Hi,
Here is a PowerShell script that will automate the creation of all Office 365 IP addresses and URLs in an R80+ management server:
*** UPDATE ***
Here is an improved version of the script: Create-O365CheckpointObjects.ps1
It depends on the ConvertFrom-O365AddressesXMLFile module (https://github.com/it-praktyk/Conver...dressesXMLFile), so you need to install it first.
Here is the help :
NAME
Create-O365CheckpointObjects.ps1
SYNOPSIS
Create the required objects in a Checkpoint R80+ management server to allow Office 365 traffic
SYNTAX
Create-O365CheckpointObjects.ps1 [-Server] <String> [[-Port] <Int32>]
[[-DomainName] <String>] [[-Service] <String>] [[-Prefix] <String>] [[-Category] <String>] [-Type] <String>
[<CommonParameters>]
DESCRIPTION
This script will connect to https://support.content.office.net/en-us/static/O365IPAddresses.xml
and download an XML file containing the required objects to allow Office 365 traffic to pass.
It will then create the objects (IPv4, IPv6 addresses or URLs) in the Checkpoint management
server using the R80+ API, according to the selected parameters.
It depends on the ConvertFrom-O365AddressesXMLFile module
(https://github.com/it-praktyk/Convert-Office365NetworksData/tree/master/ConvertFrom-O365AddressesXMLFile).
PARAMETERS
-Server <String>
The mandatory Checkpoint management server hostname or IP address
-Port <Int32>
The Checkpoint R80 API port
By default, 443 will be used
-DomainName <String>
-Service <String>
An optional Office 365 service to filter on (among "WAC", "Sway", "Planner", "Yammer", "OfficeMobile", "ProPlus",
"RCA", "OneNote", "OfficeiPad", "EXO", "SPO", "Office365Video", "LYO", "Identity", "CRLs", "o365" and "EOP").
If not specified, objects for all Office 365 services will be created
-Prefix <String>
A prefix for the Office 365 objects in the Checkpoint management server
By default, "O365" will be used
-Category <String>
The primary category for the Office 365 application objects in the Checkpoint management server
By default, "Microsoft & Office365 Services" will be used
-Type <String>
A mandatory object type to filter on (among "IPv4","IPv6","URL")
<CommonParameters>
This cmdlet supports the common parameters: Verbose, Debug,
ErrorAction, ErrorVariable, WarningAction, WarningVariable,
OutBuffer, PipelineVariable and OutVariable. For more information, see
about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).
-------------------------- EXAMPLE 1 --------------------------
PS C:\>Create-O365CheckpointObjects -Server cpserver -Type IPv4
Description:
Will create the IPv4 objects for all the Office 365 apps in a Checkpoint management server
named "cpserver"
-------------------------- EXAMPLE 2 --------------------------
PS C:\>Create-O365CheckpointObjects -Server cpserver -Service LYO -Type IPv6 -Verbose
Description:
Will create the IPv6 network objects for Skype for Business in a Checkpoint management server
named "cpserver"
-------------------------- EXAMPLE 3 --------------------------
PS C:\>Create-O365CheckpointObjects -Server cpserver -Service EOP -Type URL -Category "Exchange"
Description:
Will create an application object for Exchange Online, with the required URLs, and a primary
category set to "Exchange"
NOTES
To see the examples, type: "get-help Create-O365CheckpointObjects.ps1 -examples".
For more information, type: "get-help Create-O365CheckpointObjects.ps1 -detailed".
For technical information, type: "get-help Create-O365CheckpointObjects.ps1 -full".
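As an added illustration (not David's script and not the ConvertFrom-O365AddressesXMLFile module), this PowerShell sketch shows the two phases the help text describes and how they hand over to each other: filtering the XML feed down to one service and object type, then creating the objects through the R80+ Management API with login, add-*, publish and logout. The server name, the API user, the object naming scheme and the XML fragment are assumptions; it expects the API to be enabled and the user to have API access, as noted later in the thread.

```powershell
# Added example, not David's script: parse the O365IPAddresses.xml feed, then push objects
# through the R80+ Management API. Server name, API user and the XML below are assumptions.
param([string]$Server = 'cpserver', [int]$Port = 443, [string]$Service = 'EXO',
      [ValidateSet('IPv4', 'IPv6', 'URL')][string]$Type = 'IPv4', [string]$Prefix = 'O365')
# Constructed sample in the layout of the retired O365IPAddresses.xml feed.
[xml]$feed = @'
<products updated="1/1/2018">
  <product name="EXO">
    <addresslist type="IPv4"><address>40.92.0.0/15</address><address>40.93.0.1</address></addresslist>
    <addresslist type="URL"><address>*.outlook.com</address><address>outlook.office365.com</address></addresslist>
  </product>
</products>
'@
# Phase 1: reduce the feed to the requested service and object type.
$addresses = @($feed.products.product | Where-Object { $_.name -eq $Service } |
    ForEach-Object { $_.addresslist } | Where-Object { $_.type -eq $Type } | ForEach-Object { $_.address })
# Phase 2: Management API session. login returns a session id that every later call must
# send in the X-chkp-sid header; nothing is visible to other admins until publish.
# The server certificate must be trusted by this host (PowerShell 6+ has -SkipCertificateCheck).
$base = "https://${Server}:${Port}/web_api"
$cred = Get-Credential -Message 'Check Point API user'
$login = Invoke-RestMethod -Method Post -Uri "$base/login" -ContentType 'application/json' `
    -Body (@{ user = $cred.UserName; password = $cred.GetNetworkCredential().Password } | ConvertTo-Json)
$headers = @{ 'X-chkp-sid' = $login.sid }
function Invoke-CpApi([string]$Command, [hashtable]$Payload = @{}) {
    Invoke-RestMethod -Method Post -Uri "$base/$Command" -Headers $headers `
        -ContentType 'application/json' -Body ($Payload | ConvertTo-Json -Depth 5)
}
$objName = "${Prefix}_${Type}_${Service}"
if ($Type -eq 'URL') {
    # URLs become one application/site object with a primary category (EXAMPLE 3 of the help).
    Invoke-CpApi 'add-application-site' @{ name = $objName; 'url-list' = $addresses
                                           'primary-category' = 'Microsoft & Office365 Services' }
} else {
    # Networks (CIDR) and single hosts land in one group that the rulebase can reference.
    Invoke-CpApi 'add-group' @{ name = $objName }
    foreach ($a in $addresses) {
        $name = "${objName}_" + ($a -replace '[^A-Za-z0-9]', '_')
        if ($a -match '^(.+)/(\d+)$') {
            Invoke-CpApi 'add-network' @{ name = $name; subnet = $Matches[1]
                                          'mask-length' = [int]$Matches[2]; groups = @($objName) }
        } else {
            Invoke-CpApi 'add-host' @{ name = $name; 'ip-address' = $a; groups = @($objName) }
        }
    }
}
Invoke-CpApi 'publish'
Invoke-CpApi 'logout'
```

Running it a second time fails on the add-* calls because the names already exist; a scheduled run of the kind discussed below would need to check with show-* first or delete and recreate the group.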
Awesome stuff! This is very similar to what I did in this thread Adding members to a group
The biggest issue we face with O365 is keeping the IP list up-to-date since it is so dynamic. What would happen if you run this script say every week? Is it designed for that?
Yes, you can use this script to add new IP addresses every month, for example. But I think it's not going to work perfectly, as Microsoft uses CDNs like Akamai to host some content, and these IP addresses are not documented.
We have chosen to use the AppControl + URL Filtering + HTTPS Inspection blades and to base our rules on URLs and applications, not IP ranges. We had to make HTTPS Inspection bypasses on specific IP addresses to make Skype and Outlook work flawlessly, but so far it's working. I can give you some details on our policy on demand.
Hi David,
That would be great if you can.
One thing we have though is that we need to open certain ports towards Azure (for instance the MSSQL management ports). We do this towards the whole Azure range, since we can't determine beforehand what IP it will be. I guess it could be scripted as well, but I'll look at that once we move to R80.
Hi David, I am interested in the list of IPs that you had to add to bypass HTTPS inspection; could you please share it?
Thank you.
Here are the HTTPS inspection bypass rules we had to create in order to make the services work:
Skype for Business:
Source / Destination / Services / Site Category / Action
Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Any / Bypass
Internal_Nets / Internet / Skype_Entreprise / Skype_Custom_URLs / Bypass
Exchange Online (autodiscovery, etc.):
Source / Destination / Services / Site Category / Action
Internal_Nets / O365_IPv4_EXO / https / Any / Bypass
Internal_Nets / Internet / https / O365_URL_EXO / Bypass
We also had to add these rules in the Application policy :
Internal_Nets / O365_IPv4_EXO / http / Accept
Internal_Nets / O365_IPv4_EXO / https / Accept
Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Accept
Where:
O365_IPv4_LYO, O365_URL_EXO and O365_IPv4_EXO were created by our PowerShell script, e.g.:
Create-O365CheckpointObjects -Server cpserver -Service EXO -Type URL
The "Skype_Entreprise" service matches:
https, TCP/50000-59999, UDP/50000-59999, TCP/5223, UDP/3478
The "Skype_Custom_URLs" application/site corresponds to:
*.lync.com, lync.com, *.skype.com, skype.com, *.skype.net, skype.net, *.trouter.io
Can you explain how the 'ConvertFrom-O365AddressesXMLFile' & 'Create-O365CheckpointObjects.ps1' work hand in hand to create the objects? A little confused on how to get it working.
We are currently using Python scripts to import AWS and Azure ranges. Is there a Python script for creating the Office 365 ranges?
What is the best way to load the ConvertFrom-O365AddressesXMLFile module?
I found this to be helpful:
How to install PowerShell modules
Overview: install an updated version of PowerShell (5+)
$Env:PSModulePath: get the path to put the script in
Create a directory for the script
Put the .ps1 in the directory
Rename it to .psm1
Import-Module
Get-Module -ListAvailable: ensure it is showing in the directory where it was placed
Run the script
Notes
Run PowerShell as administrator
Likely will have to allow running unsigned scripts
Likely will have to enable the API, ensure the user has API access, and allow API access from a system other than the management server
We are utilizing this script against the MDS IP address for the Global Policy. The script says it has been successful, but we do not see any of the objects yet in the Global Policy. Any thoughts?
We are seeing similar issues as Eric. We can start the script; it will download the XML, match the filters, log in to the Check Point API, run, create 288 objects, create the 10 groups or so, and publish successfully. But in the object explorer the groups are created but there are only 11 objects/networks. We are at version 80.10 Take 121.
Hello,
New URL to download the prerequisite module:
While reviewing David's code for my CPX 2020 presentation 'CheckMates - Best of Code Hub Contributions' in Vienna on February 5th, 2020 (14:00 - 14:30) I noticed that this solution has become OBSOLETE because: