Check Point – How to use DBedit to create a default policy

This blog will show you how to create a default policy on a Check Point firewall, it will work on both a Security Gateway and a Virtual System.

The script will only work on a fresh installed installation, and must be created before launching Smartdashboard for the first time. (Otherwise you have to remove parts of the script)

The script creates the following:

  • Policy called Standard
  • Service group called TEST-GROUP
    • Including two custom services (tcp-8080 and tcp-135)
  • A network group called LocalNets
    • Including two internal zones (ZONE1 and ZONE2)
  • Some default firewall rules including headers, name and comments

DBEdit is very sensitive to formatting-errors, so it is important to remove any unneeded spaces, linebreaks etc.

 

Create the Standard policy
Skip this part, of you launch SmartDashboard before running your script!

create policies_collection Standard
modify policies_collections Standard all_internal_modules true
modify policies_collections Standard color black
modify policies_collections Standard default 0
update policies_collections Standard
create firewall_policy ##Standard
modify fw_policies ##Standard default 0
modify fw_policies ##Standard collection policies_collections:Standard
modify fw_policies ##Standard use_VPN_communities true
modify fw_policies ##Standard globally_enforced true
update fw_policies ##Standard

 

Create needed services and a service group

create tcp_service tcp-8080
modify services tcp-8080 port 8080
modify services tcp-8080 include_in_any false
update services tcp-8080
create tcp_service tcp-135
modify services tcp-135 port 135
modify services tcp-135 include_in_any false
update services tcp-135
create service_group TEST-GROUP
addelement services TEST-GROUP '' services:tcp-8080
addelement services TEST-GROUP '' services:tcp-135
update services TEST-GROUP

 

Create network objects and a group

create network ZONE1
modify network_objects ZONE1 ipaddr 192.168.1.0
modify network_objects ZONE1 netmask 255.255.255.0
update network_objects ZONE1
create network ZONE2
modify network_objects ZONE2 ipaddr 192.168.2.0
modify network_objects ZONE2 netmask 255.255.255.0
update network_objects ZONE2
create network_object_group LocalNets
addelement network_objects LocalNets '' network_objects:ZONE1
addelement network_objects LocalNets '' network_objects:ZONE2
modify network_objects LocalNets color dodgerblue3
update network_objects LocalNets

 

Define a “Internet” group (Just to show how to create a exclusion group)

create group_with_exception Internet
modify network_objects Internet base globals:Any
modify network_objects Internet exception network_objects:LocalNets
modify network_objects Internet color red
update network_objects Internet

 

And now for the ruleset!

addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:0:action drop_action:drop
modify fw_policies ##Standard rule:0:header_text "Pre- Firewall & Stealth"
modify fw_policies ##Standard rule:0:state collapsed
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:1:action accept_action:accept
modify fw_policies ##Standard rule:1:name "Allow icmp from LocalNets"
modify fw_policies ##Standard rule:1:comments “Created by script“
addelement fw_policies ##Standard rule:1:services:'' services:echo-request
addelement fw_policies ##Standard rule:1:src:'' network_objects:LocalNets
addelement fw_policies ##Standard rule:1:dst:'' network_objects:Internet
rmelement fw_policies ##Standard rule:1:track tracks:None
addelement fw_policies ##Standard rule:1:track tracks:Log
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:2:action drop_action:drop
modify fw_policies ##Standard rule:2:name "Deny any to gateway"
modify fw_policies ##Standard rule:2:comments "Created by script"
addelement fw_policies ##Standard rule:2:dst:'' network_objects:
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:3:action drop_action:drop
modify fw_policies ##Standard rule:3:header_text "Interzone"
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:4:action drop_action:drop
modify fw_policies ##Standard rule:4:header_text "Inbound"
addelement fw_policies ##Standard rule security_header_rule
addelement fw_policies ##Standard rule:5:action drop_action:drop
modify fw_policies ##Standard rule:5:state collapsed
modify fw_policies ##Standard rule:5:header_text "Outbound"
addelement fw_policies ##Standard rule security_rule
addelement fw_policies ##Standard rule:6:action accept_action:accept
modify fw_policies ##Standard rule:6:name "Allow WinUpdate from LocalNets"
modify fw_policies ##Standard rule:6:comments "Created by script"
addelement fw_policies ##Standard rule:6:services:'' services:https
addelement fw_policies ##Standard rule:6:src:'' network_objects:LocalNets
addelement fw_policies ##Standard rule:6:dst:'' network_objects:Internet
rmelement fw_policies ##Standard rule:6:track tracks:None
addelement fw_policies ##Standard rule:6:track tracks:Log
update fw_policies ##Standard

 

And in the end, we update it all to ensure we havent missed anything!

update_all

And we’re done! 🙂
The above code should create a complete security policy on your gateway!

The easiest way to run the above code directly from your Management Server (or Multi Domain Management server). Paste everything into a file called dbedit.cfg.
(NB: Remember to keep your dbedit.cfg clean for  more than one line break after a line, comments or anything like that! DBEdit does not handle that very well)

Then execute the following command:

dbedit -s <domain-server> -f dbedit.cfg

Domain server will of course be your mangement server, if you are running a standalone Management Server you can use localhost, if you are using a MDM then use the IP-address of the specific domain CMA.

You can also add the following parameters -u and -p to specify a user and a password, otherwise DBEdit will prompt you for both.

If you want to try DBEdit live, you can connect directly to it, with the same command just remove the -f parameter.

Thats it, if you have any questions or comments, feel free to use the comment function or send me a mail. cheers!

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.