To load all Amazon networks into Check Point objects (R80) you can use this PowerShell script.
Make sure you have the psCheckPoint module installed.
During testing I found it would put a significant load on the firewall.
This is just an experimental script for now.
#
# Download Amazon network Details
#
# (C) 2017, Hugo van der Kooij
#
# Don't forget to run `Install-Module psCheckPoint` (as administrator) once!
#
# WARNING: This script may put a significant load on your SmartCenter!
#
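# Import Modules
Write-Host " *** Loading Modules *** "
# Stop right here when psCheckPoint is not installed. Without -ErrorAction Stop
# the import error is non-terminating, the AWS download still runs, and the
# script only dies later with a less obvious "cmdlet not recognized" error.
Import-Module psCheckPoint -ErrorAction Stop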
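# Download Amazon AWS IP Ranges into Object
$AmazonAWSURI = "https://ip-ranges.amazonaws.com/ip-ranges.json"
# Invoke-RestMethod hands back the parsed JSON directly (same object shape as
# Invoke-WebRequest | ConvertFrom-Json) and does not depend on the HTML parser
# that Invoke-WebRequest may require on Windows PowerShell 5.1. A failed
# download must be fatal: continuing would create groups from an empty document.
# Certificate validation is still in force for this request; it is only
# relaxed further down, for the Check Point API calls.
$AmazonAWS = Invoke-RestMethod -Uri $AmazonAWSURI -DisableKeepAlive -ErrorAction Stop
if (-not $AmazonAWS.prefixes -and -not $AmazonAWS.ipv6_prefixes) {
    throw "No prefixes found in $AmazonAWSURI"
}
$SyncToken = $AmazonAWS.syncToken
$CreateDate = $AmazonAWS.createDate
# $Marker / $Comments record which published AWS data set every object came from.
$Marker = "syncToken = $SyncToken; createDate = $CreateDate"
$Comments = "Amazon AWS - $Marker"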
# Ignore Certificate Block on self-sign certificate
Write-Verbose " *** Ignore Private Certificates *** "
# NOTE(review): this callback is process-wide. From here until it is reset,
# every HTTPS connection made by this process accepts any certificate, not
# only the one to the SmartCenter. The AWS download above has already
# completed, so it was not affected. Installing the management server's CA
# (or pinning its certificate, if the module supports that) would avoid
# switching validation off at all.
[Net.ServicePointManager]::ServerCertificateValidationCallback = { return $True }
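# Login to Check Point API to get Session ID
Write-Verbose " *** Log in to Check Point Smart Center API *** "
# No credentials live in this script; Open-CheckPointSession obtains them
# itself (presumably interactively - confirm against the module's docs).
# If no session comes back, stop now instead of running every later cmdlet
# with $null and only failing at publish time.
$Session = Open-CheckPointSession -SessionName "AmazonAWS" -SessionComments "Amazon AWS Filler" -SessionTimeOut 180 -ErrorAction Stop
if (-not $Session) {
    throw "Could not open a Check Point API session"
}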
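# Umbrella group that every AWS network object created below is a member of.
# The session object is deliberately left out of the log line: it holds the
# API session state (possibly the session id) and does not belong in a
# verbose stream or transcript.
Write-Verbose "New-CheckPointGroup -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments $Comments"
$Object = New-CheckPointGroup -Session $Session -Name Amazon_AWS -Tag AmazonAWS -Color Orange -Comments "$Comments"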
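# One group per AWS service. Get-Unique only drops *adjacent* duplicates, so
# the list has to be sorted first (as the region list is); unsorted, the same
# service group would be created over and over.
$Services = ($AmazonAWS.prefixes.service + $AmazonAWS.ipv6_prefixes.service) | Sort-Object | Get-Unique
ForEach ($Service in $Services) {
    $GroupName = "Amazon_AWS_Service_$Service"
    # The session object is not echoed: it carries API session state that
    # should stay out of console output and transcripts.
    Write-Host "New-CheckPointGroup -Name $GroupName -Tag AmazonAWS,$Service -Color Orange -Comments $Comments"
    $Object = New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Service -Color "Orange" -Comments "$Comments"
}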
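# One group per AWS region (sorted so Get-Unique sees duplicates side by side).
$Regions = ($AmazonAWS.prefixes.region + $AmazonAWS.ipv6_prefixes.region) | Sort-Object | Get-Unique
ForEach ($Region in $Regions) {
    $GroupName = "Amazon_AWS_Region_$Region"
    # The session object is not echoed: it carries API session state that
    # should stay out of console output and transcripts.
    Write-Host "New-CheckPointGroup -Name $GroupName -Tag AmazonAWS,$Region -Color Orange -Comments $Comments"
    $Object = New-CheckPointGroup -Session $Session -Name $GroupName -Tag AmazonAWS,$Region -Color "Orange" -Comments "$Comments"
}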
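# One network object per IPv4 prefix, filed under the umbrella, service and
# region groups. Values taken from the downloaded JSON are passed to the
# cmdlet as parameters, never spliced into a command string, so they cannot
# change what gets executed.
foreach ($Prefix in $AmazonAWS.prefixes) {
    # ip_prefix is CIDR text (e.g. "10.0.0.0/8" - constructed example); split
    # it into the address and the mask length.
    $Network, $NetworkMaskLength = $Prefix.ip_prefix.Split("/")
    $Region = $Prefix.region
    $RegionGroup = "Amazon_AWS_Region_$Region"
    $Service = $Prefix.service
    $ServiceGroup = "Amazon_AWS_Service_$Service"
    $Name = "Amazon_AWS_$Network/$NetworkMaskLength"
    # Session object kept out of the console output; it holds API session state.
    Write-Host "New-CheckPointNetwork -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
    $Object = New-CheckPointNetwork -Session $Session -Name $Name -Subnet4 $Network -MaskLength4 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}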
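# One network object per IPv6 prefix, mirroring the IPv4 loop above.
# JSON values are passed as cmdlet parameters, not interpolated into commands.
foreach ($Prefix in $AmazonAWS.ipv6_prefixes) {
    # ipv6_prefix is CIDR text; split it into the address and the mask length.
    $Network, $NetworkMaskLength = $Prefix.ipv6_prefix.Split("/")
    $Region = $Prefix.region
    $RegionGroup = "Amazon_AWS_Region_$Region"
    $Service = $Prefix.service
    $ServiceGroup = "Amazon_AWS_Service_$Service"
    # Was "$NetworkMask", an undefined variable that always expanded to "".
    Write-Verbose "$Network/$NetworkMaskLength | $Region | $Service"
    $Name = "Amazon_AWS_$Network/$NetworkMaskLength"
    # Session object kept out of the console output; it holds API session state.
    Write-Host "New-CheckPointNetwork -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups Amazon_AWS,$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments $Comments"
    $Object = New-CheckPointNetwork -Session $Session -Name $Name -Subnet6 $Network -MaskLength6 $NetworkMaskLength -Color Orange -Groups "Amazon_AWS",$ServiceGroup,$RegionGroup -Tags AmazonAWS,$Service,$Region -Comments "$Comments"
}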
# Publish Changes
Write-Verbose " *** Publish Session changes *** "
# Everything created above is pending in the session until it is published;
# Reset-CheckPointSession is then run on the same session (its exact effect
# is not visible from this script).
$SessionArgs = @{ Session = $Session }
Publish-CheckPointSession @SessionArgs
Reset-CheckPointSession @SessionArgs
# Logout from Check Point API
Write-Verbose " *** Logout Session *** "
# End the API session so the session id stops being valid on the SmartCenter.
Close-CheckPointSession -Session:$Session
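# Ignore Certificate Block on self-sign certificate no longer
Write-Verbose " *** Ignore Private Certificates no longer *** "
# $null puts the .NET default certificate validation back. The previous
# callback { $False } did not restore anything: it REJECTED every certificate,
# so any later HTTPS call in this process (including other scripts in the
# same PowerShell session) would have failed.
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = $null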
# Remove Modules
Write-Verbose " *** Remove Modules *** "
# Unload the module again now that the session is closed.
Remove-Module -Name psCheckPoint
# DONE!
This script is intended to run once at the moment. I will update it in time to make sure you can run it repeatedly.