PowerShell script that automates the creation of the Office 365 IP-address and URL objects on a Check Point R80+ management server through its web API
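<#
.Synopsis
    Create the required objects in a Checkpoint R80+ management server to allow Office 365 traffic
.DESCRIPTION
    This script will connect to https://support.content.office.net/en-us/static/O365IPAddresses.xml
    and download an XML file containing the required objects to allow Office 365 traffic to pass.
    It will then create the objects (IPv4, IPv6 addresses or URLs) into the Checkpoint management
    server using the R80+ API, according to the selected parameters.
    The Checkpoint API credentials are requested interactively and sent to the management server
    in the body of the /web_api/login request over HTTPS.
    It depends on the ConvertFrom-O365AddressesXMLFile module
    (https://github.com/it-praktyk/Convert-Office365NetworksData/tree/master/ConvertFrom-O365AddressesXMLFile).
.NOTES
    Name: Create-O365CheckpointObjects
    Version: 1.1.0
    DateCreated: 2017-02-17
    DateUpdated: 2017-03-09
.PARAMETER Server
    The mandatory Checkpoint management server hostname or IP address
.PARAMETER Port
    The Checkpoint R80 API port
    By default, 443 will be used
.PARAMETER DomainName
    An optional MDS domain name to use
.PARAMETER Service
    An optional Office 365 service to filter on (among "WAC","Sway","Planner","Yammer","OfficeMobile","ProPlus",
    "RCA","OneNote","OfficeiPad","EXO","SPO","Office365Video","LYO","Identity","CRLs","o365" and "EOP").
    If not specified, all Office 365 services objects will be created
.PARAMETER Type
    A mandatory object type to filter on (among "IPv4","IPv6","URL")
.PARAMETER Prefix
    A prefix for the Office 365 objects in the Checkpoint management server
    By default, "O365" will be used
.PARAMETER Category
    The primary category for the Office 365 application objects in the Checkpoint management server
    By default, "Microsoft & Office365 Services" will be used
.PARAMETER SkipCertificateCheck
    Accept the management server's TLS certificate without validating it (e.g. a self-signed
    certificate). An unvalidated connection can be intercepted and the API credentials captured,
    so prefer installing a trusted certificate on the management server instead.
.EXAMPLE
    Create-O365CheckpointObjects -Server cpserver -Type IPv4
    Description:
    Will create the IPv4 objects for all the Office 365 apps in a Checkpoint management server
    named "cpserver"
.EXAMPLE
    Create-O365CheckpointObjects -Server cpserver -Service LYO -Type IPv6 -Verbose
    Description:
    Will create the IPv6 network objects for Skype for Business in a Checkpoint management server
    named "cpserver"
.EXAMPLE
    Create-O365CheckpointObjects -Server cpserver -Service EOP -Type URL -Category "Exchange"
    Description:
    Will create an application object for Exchange Online, with the required URLs, and a primary
    category set to "Exchange"
#>
[CmdletBinding()]
Param (
    [Parameter(Mandatory=$true)]
    [string]$Server,
    [Parameter()]
    [ValidateRange(1, 65535)]
    [int]$Port = 443,
    [Parameter()]
    [string]$DomainName,
    [Parameter()]
    [ValidateSet("WAC","Sway","Planner","Yammer","OfficeMobile","ProPlus","RCA","OneNote",
                 "OfficeiPad","EXO","SPO","Office365Video","LYO","Identity","CRLs","o365","EOP")]
    [string]$Service,
    [Parameter()]
    [string]$Prefix = "O365",
    [Parameter()]
    [string]$Category = "Microsoft & Office365 Services",
    [Parameter(Mandatory=$true)]
    [ValidateSet("IPv4","IPv6","URL")]
    [string]$Type,
    # Explicit opt-in only: disabling TLS validation exposes the API credentials to interception
    [Parameter()]
    [switch]$SkipCertificateCheck
)

# Import the required module (it downloads and parses Microsoft's O365IPAddresses.xml)
If (-not (Get-Module -ListAvailable -Name ConvertFrom-O365AddressesXMLFile)) {
    Write-Host "The ConvertFrom-O365AddressesXMLFile module is not installed. Exiting" -BackgroundColor Red
    Exit 1
}
If (-not (Get-Module ConvertFrom-O365AddressesXMLFile)) {
    Import-Module ConvertFrom-O365AddressesXMLFile
}

# The URL blacklist: with -Type URL, every entry from Microsoft's list whose Url matches this
# regular expression is dropped. Tokens match as substrings anywhere in the URL (e.g. "bing"
# also drops "bingo"), and a literal dot has to be escaped or it matches any character.
$blacklist = "facebook|youtube|evernote|google-analytics|wunderlist|flurry|adjust|uservoice|hockeyapp|box\.com|webtrends|tific|yahoo|bing|apple"

# Checkpoint API URIs (R80+ management web API, always over HTTPS)
$loginURI   = "https://${Server}:${Port}/web_api/login"
$logoutURI  = "https://${Server}:${Port}/web_api/logout"
$discardURI = "https://${Server}:${Port}/web_api/discard"
$publishURI = "https://${Server}:${Port}/web_api/publish"
$addNetURI  = "https://${Server}:${Port}/web_api/add-network"
$AddAppURI  = "https://${Server}:${Port}/web_api/add-application-site"
$SetGrpURI  = "https://${Server}:${Port}/web_api/set-group"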
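# FUNCTIONS

# Send one JSON request to the Checkpoint web API.
# Returns the raw Invoke-WebRequest response object (StatusCode, Content, ...) on success,
# or $null when the request failed; with -stoponerror $True a failure ends the script instead.
Function CPAPIRequest {
    [CmdletBinding()]
    Param (
        # Full endpoint URI, e.g. https://server:443/web_api/login
        [Parameter(Mandatory=$true)]
        [string]$uri,
        # Request payload (hashtable); serialised with ConvertTo-Json -Compress
        [Parameter(Mandatory=$true)]
        $body,
        # HTTP verb; every web_api call in this script is a POST
        [string]$method = "POST",
        # Optional headers, normally @{"x-chkp-sid"=<session id>} once logged in
        $headers,
        # When $True a failed request exits the script with status 1 (used for /login)
        [bool]$stoponerror = $False
    )
    Process {
        $mybodyjson = $body | ConvertTo-Json -Compress
        $myresponse = $null
        $requestArgs = @{
            Uri         = $uri
            ContentType = "application/json"
            Method      = $method
            Body        = $mybodyjson
            ErrorAction = "Stop"
            # Basic parsing avoids the Internet Explorer engine dependency of Windows PowerShell
            # (fails on hosts where IE first-run setup never completed); StatusCode/Content are unaffected.
            UseBasicParsing = $True
        }
        If ($headers -and $headers.Count -gt 0) { $requestArgs.Headers = $headers }
        try {
            $myresponse = Invoke-WebRequest @requestArgs
        } catch {
            # Report on the warning stream, never on the output stream: anything written to
            # output here would become part of the function's return value and break
            # "$myresponse.Content" at the call site. The request body is deliberately not
            # echoed - for /login it contains the password.
            Write-Warning ("Request to {0} failed: {1}" -f $uri, $_.Exception.Message)
            # Connection-level failures carry no HTTP response at all; only read the API's
            # error document when there is one, and release the reader afterwards.
            $failedResponse = $_.Exception.Response
            If ($failedResponse) {
                $reader = $null
                try {
                    $reader = New-Object System.IO.StreamReader($failedResponse.GetResponseStream())
                    Write-Warning $reader.ReadToEnd()
                } catch {
                    Write-Verbose ("Could not read the error body: {0}" -f $_.Exception.Message)
                } finally {
                    If ($reader) { $reader.Dispose() }
                }
            }
            If ($stoponerror) { Exit 1 }
        }
        Return $myresponse
    }
}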
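# MAIN
Clear-Host
Write-Host "************************************************************"
Write-Host "This script will create the required objects in a Checkpoint" -ForegroundColor Yellow
Write-Host "R80+ management server to allow Office 365 traffic to pass." -ForegroundColor Yellow
Write-Host "************************************************************"
Write-Host "*************** Getting objects from Office 365 ******************" -BackgroundColor Yellow -ForegroundColor Black
Write-Host

# Download Microsoft's list (this happens before any change to TLS validation further down)
$objs = ConvertFrom-O365AddressesXMLFile
If ($Service) {
    Write-Host "Filtering on service $Service..."
    $objs = $objs | Where-Object { $_.Service -eq $Service }
}
Write-Host "Filtering on type $Type..."
$objs = $objs | Where-Object { $_.type -eq $Type }
If ($Type -eq "URL") {
    Write-Host "Applying the URL blacklist..."
    $objs = $objs | Where-Object { $_.Url -notmatch $blacklist }
}
Write-Host
Write-Verbose "Objects downloaded from Microsoft :"
Write-Verbose ($objs | Format-Table | Out-String)

# Count the objects and get an explicit go-ahead before touching the management server
$count = ($objs | Measure-Object).Count
If ($count -eq 0) {
    Write-Host "Cannot find Office 365 objects. Exiting" -BackgroundColor Red
    Exit 1
}
Write-Host "Found $count objects matching the filters"
$confirmation = Read-Host "Are you sure you want to proceed (y|n) ?"
If ($confirmation -ne 'y') { Exit }

# Prompt for Checkpoint credentials. The /login call takes the password in clear text in the
# JSON body, so it is pulled out of the PSCredential here; every variable holding it is
# removed as soon as the login request has been sent.
$cred = $host.ui.PromptForCredential('Credentials', 'Please enter the credentials to access the Checkpoint API', '', '')
If (-not $cred) { Exit }
$myCredentialhash = @{ user = $cred.UserName; password = $cred.GetNetworkCredential().Password }
If ($DomainName.Length -gt 0) { $myCredentialhash.Add("domain", $DomainName) }

# ServerCertificateValidationCallback is process-wide state: it applies to every HTTPS request
# made afterwards in this PowerShell session, not only to this script. It is therefore only
# disabled when the caller explicitly opted in with -SkipCertificateCheck (otherwise the
# management server's certificate is validated before the credentials are sent) and it is
# restored in the outer finally block below.
$savedCertCallback = [System.Net.ServicePointManager]::ServerCertificateValidationCallback
If ($SkipCertificateCheck) {
    Write-Warning "TLS certificate validation is disabled: the management server's identity will NOT be verified."
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True }
}
try {
    $myresponse = CPAPIRequest -uri $loginURI -body $myCredentialhash -stoponerror $True
    # Remove every variable that holds the clear-text password
    Remove-Variable -Name "myCredentialhash", "cred" -ErrorAction SilentlyContinue

    # Without a session id every later call would be rejected by the API
    $mysid = ($myresponse.Content | ConvertFrom-Json).sid
    If (-not $mysid) {
        Write-Host "Login did not return a session id. Exiting" -BackgroundColor Red
        Exit 1
    }
    $myCPHeader = @{ "x-chkp-sid" = $mysid }
    $AddGrpURI = "https://${Server}:${Port}/web_api/add-group"

    Write-Host "***************** Creating O365 objects ********************" -BackgroundColor Yellow -ForegroundColor Black
    try {
        # One application site (URL) or one group of networks (IPv4/IPv6) per Office 365 service
        Foreach ($srv in ($objs | Select-Object -Unique Service)) {
            $svcObjs = $objs | Where-Object { $_.Service -eq $srv.Service }
            $grpname = "{0}_{1}_{2}" -f $Prefix, $Type, $srv.Service
            If ($Type -eq "URL") {
                $urllist = @()
                Foreach ($node in $svcObjs) {
                    $URL = "$($node.Url)".Trim()
                    If ($URL -eq "") { Continue } # Skip empty URLs
                    # Turn Microsoft's wildcard host pattern into a regular expression for
                    # "urls-defined-as-regular-expression": escape the dots, expand "*" to ".*".
                    # NOTE(review): the pattern is not anchored with ^ or $ - confirm how Checkpoint
                    # matches application-site regexes before relying on that.
                    $URL = $URL -replace "\.", "\." -replace "\*", ".*"
                    Write-Host "Adding object $URL of type $Type"
                    $urllist += $URL
                }
                Write-Host "Creating application $grpname" -ForegroundColor Green
                $mybody = @{
                    name                                 = $grpname
                    "primary-category"                   = $Category
                    color                                = "cyan"
                    "urls-defined-as-regular-expression" = $True
                    "url-list"                           = $urllist
                }
                $myresponse = CPAPIRequest -uri $AddAppURI -body $mybody -headers $myCPHeader
            }
            Else { # IPv4 or IPv6: one network object per subnet, all of them collected in a group
                Write-Host "Creating group $grpname" -ForegroundColor Green
                $mybody = @{ name = $grpname; color = "cyan" }
                $myresponse = CPAPIRequest -uri $AddGrpURI -body $mybody -headers $myCPHeader
                $members = @()
                Foreach ($node in $svcObjs) {
                    $IPaddress = ($node.IPAddress).IPAddressToString
                    $Name = "{0}_{1}_{2}" -f $Prefix, $Type, $IPaddress
                    Write-Host "Creating object $Name of type $Type"
                    $mybody = @{ name = $Name; color = "cyan"; subnet = $IPaddress; "mask-length" = $node.SubNetMaskLength }
                    $myresponse = CPAPIRequest -uri $addNetURI -body $mybody -headers $myCPHeader
                    $members += $Name
                }
                Write-Host "Adding objects to group $grpname" -ForegroundColor Green
                $myresponse = CPAPIRequest -uri $SetGrpURI -body @{ name = $grpname; members = $members } -headers $myCPHeader
            }
        }
        Write-Host
        $confirmation = Read-Host "Do you want to publish the objects (y|n) ?"
        If ($confirmation -eq 'y') {
            # Publish the objects
            $myresponse = CPAPIRequest -uri $publishURI -body @{} -headers $myCPHeader
            If ($myresponse.StatusCode -eq 200) {
                Write-Host "Successfully published the objects." -ForegroundColor Green
            }
            Else {
                Write-Host "Error when publishing the objects." -ForegroundColor Red
            }
        }
        Else {
            $myresponse = CPAPIRequest -uri $discardURI -body @{} -headers $myCPHeader
        }
    }
    finally {
        # Always close the API session, even when the object creation above was aborted
        $myresponse = CPAPIRequest -uri $logoutURI -body @{} -headers $myCPHeader
    }
}
finally {
    # Put the process-wide certificate validation back the way it was found
    [System.Net.ServicePointManager]::ServerCertificateValidationCallback = $savedCertCallback
}
Write-Host "********************** End of script ***********************" -BackgroundColor Yellow -ForegroundColor Black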