R80 PowerShell Module
PowerShell module that hooks into the Check Point Web API for both Management and Identity Awareness.
LATEST UPDATE
2018-06-04 - v1.0.0 Released
Major Update
- Now uses CheckPoint.NET class library in the back-end
- Can now verify Server's SSL Hash when connecting
- Lots of bug fixes and improvements
Please see Wiki page for more details.
2017-11-22 - v0.7.10 Released
- New Cmdlets for one way syncs of groups into Check Point
- Group Sync Examples (Office365 (Updated), Azure & AWS)
- Fix session parameter in Export-CheckPointAccessRule
- Initial PS views added. (More to come)
- Added TagAction to all Set Cmdlets so you can add/remove Tags one at a time.
To see previous release notes head over to GitHub Releases Page
Installing
PS> Install-Module psCheckPoint [-Scope CurrentUser]
Documentation
Documentation can be found at https://tkoopman.github.io/psCheckPoint/
Code can be found at GitHub - tkoopman/psCheckPoint: Powershell Module for Check Point R80 Web API
Please let me know via issue ticket if you find any bugs or have a particular API call, feature or even common example that would help others, you would like implemented.
I will try and prioritize those API calls that are requested.
Examples
Many example scripts can be found at psCheckPoint/Examples on GitHub
It includes examples for the following (Most of which I am using myself in production):
- Export to HTML
  Can be used to export parts of a rule-base including all objects used. Also can be used to export all rules where certain objects are used.
- Group Sync
  Allows for one way syncing of Network Groups from an external source. Examples for this include maintaining groups for Office 365, AWS & Azure.
  As this creates and maintains these as standard network objects, you can use this everywhere in the policy including, but not limited to, Access Rules, NAT, Desktop Policy, HTTPS Rules.
- Import from Excel
  Importing lots of different object types from an Excel workbook
- Tor - Identity Awareness
  Used to assign all Tor IPs to an IA Role which you could then use to block all Tor IPs.
- Save Configs
  Uses the command to run a script on multiple gateways to get the Gaia running configuration and saves them all to text files.
- Close Sessions
  For when you may have forgotten to close a heap of API sessions. This will close all that don't have any changes associated to them.
Hi Tim. Great work. I have done a similar job creating a PowerShell module for the Check Point API. But I have yet to publish it on GitHub, and I don't think I will do that. I have specified some "custom" parameters in my module.
I see you are a more experienced PowerShell developer than I. I hope I can help you develop the POSH module.
Keep up your good work.
As a pet project I was looking for a script to fill objects based on an Active Directory list of machines.
So it would gather a list of machines in Active Directory and get their IP addresses (IPv4 and IPv6) and then check if the object is present already. If it is still not present it would create one.
As it will also serve me as a way to learn yet another scripting language (PowerShell) it may take a while before anything useful will be there.
As soon as the first bits are available I will post it somewhere.
I have been testing a script but I wanted to add both IPv4 and IPv6 addresses where available. But it seems my syntax is not correct.
The relevant code snippet is:
foreach ($Computer in $ADcomputers) {
    $Computer
    $NU = Get-Date
    if ($Computer.Enabled -eq $True) {
        if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
            $IPaddress = ($Computer.IPv4Address,$Computer.IPv6Address)
        } elseif ($Computer.IPv4Address -ne $Null) {
            $IPaddress = $Computer.IPv4Address
        }
        $IPaddress
        # $(...) is needed to expand a property inside a double-quoted string
        Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipaddress $IPaddress -Tag ActiveDirectory,$Computer.DNSHostName -Color Red -Groups ActiveDirectoryHosts -Comments "$($Computer.DistinguishedName) added $NU"
    }
}
I am still finding my way around in PowerShell as a scripting language so I might be doing something incredibly stupid here and just not seeing it.
It seems you have not done any view or find snippets (yet).
At the moment I just get errors when I rerun the same script because the objects are already present. I would prefer to verify if the object is already there before I attempt to add it.
Do you plan to add these features?
Just updated the code to allow both IPv4 and IPv6 IPs to be added. Also added the option to SetIfExists.
I did just add SetIfExists option from the Web API. If it exists in the Web API then it is my plan to add it to the module as well but only as time permits.
Wonderful. I'll see if I can put it to good use.
Thanks.
I got it sort of working. But with a big issue. I now have group objects that are being locked. And I have no idea how I can unlock those objects so I can delete them.
The current script:
# PowerShell script to read Computer details from Commandline

# Import Modules
import-module ActiveDirectory
import-module .\CheckPoint.psm1

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"

# Read Active Directory Computerlist
$ADComputers = Get-ADComputer -Filter * -Property Name,IPv4Address,IPv6Address

## Output to screen
$DNSRoot
$ADComputers|Format-Table Name,DNSHostname,IPv4Address,IPv6Address

# Ignore Certificate Block on self-sign certificate
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$CPsession = Invoke-CPLogin

# Create ActiveDirectory Group
Write-Host " *** Adding Group $ADG *** "
Add-CPGroup -Session $CPsession -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments"

foreach ($Computer in $ADcomputers) {
    $NOW = Get-Date
    if ($Computer.Enabled -eq $True) {
        $CDN = $Computer.DistinguishedName
        Write-Host " *** Adding Host $CDN *** "
        if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
            Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
        } elseif ($Computer.IPv4Address -ne $Null) {
            Add-CPHost -Session $CPsession -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
        }
    }
}

# Publish Changes
Invoke-CPPublish -Session $CPsession

# Logout from Check Point API
Invoke-CPLogout -Session $CPsession

# Remove Modules
Remove-Module ActiveDirectory
Remove-Module CheckPoint
# DONE!
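
The script above sets `ServerCertificateValidationCallback = { $True }`, which turns off certificate validation for the whole PowerShell process, so the API login is sent to whichever host answers. As an added example (not code from this thread or from psCheckPoint), the check below pins the management server's certificate by SHA-256 hash instead; the function names, `$PinnedHash` and the in-memory self-signed certificates are assumptions constructed for the demonstration.

```powershell
# Added example: pin the management server certificate by SHA-256 hash
# instead of accepting every certificate. All names here are hypothetical.

function Get-CertSha256 {
    param([Parameter(Mandatory)]
          [System.Security.Cryptography.X509Certificates.X509Certificate]$Certificate)
    $sha = [System.Security.Cryptography.SHA256]::Create()
    try {
        # Hash the DER encoding of the whole certificate as presented by the server
        $digest = $sha.ComputeHash($Certificate.GetRawCertData())
        return ([System.BitConverter]::ToString($digest) -replace '-', '')
    } finally { $sha.Dispose() }
}

function Test-PinnedCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate]$Certificate,
          [string]$PinnedHash)
    if ($null -eq $Certificate) { return $false }      # no certificate: fail closed
    # Accept "AA:BB:..." or "aabb..." notation, but only a full 32-byte value
    $expected = ($PinnedHash -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    if ($expected.Length -ne 64) { return $false }     # truncated or empty pin: fail closed
    return ((Get-CertSha256 -Certificate $Certificate) -eq $expected)
}

function New-DemoCertificate {
    # Constructed sample input: a throwaway self-signed certificate built in memory
    param([string]$Subject)
    $rsa = [System.Security.Cryptography.RSA]::Create(2048)
    $req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
        $Subject, $rsa,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
    $now = [DateTimeOffset]::UtcNow
    return $req.CreateSelfSigned($now.AddMinutes(-5), $now.AddDays(1))
}

# Constructed certificates: one stands in for the real server, one for a
# different key that presents the same subject name.
$serverCert = New-DemoCertificate -Subject 'CN=mgmt.example.test'
$otherCert  = New-DemoCertificate -Subject 'CN=mgmt.example.test'
$PinnedHash = Get-CertSha256 -Certificate $serverCert   # in practice: recorded out of band

[pscustomobject]@{
    PinnedServer  = Test-PinnedCertificate -Certificate $serverCert -PinnedHash $PinnedHash
    SameNameOther = Test-PinnedCertificate -Certificate $otherCert  -PinnedHash $PinnedHash
    TruncatedPin  = Test-PinnedCertificate -Certificate $serverCert -PinnedHash ($PinnedHash.Substring(0, 40))
} | Format-List

# Replacement for the "{ $True }" callback in the script above. The callback is
# process-wide, so set it once before logging in, with the real server's hash:
# [System.Net.ServicePointManager]::ServerCertificateValidationCallback = {
#     param($s, $cert, $chain, $errors)
#     Test-PinnedCertificate -Certificate $cert -PinnedHash $PinnedHash
# }
```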
My lab now looks like:
With the details:
Hey,
Can you check if you have any disconnected sessions? You can see this in SmartConsole > Manage & Settings > Sessions
If there is you can use the options there to fix the problem. If this happens from using the Web API it would normally be because a session was disconnected / logged off before publishing or discarding the changes.
Tim
Thanks Tim,
It seems I have a load of them. I think I need to do this better in my script.
At the moment I do:
- Invoke-CPLogin
- Do my stuff with objects
- Invoke-CPPublish
- Invoke-CPLogout
I noticed you did use Invoke-CPContinueSessionInSmartconsole instead of my steps 3 and 4.
My option made more sense to me. But I might be totally wrong here. (Or the API might be off)
After cleaning out my list of sessions and discarding options there I lost the locks. I will do some more testing to see if the script does in fact result in unpublished and discarded sessions.
It seems you need to discard the session after the publish action to get rid of it. That sounds a bit ... odd to me but this worked:
# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$Session = Invoke-CPLogin
.....
# Publish Changes
Write-Host " *** Publish Session changes *** "
Invoke-CPPublish -Session $Session
# Logout from Check Point API
Write-Host " *** Logout Session *** "
Invoke-CPDiscard -Session $Session
Invoke-CPLogout -Session $Session
That is weird and shouldn't be that way at all, and definitely doesn't do that for me.
You running the latest R80.10 jumbo hotfix? Not sure if it will make any difference but that is what I am running on my test manager.
Regards
Tim
Installed Hotfixes:
- R80.10 Jumbo Hotfix Accumulator General Availability (Take 24)
- R80.10 SmartConsole Build 005
- HOTFIX_R80_10
Which looks rather up-to-date to me.
Tim,
I noticed you updated the module and added a few functions. Are you planning on doing anything with the Show features on the API to get data out of the system?
Morning Hugo,
The new module does already have get methods for hosts, networks & groups and more to be added as I add each other object type.
You can see a basic list of what has been implemented in the new module on the Git wiki page Home · tkoopman/psCheckPoint Wiki · GitHub .
As you have already used the old module just be aware that I have renamed some of the methods in the new module to better align with the correct verbs and naming standards. They shouldn't change again now.
Look forward to more feedback.
Tim.
Tim,
It seems I misunderstand the module.
If I get ALL the hosts I can see for example:
Groups : {ActiveDirectoryHosts-hvdk.qilab.lan}
ipv4Address : 172.21.15.14
ipv6Address : 2001:db8:15::14
Icon : Objects/host
MetaInfo : psCheckPoint.Objects.CheckPointMetaInfo
ReadOnly : False
Tags : {hvdk.qilab.lan, ActiveDirectory}
Color : cyan
Comments : CN=VP,CN=Computers,DC=hvdk,DC=qilab,DC=lan added 08/09/2017 12:45:49
Name : vp.hvdk.qilab.lan
UID : cbba1bc6-bdf0-47aa-9e9b-5e947de459f2
Type : host
Domain : psCheckPoint.Objects.CheckPointDomain
But finding a host by name fails:
Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
Get-CheckPointHosts : Cannot bind parameter 'Name'. Cannot convert value "vp.hvdk.qilab.lan" to type "System.Int32". Error: "Input string was not in a correct format."
At line:1 char:45
+ Get-CheckPointHosts -Session $Session -Name "vp.hvdk.qilab.lan"
+ ~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (:) [Get-CheckPointHosts], ParameterBindingException
+ FullyQualifiedErrorId : CannotConvertArgumentNoMessage,psCheckPoint.Objects.Host.GetCheckPointHosts
The Get-Help output suggests that -Name takes a string as argument.
Am I missing something obvious here?
Hi,
When getting a single host the command is Get-CheckPointHost with no "s" on the end.
Tim
Tim,
Check. I knew I was doing something silly.
Thanks for pointing out the typo.
Tim,
The module is also very useful if you have a Linux machine with PowerShell on it.
It works just as easily.
Keep up the good work!
Let me know if I can lend a hand.
Regards,
Hugo
Hi,
Thanks Hugo for feedback. I was wondering if it would work in Linux or if I would have to change to using .NET Core.
I am slowly adding more and more to it. Hoping to do a new release this weekend, which will add one new feature as well as more standard API commands added. That said if you have skills in either C# or currently could use someone who is good at HTML & JavaScript to help make new feature better looking. I am not so good with making good looking visual stuff.
New feature is, being able to do an export of a rule that will also get all objects used by that rule to export with it. I love Copy Rule as Image feature in SmartConsole but currently hate the follow-up questions it generates like what is in XYZ group. So this will fix that easily.
Other than that keep testing and letting me know of any problems, that is a big help.
Regards
Tim
Is there a lag between the GITHUB version and the imported module?
I was trying to get-help on the rules but there is none there yet.
Yes. I don't publish a new release every time I update GitHub.
That said I did just publish v0.3.0.
Tim,
I have done a bit of tinkering myself and added the timestamp as a tag. If you can update each entry you can see if old timestamps are present and delete them as they are no longer in use.
Hi Hugo,
I take it this is for the O365 example? Good to see you also still working on it. I had already updated the copy in the Examples folder on GitHub, so it removes old entries by using the Compare-Object command. That way it doesn't even need to touch entries that have not changed.
I am thinking of adding a copy of all examples to the documentation site so they are easier found. Until then they can be found here.
Regards
Tim
I'm trying here to install the module, but I'm getting some error:
Você está instalando o(s) módulo(s) de um repositório não confiável. Se você confia nesse repositório, altere o
respectivo valor InstallationPolicy executando o cmdlet Set-PSRepository.
Are you sure you want to install software from 'https://www.powershellgallery.com/api/v2/'?
[S] Sim [A] Sim para Todos [N] Não [T] Não para Todos [U] Suspender [?] Ajuda (o padrão é "N"): S
AVISO: O módulo 'psCheckPoint' não pode ser instalado ou atualizado porque não é um módulo formado corretamente.
It is Portuguese, but it says that the psCheckPoint module cannot be installed because it is not a "properly formed module".
Any clue?
Hi,
That's not good. I am not getting any errors on my versions of PowerShell I tested. Could you please provide the output of the following commands. Please translate anything that looks important.
$PSVersionTable
$PSUICulture
Install-Module psCheckPoint -Scope CurrentUser -Verbose
Once I get that I will see if I can reproduce the problem and fix it.
Regards
Tim
Hi guys, impressive work until now.
If I remember correctly, there was an issue of disconnected sessions on management server database. This issue was already fixed.
Hugo, if you have one of the latest jumbos installed, it should work without issue.
This is NOT due to Tim's tool!
In any case, read my answer in this post on a correct working procedures -
Robert.
New Beta Release v1.0.0-beta1
I have just released a beta of the new version which has many major changes.
I have started a Wiki page detailing the major changes.
You can also see updated Examples here.
If you would like to test you can install it using "Install-Module -Name psCheckPoint -AllowPrerelease".
Please either log Issue tickets on Github or reply here if you have any problems.