Tim_Koopman
Contributor

R80 PowerShell Module

PowerShell module that hooks into the Check Point Web API for both Management and Identity Awareness.

LATEST UPDATE

2018-06-04 - v1.0.0 Released

Major Update

  • Now uses CheckPoint.NET class library in the back-end
  • Can now verify the server's SSL hash when connecting
  • Lots of bug fixes and improvements

Please see Wiki page for more details.

2017-11-22 - v0.7.10 Released

New Cmdlets for one way syncs of groups into Check Point

Group Sync Examples (Office365 (Updated), Azure & AWS)

Fix session parameter in Export-CheckPointAccessRule

Initial PS views added. (More to come)

Added TagAction to all Set Cmdlets so you can add/remove Tags one at a time.

To see previous release notes head over to GitHub Releases Page

Installing

PS> Install-Module psCheckPoint [-Scope CurrentUser]

Documentation

Documentation can be found at https://tkoopman.github.io/psCheckPoint/

Code can be found at GitHub - tkoopman/psCheckPoint: Powershell Module for Check Point R80 Web API 

Please let me know via an issue ticket if you find any bugs, or if there is a particular API call, feature or even a common example that would help others that you would like implemented.

I will try and prioritize those API calls that are requested.

Examples

Many example scripts can be found at psCheckPoint/Examples on GitHub 

It includes examples for the following (most of which I am using myself in production):

  • Export to HTML
    Can be used to export parts of a rule-base including all objects used. Also can be used to export all rules where certain objects are used.
  • Group Sync
    Allows for one way syncing of Network Groups from an external source. Examples for this includes maintaining groups for Office 365, AWS & Azure.
    Because this creates and maintains these as standard network objects, you can use them everywhere in the policy, including but not limited to Access Rules, NAT, Desktop Policy and HTTPS Rules.
  • Import from Excel
    Importing lots of different object types from an Excel workbook
  • Tor - Identity Awareness
    Used to assign all Tor IPs to an IA Role which you could then use to block all Tor IPs.
  • Save Configs
    Uses the command to run a script on multiple gateways to get the Gaia running configuration and saves them all to text files.
  • Close Sessions
    For when you may have forgotten to close a heap of API sessions. This will close all that don't have any changes associated with them.
31 Replies
Petter_Andersso
Participant

Hi Tim. Great work. I have done a similar job creating a PowerShell module for the Check Point API, but I have not yet published it on GitHub, and I don't think I will do that. I have specified some "custom" parameters in my module.

I see you are a more experienced PowerShell developer than I am. I hope I can help you develop the POSH module.

keep up your good work

Hugo_vd_Kooij
Advisor

As a pet project I was looking for a script to fill objects based on an Active Directory list of machines.

So it would gather a list of machines in Active Directory and get their IP addresses (IPv4 and IPv6) and then check if the object is already present. If it is not present yet it would create one.

As it will also serve me as a way to learn yet another scripting language (PowerShell) it may take a while before anything useful will be there.

As soon as the first bits are available I will post it somewhere.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Hugo_vd_Kooij
Advisor

I have been testing a script but I wanted to add both IPv4 and IPv6 addresses where available. But it seems my syntax is not correct.

The relevant code snippet is:

foreach ($Computer in $ADcomputers) {
  $Computer
  $NU = Get-Date
  # Reset per computer, otherwise a machine without addresses reuses the previous one
  $IPaddress = $Null
  if ($Computer.Enabled -eq $True) {
    if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
      $IPaddress = ($Computer.IPv4Address,$Computer.IPv6Address)
    } elseif ($Computer.IPv4Address -ne $Null) {
      $IPaddress = $Computer.IPv4Address
    }
    $IPaddress
    # Only add hosts that have an address. Note that "$Computer.DistinguishedName" inside a string
    # expands just $Computer, so the property needs the $( ) subexpression syntax.
    if ($IPaddress -ne $Null) {
      Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipaddress $IPaddress -Tag ActiveDirectory,$Computer.DNSHostName -Color Red -Groups ActiveDirectoryHosts -Comments "$($Computer.DistinguishedName) added $NU"
    }
  }
}

I am still finding my way around PowerShell as a scripting language so I might be doing something incredibly stupid here and just not seeing it.

Hugo_vd_Kooij
Advisor

It seems you have not done any view or find snippets (yet).

At the moment I just get errors when I rerun the same script because the objects are already present. I would prefer to verify that the object is already there before I attempt to add it.

Do you plan to add these features?

Tim_Koopman
Contributor

Just updated the code to allow both IPv4 and IPv6 IPs to be added. Also added the option to SetIfExists.

Tim_Koopman
Contributor

I did just add SetIfExists option from the Web API. If it exists in the Web API then it is my plan to add it to the module as well but only as time permits.

Hugo_vd_Kooij
Advisor

Wonderful. I'll see if I can put it to good use.

Thanks.

Hugo_vd_Kooij
Advisor

I got it sort of working. But with a big issue. I now have group objects that are being locked. And I have no idea how I can unlock those objects so I can delete them.

The current script:

# PowerShell script to read Computer details from the command line

# Import Modules
import-module ActiveDirectory
import-module .\CheckPoint.psm1

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"

# Read Active Directory Computerlist
$ADComputers = Get-ADComputer -Filter * -Property Name,IPv4Address,IPv6Address

## Output to screen
$DNSRoot
$ADComputers|Format-Table Name,DNSHostname,IPv4Address,IPv6Address

# Ignore certificate validation for the self-signed certificate.
# Caveat: this accepts ANY certificate from ANY server for every HTTPS call made by this PowerShell
# process, so a man-in-the-middle could capture the API credentials and session ID. Acceptable in a
# lab; elsewhere trust the management server's CA or pin its certificate thumbprint instead.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$CPsession = Invoke-CPLogin

# Create ActiveDirectory Group
Write-Host " *** Adding Group $ADG *** "
Add-CPGroup -Session $CPsession -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments"

foreach ($Computer in $ADcomputers) {
  $NOW = Get-Date
  if ($Computer.Enabled -eq $True) {
    $CDN = $Computer.DistinguishedName
    Write-Host " *** Adding Host $CDN *** "
    if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
      Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
    } elseif ($Computer.IPv4Address -ne $Null) {
      Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
    }
  }
}

# Publish Changes
Invoke-CPPublish -Session $CPsession

# Logout from Check Point API
Invoke-CPLogout -Session $CPsession

# Remove Modules
Remove-Module ActiveDirectory
Remove-Module CheckPoint

# DONE!

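The callback in the script above accepts any certificate, from any server, for every HTTPS call the process makes afterwards; the module's v1.0.0 release note lists verifying the server's SSL hash as the built-in alternative. The following is an added example, not Hugo's script and not psCheckPoint code, of doing that check by hand in Windows PowerShell 5.1: read the presented thumbprint once so it can be verified out of band (in SmartConsole or on the management server itself), then pin it so that Invoke-RestMethod rejects anything else. The server name, the credential prompt and the thumbprint value are placeholders.

```powershell
# Added example, not part of Hugo's script or the psCheckPoint module.
# Windows PowerShell 5.1 only: there Invoke-RestMethod is built on HttpWebRequest, which honours
# ServicePointManager.ServerCertificateValidationCallback. Server name and thumbprint are placeholders.

function Get-CpServerThumbprint {
    <# First contact: read the certificate the server presents so its thumbprint can be verified
       out of band. The validation callback accepts anything here on purpose: nothing is sent
       after the handshake, the certificate is only read. #>
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 443)
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{ Subject = $cert.Subject; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    } finally {
        $tcp.Close()
    }
}

function Set-CpCertificatePin {
    <# After this, every HTTPS request in the process (Invoke-RestMethod included) succeeds only
       if the server presents the certificate with this SHA-1 thumbprint. A certificate with a
       perfectly valid chain but a different thumbprint is rejected as well. #>
    param([Parameter(Mandatory)][string]$Thumbprint)
    # Accept the thumbprint with or without colons/spaces, as different tools print it
    $pin = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($pin.Length -ne 40) { throw "Expected a 40 hex digit SHA-1 thumbprint, got '$Thumbprint'" }
    $callback = {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        # GetCertHashString() is the SHA-1 hash of the DER certificate, the same value as Thumbprint
        $presented = $certificate.GetCertHashString().ToUpperInvariant()
        return ($presented -eq $pin)
    }.GetNewClosure()   # capture $pin so the callback does not depend on script scope later
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $callback
}

# First run: print the thumbprint and verify it against the management server out of band
Get-CpServerThumbprint -Server 'mgmt.example.lan'

# Every later run: pin first, then log in as usual. Placeholder thumbprint value.
Set-CpCertificatePin -Thumbprint '01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67'
$cred  = Get-Credential -Message 'Check Point API user'
$login = Invoke-RestMethod -Method Post -Uri 'https://mgmt.example.lan/web_api/login' -ContentType 'application/json' `
    -Body (@{ user = $cred.UserName; password = $cred.GetNetworkCredential().Password } | ConvertTo-Json)
"logged in, session $($login.uid)"
```

On PowerShell 7 Invoke-RestMethod uses HttpClient and ignores the ServicePointManager callback, so the same pin has to be enforced differently there. If the callback ever fails with "There is no Runspace available to run scripts in this thread", the request was validated on a thread without a PowerShell runspace, and the comparison has to be compiled into a small C# class with Add-Type instead of a scriptblock.
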
Hugo_vd_Kooij
Advisor

My lab now looks like:

[screenshot: Object list]

With the details:

[screenshot: Group Object]

Tim_Koopman
Contributor

Hey,

Can you check if you have any disconnected sessions? You can see this in SmartConsole > Manage & Settings > Sessions

If there is you can use the options there to fix the problem. If this happens from using the Web API it would normally be because a session was disconnected / logged off before publishing or discarding the changes.

Tim

Hugo_vd_Kooij
Advisor

Thanks Tim,

It seems I have a load of them. I think I need to do this better in my script.

At the moment I do:

  1. Invoke-CPLogin
  2. Do my stuff with objects
  3. Invoke-CPPublish
  4. Invoke-CPLogout

I noticed you did use Invoke-CPContinueSessionInSmartconsole instead of my steps 3 and 4.

My option made more sense to me. But I might be totally wrong here. (Or the API might be off)

After cleaning out my list of sessions and discarding options there I lost the locks. I will do some more testing to see if the script does in fact result in unpublished and discarded sessions.

Hugo_vd_Kooij
Advisor

It seems you need to discard the session after the publish action to get rid of it. That sounds a bit ... odd to me but this worked:

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$Session = Invoke-CPLogin

.....

# Publish Changes
Write-Host " *** Publish Session changes *** "
Invoke-CPPublish -Session $Session

# Logout from Check Point API
Write-Host " *** Logout Session *** "
Invoke-CPDiscard -Session $Session
Invoke-CPLogout -Session $Session

Tim_Koopman
Contributor

That is weird and shouldn't be that way at all, and it definitely doesn't do that for me.

Are you running the latest R80.10 jumbo hotfix? Not sure if it will make any difference, but that is what I am running on my test manager.

Regards

Tim

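An added example (not psCheckPoint code and not from any of the posts above) of the sequence discussed in this exchange, done directly against the Management Web API with Invoke-RestMethod: the session is published on success, discarded on any error, and only then logged out, so it never ends up in the disconnected-with-changes state Tim describes. A second function does what the original post's Close Sessions example describes: it lists the other open sessions and discards those that hold no changes, relying on the Web API's discard command accepting another session's uid. It assumes the management server's certificate is trusted by the client, that the API user is allowed to discard other users' sessions, and uses placeholder server and host names.

```powershell
# Added example, not part of psCheckPoint. Assumes a trusted (or pinned) management certificate
# and an API user allowed to discard other sessions. Server and host names are placeholders.

function Connect-CpSession {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    $url  = "https://$Server/web_api"
    $body = @{
        user     = $Credential.UserName
        password = $Credential.GetNetworkCredential().Password
    } | ConvertTo-Json
    $login = Invoke-RestMethod -Method Post -Uri "$url/login" -ContentType 'application/json' -Body $body
    # sid authenticates every later call (X-chkp-sid header); uid identifies this session in show-sessions
    [pscustomobject]@{ Url = $url; Sid = $login.sid; Uid = $login.uid }
}

function Invoke-CpApi {
    param(
        [Parameter(Mandatory)]$Session,
        [Parameter(Mandatory)][string]$Command,
        [hashtable]$Body = @{}      # commands without parameters still need a "{}" body
    )
    Invoke-RestMethod -Method Post -Uri "$($Session.Url)/$Command" -ContentType 'application/json' `
        -Headers @{ 'X-chkp-sid' = $Session.Sid } -Body ($Body | ConvertTo-Json -Depth 5)
}

function Invoke-CpChangeSet {
    <# Runs $Changes inside one session and guarantees that the session is either published or
       discarded before logout, so it cannot leave objects locked for other administrators. #>
    param(
        [Parameter(Mandatory)]$Session,
        [Parameter(Mandatory)][scriptblock]$Changes
    )
    $published = $false
    try {
        & $Changes $Session
        Invoke-CpApi -Session $Session -Command 'publish' | Out-Null
        $published = $true
    } finally {
        if (-not $published) {
            # An error anywhere above: throw the pending changes away rather than leave them locked
            try { Invoke-CpApi -Session $Session -Command 'discard' | Out-Null }
            catch { Write-Warning "discard failed: $_" }
        }
        Invoke-CpApi -Session $Session -Command 'logout' | Out-Null
    }
}

function Get-CpIdleSessions {
    <# Other open sessions that hold no unpublished changes. show-sessions lists only sessions
       that are still open unless view-published-sessions is set, so no state filter is needed. #>
    param([Parameter(Mandatory)]$Session)
    $result = Invoke-CpApi -Session $Session -Command 'show-sessions' -Body @{ 'details-level' = 'full'; limit = 500 }
    $result.objects | Where-Object { $_.uid -ne $Session.Uid -and $_.changes -eq 0 }
}

function Close-CpIdleSessions {
    <# The cleanup the original post's "Close Sessions" example describes: discarding a session
       by uid ends it, and with zero changes nothing is lost. Sessions that do hold changes are
       left for their owner to publish or discard in SmartConsole > Manage & Settings > Sessions. #>
    param([Parameter(Mandatory)]$Session)
    $closed = @()
    foreach ($s in Get-CpIdleSessions -Session $Session) {
        Invoke-CpApi -Session $Session -Command 'discard' -Body @{ uid = $s.uid } | Out-Null
        $closed += $s.uid
    }
    $closed
}

# Usage: one login; first clean up sessions left idle by earlier runs, then add a host.
# On success the session is published, on any error discarded, and logged out either way.
$cp = Connect-CpSession -Server 'mgmt.example.lan' -Credential (Get-Credential -Message 'Check Point API user')
Close-CpIdleSessions -Session $cp | ForEach-Object { "discarded idle session $_" }
Invoke-CpChangeSet -Session $cp -Changes {
    param($s)
    Invoke-CpApi -Session $s -Command 'add-host' -Body @{ name = 'host-a.example.lan'; 'ip-address' = '192.0.2.10' } | Out-Null
}
```

The try/finally is the whole point: a script that publishes on line N and logs out on line N+1 still leaves a locked session behind whenever anything before line N throws, which is the situation the SmartConsole sessions view then shows as a disconnected session with changes.
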
Hugo_vd_Kooij
Advisor

Installed Hotfixes:

• R80.10 Jumbo Hotfix Accumulator General Availability (Take 24)
• R80.10 SmartConsole Build 005
• HOTFIX_R80_10

Which looks rather up-to-date to me.

Hugo_vd_Kooij
Advisor

Tim,

I noticed you updated the module and added a few functions. Are you planning on doing anything with the Show features of the API to get data out of the system?

Tim_Koopman
Contributor

Morning Hugo,

The new module already has get methods for hosts, networks & groups, with more to be added as I add each other object type.

You can see a basic list of what has been implemented in the new module on the GitHub wiki page (Home · tkoopman/psCheckPoint Wiki · GitHub).

As you have already used the old module, just be aware that I have renamed some of the methods in the new module to better align with the correct verbs and naming standards. They shouldn't change again now.

Look forward to more feedback.

Tim.

Hugo_vd_Kooij
Advisor

Tim,

It seems I misunderstand the module.

If I get ALL the hosts I can see for example:

Groups : {ActiveDirectoryHosts-hvdk.qilab.lan}
ipv4Address : 172.21.15.14
ipv6Address : 2001:db8:15::14
Icon : Objects/host
MetaInfo : psCheckPoint.Objects.CheckPointMetaInfo
ReadOnly : False
Tags : {hvdk.qilab.lan, ActiveDirectory}
Color : cyan
Comments : CN=VP,CN=Computers,DC=hvdk,DC=qilab,DC=lan added 08/09/2017 12:45:49
Name : vp.hvdk.qilab.lan
UID : cbba1bc6-bdf0-47aa-9e9b-5e947de459f2
Type : host
Domain : psCheckPoint.Objects.CheckPointDomain

But finding a host by name fails:

Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
Get-CheckPointHosts : Cannot bind parameter 'Name'. Cannot convert value "vp.hvdk.qilab.lan" to type "System.Int32". Error: "Input string was not in a correct format."
At line:1 char:45
+ Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-CheckPointHosts], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,psCheckPoint.Objects.Host.GetCheckPointHosts

The Get-Help output suggests that -Name takes a string as argument.

Am I missing something obvious here?

Tim_Koopman
Contributor

Hi,

When getting a single host the command is Get-CheckPointHost with no "s" on the end.

Tim

Hugo_vd_Kooij
Advisor

Tim,

Check. I knew I was doing something silly.

Thanks for pointing out the typo.

Hugo_vd_Kooij
Advisor

Tim,

The module is also very useful if you have a Linux machine with PowerShell on it.

It works just as easily.

Keep up the good work!

Let me know if I can lend a hand.

Regards,

Hugo

Tim_Koopman
Contributor

Hi,

Thanks for the feedback, Hugo. I was wondering if it would work on Linux or if I would have to change to using .NET Core.

I am slowly adding more and more to it. Hoping to do a new release this weekend, which will add one new feature as well as more standard API commands. That said, if you have skills in C#, or if you are good with HTML & JavaScript, I could currently use someone to help make the new feature better looking. I am not so good at making good-looking visual stuff :)

The new feature is being able to export a rule together with all the objects used by that rule. I love the Copy Rule as Image feature in SmartConsole but currently hate the follow-up questions it generates, like what is in group XYZ. So this will fix that easily.

Other than that keep testing and letting me know of any problems, that is a big help.

Regards

Tim

Hugo_vd_Kooij
Advisor

Is there a lag between the GitHub version and the imported module?

I was trying to get-help on the rules but there is none there yet.

Tim_Koopman
Contributor

Yes. I don't publish a new release every time I update GitHub.

That said I did just publish v0.3.0.

Hugo_vd_Kooij
Advisor

Tim,

I have done a bit of tinkering myself and added the timestamp as a tag. If you can update each entry you can see if old timestamps are present and delete them as they are no longer in use.

Tim_Koopman
Contributor

Hi Hugo,

I take it this is for the O365 example? Good to see you also still working on it. I had already updated the copy in the Examples folder on GitHub, so it removes old entries by using the Compare-Object command. That way it doesn't even need to touch entries that have not changed.

I am thinking of adding a copy of all examples to the documentation site so they are easier found. Until then they can be found here.

Regards

Tim

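An added example, not the project's Group Sync scripts, of the one-way sync approach described in the original post and in the Compare-Object remark above: read the group's current host members, work out what to add, update and remove against the desired list, and touch only those objects, so an existing host is updated rather than re-added and entries that left the source are removed without needing a timestamp tag. It works directly against the Management Web API rather than through the module's cmdlets; the server name, group name and desired list are constructed for the example, the group is assumed to exist already, and the management certificate is assumed to be trusted by the client.

```powershell
# Added example, not part of psCheckPoint. Server name, group name and the desired host list
# are placeholders; in Hugo's case the list would come from Get-ADComputer instead.
$cred  = Get-Credential -Message 'Check Point API user'
$login = Invoke-RestMethod -Method Post -Uri 'https://mgmt.example.lan/web_api/login' -ContentType 'application/json' `
    -Body (@{ user = $cred.UserName; password = $cred.GetNetworkCredential().Password } | ConvertTo-Json)
$Session = [pscustomobject]@{ Url = 'https://mgmt.example.lan/web_api'; Sid = $login.sid }

function Get-GroupSyncPlan {
    <# Pure set difference between the desired and the current host list, keyed by name.
       Compare-Object would do the same but rejects an empty ReferenceObject/DifferenceObject,
       and an empty group or an empty source is a normal case for a sync. #>
    param(
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Desired,  # objects with Name, IPv4
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Current   # objects with Name, IPv4
    )
    $currentByName = @{}; foreach ($c in $Current) { $currentByName[$c.Name] = $c }
    $desiredByName = @{}; foreach ($d in $Desired) { $desiredByName[$d.Name] = $d }
    [pscustomobject]@{
        # in the source but not yet in the group
        Add    = @($Desired | Where-Object { -not $currentByName.ContainsKey($_.Name) })
        # in both, but the address changed: a set-host, not a failing add-host
        Update = @($Desired | Where-Object { $currentByName.ContainsKey($_.Name) -and $currentByName[$_.Name].IPv4 -ne $_.IPv4 })
        # in the group but no longer in the source
        Remove = @($Current | Where-Object { -not $desiredByName.ContainsKey($_.Name) })
    }
}

function Invoke-GroupSync {
    param(
        [Parameter(Mandatory)]$Session,
        [Parameter(Mandatory)][string]$GroupName,
        [Parameter(Mandatory)][AllowEmptyCollection()][object[]]$Desired
    )
    $api = {
        param([string]$Command, [hashtable]$Body)
        Invoke-RestMethod -Method Post -Uri "$($Session.Url)/$Command" -ContentType 'application/json' `
            -Headers @{ 'X-chkp-sid' = $Session.Sid } -Body ($Body | ConvertTo-Json -Depth 5)
    }
    # Current state: full details so each host member carries its ipv4-address.
    # Only host members are synced; networks or other objects in the same group are left alone.
    $group   = & $api 'show-group' @{ name = $GroupName; 'details-level' = 'full' }
    $current = @($group.members | Where-Object { $_.type -eq 'host' } |
        ForEach-Object { [pscustomobject]@{ Name = $_.name; IPv4 = $_.'ipv4-address' } })

    $plan = Get-GroupSyncPlan -Desired $Desired -Current $current
    foreach ($h in $plan.Add) {
        & $api 'add-host' @{ name = $h.Name; 'ipv4-address' = $h.IPv4; groups = @($GroupName) } | Out-Null
    }
    foreach ($h in $plan.Update) {
        & $api 'set-host' @{ name = $h.Name; 'ipv4-address' = $h.IPv4 } | Out-Null
    }
    if ($plan.Remove.Count -gt 0) {
        # Only the membership is removed; deleting the host object is a separate decision,
        # since it may still be referenced elsewhere in the policy.
        & $api 'set-group' @{ name = $GroupName; members = @{ remove = @($plan.Remove.Name) } } | Out-Null
    }
    & $api 'publish' @{} | Out-Null
    $plan
}

# Constructed desired state for the example
$desired = @(
    [pscustomobject]@{ Name = 'host-a.example.lan'; IPv4 = '192.0.2.10' }
    [pscustomobject]@{ Name = 'host-b.example.lan'; IPv4 = '192.0.2.11' }
)
$plan = Invoke-GroupSync -Session $Session -GroupName 'ActiveDirectoryHosts' -Desired $desired
"added {0}, updated {1}, removed {2}" -f $plan.Add.Count, $plan.Update.Count, $plan.Remove.Count
Invoke-RestMethod -Method Post -Uri "$($Session.Url)/logout" -ContentType 'application/json' `
    -Headers @{ 'X-chkp-sid' = $Session.Sid } -Body '{}' | Out-Null
```

Running it twice in a row is the check worth doing: the second run should report zero adds, updates and removes and publish an empty session, which is what "doesn't even need to touch entries that have not changed" means in practice.
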
Rafael_Apolinar
Explorer

I'm trying to install the module here, but I'm getting an error:

You are installing the module(s) from an untrusted repository. If you trust this repository, change its
InstallationPolicy value by running the Set-PSRepository cmdlet.
Are you sure you want to install software from 'https://www.powershellgallery.com/api/v2/'?
[Y] Yes [A] Yes to All [N] No [L] No to All [S] Suspend [?] Help (default is "N"): Y
WARNING: The module 'psCheckPoint' cannot be installed or updated because it is not a properly formed module.

It is in Portuguese, but it says that the psCheckPoint module cannot be installed because it is not a "properly formed module".

Any clue?   

Tim_Koopman
Contributor

Hi,

That's not good. I am not getting any errors on the versions of PowerShell I tested. Could you please provide the output of the following commands? Please translate anything that looks important :)

$PSVersionTable
$PSUICulture
Install-Module psCheckPoint -Scope CurrentUser -Verbose

Once I get that I will see if I can reproduce the problem and fix it.

Regards

Tim

Robert_Decker
Advisor

Hi guys, impressive work until now.

If I remember correctly, there was an issue with disconnected sessions on the management server database. This issue has already been fixed.

Hugo, if you have one of the latest jumbos installed, it should work without issue.

This is NOT due to Tim's tool!

In any case, read my answer in this post on the correct working procedure -

https://community.checkpoint.com/thread/6877-how-to-properly-logoff-web-api-session-without-leaving-...

Robert.

Tim_Koopman
Contributor

New Beta Release v1.0.0-beta1

I have just released a beta of the new version which has many major changes.

I have started a Wiki page detailing the major changes.

You can also see updated Examples here.

If you would like to test you can install it using "Install-Module -Name psCheckPoint -AllowPrerelease".

Please either log Issue tickets on Github or reply here if you have any problems.
