
PowerShell Script Server Error Forbidden

Hi Guys,

I want to use the following PowerShell script to sync the Office 365 URLs for SmartDashboard, but I get a Server Error: Forbidden. I use the Check Point admin user for this task.

Is this a rights problem or a missing "checkbox" error?

The PowerShell script:


<#
.SYNOPSIS
One way sync of Microsoft Office365 hosts & networks into Check Point groups.

.DESCRIPTION
This script will create/update Check Point groups for each Microsoft Office365 product, with the list of hosts & networks Microsoft publish.

.PARAMETER ManagementServer
IP or Hostname of the Check Point Management Server

.PARAMETER Credentials
PSCredential containing User name and Password. If not provided you will be prompted.

.PARAMETER CertificateHash
The server's SSL certificate hash

.PARAMETER ManagementPort
Port Web API running on.

.PARAMETER NoIPv4
Do not include IPv4 addresses.

.PARAMETER NoIPv6
Do not include IPv6 addresses.

.PARAMETER Publish
If any changes made publish them automatically. By default session will just be closed pending you to manually open session in SmartConsole and publish the changes.
Publish will only happen if no errors during sync.

.PARAMETER Ignore
Whether Check Point warnings or errors should be ignored.

.PARAMETER Rename
If existing object not found by name, first search by IP/Subnet and if matching object found rename it and add to group.

.PARAMETER Color
Check Point color to set on created objects.

.PARAMETER HostPrefix
Prefix used on host/network objects.

.PARAMETER GroupPrefix
Prefix used on group objects.

.PARAMETER CommentPrefix
Prefix used on comments (Groups, Session, Created Hosts & Networks).

.PARAMETER Tag
Tag set when creating objects.

.PARAMETER CertificateValidation
Which certificate validation method(s) to use.

.PARAMETER Instance
Specifies the instance to return the endpoints for.

.EXAMPLE
./Office365_Group_Sync.ps1 -NoIPv6 -Rename -Verbose

.NOTES
Requires psCheckPoint v0.7.9+.
#>
[CmdletBinding()]
param(
    # Parameter declarations without a default value were dropped from the forum
    # post; they are restored here from the help text above and the switches used
    # further down ($NoIPv4, $NoIPv6, $Publish, $Rename).
    [Parameter(Mandatory = $true)]
    [string]$ManagementServer,
    [Parameter(Mandatory = $true)]
    [PSCredential]$Credentials,
    [string]$CertificateHash,
    [int]$ManagementPort = 443,
    [switch]$NoIPv4,
    [switch]$NoIPv6,
    [switch]$Publish,
    [ValidateSet("No", "Warnings", "Errors")]
    [string]$Ignore = "No",
    [switch]$Rename,
    [string]$Color = "red",
    [string]$HostPrefix = "Microsoft",
    [string]$GroupPrefix = "Microsoft_Office365",
    [string]$CommentPrefix = "Microsoft Office365",
    [string]$Tag = "Microsoft_Office365",
    [ValidateSet("All", "Auto", "CertificatePinning", "None", "ValidCertificate")]
    [string]$CertificateValidation = "Auto",
    [ValidateSet("Worldwide", "China", "Germany", "USGovDoD", "USGovGCCHigh")]
    [string]$Instance = "Worldwide"
)

# path where client ID will be stored
$datapath = $Env:TEMP + "\MS_O365_ClientRequestId.txt";
Write-Verbose "Client ID File: $datapath";

# fetch client ID if data file exists; otherwise create new file
if (Test-Path $datapath) {
    $content = Get-Content $datapath;
    $clientRequestId = $content;
} else {
    Write-Verbose "Creating new Client ID";
    $clientRequestId = [GUID]::NewGuid().Guid;
    $clientRequestId | Out-File $datapath;
}
Write-Verbose "Client ID: $clientRequestId";

# Download Microsoft Cloud IP Ranges and Names into Object
# The web-service base URL was stripped from the post; https://endpoints.office.com
# is Microsoft's documented Office 365 IP address and URL web service (assumption).
$Version = Invoke-RestMethod "https://endpoints.office.com/version/$($Instance)?ClientRequestId=$clientRequestId";
Write-Verbose "Version: $($Version.latest)";
$O365IPAddresses = Invoke-RestMethod "https://endpoints.office.com/endpoints/$($Instance)?ClientRequestId=$clientRequestId";

# Set variables
$Updated = ([datetime]::ParseExact($Version.latest.Substring(0, 8), "yyyyMMdd", [System.Globalization.CultureInfo]::InvariantCulture)).ToShortDateString();
$Comments = "$CommentPrefix added $Updated";
$GroupComments = "$CommentPrefix updated $Updated";
$Errors = 0;

# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** ";
$Session = Open-CheckPointSession -SessionName $CommentPrefix -SessionComments "$CommentPrefix Group Sync" -ManagementServer $ManagementServer -ManagementPort $ManagementPort -Credentials $Credentials -CertificateValidation $CertificateValidation -CertificateHash $CertificateHash -PassThru;
if (-not $Session) {
    # Failed login; nothing else can run without a session
    # (the original statement in this block was lost in the post)
    exit 1;
}

$ServiceAreas = $O365IPAddresses | Select-Object -ExpandProperty serviceArea | Sort-Object -Unique

ForEach ($ServiceArea in $ServiceAreas) {
    $GroupName = $GroupPrefix + "_" + $ServiceArea;
    Write-Verbose "Processing $GroupName";

    # all IPs/subnets published for this service area
    $ServiceAreaIPs = $O365IPAddresses | Where-Object {$_.serviceArea -eq $ServiceArea -and $_.ips} | Select-Object -ExpandProperty ips;
    if ($NoIPv4.IsPresent) {
        # IPv4 entries are the ones containing a dot
        $ServiceAreaIPs = $ServiceAreaIPs | Where-Object { $_ -notmatch "\." }
    }
    if ($NoIPv6.IsPresent) {
        # IPv6 entries are the ones containing a colon
        $ServiceAreaIPs = $ServiceAreaIPs | Where-Object { $_ -notmatch ":" }
    }

    $ServiceAreaIPs |
        Invoke-CheckPointGroupSync -Session $Session -GroupName $GroupName -Prefix "${HostPrefix}_" -Rename:$Rename.IsPresent -Ignore $Ignore -Color $Color -Comments $Comments -Tags $Tag -CreateGroup |
        Tee-Object -Variable output;
    if (($output | Where-Object {$_.Actions -ne 0 -and -not $_.Error} | Measure-Object).Count -ne 0) {
        # Updates made
        Write-Verbose "Updating $GroupName group's comment";
        $Group = Set-CheckPointGroup -Session $Session -Name $GroupName -Comments "$GroupComments" -Verbose:$false -PassThru;
    }
    $Errors = $Errors + ($output | Where-Object {$_.Error} | Measure-Object).Count;
}

$Stats = Get-CheckPointSession -Session $Session -UID $Session.UID
Write-Verbose "Total Errors: $Errors";
if ($Stats.Changes -eq 0) {
    Write-Host "No changes made. Closing session.";
    Reset-CheckPointSession -Session $Session -Verbose:$false;
    Close-CheckPointSession -Session $Session -Verbose:$false;
} elseif ($Publish.IsPresent -and $Errors -eq 0) {
    # Publish Changes
    Write-Host "Publishing $($Stats.Changes) changes.";
    Publish-CheckPointSession -Session $Session -Verbose:$false;
    Close-CheckPointSession -Session $Session -Verbose:$false;
} else {
    # Logout from Check Point API
    Write-Host "View $($Stats.Changes) changes in SmartConsole to publish.";
    Close-CheckPointSession -Session $Session -ContinueSessionInSmartconsole -Verbose:$false;
}

The error:

Open-CheckPointSession : Server Error: Forbidden
In C:\Users\PaGuenther\Downloads\psCheckPoint-Examples-GroupSync\Office365_Group_Sync.ps1:125 Zeichen:12
+ $Session = Open-CheckPointSession -SessionName $CommentPrefix -Sessio ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : Verbindungsfehler: (psCheckPoint.Se...eckPointSession:OpenCheckPointSession) [Open-CheckPointSession], GenericException
+ FullyQualifiedErrorId : Server Error: Forbidden,psCheckPoint.Session.OpenCheckPointSession

Thanks for your Help

4 Replies

Since this was Tim Koopman's script, let's tag him.

You might also provide how you invoked this script.


Also, did you enable the API server?

It's not enabled by default.


So if this is the first time using any API access, I would first do as Dameon Welch Abernathy suggests and confirm the API is enabled. Forbidden is the expected error for the server to respond with if the API is enabled but not for your IP address, or if the API is disabled but the server is still listening on that port for other services.

So please confirm the API is started and your IP is allowed, by setting "Accept API calls from" to either "All IP addresses that can be used for GUI clients" or "All IP Addresses". The first is more secure; just make sure your IP is one of the allowed GUI client IPs.

Please let us know if this doesn't help.

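A preflight probe that separates the cases described in the reply above (API reachable, API listening but refusing this client, nothing answering) before the sync script ever calls Open-CheckPointSession. This is an added example, not code from the thread or from the psCheckPoint project. It assumes that the Management API's show-api-versions command answers without a session, that the server name mgmt.example.com is a placeholder, and that the SmartConsole menu location named in the message matches your release.

```powershell
# Added example (not from the thread or from psCheckPoint): probe the Management
# API and map the answer onto the causes of "Server Error: Forbidden" discussed above.
# Assumption: show-api-versions needs no session, so the probe works before login.
function Test-CheckPointApiAccess {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string]$ManagementServer,
        [int]$ManagementPort = 443,
        # The management server uses a self-signed certificate by default. Skipping
        # validation (PowerShell 6+ only; ignored on Windows PowerShell 5.1) is
        # acceptable for this read-only probe; the real session should pin or validate.
        [switch]$SkipCertificateCheck
    )

    $request = @{
        Uri         = "https://${ManagementServer}:${ManagementPort}/web_api/show-api-versions"
        Method      = 'Post'
        ContentType = 'application/json'
        Body        = '{}'
        TimeoutSec  = 15
    }
    if ($SkipCertificateCheck -and $PSVersionTable.PSVersion.Major -ge 6) {
        $request['SkipCertificateCheck'] = $true
    }

    try {
        $response = Invoke-WebRequest @request -UseBasicParsing
        $versions = $response.Content | ConvertFrom-Json
        return [pscustomobject]@{
            Status = 'Reachable'
            Detail = "API server answered; current API version $($versions.'current-version')."
        }
    }
    catch {
        # Windows PowerShell raises WebException, PowerShell 6+ raises
        # HttpResponseException; both expose Response.StatusCode when the server
        # answered at all. No Response means the TCP/TLS layer already failed.
        $code = $null
        if ($_.Exception.Response) { $code = [int]$_.Exception.Response.StatusCode }

        if ($null -eq $code) {
            $status = 'Unreachable'
            $detail = "No HTTP answer from ${ManagementServer}:${ManagementPort} ($($_.Exception.Message)). " +
                      "Check the port, routing and firewalls in between, and on Windows PowerShell whether the server certificate is trusted."
        }
        elseif ($code -eq 403) {
            # Exactly the case in the thread: the port is served, but API calls from
            # this client are refused (API disabled, or this address not allowed).
            $status = 'Forbidden'
            $detail = "The server is listening but rejects API calls from this client. Run 'api status' on the management server " +
                      "and check 'Accept API calls from' in SmartConsole (Manage & Settings > Blades > Management API): " +
                      "this client's address must be an allowed GUI client, or the setting must be 'All IP Addresses'."
        }
        else {
            $status = 'Error'
            $detail = "HTTP $code from the API server: $($_.Exception.Message)"
        }
        return [pscustomobject]@{ Status = $status; Detail = $detail }
    }
}

# Usage: probe with the same server and port the sync script uses and only start
# the sync when the API is actually reachable. mgmt.example.com is a placeholder.
$probe = Test-CheckPointApiAccess -ManagementServer 'mgmt.example.com' -SkipCertificateCheck
Write-Host "[$($probe.Status)] $($probe.Detail)"
if ($probe.Status -ne 'Reachable') { exit 1 }
```

The probe deliberately sends no credentials, so it cannot lock out the admin account while you are still sorting out the API allow-list; once it reports Reachable, the Forbidden from Open-CheckPointSession can only be an authentication or permissions issue rather than the API server settings discussed here.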

And make sure you are patched. Vanilla R80.10 has a .... feature where it will fail to start if you select to allow only GUI clients to connect.

That was fixed in a jumbo hotfix.
