You can use show-opsec-applications to get the UIDs and then show-opsec-application to get the details you want.
I tweaked a script I use for crawling our domains for various other purposes to fit your requirement.
(The API User needs access to all domains.)
This is a read-only script, but please never run any script without understanding its purpose and what it does.
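<#
Walks every domain returned by show-domains on the management server and prints the
OPSEC application objects found in each one.

Only these web API calls are made: login, show-domains, show-opsec-applications,
show-opsec-application and logout. The API user needs access to all domains.
#>
Param(
    [string]$BaseUri = "https://10.10.10.10/web_api", # Set your MDS IP
    [string]$domain = "MDS", # Set your main Multidomain name
    [string]$user = "s_apiuser",
    # Placeholder value. Do not save a real password in this file; a value typed after
    # -password also ends up in command history and transcripts. Prefer -CheckpointCredential.
    [string]$password = "apipassword",
    [string]$debug = "off",
    # Optional. When supplied (for example from Get-Credential) it replaces $user/$password.
    # Declared last so existing positional calls keep working.
    [PSCredential]$CheckpointCredential
)

# SECURITY: the next line turns off TLS certificate validation for every request made by
# this PowerShell process, not only the calls below. The login body carries the API
# password and every later call carries the session id, so without validation the script
# cannot tell the real management server from a host that answers in its place.
# Prefer trusting the management server's certificate (or its issuing CA) on this machine
# and deleting this line.
# NOTE(review): on PowerShell 6+ Invoke-RestMethod does not consult ServicePointManager;
# the opt-out there is the -SkipCertificateCheck switch. Confirm which edition you run.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}

if ($CheckpointCredential) {
    $user = $CheckpointCredential.UserName
    $password = $CheckpointCredential.GetNetworkCredential().Password
}

$jsonHeader = @{ "content-type" = "application/json" }

# Login to the main domain and keep its session headers separately, so that this
# session can still be logged out after the per-domain logins below.
$loginData = @{
    "user"     = $user
    "password" = $password
    "domain"   = $domain
} | ConvertTo-Json
Write-Output "Invoking Login"
$login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers $jsonHeader
$mdsHeaders = @{
    "content-type" = "application/json"
    "x-chkp-sid"   = $login.sid
}

try {
    # NOTE(review): the list calls are sent with an empty body, so only the server's
    # default page of results is returned. Confirm the paging parameters in the API
    # reference if you have many domains or many OPSEC objects.
    $domains = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-domains" -Body "{}" -Headers $mdsHeaders

    foreach ($d in $domains.objects.name) {
        $loginData = @{
            "user"     = $user
            "password" = $password
            "domain"   = $d
        } | ConvertTo-Json
        if ($debug -eq "on") { Write-Output "Login to $($d) domain" }
        $login = Invoke-RestMethod -Method Post -Uri "$BaseUri/login" -Body $loginData -Headers $jsonHeader
        $headers = @{
            "content-type" = "application/json"
            "x-chkp-sid"   = $login.sid
        }
        if ($debug -eq "on") { Write-Output "Login complete" }

        try {
            $opsecobj = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-opsec-applications" -Body "{}" -Headers $headers

            # Normalise to an array and drop a possible $null, so that zero, one and
            # many objects are all counted correctly. The original test (-gt 1)
            # reported "none found" for a domain with exactly one OPSEC object.
            $found = @($opsecobj.objects | Where-Object { $null -ne $_ })

            if ($found.Count -gt 0) {
                foreach ($o in $found) {
                    $name = $o.name
                    Write-Output "$($d): Found OPSec Object: $($name)"
                    $opsecuid = $o.uid
                    $body = @{
                        "uid" = $opsecuid
                    } | ConvertTo-Json
                    ## Get the OPSEC Values you want by tweaking this section.
                    $opsec = Invoke-RestMethod -Method Post -Uri "$BaseUri/show-opsec-application" -Body $body -Headers $headers
                    Write-Output "Random opsec value for $($opsec.name) (Lea enabled): $($opsec.lea.enabled)"
                    ##
                }
            }
            else {
                Write-Output "Didnt find any opsec objects in domain $($d)"
            }
        }
        finally {
            # Attempt the domain logout even when a call above failed, so the
            # session is not left open on the server.
            $null = Invoke-RestMethod -Method Post -Uri "$BaseUri/logout" -Body "{}" -Headers $headers
        }
    }
}
finally {
    # The original never closed the first (main domain) session because its headers
    # were overwritten inside the loop.
    $null = Invoke-RestMethod -Method Post -Uri "$BaseUri/logout" -Body "{}" -Headers $mdsHeaders
}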