This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
David_GOURANTON
Participant
‎2017-03-13 02:35 AM

Powershell script to automate the creation of required Office 365 IP addresses or URLs in a Checkpoint management server

Hi,

Here is a Powershell script that will automate the creation of all Office 365 IP addresses and URLs in a management server R80+ :

*** UPDATE ***

Here is an improved version of the script : Create-O365CheckpointObjects.ps1

It depends on the ConvertFrom-O365AddressesXMLFile module (https://github.com/it-praktyk/Conver...dressesXMLFile). So you need to install it first.

Here is the help :

NOM  Create-O365CheckpointObjects.ps1RÉSUMÉ  Create the required objects in a Checkpoint R80+ management server to allow Office 365 trafficSYNTAXE  Create-O365CheckpointObjects.ps1 [-Server] <String> [[-Port] <Int32>]  [[-DomainName] <String>] [[-Service] <String>] [[-Prefix] <String>] [[-Category] <String>] [-Type] <String>  [<CommonParameters>]DESCRIPTION  This script will connect to https://support.content.office.net/en-us/static/O365IPAddresses.xml  and download an XML file containing the required objects to allow Office 365 traffic to pass.  It will then create the objects (IPv4, IPv6 addresses or URLs) into the Checkpoint management  server using the R80+ API, according to the selected parameters.  It depends on the ConvertFrom-O365AddressesXMLFile module  (https://github.com/it-praktyk/Convert-Office365NetworksData/tree/master/ConvertFrom-O365AddressesXMLFile).PARAMÈTRES  -Server <String>  The mandatory Checkpoint management server hostname or IP address  -Port <Int32>  The Checkpoint R80 API port  By default, 443 will be used  -DomainName <String>  -Service <String>  An optional Office 365 to filter on (among "WAC","Sway","Planner","Yammer","OfficeMobile", "ProPlus",  "RCA","OneNote","OfficeiPad","EXO","SPO","Office365Video","LYO","Identity","CRLs","o365" and "EOP"  If not specified, all Office 365 services objects will be created  -Prefix <String>  A prefix for the Office 365 objects in the Checkpoint management server  By default, "O365" will be used  -Category <String>  The primary category for the Office 365 application objects in the Checkpoint management server  By default, "Microsoft & Office365 Services" will be used  -Type <String>  A mandatory object type to filter on (among "IPv4","IPv6","URL")  <CommonParameters>  Cette applet de commande prend en charge les paramètres courants*: Verbose, Debug,  ErrorAction, ErrorVariable, WarningAction, WarningVariable,  OutBuffer, PipelineVariable et OutVariable. Pour plus d’informations, voir  about_CommonParameters (http://go.microsoft.com/fwlink/?LinkID=113216).  -------------------------- EXEMPLE 1 --------------------------  PS C:\>Create-O365CheckpointObjects -Server cpserver -Type IPv4  Description:  Will create the IPv4 objects for all the Office 365 apps in a Checkpoint management server  named "cpserver"  -------------------------- EXEMPLE 2 --------------------------  PS C:\>Create-O365CheckpointObjects -Server cpserver -Service LYO -Type IPv6 -Verbose  Description:  Will create the IPv6 network objects for Skype for Business in a Checkpoint management server  named "cpserver"  -------------------------- EXEMPLE 3 --------------------------  PS C:\>Create-O365CheckpointObjects -Server cpserver -Service EOP -Type URL -Category "Exchange"  Description:  Will create an application object for Exchange Online, with the required URLs, and a primary  category set to "Exchange"REMARQUES  Pour consulter les exemples, tapez: "get-help Create-O365CheckpointObjects.ps1 -examples".  Pour plus d'informations, tapez: "get-help Create-O365CheckpointObjects.ps1  -detailed".  Pour obtenir des informations techniques, tapez: "get-help Create-O365CheckpointObjects.ps1 -full".‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍
13 Replies
Quinn_Yost
Contributor
‎2017-03-21 07:22 PM

Awesome stuff!    This is very similar to what I did in this thread Adding members to a group

Stan_Damen
Participant
‎2017-03-30 02:32 AM

The biggest issue we face with O365 is keeping the IP list up-to-date since it is so dynamic. What would happen if you run this script say every week? Is it designed for that?

David_GOURANTON
Participant
‎2017-04-03 02:06 AM
In response to Stan_Damen

Yes you can use this script to add new IP addresses every month for example. But I think it's not going to work perfectly, as Microsoft uses CDNs like Akamai to host some content, and these IP addresses are not documented.

We have chosen to use the AppControl + URL Filtering + HTTPS Inspection blades and to base our rules on URLs and applications, not IP ranges. We had to make HTTPS Inspection bypasses on specific IP addresses to make Skype and Outlook work flawlessly, but so far it's working. I can give you some details on our policy on demand.

Stan_Damen
Participant
‎2017-04-07 04:35 AM
In response to David_GOURANTON

Hi David,

That would be great if you can.

One thing we have though is that we need to open certain ports towards Azure (for instance the MSSQL management ports). We do this towards the whole Azure range, since we can't determine beforehand what IP it will be. I guess it could be scripted as well, but I'll look at that once we move to R80.

Regis_Klein
Participant
‎2017-04-14 02:35 AM
In response to David_GOURANTON

Hi David, I am interested into the list of IP that you had to put for bypassing HTTPS inspection, could you please share it ?

Thank you.

David_GOURANTON
Participant
‎2017-04-19 04:01 AM
In response to Regis_Klein

Here are the HTTPS inspection bypass rules we had to create in order to make to services work :

Skype for Business :

Source / Destination / Services / Site Category / Action

Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Any / Bypass

Internal_Nets / Internet / Skype_Entreprise / Skype_Custom_URLs / Bypass

Exchange Online (autodiscovery, etc) :

Source / Destination / Services / Site Category / Action

Internal_Nets / O365_IPv4_EXO / https / Any / Bypass

Internal_Nets / Internet  / https / O365_URL_EXO / Bypass

We also had to add these rules in the Application policy :

Internal_Nets / O365_IPv4_EXO / http / Accept

Internal_Nets / O365_IPv4_EXO / https / Accept

Internal_Nets / O365_IPv4_LYO / Skype_Entreprise / Accept

Where :

O365_IPv4_LYO, O365_URL_EXO & O365_IPv4_EXO where created by our Powershell script, eg :

Create-O365CheckpointObjects -Server cpserver -Service EXO -Type URL

The "Skype_Entreprise" service matches :

https, TCP/50000-59999, UDP/50000-59999, TCP/5223, UDP/3478

The "Skype_Custom_URLs" application/site corresponds to :

*.lync.com, lync.com, *.skype.com, skype.com, *.skype.net, skype.net, *.trouter.io

Raj_Khatri
Advisor
‎2017-12-20 06:02 AM

Can you explain how the 'ConvertFrom-O365AddressesXMLFile' & 'Create-O365CheckpointObjects.ps1' work hand in hand to create the objects?  A little confused on how to get it working.

We are current using Python scripts to import AWS & Azure ranges.  Is there a Python script for creating the Office 365 ranges?

0 Kudos
Cecil_Jackson
Explorer
‎2018-07-23 02:17 PM

What is the best way to load the ConvertFrom-O365AddressesXMLFile module?

0 Kudos
Security_Admini
Explorer
‎2018-09-19 12:30 PM
In response to Cecil_Jackson

I found this to be helpful:

How to install PowerShell modules 

Overview - install updated version of powershell 5+

$Env:PSModulePath - Get the path to put the script

Create a directory for the script

Put the .ps1 in the directory

Rename it to .psm1

Import-module

Get-Module -ListAvailable - ensure it is showing in directory placed

run script

Notes

Run powershell as administrator

Likely will have to allow running unsigned scripts

Likely will have to enable api, ensure user has api access, and allow api access from a system other than the management server

0 Kudos
Eric_Knopp
Participant
‎2018-08-20 04:39 AM

We are utilizing this script to the MDS IP address for the Global Policy. The script says it has been successful but we do not see any of the objects yet in the global policy. Any thoughts?

Security_Admini
Explorer
‎2018-09-19 12:38 PM

We are seeing similar issues as Eric. We can start the script, it will download the xml, match the filters, login to the Check Point api, the script will run, create 288 objects, create the 10 groups or so, and publish successfully. But in the object explorer the groups are created but there are only 11 objects / networks. We are at version 80.10 Take 121

Danny
Champion Champion
Champion
‎2020-01-03 03:53 AM
In response to LBalmont

While reviewing David's code for my CPX 2020 presentation 'CheckMates - Best of Code Hub Contributions' in Vienna on February 5th, 2020 (14:00 - 14:30) I noticed that this solution has become OBSOLETE because:

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top