Check Point – How to use DBedit to create a default policy

This blog will show you how to create a default policy on a Check Point firewall; it works on both a Security Gateway and a Virtual System.

The script only works on a fresh installation and must be run before launching SmartDashboard for the first time (otherwise you have to remove parts of the script).

The script creates the following:

  • Policy called Standard
  • Service group called TEST-GROUP
    • Including two custom services (tcp-8080 and tcp-135)
  • A network group called LocalNets
    • Including two internal zones (ZONE1 and ZONE2)
  • Some default firewall rules including headers, name and comments

DBedit is very sensitive to formatting errors, so it is important to remove any unneeded spaces, line breaks etc.


Create the Standard policy
Skip this part if you launched SmartDashboard before running your script!


Create needed services and a service group


Create network objects and a group


Define an “Internet” group (just to show how to create an exclusion group)


And now for the ruleset!


And in the end, we update it all to ensure we haven't missed anything!

And we’re done! 🙂
The above code should create a complete security policy on your gateway!

The easiest way is to run the above code directly from your Management Server (or Multi-Domain Management server): paste everything into a file called dbedit.cfg.
(NB: keep your dbedit.cfg clean: no more than one line break after a line, no comments or anything like that! DBedit does not handle that very well.)

Then execute the following command:

The domain server will of course be your management server: if you are running a standalone Management Server you can use localhost; if you are using an MDM, use the IP address of the specific domain CMA.

You can also add the parameters -u and -p to specify a user and a password; otherwise DBedit will prompt you for both.

If you want to try DBedit live, you can connect directly to it with the same command; just remove the -f parameter.
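As an added example (my own shell wrapper, not code from the original post, whose script blocks are not reproduced here), the following writes a dbedit.cfg that builds the objects listed at the top of the post (the Standard policy, tcp-8080 and tcp-135 in TEST-GROUP, ZONE1 and ZONE2 in LocalNets, the Internet exclusion group and one rule), lints the file for the whitespace and comment problems DBedit trips over, and prints the dbedit invocation described above. The object names are the post's; the 10.1.0.0/16 and 10.2.0.0/16 ranges are constructed sample values; the `group_with_exception` field names (`base`, `exception`) and the `rule:0:...` field syntax are written from memory of Check Point's dbedit command reference and are assumptions to check against the documentation for your version.

```shell
#!/bin/sh
# build_dbedit_cfg.sh (added example, not the original post's script)
# Usage: sh build_dbedit_cfg.sh dbedit.cfg
# Then, on the management server: dbedit -s <domain-server> -u admin -f dbedit.cfg

# Write the dbedit script. The quoted heredoc keeps '' and ## literal. No comments or
# double blank lines go into the file, because DBedit does not tolerate them.
write_dbedit_cfg() {
cat > "$1" <<'EOF'
create firewall_policy ##Standard
create tcp_service tcp-8080
modify services tcp-8080 port 8080
update services tcp-8080
create tcp_service tcp-135
modify services tcp-135 port 135
update services tcp-135
create service_group TEST-GROUP
addelement services TEST-GROUP '' services:tcp-8080
addelement services TEST-GROUP '' services:tcp-135
update services TEST-GROUP
create network ZONE1
modify network_objects ZONE1 ipaddr 10.1.0.0
modify network_objects ZONE1 netmask 255.255.0.0
update network_objects ZONE1
create network ZONE2
modify network_objects ZONE2 ipaddr 10.2.0.0
modify network_objects ZONE2 netmask 255.255.0.0
update network_objects ZONE2
create network_object_group LocalNets
addelement network_objects LocalNets '' network_objects:ZONE1
addelement network_objects LocalNets '' network_objects:ZONE2
update network_objects LocalNets
create group_with_exception Internet
modify network_objects Internet base globals:Any
modify network_objects Internet exception network_objects:LocalNets
update network_objects Internet
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:0:name "LocalNets to Internet"
modify fw_policies ##Standard rule:0:comments "Outbound from the internal zones"
addelement fw_policies ##Standard rule:0:src:'' network_objects:LocalNets
rmbyindex fw_policies ##Standard rule:0:src 0
addelement fw_policies ##Standard rule:0:dst:'' network_objects:Internet
rmbyindex fw_policies ##Standard rule:0:dst 0
addelement fw_policies ##Standard rule:0:services:'' services:TEST-GROUP
rmbyindex fw_policies ##Standard rule:0:services 0
addelement fw_policies ##Standard rule:0:action accept_action:accept
addelement fw_policies ##Standard rule:0:track tracks:Log
addelement fw_policies ##Standard rule:0:install:'' globals:Any
modify fw_policies ##Standard rule:0:disabled false
update fw_policies ##Standard
update_all
savedb
EOF
}

# Lint a dbedit script: trailing whitespace, tabs, comment lines and consecutive blank
# lines are exactly the things the post warns DBedit does not handle. Exit 0 if clean,
# otherwise print each offending line number and exit 1.
lint_dbedit_cfg() {
  awk '
    /[ \t]+$/                 { printf "line %d: trailing whitespace\n", NR; bad = 1 }
    /\t/                      { printf "line %d: tab character\n", NR; bad = 1 }
    /^#/                      { printf "line %d: comment line\n", NR; bad = 1 }
    /^$/ && NR > 1 && prev == "" { printf "line %d: consecutive blank lines\n", NR; bad = 1 }
    { prev = $0 }
    END { exit bad }
  ' "$1"
}

if [ "$#" -gt 0 ]; then
  write_dbedit_cfg "$1" && lint_dbedit_cfg "$1" \
    && echo "$1 is clean; load it with: dbedit -s <domain-server> -u admin -f $1"
fi
```

Run it as `sh build_dbedit_cfg.sh dbedit.cfg`, copy the file to the management server and load it with `dbedit -s <domain-server> -u admin -f dbedit.cfg`; add `-p` to supply the password non-interactively, or drop `-f` to type the same lines into an interactive dbedit session.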

That's it; if you have any questions or comments, feel free to use the comment function or send me a mail. Cheers!
