
Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Hi,

Here is a PowerShell script that will automate the creation of all Office 365 IP addresses and URLs in an R80+ management server:

*** UPDATE ***

Here is an improved version of the script: Create-O365CheckpointObjects.ps1

It depends on the ConvertFrom-O365AddressesXMLFile module (https://github.com/it-praktyk/Conver...dressesXMLFile). So you need to install it first.

Here is the help:

NOM
  Create-O365CheckpointObjects.ps1

RÉSUMÉ
  Create the required objects in a Checkpoint R80+ management server to allow Office 365 traffic


SYNTAXE
  Create-O365CheckpointObjects.ps1 [-Server] <String> [[-Port] <Int32>]
  [[-DomainName] <String>] [[-Service] <String>] [[-Prefix] <String>] [[-Category] <String>] [-Type] <String>
  [<CommonParameters>]


DESCRIPTION
  This script will connect to
  https://support.content.office.net/en-us/static/O365IPAddresses.xml
  and download an XML file containing the required objects to allow Office 365 traffic to pass.
  It will then create the objects (IPv4, IPv6 addresses or URLs) into the Checkpoint management
  server using the R80+ API, according to the selected parameters.
  It depends on the ConvertFrom-O365AddressesXMLFile module
  (https://github.com/it-praktyk/Convert-Office365NetworksData/tree/master/ConvertFrom-O365AddressesXMLFile).



PARAMÈTRES
  -Server <String>
  The mandatory Checkpoint management server hostname or IP address

  -Port <Int32>
  The Checkpoint R80 API port
  By default, 443 will be used

  -DomainName <String>

  -Service <String>
  An optional Office 365 to filter on (among "WAC","Sway","Planner","Yammer","OfficeMobile", "ProPlus",
  "RCA","OneNote","OfficeiPad","EXO","SPO","Office365Video","LYO","Identity","CRLs","o365" and "EOP"
  If not specified, all Office 365 services objects will be created

  -Prefix <String>
  A prefix for the Office 365 objects in the Checkpoint management server
  By default, "O365" will be used

  -Category <String>
  The primary category for the Office 365 application objects in the Checkpoint management server
  By default, "Microsoft & Office365 Services" will be used

  -Type <String>
  A mandatory object type to filter on (among "IPv4","IPv6","URL")

  <CommonParameters>
  Cette applet de commande prend en charge les paramètres courants : Verbose, Debug,
  ErrorAction, ErrorVariable, WarningAction, WarningVariable,
  OutBuffer, PipelineVariable et OutVariable. Pour plus d’informations, voir
  about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).


  -------------------------- EXEMPLE 1 --------------------------

  PS C:\>Create-O365CheckpointObjects -Server cpserver -Type IPv4

  Description:
  Will create the IPv4 objects for all the Office 365 apps in a Checkpoint management server
  named "cpserver"




  -------------------------- EXEMPLE 2 --------------------------

  PS C:\>Create-O365CheckpointObjects -Server cpserver -Service LYO -Type IPv6 -Verbose

  Description:
  Will create the IPv6 network objects for Skype for Business in a Checkpoint management server
  named "cpserver"




  -------------------------- EXEMPLE 3 --------------------------

  PS C:\>Create-O365CheckpointObjects -Server cpserver -Service EOP -Type URL -Category "Exchange"

  Description:
  Will create an application object for Exchange Online, with the required URLs, and a primary
  category set to "Exchange"




REMARQUES
  Pour consulter les exemples, tapez: "get-help Create-O365CheckpointObjects.ps1 -examples".
  Pour plus d'informations, tapez: "get-help Create-O365CheckpointObjects.ps1
  -detailed".
  Pour obtenir des informations techniques, tapez: "get-help Create-O365CheckpointObjects.ps1 -full".
12 Replies
Quinn_Yost

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Awesome stuff! This is very similar to what I did in this thread: Adding members to a group

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

The biggest issue we face with O365 is keeping the IP list up-to-date since it is so dynamic. What would happen if you run this script say every week? Is it designed for that?

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Yes, you can use this script to add new IP addresses every month, for example. But I think it's not going to work perfectly, as Microsoft uses CDNs like Akamai to host some content, and these IP addresses are not documented.

We have chosen to use the AppControl + URL Filtering + HTTPS Inspection blades and to base our rules on URLs and applications, not IP ranges. We had to make HTTPS Inspection bypasses on specific IP addresses to make Skype and Outlook work flawlessly, but so far it's working. I can give you some details on our policy on demand.
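
Added example, not part of the thread or of Create-O365CheckpointObjects.ps1: one way a scheduled re-run can reconcile a group with the feed rather than only add to it, so ranges that drop out of the feed stop being allowed. The XML sample, the object naming scheme and the function names are assumptions; the emitted commands (add-host, add-network, set-group, publish) are Check Point management API commands that would be POSTed to /web_api/<command> with the session ID returned by login.

```powershell
# Added example. The XML is constructed (documentation address ranges) and laid
# out like the O365IPAddresses.xml feed; names and functions are hypothetical.
[xml]$feed = @'
<products updated="1/1/2018">
  <product name="LYO">
    <addresslist type="IPv4">
      <address>192.0.2.0/24</address>
      <address>198.51.100.7/32</address>
    </addresslist>
    <addresslist type="URL"><address>*.lync.com</address></addresslist>
  </product>
</products>
'@

function Get-O365Address([xml]$Xml, [string]$Service, [string]$Type) {
    $xpath = "/products/product[@name='$Service']/addresslist[@type='$Type']/address"
    @($Xml.SelectNodes($xpath) | ForEach-Object { $_.InnerText.Trim() })
}

function Get-SyncPlan([string[]]$Cidrs, [string[]]$CurrentMembers, [string]$Group) {
    # Deterministic names: the same range maps to the same object on every run.
    $wanted = [ordered]@{}
    foreach ($c in $Cidrs) { $wanted["${Group}_$($c -replace '[/:]', '_')"] = $c }
    $names  = @($wanted.Keys)
    $add    = @($names | Where-Object { $_ -notin $CurrentMembers })
    $remove = @($CurrentMembers | Where-Object { $_ -notin $names })
    foreach ($name in $add) {
        $ip, $len = $wanted[$name] -split '/'
        $hostLen  = if ($ip -like '*:*') { '128' } else { '32' }
        if ($len -eq $hostLen) {   # single address: host object, not a network
            @{ command = 'add-host'; body = @{ name = $name; 'ip-address' = $ip } }
        } else {
            @{ command = 'add-network'
               body    = @{ name = $name; subnet = $ip; 'mask-length' = [int]$len } }
        }
    }
    # Withdrawn ranges leave the group, so the allow rule shrinks with the feed.
    @{ command = 'set-group'
       body    = @{ name = $Group; members = @{ add = $add; remove = $remove } } }
    @{ command = 'publish'; body = @{} }
}

# Constructed state: member names a 'show-group' call might have returned.
$current = 'O365_IPv4_LYO_192.0.2.0_24', 'O365_IPv4_LYO_203.0.113.0_24'
$cidrs   = Get-O365Address $feed 'LYO' 'IPv4'
Get-SyncPlan $cidrs $current 'O365_IPv4_LYO' | ForEach-Object {
    '{0} {1}' -f $_.command, ($_.body | ConvertTo-Json -Depth 4 -Compress)
}
```

Reviewing the printed plan before sending it gives a change record for each run; a plan with an unexpectedly large remove list usually means the feed download failed or was truncated.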

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Hi David,

That would be great if you can.

One thing we have though is that we need to open certain ports towards Azure (for instance the MSSQL management ports). We do this towards the whole Azure range, since we can't determine beforehand what IP it will be. I guess it could be scripted as well, but I'll look at that once we move to R80.

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Hi David, I am interested in the list of IPs that you had to put in for bypassing HTTPS inspection. Could you please share it?

Thank you.

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Here are the HTTPS inspection bypass rules we had to create in order to make the services work:

Skype for Business:

Source / Destination / Services / Site Category / Action

Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Any / Bypass

Internal_Nets / Internet / Skype_Entreprise / Skype_Custom_URLs / Bypass

Exchange Online (autodiscovery, etc.):

Source / Destination / Services / Site Category / Action

Internal_Nets / O365_IPv4_EXO / https / Any / Bypass

Internal_Nets / Internet / https / O365_URL_EXO / Bypass

We also had to add these rules in the Application policy:

Internal_Nets / O365_IPv4_EXO / http / Accept

Internal_Nets / O365_IPv4_EXO / https / Accept

Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Accept

Where:

O365_IPv4_LYO, O365_URL_EXO & O365_IPv4_EXO were created by our PowerShell script, e.g.:

Create-O365CheckpointObjects -Server cpserver -Service EXO -Type URL

The "Skype_Entreprise" service matches:

https, TCP/50000-59999, UDP/50000-59999, TCP/5223, UDP/3478

The "Skype_Custom_URLs" application/site corresponds to:

*.lync.com, lync.com, *.skype.com, skype.com, *.skype.net, skype.net, *.trouter.io

Raj_Khatri

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Can you explain how the 'ConvertFrom-O365AddressesXMLFile' & 'Create-O365CheckpointObjects.ps1' work hand in hand to create the objects? A little confused on how to get it working.

We are currently using Python scripts to import AWS & Azure ranges. Is there a Python script for creating the Office 365 ranges?

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

What is the best way to load the ConvertFrom-O365AddressesXMLFile module?

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

I found this to be helpful:

How to install PowerShell modules 

Overview - install updated version of powershell 5+

$Env:PSModulePath - Get the path to put the script

Create a directory for the script

Put the .ps1 in the directory

Rename it to .psm1

Import-module

Get-Module -ListAvailable - ensure it is showing in directory placed

run script

Notes

Run powershell as administrator

Likely will have to allow running unsigned scripts

Likely will have to enable api, ensure user has api access, and allow api access from a system other than the management server

0 Kudos

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

We are utilizing this script to the MDS IP address for the Global Policy. The script says it has been successful but we do not see any of the objects yet in the global policy. Any thoughts?

Re: Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

We are seeing similar issues as Eric. We can start the script, it will download the XML, match the filters, log in to the Check Point API, the script will run, create 288 objects, create the 10 groups or so, and publish successfully. But in the object explorer the groups are created but there are only 11 objects / networks. We are at version 80.10 Take 121.

0 Kudos