PowerShell, AD computers to Check Point objects


This is my attempt to create a PowerShell script to add all computers in an Active Directory as hosts in a Check Point R80 firewall. It is a work in progress at the moment.
It requires at least Check Point R80!
(I tested it only with R80.10)

If you have not done so already, make sure you install the Check Point for PowerShell modules by running this as administrator:

Install-Module psCheckPoint
Install-Module psCheckPointAI

The functions of the module psCheckPoint are documented in the psCheckPoint WIKI
and (as ever) Get-Help is your friend!

Once installed you don’t need administrator rights for the Check Point connection. This script might however need elevated rights to find all machines in Active Directory.

In short this script does:

  1. Import Modules
  2. Get the list of AD computers and store their names and IP addresses
  3. Open a session to the Smart Center
  4. Create a group for all AD computers
  5. Loop over all AD computers and create a Check Point host object for each of them and add them to the group from the previous step
  6. Publish the lot and log out.

#	PowerShell script to read computer details from the current Active Directory and insert the machines as host objects into a Check Point Infinity firewall.

#	Import Modules
Write-Verbose " *** Loading Modules *** "
Import-Module ActiveDirectory
Import-Module psCheckPoint

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"
$TimeStamp = Get-Date -UFormat "%Y/%m/%d %H:%M"

# Read Active Directory Computerlist
Write-Verbose " *** Reading Computerlist *** "
$ADComputers = Get-ADComputer -Filter * -Property Name,DNSHostName,IPv4Address,IPv6Address

## Output to screen
Write-Verbose " *** Active Directory Domain $DNSRoot *** "
$ADComputers|Format-Table DNSHostname,IPv4Address,IPv6Address

# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** "
#$MyCC = Get-Credential -Message "Check Point Management Center login"
$Session = Open-CheckPointSession -SessionName "API $TimeStamp" -SessionDescription "WEB API session started at $TimeStamp to update ActiveDirectory Hosts" -NoCertificateValidation

# Create ActiveDirectory Group
Write-Verbose " *** Adding Group $ADG *** "
New-CheckPointGroup -Session $Session -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments changed $TimeStamp" -SetIfExists

# Loop over the AD computers and create (or update) a host object for each enabled one
foreach ($Computer in $ADcomputers) {
    if ($Computer.Enabled -eq $True) {
        $CDN = $Computer.DistinguishedName
        Write-Verbose " *** Adding Host $CDN *** "
        if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
            $Result = New-CheckPointHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN changed $TimeStamp" -SetIfExists
        } elseif ($Computer.IPv4Address -ne $Null) {
            $Result = New-CheckPointHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN changed $TimeStamp" -SetIfExists
        }
        # Computers without any IP address in AD are skipped: no host object is created for them
    }
}

# Publish Changes
Write-Verbose " *** Publish Session changes *** "
Publish-CheckPointSession -Session $Session

# Logout from Check Point API
Write-Verbose " *** Logout Session *** "
Reset-CheckPointSession -Session $Session
Close-CheckpointSession -Session $Session

# Remove Modules
Write-Verbose " *** Remove Modules *** "
Remove-Module ActiveDirectory
Remove-Module psCheckPoint

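The script above adds every enabled computer account, including ones that have not logged on in months and ones whose IPv4Address (which Get-ADComputer derives from a DNS lookup, not from a stored attribute) is empty or stale. The following is an added example, not code from the original post or from the psCheckPoint module: it filters stale accounts, validates the address before it becomes a firewall object, and supports -WhatIf so the run can be rehearsed without touching the Smart Center. It assumes $Session, $ADG, $DNSRoot, $Color and $TimeStamp from the script above; the 90-day window is a constructed threshold.

```powershell
# Added example; reuses $Session, $ADG, $DNSRoot, $Color and $TimeStamp from the script above.
Import-Module ActiveDirectory
Import-Module psCheckPoint

function Get-ActiveADComputer {
    param([int]$MaxAgeDays = 90)   # constructed threshold: skip machines silent longer than this
    $Cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    # Only enabled accounts, filtered server-side. LastLogonDate is replicated with up to
    # 14 days of lag, which is fine for a staleness filter but not for exact auditing.
    Get-ADComputer -Filter { Enabled -eq $true } -Properties DNSHostName,IPv4Address,LastLogonDate |
        Where-Object { $_.LastLogonDate -and $_.LastLogonDate -ge $Cutoff }
}

function Add-ADComputerHost {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] $Session,
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [Parameter(Mandatory)] [string]$Group
    )
    process {
        $Address = $null
        # IPv4Address comes from a DNS lookup at query time; make sure it is a real IPv4
        # address before turning it into a firewall object, and skip the host otherwise
        # instead of creating an object with an empty or garbage address.
        if (-not [System.Net.IPAddress]::TryParse([string]$Computer.IPv4Address, [ref]$Address) -or
            $Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
            Write-Warning "Skipping $($Computer.DNSHostName): no valid IPv4 address in AD"
            return
        }
        # With -WhatIf this only reports what would be created on the management server
        if ($PSCmdlet.ShouldProcess($Computer.DNSHostName, "Create Check Point host $($Address.IPAddressToString)")) {
            New-CheckPointHost -Session $Session -Name $Computer.DNSHostName `
                -IPv4Address $Address.IPAddressToString -Groups $Group `
                -Tag ActiveDirectory,$DNSRoot -Color $Color `
                -Comments "$($Computer.DistinguishedName) changed $TimeStamp" -SetIfExists
        }
    }
}

# Rehearse first, then run for real (both inside the session opened by the script above):
# Get-ActiveADComputer | Add-ADComputerHost -Session $Session -Group $ADG -WhatIf
# Get-ActiveADComputer | Add-ADComputerHost -Session $Session -Group $ADG
```

Run the -WhatIf pass before Publish-CheckPointSession; the warnings tell you which accounts would have been silently skipped by the original loop.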

This is a basic working version. There might be some ways to refine it, but it works rather well for me in my lab.
