Check Point – How to use DBedit to create a default policy
This blog post shows how to create a default policy on a Check Point firewall; it works on both a Security Gateway and a Virtual System.
The script only works on a freshly installed system and must be run before SmartDashboard is launched for the first time (otherwise you have to remove parts of the script, see the note below).
The script creates the following:
- Policy called Standard
- Service group called TEST-GROUP
- including two custom services (tcp-8080 and tcp-135)
- A network group called LocalNets
- including two internal networks (ZONE1 and ZONE2)
- Some default firewall rules, including section headers, rule names and comments
DBEdit is very sensitive to formatting errors, so remove any unneeded spaces, line breaks and the like before running the file.
Create the Standard policy
Skip this part if you launched SmartDashboard before running your script: the Standard policy then already exists.
create policies_collection Standard
modify policies_collections Standard all_internal_modules true
modify policies_collections Standard color black
modify policies_collections Standard default 0
update policies_collections Standard
create firewall_policy ##Standard
modify fw_policies ##Standard default 0
modify fw_policies ##Standard collection policies_collections:Standard
modify fw_policies ##Standard use_VPN_communities true
modify fw_policies ##Standard globally_enforced true
update fw_policies ##Standard
Create needed services and a service group
create tcp_service tcp-8080
modify services tcp-8080 port 8080
modify services tcp-8080 include_in_any false
update services tcp-8080
create tcp_service tcp-135
modify services tcp-135 port 135
modify services tcp-135 include_in_any false
update services tcp-135
create service_group TEST-GROUP
addelement services TEST-GROUP '' services:tcp-8080
addelement services TEST-GROUP '' services:tcp-135
update services TEST-GROUP
Create network objects and a group
create network ZONE1
modify network_objects ZONE1 ipaddr 192.168.1.0
modify network_objects ZONE1 netmask 255.255.255.0
update network_objects ZONE1
create network ZONE2
modify network_objects ZONE2 ipaddr 192.168.2.0
modify network_objects ZONE2 netmask 255.255.255.0
update network_objects ZONE2
create network_object_group LocalNets
addelement network_objects LocalNets '' network_objects:ZONE1
addelement network_objects LocalNets '' network_objects:ZONE2
modify network_objects LocalNets color dodgerblue3
update network_objects LocalNets
Define an "Internet" group, just to show how to create an exclusion group (here: Any, except the LocalNets group)
create group_with_exception Internet
modify network_objects Internet base globals:Any
modify network_objects Internet exception network_objects:LocalNets
modify network_objects Internet color red
update network_objects Internet
And now for the ruleset! Note that rule 2 ("Deny any to gateway") should have your gateway object as its destination; the object name after "network_objects:" in that line is missing from the listing, so fill in the name of your own gateway object before running the script.
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:0:action drop_action:drop
modify fw_policies ##Standard rule:0:header_text "Pre- Firewall & Stealth"
modify fw_policies ##Standard rule:0:state collapsed
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:1:action accept_action:accept
modify fw_policies ##Standard rule:1:name "Allow icmp from LocalNets"
modify fw_policies ##Standard rule:1:comments "Created by script"
addelement fw_policies ##Standard rule:1:services:'' services:echo-request
addelement fw_policies ##Standard rule:1:src:'' network_objects:LocalNets
addelement fw_policies ##Standard rule:1:dst:'' network_objects:Internet
rmelement fw_policies ##Standard rule:1:track tracks:None
addelement fw_policies ##Standard rule:1:track tracks:Log
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:2:action drop_action:drop
modify fw_policies ##Standard rule:2:name "Deny any to gateway"
modify fw_policies ##Standard rule:2:comments "Created by script"
addelement fw_policies ##Standard rule:2:dst:'' network_objects:
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:3:action drop_action:drop
modify fw_policies ##Standard rule:3:header_text "Interzone"
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:4:action drop_action:drop
modify fw_policies ##Standard rule:4:header_text "Inbound"
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:5:action drop_action:drop
modify fw_policies ##Standard rule:5:state collapsed
modify fw_policies ##Standard rule:5:header_text "Outbound"
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:6:action accept_action:accept
modify fw_policies ##Standard rule:6:name "Allow WinUpdate from LocalNets"
modify fw_policies ##Standard rule:6:comments "Created by script"
addelement fw_policies ##Standard rule:6:services:'' services:https
addelement fw_policies ##Standard rule:6:src:'' network_objects:LocalNets
addelement fw_policies ##Standard rule:6:dst:'' network_objects:Internet
rmelement fw_policies ##Standard rule:6:track tracks:None
addelement fw_policies ##Standard rule:6:track tracks:Log
update fw_policies ##Standard
And in the end, we update everything to make sure nothing was missed:
update_all
And we're done! 🙂
The above commands create a complete security policy in your management database; it still has to be installed on the gateway afterwards (for example from SmartDashboard).
The easiest way to run the above commands is directly on your Management Server (or Multi-Domain Management server). Paste everything into a file called dbedit.cfg.
(NB: keep your dbedit.cfg clean: one command per line, no blank lines, no comments, nothing else. DBEdit does not handle anything else well.)
Then execute the following command:
dbedit -s <domain-server> -f dbedit.cfg
The domain server is your management server: on a standalone Management Server use localhost; on a Multi-Domain Management (MDM) server use the IP address of the specific domain (CMA).
You can also add the -u and -p parameters to specify a user and a password; otherwise DBEdit prompts you for both.
If you want to try DBEdit interactively, connect with the same command and simply leave out the -f parameter.
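Because DBEdit rejects files with blank lines, comments, stray whitespace or smart quotes, and because the object definitions above all follow the same create/modify/update pattern, it pays to generate and lint the file by script instead of hand-editing it. The following POSIX shell script is an added example (my own, not code from the original post and not a Check Point tool): it emits the network-object and group commands from a "NAME CIDR" list, converting a prefix length into the dotted netmask DBEdit expects, and lints or cleans a dbedit.cfg before it is handed to dbedit -f. The object names, the sample networks and the deliberately broken sample file are constructed for illustration; the script does not talk to dbedit itself.

```shell
#!/bin/sh
# Added example, not from the original post: build the network-object part of a
# dbedit.cfg from a plain list, and lint/clean the file for the formatting
# mistakes DBEdit rejects. Names, networks and the sample file are constructed.

# Curly quotes as UTF-8 byte sequences (what you get when pasting from a web
# page or word processor instead of typing straight quotes).
LQ=$(printf '\342\200\234')   # left double quote
RQ=$(printf '\342\200\235')   # right double quote
LSQ=$(printf '\342\200\230')  # left single quote
RSQ=$(printf '\342\200\231')  # right single quote

# prefix_to_mask PREFIX -> dotted-quad netmask ("netmask 255.255.255.0", not /24).
prefix_to_mask() {
    p=$1
    [ "$p" -ge 0 ] && [ "$p" -le 32 ] || { echo "bad prefix: $p" >&2; return 1; }
    mask=""; i=0
    while [ "$i" -lt 4 ]; do
        if [ "$p" -ge 8 ]; then octet=255; p=$((p - 8))
        else octet=$(( (255 << (8 - p)) & 255 )); p=0
        fi
        mask="${mask}${mask:+.}${octet}"
        i=$((i + 1))
    done
    printf '%s\n' "$mask"
}

# gen_network_objects: stdin lines "NAME CIDR" -> create/modify/update commands,
# one per line, in the same order the post uses for ZONE1 and ZONE2.
gen_network_objects() {
    while read -r name cidr; do
        [ -n "$name" ] || continue
        case "$cidr" in */*) ;; *) cidr="$cidr/32" ;; esac   # bare host -> /32
        ip=${cidr%/*}
        mask=$(prefix_to_mask "${cidr#*/}") || return 1
        printf 'create network %s\n' "$name"
        printf 'modify network_objects %s ipaddr %s\n' "$name" "$ip"
        printf 'modify network_objects %s netmask %s\n' "$name" "$mask"
        printf 'update network_objects %s\n' "$name"
    done
}

# gen_network_group GROUP MEMBER... -> a network_object_group holding the members.
gen_network_group() {
    group=$1; shift
    printf 'create network_object_group %s\n' "$group"
    for m in "$@"; do
        printf "addelement network_objects %s '' network_objects:%s\n" "$group" "$m"
    done
    printf 'update network_objects %s\n' "$group"
}

# lint_dbedit_cfg FILE: print "LINE: problem" for every line DBEdit is likely to
# choke on; returns 1 if anything was found, 0 for a clean file.
lint_dbedit_cfg() {
    rc=0; n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            "")            printf '%d: blank line\n' "$n"; rc=1 ;;
            "#"*)          printf '%d: comment line\n' "$n"; rc=1 ;;
            *[[:space:]])  printf '%d: trailing whitespace\n' "$n"; rc=1 ;;
            [[:space:]]*)  printf '%d: leading whitespace\n' "$n"; rc=1 ;;
        esac
        case "$line" in
            *"$LQ"*|*"$RQ"*|*"$LSQ"*|*"$RSQ"*)
                printf '%d: curly quote, use straight quotes\n' "$n"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}

# clean_dbedit_cfg FILE: straighten quotes, strip surrounding whitespace, drop
# blank and comment lines; the cleaned file goes to stdout.
clean_dbedit_cfg() {
    sed -e "s/$LQ/\"/g" -e "s/$RQ/\"/g" -e "s/$LSQ/'/g" -e "s/$RSQ/'/g" \
        -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' -e '/^#/d' "$1"
}

# sample_bad_cfg: constructed input with the mistakes the post warns about
# (a blank line, curly quotes, a trailing space).
sample_bad_cfg() {
    printf 'create network ZONE1\n'
    printf '\n'
    printf 'modify network_objects ZONE1 comments %sbad quotes%s\n' "$LQ" "$RQ"
    printf 'update network_objects ZONE1 \n'
}

# Demo (run as: sh dbedit_tools.sh demo): generate objects, lint a bad file, clean it.
if [ "${1-}" = "demo" ]; then
    printf 'ZONE1 192.168.1.0/24\nZONE2 192.168.2.0/24\n' | gen_network_objects
    gen_network_group LocalNets ZONE1 ZONE2
    tmp=$(mktemp)
    sample_bad_cfg > "$tmp"
    lint_dbedit_cfg "$tmp" || echo "lint: fix the lines above before running dbedit -f"
    clean_dbedit_cfg "$tmp"
    rm -f "$tmp"
fi
```

In practice you would pipe the generator output into dbedit.cfg, run lint_dbedit_cfg on the finished file (whether generated or hand-written) and only then call dbedit -s ... -f dbedit.cfg. The linter treats a line starting with "#" as a comment; this does not clash with the "##Standard" policy name, because that token never starts a line.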
That's it. If you have any questions or comments, feel free to use the comment function or send me a mail. Cheers!