As pet project I was looking for a script to fill objects based on an Active Directory list of machines.

So it would gather a list of machines in Active Directory and get their IP addresses (IPv4 and IPv6) and then check if the object is present allready. If it is still not present it would create one.

as it will also serve me as a way to learn yet another scripting language (PowerShell) it may take a while befoe anything usefull will be there.

As soon as the first bits are available I will post it somewhere.

I have been testing a script bug I wanted to add both IPv4 and IPv6 addresses where available. But it seems my syntax is not correct.

The relevant code snippet is:

foreach ($Computer in $ADcomputers) {
  $Computer
  $NU = Get-Date
  if ($Computer.Enabled -eq $True) {
    if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
      $IPaddress = ($Computer.IPv4Address,$Computer.IPv6Address)
    } elseif ($Computer.IPv4Address -ne $Null) {
      $IPaddress = $Computer.IPv4Address
    }
    $IPaddress
    Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipaddress $IPaddress -Tag ActiveDirectory,$Computer.DNSHostName -Color Red -Groups ActiveDirectoryHosts -Comments "$Computer.DistinguishedName added $NU"
  }
}

I as still finding my way around in PowerShell as scripting language so I might be doing something incredible stupid here and just not seeing it.

It seems you have not done any view of find snippets (yet).

At the moment I just get errors when I rerun the same script because the object are allready present. I would prefer to verify if the object is allready there before I attempt to add it.

Do you plan to add these features?

Just updated the code to allow both IPv4 and IPv6 IPs to be added. Also added the option to SetIfExists.

I did just add SetIfExists option from the Web API. If it exists in the Web API then it is my plan to add it to the module as well but only as time permits.

Wonderful. I'll see if I can put it to good use.

Thanks.

I got it sort of working. But with a big issue. I now have group objects that are being locked. And I have no idea how I can unlock those objects so I can delete them.

The current script:

# PowerShell script to read Computer details from Comandline

# Import Modules
import-module ActiveDirectory
import-module .\CheckPoint.psm1

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"

# Read Active Directory Computerlist
$ADComputers = Get-ADComputer -Filter * -Property Name,IPv4Address,IPv6Address

## Output to screen
$DNSRoot
$ADComputers|Format-Table Name,DNSHostname,IPv4Address,IPv6Address

# Ignore Certificate Block on self-sign certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$CPsession = Invoke-CPLogin

# Create ActiveDirectory Group
Write-Host " *** Adding Group $ADG *** "
Add-CPGroup -Session $CPsession -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments"

foreach ($Computer in $ADcomputers) {
  $NOW = Get-Date
  if ($Computer.Enabled -eq $True) {
    $CDN = $Computer.DistinguishedName
    Write-Host " *** Adding Host $CDN *** "
    if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
      Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
    } elseif ($Computer.IPv4Address -ne $Null) {
      Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
    }
  }
}

# Publish Changes
Invoke-CPPublish -Session $CPsession

# Logout from Check Point API
Invoke-CPLogout -Session $CPsession

# Remove Modules
Remove-Module ActiveDirectory
Remove-Module CheckPoint

# DONE!

My lab now looks like:

With the details:

Hey,

Can you check if you have any disconnected sessions? You can see this in SmartConsole > Manage & Settings > Sessions

If there is you can use the options there to fix the problem. If this happens from using the Web API it would normally be because a session was disconnected / logged off before publishing or discarding the changes.

Tim

Thank Ton,

It seems I have a load of them. I think I need to do this better in my script.

At the moment I do:

1. Invoke-CPLogin
2. Do my stuff with objects
3. Invoke-CPPublish
4. Invoke-CPLogout

I noticed you did use Invoke-CPContinueSessionInSmartconsole instead of my steps 3 and 4.

My option made more sense to me. But I might be totally wrong here. (Or the API might be off)

After cleaning out my list of sessions and discarding options there I lost the locks. I will do some more testing to see if the script does in fact result in unpublished and discarded sessions.

It seems you need to discard the session after the publish action to get rid of it. That sounds a bit ... odd to me but this worked:

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$Session = Invoke-CPLogin

.....

# Publish Changes
Write-Host " *** Publish Session changes *** "
Invoke-CPPublish -Session $Session

# Logout from Check Point API
Write-Host " *** Logout Session *** "
Invoke-CPDiscard -Session $Session
Invoke-CPLogout -Session $Session

That is weird and shouldn't be that way at all, and defiantly doesn't do that for me.

You running the latest R80.10 jumbo hotfix? Not sure if it will make any difference but that is what I am running on my test manager.

Regards

Tim

Installed Hotfixes:

Which looks arther up-to-date to me.

Tim,

I notied you updated the module and added a few functions. Are you planning on doing anything with the Show features on the API to get data out of the system?

Morning Hugo,

The new module does already have get methods for hosts, networks & groups and more to be added as I add each other object type.

You can see a basic list of what has been implemented in the new module on the Git wiki page Home · tkoopman/psCheckPoint Wiki · GitHub .

As you have already used the old module just be away that I have renamed some of the methods in the new module to better align with the correct verbs and naming standards. They shouldn't change again now.

Look forward to more feedback.

Tim.

Tim,

It seems I mist understand the module.

If I get ALL the hosts I can see for example:

Groups : {ActiveDirectoryHosts-hvdk.qilab.lan}
ipv4Address : 172.21.15.14
ipv6Address : 2001:db8:15::14
Icon : Objects/host
MetaInfo : psCheckPoint.Objects.CheckPointMetaInfo
ReadOnly : False
Tags : {hvdk.qilab.lan, ActiveDirectory}
Color : cyan
Comments : CN=VP,CN=Computers,DC=hvdk,DC=qilab,DC=lan added 08/09/2017 12:45:49
Name : vp.hvdk.qilab.lan
UID : cbba1bc6-bdf0-47aa-9e9b-5e947de459f2
Type : host
Domain : psCheckPoint.Objects.CheckPointDomain

But finding a host by name fails:

Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
Get-CheckPointHosts : Cannot bind parameter 'Name'. Cannot convert value "vp.hvdk.qilab.lan" to type "System.Int32". Error: "Input string was not in a correct format."
At line:1 char:45
+ Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-CheckPointHosts], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,psCheckPoint.Objects.Host.GetCheckPointHosts

The Get-Help output suggest that -Name takes a string as argument.

  Am I missing something obvious here?

Hi,

When getting a single host the command is Get-CheckPointHost with no "s" on the end.

Tim

Tim,

Check. I knew I was doing something silly.

Thanks for pointing out the typo.

Tim,

The module is also very usefull if you have a Linux machine with PowerShell on it.

It works just as easily.

Keep up the good work!

Let me know if I can lend a hand.

Regards,

Hugo

Hi,

Thanks Hugo for feedback. I was wondering if it would work in Linux or if I would have to change to using .NET Core.

I am slowly adding more and more to it. Hoping to do a new release this weekend, which will add one new feature as well as more standard API commands added. That said if you have skills in either c# or currently could use someone who is good as HTML & JavaScript to help make new feature better looking. I am not so good with making good looking visual stuff

New feature is, being able to do a export of a rule that will also get all objects used by that rule to export with it. I love Copy Rule as Image feature in SmartConsole but currently hate the follow-up questions it generates like what is in XYZ group. So this will fix that easily.

Other than that keep testing and letting me know of any problems, that is a big help.

Regards

Tim

Is there a lag between the GITHUB version and  the imported module?

I was trying to get-help on the rules but there is none there yet.

Yes. I don't publish a new release every time I update GitHub.

That said I did just publish v0.3.0.

Tim,

I have done a bit of tinkering myself and added the timestamp as a tag. If you can update each entry you can see if old timestamps are present and delete them as they are no longer in use.

Hi Hugo,

I take it this is for the O365 example? Good to see you also still working on it. I had already updated the copy in the Examples folder on GitHub, so it removes old entries by using the Compare-Object command. That way it doesn't even need to touch entries that have not changed.

I am thinking of adding a copy of all examples to the documentation site so they are easier found. Until then they can be found here.

Regards

Tim

I'm trying here to install the module, but I'm getting some error:

Você está instalando o(s) módulo(s) de um repositório não confiável. Se você confia nesse repositório, altere o
respectivo valor InstallationPolicy executando o cmdlet Set-PSRepository.
Are you sure you want to install software from 'https://www.powershellgallery.com/api/v2/'?
[S] Sim [A] Sim para Todos [N] Não [T] Não para Todos [U] Suspender [?] Ajuda (o padrão é "N"): S
AVISO: O módulo 'psCheckPoint' não pode ser instalado ou atualizado porque não é um módulo formado corretamente.

It is portuguese, but it says that the psCheckPoint module cannot be installed cause is not a "properly formed module"

Any clue?   

Hi,

That's not good. I am not getting any errors on my versions of PowerShell I tested. Could you please provide the output of the following commands. Please translate anything that looks important

$PSVersionTable
$PSUICulture
Install-Module psCheckPoint -Scope CurrentUser -Verbose‍‍‍

Once I get that I will see if I can reproduce the problem and fix it.

Regards

Tim

Hi guys, impressive work until now.

If I remember correctly, there was an issue of disconnected sessions on management server database. This issue was already fixed.

Hugo, if you have one of latests jumbos installed, it should work without issue.

This is NOT due to Tim's tool!

In any case, read my answer in this post on a correct working procedures - 

https://community.checkpoint.com/thread/6877-how-to-properly-logoff-web-api-session-without-leaving-...

Robert.

New Beta Release v1.0.0-beta1

I have just released a beta of the new version which has many major changes.

I have started a Wiki page detailing the major changes.

You can also see updated Examples here.

If you would like to test you can install it using "Install-Module -Name psCheckPoint -AllowPrerelease".

Please either log Issue tickets on Github or reply here if you have any problems.