified_src (str) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- support_ike_dos_protection_from_unidentified_src (str) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- vpn_conf_method (str) - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
- domainNameForDnsResolving (String) - Enter the domain name that will be used for the gateways' DNS lookup. The DNS host name that is used is "gateway_name.domain_name".
- enableBackupGw (Boolean) - Enable Backup Gateway.
- enableDecryptOnAcceptForGwToGwTraffic (Boolean) - Enable decrypt on accept for gateway to gateway traffic. This is only relevant for policies in traditional mode. In Traditional Mode, the 'Accept' action determines that a connection is allowed, while the 'Encrypt' action determines that a connection is allowed and encrypted. Select whether VPN accepts an encrypted packet that matches a rule with an 'Accept' action or drops it.
- enableLoadDistributionForMepConf (Boolean) - Enable load distribution for Multiple Entry Points configurations (Site To Site connections). The VPN Multiple Entry Point (MEP) feature supplies high availability and load distribution for Check Point Security Gateways. MEP works in four modes: First to Respond, in which the first gateway to reply to the peer gateway is chosen. An organization would choose this option if, for example, the organization has two gateways in a MEPed configuration - one in London, the other in New York. It makes sense for Check Point Security Gateway peers located in England to try the London gateway first and the NY gateway second. Being geographically closer to Check Point Security Gateway peers in England, the London gateway will be the first to respond, and becomes the entry point to the internal network. VPN Domain, in which, when the destination IP belongs to a particular VPN domain, the gateway of that domain becomes the chosen entry point. This gateway becomes the primary gateway while other gateways in the MEP configuration become its backup gateways. Random Selection, in which the remote Check Point Security Gateway peer randomly selects a gateway with which to open a VPN connection. For each IP source/destination address pair, a new gateway is randomly selected. An organization might have a number of machines with equal performance abilities. In this case, it makes sense to enable load distribution. The machines are used in a random and equal way. Manually set priority list, in which gateway priorities can be set manually for the entire community or for individual satellite gateways.
- enableVpnDirectionalMatchInVpnColumn (Boolean) - Enable VPN Directional Match in VPN Column. Note: VPN Directional Match is supported only on Gaia, SecurePlatform, Linux and IPSO.
- gracePeriodAfterTheCrlIsNotValid (Number) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodBeforeTheCrlIsValid (Number) - When establishing VPN tunnels, the peer presents its certificate for authentication. The clock on the gateway machine must be synchronized with the clock on the Certificate Authority machine. Otherwise, the Certificate Revocation List (CRL) used for validating the peer's certificate may be considered invalid and thus the authentication fails. To resolve the issue of differing clock times, a Grace Period permits a wider window for CRL validity.
- gracePeriodExtensionForSecureRemoteSecureClient (Number) - When dealing with remote clients the Grace Period needs to be extended. The remote client sometimes relies on the peer gateway to supply the CRL. If the client's clock is not synchronized with the gateway's clock, a CRL that is considered valid by the gateway may be considered invalid by the client.
- supportIkeDosProtectionFromIdentifiedSrc (String) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- supportIkeDosProtectionFromUnidentifiedSrc (String) - When the number of IKE negotiations handled simultaneously exceeds a threshold above VPN's capacity, a gateway concludes that it is either under a high load or experiencing a Denial of Service attack. VPN can filter out peers that are the probable source of the potential Denial of Service attack. There are two kinds of protection: Stateless - the peer has to respond to an IKE notification in a way that proves the peer's IP address is not spoofed. If the peer cannot prove this, VPN does not allocate resources for the IKE negotiation. Puzzles - this is the same as Stateless, but in addition, the peer has to solve a mathematical puzzle. Solving this puzzle consumes peer CPU resources in a way that makes it difficult to initiate multiple IKE negotiations simultaneously. Puzzles is more secure than Stateless, but affects performance. Since these kinds of attacks involve a new proprietary addition to the IKE protocol, enabling these protection mechanisms may cause difficulties with non-Check Point VPN products or older versions of VPN.
- vpnConfMethod (String) - Decide on Simplified or Traditional mode for all new security policies or decide which mode to use on a policy by policy basis.
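The CRL grace-period properties above trade tolerance for clock skew against how long an expired CRL stays trusted. The following is an added illustration, not code from the provider or the gateway: it models the validity window under the assumptions that the values are seconds (the page does not state the unit) and that the remote-client extension widens both edges; `crl_acceptable` and `audit_grace` are hypothetical helper names.

```python
from datetime import datetime, timedelta, timezone

def crl_acceptable(local_now, this_update, next_update,
                   grace_before_s=0, grace_after_s=0, client_extension_s=0):
    """Return (ok, reason) for a CRL checked against the verifier's own clock.

    Assumed model, not the gateway's code: the CRL window
    [this_update, next_update] is widened by grace_before_s at the start and
    grace_after_s at the end; a remote client adds client_extension_s to both.
    """
    before = timedelta(seconds=grace_before_s + client_extension_s)
    after = timedelta(seconds=grace_after_s + client_extension_s)
    if local_now < this_update - before:
        return False, "not-yet-valid"
    if local_now > next_update + after:
        return False, "expired"
    return True, "ok"

def audit_grace(skew_s, grace_before_s, grace_after_s, crl_lifetime_s=86400):
    """Test both edges of a CRL's life for a verifier whose clock is off by
    skew_s relative to the CA (negative = behind, positive = ahead)."""
    issued = datetime(2026, 1, 1, tzinfo=timezone.utc)  # constructed sample CRL
    expires = issued + timedelta(seconds=crl_lifetime_s)
    skew = timedelta(seconds=skew_s)
    fresh_ok, _ = crl_acceptable(issued + skew, issued, expires,
                                 grace_before_s, grace_after_s)
    final_ok, _ = crl_acceptable(expires + skew, issued, expires,
                                 grace_before_s, grace_after_s)
    return {
        "accepted_when_fresh": fresh_ok,     # fails if the clock is behind
        "accepted_until_expiry": final_ok,   # fails if the clock is ahead
        # Cost of the setting: an expired CRL, which cannot list newer
        # revocations, is still trusted for this long past next_update.
        "stale_crl_trusted_s": grace_after_s,
    }

if __name__ == "__main__":
    # Constructed scenarios: 5 minutes of skew in each direction.
    for skew, before, after in [(-300, 0, 0), (-300, 600, 0),
                                (300, 0, 0), (300, 0, 600)]:
        print(skew, before, after, audit_grace(skew, before, after))
```

Sizing the grace values just above the worst clock skew you actually observe keeps authentication working while limiting the time a stale CRL can mask a revocation.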
Package Details
- Repository
- checkpoint checkpointsw/terraform-provider-checkpoint
- License
- Notes
- This Pulumi package is based on the checkpoint Terraform Provider.
