PowerShell, AD computers to Check Point objects


This is my attempt to create a PowerShell script to add all computers in an Active Directory as hosts in a Check Point firewall. It is a work in progress at the moment.
It requires at least Check Point R80!

In short it does:

  1. Import Modules
  2. Get list of AD computer and store name and IP addresses
  3. Open a session to the Smart Center
  4. Create a group for all AD computers
  5. Loop over all AD computers and create a Check Point host object for each of them and add them to the group from the previous step
  6. Publish the lot and log out.

#	PowerShell script to read Computer details from the current Active Directory and insert the machines into a Check Point Infinity firewall.

#	Import Modules
Write-Host " *** Loading Modules *** "
import-module ActiveDirectory
import-module .\CheckPoint.psm1

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"

# Read Active Directory Computerlist
Write-Host " *** Reading Computerlist *** "
$ADComputers = Get-ADComputer -Filter * -Property Name,DNSHostName,IPv4Address,IPv6Address

## Output to screen
Write-Host " *** Active Directory Domain $DNSRoot *** "
$ADComputers|Format-Table DNSHostname,IPv4Address,IPv6Address

# Ignore Certificate Block on self-sign certificate
Write-Host " *** Ignore Private Certificates *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }

# Login to Check Point API to get Session ID
Write-Host " *** Log in to Check Point Smart Center API *** "
$Session = Invoke-CPLogin

# Create ActiveDirectory Group
Write-Host " *** Adding Group $ADG *** "
Add-CPGroup -Session $Session -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments"

# Create one host object per enabled AD computer; disabled accounts and computers without an IP address are skipped
foreach ($Computer in $ADComputers) {
    $NOW = Get-Date
    if ($Computer.Enabled -eq $True) {
        $CDN = $Computer.DistinguishedName
        Write-Host " *** Adding Host $CDN *** "
        if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
            Add-CPHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
        } elseif ($Computer.IPv4Address -ne $Null) {
            Add-CPHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN added $NOW"
        }
    }
}

# Publish Changes
Write-Host " *** Publish Session changes *** "
Invoke-CPPublish -Session $Session

# Logout from Check Point API
Write-Host " *** Logout Session *** "
Invoke-CPDiscard -Session $Session
Invoke-CPLogout -Session $Session

# Ignore Certificate Block on self-sign certificate no longer
# Assigning $null removes the callback and restores default certificate validation ({ $False } would reject every certificate)
Write-Host " *** Ignore Private Certificates no longer *** "
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null

# Remove Modules
Write-Host " *** Remove Modules *** "
Remove-Module ActiveDirectory
Remove-Module CheckPoint


This is a basic working version. There might be some way to refine it but it works rather well for me.
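The script above accepts any certificate from the Smart Center while it runs. As an added example (not part of the original post or of the CheckPoint.psm1 module), the same login / add-host / publish / logout exchange against the R80 web API is shown with Invoke-RestMethod, pinning the Smart Center's certificate thumbprint instead of disabling validation. It assumes Windows PowerShell 5.1 (whose Invoke-RestMethod honours ServicePointManager), and the server name, thumbprint and host values are placeholders.

```powershell
# Placeholders: replace with your Smart Center, an API user and the SHA-1 thumbprint of its certificate
$MgmtServer = "smartcenter.example.internal"
$Thumbprint = "0000000000000000000000000000000000000000"   # read it from the server certificate out of band
$Cred       = Get-Credential -Message "Check Point API user"

# Pin the Smart Center certificate instead of accepting everything with { $True }.
# A compiled callback is used because scriptblock callbacks run outside the PowerShell runspace.
if (-not ('PinnedCert' -as [type])) {
    Add-Type -TypeDefinition @"
using System.Net.Security;
using System.Security.Cryptography.X509Certificates;
public static class PinnedCert {
    public static string Thumbprint;
    static bool Validate(object s, X509Certificate c, X509Chain ch, SslPolicyErrors e) {
        if (e == SslPolicyErrors.None) return true;      // chain is valid: normal trust applies
        return c != null && string.Equals(c.GetCertHashString(), Thumbprint,
                                          System.StringComparison.OrdinalIgnoreCase);
    }
    public static RemoteCertificateValidationCallback Callback() {
        return new RemoteCertificateValidationCallback(Validate);
    }
}
"@
}
[PinnedCert]::Thumbprint = $Thumbprint
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = [PinnedCert]::Callback()

$Api = "https://$MgmtServer/web_api"
function Invoke-CPApi($Command, $Body, $Sid) {
    $Headers = @{}
    if ($Sid) { $Headers["X-chkp-sid"] = $Sid }           # session id returned by login
    Invoke-RestMethod -Method Post -Uri "$Api/$Command" -Headers $Headers `
        -ContentType "application/json" -Body ($Body | ConvertTo-Json)
}

try {
    # 1. login: the returned sid authenticates the rest of the session
    $Login = Invoke-CPApi "login" @{ user = $Cred.UserName; password = $Cred.GetNetworkCredential().Password }
    $Sid = $Login.sid
    # 2. one host object, the same call Add-CPHost makes for each AD computer (placeholder values)
    Invoke-CPApi "add-host" @{ name = "pc01.example.internal"; "ip-address" = "10.0.0.15"; tags = @("ActiveDirectory") } $Sid
    # 3. publish makes the change visible to other administrators
    Invoke-CPApi "publish" @{} $Sid
}
finally {
    if ($Sid) { Invoke-CPApi "logout" @{} $Sid }
    # $null removes the callback and restores default certificate validation
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null
}
```

If the certificate presented does not match the pinned thumbprint and its chain is not otherwise trusted, Invoke-RestMethod throws before any credentials are sent.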
