cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

Powershell Script Server Error forbidden

Hi Guys,

i want to use the following PowerShell Script to Sync the Office 365 URLs for the Smart Dashboard, but i get a Server Error: Forbidden. I use the Checkpoint Admin User for this Task.

Is this a Rights Problem or a Missing "Checkbox" Error?

The Powershell Script:

<#

.SYNOPSIS
One way sync of Microsoft Office365 hosts & networks into Check Point groups.

.DESCRIPTION
This script will create/update Check Point groups for each Microsoft Office365 product, with the list of hosts & networks Microsoft publish.

.PARAMETER ManagementServer
IP or Hostname of the Check point Management Server

.PARAMETER Credentials
PSCredential containing User name and Password. If not provided you will be prompted.

.PARAMETER CertificateHash
The server's SSL certificate hash

.PARAMETER ManagementPort
Port Web API running on.

.PARAMETER NoIPv4
Do not include IPv4 addresses.

.PARAMETER NoIPv6
Do not include IPv6 addresses.

.PARAMETER Publish
If any changes made publish them automatically. By default session will just be closed pending you to manually open session in SmartConsole and publish the changes.
Publish will only happen if no errors during sync.

.PARAMETER Ignore
Weather Check Point warnings or errors should be ignored.

.PARAMETER Rename
If existing object not found by name, first search by IP/Subnet and if matching object found rename it and add to group.

.PARAMETER Color
Check Point color to set on created objects.

.PARAMETER Prefix
Prefix used on host/network objects.

.PARAMETER GroupPrefix
Prefix used on group objects.

.PARAMETER CommentPrefix
Prefix used on comments (Groups, Session, Created Hosts & Networks).

.PARAMETER Tag
Tag set when creating objects.

.PARAMETER CertificateValidation
Which certificate validation method(s) to use.

.PARAMETER Instance
Specifies the instance to return the endpoints for.

.EXAMPLE
./Office365_Group_Sync.ps1 -NoIPv6 -Rename -Verbose

.NOTES
Requires psCheckPoint v0.7.9+.

.LINK
https://github.com/tkoopman/psCheckPoint

.LINK
https://support.content.office.net/en-us/static/O365IPAddresses.xml

#>
[CmdletBinding()]
param(
[Parameter(Mandatory = $true)]
[string]$ManagementServer,
[Parameter(Mandatory = $true)]
[PSCredential]$Credentials,
[string]$CertificateHash,
[int]$ManagementPort = 443,
[switch]$NoIPv4,
[switch]$NoIPv6,
[switch]$Publish,
[ValidateSet("No", "Warnings", "Errors")]
[string]$Ignore = "No",
[switch]$Rename,
[string]$Color = "red",
[string]$HostPrefix = "Microsoft",
[string]$GroupPrefix = "Microsoft_Office365",
[string]$CommentPrefix = "Microsoft Office365",
[string]$Tag = "Microsoft_Office365",
[ValidateSet("All", "Auto", "CertificatePinning", "None", "ValidCertificate")]
[string]$CertificateValidation = "Auto",
[ValidateSet("Worldwide", "China", "Germany", "USGovDoD", "USGovGCCHigh")]
[string]$Instance = "Worldwide"
)
# path where client ID will be stored
$datapath = $Env:TEMP + "\MS_O365_ClientRequestId.txt";
Write-Verbose "Client ID File: $datapath";

# fetch client ID if data file exists; otherwise create new file
if (Test-Path $datapath) {
$content = Get-Content $datapath;
$clientRequestId = $content;
}
else {
Write-Verbose "Creating new Client ID";
$clientRequestId = [GUID]::NewGuid().Guid;
$clientRequestId | Out-File $datapath;
}

Write-Verbose "Client ID: $clientRequestId";

# Download Microsoft Cloud IP Ranges and Names into Object
$Version = Invoke-RestMethod https://endpoints.office.com/version/$($Instance)?ClientRequestId=$clientRequestId;
Write-Verbose "Version: $($Version.latest)";
$O365IPAddresses = Invoke-RestMethod https://endpoints.office.com/endpoints/$($Instance)?ClientRequestId=$clientRequestId;

# Set variables
$Updated = ([datetime]::parseexact($Version.latest.Substring(0, 8),"yyyyMMdd",[System.Globalization.CultureInfo]::InvariantCulture)).ToShortDateString();
$Comments = "$CommentPrefix added $Updated";
$GroupComments = "$CommentPrefix updated $Updated";
$Errors = 0;

# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** ";
$Session = Open-CheckPointSession -SessionName $CommentPrefix -SessionComments "$CommentPrefix Group Sync" -ManagementServer $ManagementServer -ManagementPort $ManagementPort -Credentials $Credentials -CertificateValidation $CertificateValidation -CertificateHash $CertificateHash -PassThru;
if (-not $Session) {
# Failed login
exit;
}

$ServiceAreas = $O365IPAddresses | Select-Object -ExpandProperty serviceArea | Sort-Object -Unique

ForEach ($ServiceArea in $ServiceAreas) {
$GroupName = $GroupPrefix + "_" + $ServiceArea;
Write-Verbose "Processing $GroupName";

$ServiceAreaIPs = $O365IPAddresses | Where-Object {$_.serviceArea -eq $ServiceArea -and $_.ips} | Select-Object -ExpandProperty ips;
if ($NoIPv4.IsPresent) {
$ServiceAreaIPs = $ServiceAreaIPs | Where-Object { $_ -notmatch "\." }
}
if ($NoIPv6.IsPresent) {
$ServiceAreaIPs = $ServiceAreaIPs | Where-Object { $_ -notmatch ":" }
}

$ServiceAreaIPs |
Invoke-CheckPointGroupSync -Session $Session -GroupName $GroupName -Prefix "${HostPrefix}_" -Rename:$Rename.IsPresent -Ignore $Ignore -Color $Color -Comments $Comments -Tags $Tag -CreateGroup |
Tee-Object -Variable output;
if (($output | Where-Object {$_.Actions -ne 0 -and -not $_.Error} | Measure-Object).Count -ne 0) {
# Updates made
Write-Verbose "Updating $GroupName group's comment";
$Group = Set-CheckPointGroup -Session $Session -Name $GroupName -Comments "$GroupComments" -Verbose:$false -PassThru;
}
$Errors = $Errors + ($output | Where-Object {$_.Error} | Measure-Object).Count;
}

$Stats = Get-CheckPointSession -Session $Session -UID $Session.UID
Write-Verbose "Total Errors: $Errors";
if ($Stats.Changes -eq 0) {
Write-Host "No changes made. Closing session.";
Reset-CheckPointSession -Session $Session -Verbose:$false;
Close-CheckPointSession -Session $Session -Verbose:$false;
} elseif ($Publish.IsPresent -and $Errors -eq 0) {
# Publish Changes
Write-Host "Publishing $($Stats.Changes) changes.";
Publish-CheckPointSession -Session $Session -Verbose:$false;
Close-CheckPointSession -Session $Session -Verbose:$false;
} else {
# Logout from Check Point API
Write-Host "View $($Stats.Changes) changes in SmartConsole to publish.";
Close-CheckPointSession -Session $Session -ContinueSessionInSmartconsole -Verbose:$false;
}
# DONE!

the Error:

Open-CheckPointSession : Server Error: Forbidden
In C:\Users\PaGuenther\Downloads\psCheckPoint-Examples-GroupSync\Office365_Group_Sync.ps1:125 Zeichen:12
+ $Session = Open-CheckPointSession -SessionName $CommentPrefix -Sessio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : Verbindungsfehler: (psCheckPoint.Se...eckPointSession:OpenCheckPointSession) [Open-CheckPointSession], GenericException
+ FullyQualifiedErrorId : Server Error: Forbidden,psCheckPoint.Session.OpenCheckPointSession

Thanks for your Help

0 Kudos
4 Replies
Admin
Admin

Re: Powershell Script Server Error forbidden

Since this was Tim Koopman‌'s script let's tag him.

Also might provide how you invoked this script.

0 Kudos
Admin
Admin

Re: Powershell Script Server Error forbidden

Also, did you enable the API server?

It's not enabled by default.

Tim_Koopman
Nickel

Re: Powershell Script Server Error forbidden

So if this is the first time using any API access I would first do as Dameon Welch Abernathy suggests and confirm the API is enabled. Forbidden is the expected error for the server to respond with if the API is enabled but not for your IP Address, or the API is disabled but the server is still listening on that port for other services.

So please confirm the api is started and your IP is allowed, by setting "Accept API calls from" to either "All IP addresses that can be used for GUI clients" or "All IP Addresses". The first is more secure, just make sure your IP is one of the allowed GUI client IPs.

Please let us know if this doesn't help.

0 Kudos

Re: Powershell Script Server Error forbidden

And make sure you are patched. Vanilla R80.10 has a  .... feature where it will fail to start if you select to allow only GUI clients to connect.

That was fixed in a jumbo hotfix.

0 Kudos