This is my attempt to create a PowerShell script to add all computers in an Active Directory as hosts in a Check Point R80 firewall. It is a work in progress at the moment.
It requires at least Check Point R80!
(I tested it only with R80.10)
If you have not done so already, make sure you install the Check Point for PowerShell modules by running this as administrator:

```powershell
Install-Module psCheckPoint
Install-Module psCheckPointAI
```
The functions of the module psCheckPoint are documented in the psCheckPoint WIKI
and (as ever) Get-Help is your friend!
Once installed you don’t need administrator rights for the Check Point connection. This script might however need elevated rights to find all machines in Active Directory.
In short this script does:
- Import Modules
- Get list of AD computer and store names and IP addresses
- Open a session to the Smart Center
- Create a group for all AD computers
- Loop over all AD computers and create a Check Point host object for each of them and add them to the group from the previous step
- Publish the lot and log out.
```powershell
#
# PowerShell script to read Computer details from the current Active Directory
# and insert the machines into a Check Point Infinity firewall.
#

# Import Modules
Write-Verbose " *** Loading Modules *** "
Import-Module ActiveDirectory
Import-Module psCheckPoint

# Variables for customisation
$ADG = "ActiveDirectoryHosts"
$Color = "Cyan"
$Comments = "All hosts in the Active Directory"

# Get my Domain name and Fill in the blanks
$Domain = Get-ADDomain
$DNSRoot = $Domain.DNSRoot
$ADG = -join("$ADG", "-", "$DNSRoot")
$Comments = "$Comments $DNSRoot"
$TimeStamp = Get-Date -UFormat "%Y/%m/%d %H:%M"

# Read Active Directory Computerlist
Write-Verbose " *** Reading Computerlist *** "
$ADComputers = Get-ADComputer -Filter * -Property Name,DNSHostName,IPv4Address,IPv6Address

## Output to screen
Write-Verbose " *** Active Directory Domain $DNSRoot *** "
$ADComputers | Format-Table DNSHostname,IPv4Address,IPv6Address

# Login to Check Point API to get Session ID
# Note: -NoCertificateValidation skips checking the Smart Center's TLS certificate (lab use).
Write-Verbose " *** Log in to Check Point Smart Center API *** "
#$MyCC = Get-Credential -Message "Check Point Management Center login"
$Session = Open-CheckPointSession -SessionName "API $TimeStamp" -SessionDescription "WEB API session started at $TimeStamp to update ActiveDirectory Hosts" -NoCertificateValidation

# Create ActiveDirectory Group
Write-Verbose " *** Adding Group $ADG *** "
New-CheckPointGroup -Session $Session -Name $ADG -Tag ActiveDirectory,$DNSRoot -Color Red -Comments "$Comments changed $TimeStamp" -SetIfExists

# Create a host object for every enabled computer that has at least an IPv4 address
# and add it to the group; disabled computers and computers without an address are skipped.
foreach ($Computer in $ADComputers) {
    if ($Computer.Enabled -eq $True) {
        $CDN = $Computer.DistinguishedName
        Write-Verbose " *** Adding Host $CDN *** "
        if ($Computer.IPv6Address -ne $Null -And $Computer.IPv4Address -ne $Null) {
            $Result = New-CheckPointHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Ipv6address $Computer.IPv6Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN changed $TimeStamp" -SetIfExists
        }
        elseif ($Computer.IPv4Address -ne $Null) {
            $Result = New-CheckPointHost -Session $Session -Name $Computer.DNSHostName -Ipv4address $Computer.IPv4Address -Tag ActiveDirectory,$DNSRoot -Color $Color -Groups $ADG -Comments "$CDN changed $TimeStamp" -SetIfExists
        }
    }
}

# Publish Changes
Write-Verbose " *** Publish Session changes *** "
Publish-CheckPointSession -Session $Session

# Logout from Check Point API
Write-Verbose " *** Logout Session *** "
Reset-CheckPointSession -Session $Session
Close-CheckpointSession -Session $Session

# Remove Modules
Write-Verbose " *** Remove Modules *** "
Remove-Module ActiveDirectory
Remove-Module psCheckPoint

# DONE!
```
This is a basic working version. There might be some way to refine it, but it works rather well for me in my lab.
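One practical gap in a script like this is that it only ever adds: a computer that is later disabled or removed from Active Directory keeps its host object and stays in the firewall group. The following check is an added example, not part of the original script or of psCheckPoint's documentation. It reports which group members no longer correspond to an enabled AD computer and which AD computers are not in the group yet, without changing anything. The cmdlet Get-CheckPointGroup and the Members/Name properties on the returned group are assumptions about psCheckPoint; the group name is derived the same way as in the script above.

```powershell
# Added example (not the original script): compare the enabled Active Directory
# computers with the current members of the Check Point group and report the
# difference, so stale host objects can be reviewed before the next run.
Import-Module ActiveDirectory
Import-Module psCheckPoint

# Same group name the script above builds: ActiveDirectoryHosts-<DNS root>
$ADG = "ActiveDirectoryHosts-$((Get-ADDomain).DNSRoot)"

# The script only pushes enabled computers that have an IPv4 address and a
# DNS host name, so only those count as expected group members here.
$ADNames = @(
    Get-ADComputer -Filter 'Enabled -eq $true' -Property DNSHostName,IPv4Address |
        Where-Object { $null -ne $_.IPv4Address -and $null -ne $_.DNSHostName } |
        ForEach-Object { $_.DNSHostName }
)

# Prompts for the management server and credentials, as in the original script.
$Session = Open-CheckPointSession -NoCertificateValidation
try {
    # Assumption: Get-CheckPointGroup returns the group object and its Members
    # collection exposes the member objects' Name property.
    $Group   = Get-CheckPointGroup -Session $Session -Name $ADG
    $CPNames = @($Group.Members | ForEach-Object { $_.Name })

    # -notin is case-insensitive, which matches how host names behave in AD and DNS.
    $Stale   = @($CPNames | Where-Object { $_ -notin $ADNames })   # in group, no longer an enabled AD computer
    $Missing = @($ADNames | Where-Object { $_ -notin $CPNames })   # enabled AD computer, not yet in group

    [PSCustomObject]@{
        Group   = $ADG
        InAD    = $ADNames.Count
        InGroup = $CPNames.Count
        Stale   = $Stale
        Missing = $Missing
    }
}
finally {
    # Nothing was modified in this session, so it is simply closed; no publish needed.
    Close-CheckPointSession -Session $Session
}
```

Run it before the main script: the Missing list is what the next run will add, and the Stale list is what the script will never clean up on its own, so each entry there deserves a manual look (and, if confirmed decommissioned, removal from the group) to keep the firewall's object database in step with the directory.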