CPUG - The Check Point User Group
A Resource For The Check Point Community. Fast. Useful. Independent.
How do I create a large number of objects via the command line?

In FireWall-1 NG, bulk creation of objects is accomplished through the use of the command-line program dbedit, which provides a protected interface to the CheckPoint object database tables, along with object validation.

WARNING: While several individuals have reported that the following works, dbedit may or may not be a supported way to perform these operations. The only supported way to create network objects is via the Policy Editor or SmartDashboard application.

The dbedit commands to create a simple network object are as follows (x.y.z.w is the IP address, a.b.c.d is the netmask, sample-host is the name of the object):

```
dbedit> create network sample-network
dbedit> modify network_objects sample-network ipaddr x.y.z.w
dbedit> modify network_objects sample-network netmask a.b.c.d
dbedit> modify network_objects sample-network comments "This is a sample network"
dbedit> update network_objects sample-network
```

To create a simple host object (e.f.g.h is the host object IP):

```
dbedit> create host_plain sample-host
dbedit> modify network_objects sample-host ipaddr e.f.g.h
dbedit> update network_objects sample-host
```

To group the objects together:

```
dbedit> create network_object_group sample-group
dbedit> addelement network_objects sample-group '' network_objects:sample-network
dbedit> addelement network_objects sample-group '' network_objects:sample-host
dbedit> update network_objects sample-group
```

To create a network object with automatic NAT:

```
dbedit> create host_plain london
dbedit> modify network_objects london ipaddr 192.168.1.1
dbedit> modify network_objects london color red
dbedit> modify network_objects london comments "This is london calling"
dbedit> modify network_objects london add_adtr_rule true
dbedit> modify network_objects london NAT NAT
dbedit> modify network_objects london NAT:valid_ipaddr 195.195.195.3
dbedit> modify network_objects london NAT:netobj_adtr_method adtr_static
dbedit> modify network_objects london SNMP:write_community abc123
dbedit> update network_objects london
```

In the above, if you wanted to do hide mode, replace adtr_static with adtr_hide.

To create a service:

```
dbedit> create other_service ms_rdp
dbedit> modify services ms_rdp color red
dbedit> modify services ms_rdp comments "Microsoft Remote Desktop Protocol"
dbedit> modify services ms_rdp protocol 6
dbedit> modify services ms_rdp exp "dport = 3389"
dbedit> modify services ms_rdp include_in_any false
dbedit> modify services ms_rdp timeout 3600
dbedit> update services ms_rdp
```

User creation:

```
create user nwt
modify users nwt auth_method radius
modify users nwt expiration_date 31-dec-2010
modify users nwt name nwt-radius-access
modify users nwt radius_server servers:nwt-radius-server
update users nwt
```

Adding a user to a group:

```
addelement users SC-group '' users:nwt
update users SC-group
```

Rule creation:

New rulebase:

```
# Add "Edge" to policies_collections
create policies_collection Edge
update policies_collections Edge
# Add "Edge" to fw_policies
create firewall_policy ##Edge
modify fw_policies ##Edge collection policies_collections:Edge
update fw_policies ##Edge
```

New header rule:

```
# Add header rule
addelement fw_policies ##Edge rule security_header_rule
addelement fw_policies ##Edge rule:0:action drop_action:drop
modify fw_policies ##Edge rule:0:header_text "Just a header"
```

New security rule:

```
addelement fw_policies ##Edge rule security_rule
addelement fw_policies ##Edge rule:1:action accept_action:accept
modify fw_policies ##Edge rule:1:comments "Allow icmp from london"
addelement fw_policies ##Edge rule:1:services:'' services:icmp-proto
addelement fw_policies ##Edge rule:1:src:'' network_objects:london
```

Update the policy:

```
update fw_policies ##Edge
```

By issuing the appropriate commands to dbedit and putting the commands above in a file, one could script the creation of network objects. To automate the process, execute something similar to the following on your management station:

```
# dbedit -s localhost -u admin -p adminpw -f dbeditcmdfile.txt
```

Someone added the following: successfully created more than 4000 objects with groups with this kind of method. But beware! The grouping function is not working the way we want it to. You should remove an object from the group and add it into the group again, then save the group. Repeat the process for all of the groups; otherwise the reporting module won't work, and the IP-to-name resolution will not work either. What I mean by "remove" and then "add" is that, using the Checkpoint GUI (SmartDashboard), you open a group, delete a member of that group, then add that member to the group again, then save the group. I know this sounds silly, but if you don't do that, you'll run into a lot of trouble, trust me.

-- GuyR - 09 Jan 2004

See also bin/upgrade_tools/upgrade_export.exe
How can I use dbedit to create multiple hosts from a given IP range? I am only interested in certain hosts, not all of them, e.g. if I have 10.10.1.0 I want host 10.10.1.12, then 10.10.2.12 > 10.10.3.12 > 10.10.4.12 and so on, with only the third octet changing. I want to do this for three different IP ranges in one go, i.e. 10.10.1.0, 172.16.1.0 and 192.168.1.0, and only create objects for certain hosts within each range.

__________________
I used to think a firewall was a borken router but now I know that it's a hub!
Script it. Your requirements sound fairly easy to script.
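One way to do that scripting, added here as an example rather than code from the thread or from Check Point: the generator below writes the command file that the FAQ above feeds to `dbedit -f`. For each /24 base named in the question it keeps the first two octets, substitutes a chosen list of values for the third octet, fixes the fourth, and emits the `create host_plain` / `modify network_objects ... ipaddr` / `update network_objects` triple quoted in the first post for each host, then collects the hosts into one group with `addelement`. The object-naming convention (`host_10_10_1_12`), the group name `scripted-hosts` and the sample octet lists are assumptions made for this example; `ipaddress.IPv4Address` rejects any octet outside 0..255, and an address that appears in more than one range is emitted once because object names must be unique.

```python
"""Generate a dbedit command file: one host_plain object per selected host,
stepping only the third octet of each /24 base, all collected into one group.
The dbedit verbs follow the syntax quoted in the thread; names, the group
and the sample ranges below are constructed for this example."""
import ipaddress
from typing import Dict, Iterable, List, Tuple

# Constructed input: base /24 -> (fourth octet wanted, third-octet values to step through)
RANGES: Dict[str, Tuple[int, Iterable[int]]] = {
    "10.10.1.0": (12, range(1, 5)),   # 10.10.1.12, 10.10.2.12, 10.10.3.12, 10.10.4.12
    "172.16.1.0": (12, [1, 2]),       # 172.16.1.12, 172.16.2.12
    "192.168.1.0": (12, [1, 3]),      # 192.168.1.12, 192.168.3.12
}
GROUP_NAME = "scripted-hosts"  # assumed group name, not from the thread


def object_name(ip: ipaddress.IPv4Address) -> str:
    """Derive a unique object name from the address (dots -> underscores so the
    name stays a plain identifier). The convention is this example's choice."""
    return "host_" + str(ip).replace(".", "_")


def hosts_in_range(base: str, host_octet: int, third_octets: Iterable[int]) -> List[ipaddress.IPv4Address]:
    """Keep the first two octets of `base`, substitute each value in `third_octets`
    for the third octet and `host_octet` for the fourth. IPv4Address() raises
    ValueError for any octet outside 0..255, so bad input fails before dbedit sees it."""
    first, second = str(ipaddress.IPv4Address(base)).split(".")[:2]
    return [ipaddress.IPv4Address(f"{first}.{second}.{third}.{host_octet}") for third in third_octets]


def host_commands(name: str, ip: ipaddress.IPv4Address) -> List[str]:
    """dbedit lines for one plain host object, as in the FAQ's host example."""
    return [
        f"create host_plain {name}",
        f"modify network_objects {name} ipaddr {ip}",
        f"update network_objects {name}",
    ]


def group_commands(group: str, members: Iterable[str]) -> List[str]:
    """dbedit lines that create a group and add every host to it, as in the FAQ."""
    lines = [f"create network_object_group {group}"]
    lines += [f"addelement network_objects {group} '' network_objects:{m}" for m in members]
    lines.append(f"update network_objects {group}")
    return lines


def build_command_file(ranges: Dict[str, Tuple[int, Iterable[int]]], group: str) -> List[str]:
    """Assemble the whole dbedit script. Hosts are de-duplicated by address, since
    a second `create host_plain` with the same name would collide, and sorted so
    the output is stable and easy to review before it is applied."""
    names: Dict[ipaddress.IPv4Address, str] = {}
    for base, (host_octet, thirds) in ranges.items():
        for ip in hosts_in_range(base, host_octet, thirds):
            names.setdefault(ip, object_name(ip))
    lines: List[str] = []
    for ip in sorted(names):
        lines += host_commands(names[ip], ip)
    lines += group_commands(group, [names[ip] for ip in sorted(names)])
    return lines


if __name__ == "__main__":
    script = build_command_file(RANGES, GROUP_NAME)
    with open("dbeditcmdfile.txt", "w") as fh:
        fh.write("\n".join(script) + "\n")
    # Then, on the management station, feed the file to dbedit as the FAQ shows:
    #   dbedit -s localhost -u admin -p adminpw -f dbeditcmdfile.txt
    print("\n".join(script))
```

Review the generated file before running it; with a different `RANGES` table the same generator covers any "only these hosts in each /24" selection, and the sorted, de-duplicated output makes a diff against an earlier run meaningful.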
Take a look at http://www.cpug.org/check_point_reso...iller_v2.4.tgz also.
Cool :) Thank you very much. I have had a quick look and it looks like what I am after. It will take me a while to come up with something, as this is a little side project I have; however, I will make sure that what I come up with helps anyone else who wants to do the same!

Regards,
uz
My scripting skills are not that good, as I haven't done enough of it until now, i.e. it will be something I need to learn as part of my new job. So whatever jobs you can offer would be great. :)