CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: dbedit scripting --- help

  1. #1
    Join Date
    2015-02-04
    Posts
    6
    Rep Power
    0

    Default dbedit scripting --- help

    Hello Guys,
    I am working on a dbedit script but there are some tasks I can't finish.

    1.) Set a resource in the column "Service" (policy)
    2.) Set a VPN Community in the column "VPN" (policy)
    3.) Create an Externally Managed Security Gateway (network object)
    4.) Create an Interoperable Device (network object)

    Does anybody have an example for me? I tested a lot of ways but I have no idea...

    If anybody wants to know how to create a Resource, Services, Network Objects, Groups, Groups with exclusions, Gateways, Rules or some Properties, u can query me and I will send an example.

    Thank u all

  2. #2
    Join Date
    2014-11-14
    Location
    Ottawa Canada
    Posts
    364
    Rep Power
    6

    Default Re: dbedit scripting --- help

    There is nothing in any documentation for dbedit or guidbedit on how the 4 things you want to do can be done. This suggests to me that there is no way to do so. For full documented details on dbedit, take a look at the CLI reference guide for your version.

    Here's a link to the R77 CLI guide:
    http://supportcontent.checkpoint.com...nload?id=24833
    chapter 'Security Management Server and Firewall Commands' - dbedit

  3. #3
    Join Date
    2015-02-04
    Posts
    6
    Rep Power
    0

    Default Re: dbedit scripting --- help

    Hey jdmoore0883,

    thx 4 the reply, but I am sure that it will work. I tested a lot of things which are not in the documentation, and they are working fine.
    CCNA
    CCSA
    CCSE

  4. #4
    Join Date
    2006-10-03
    Location
    Offenbach/ Germany
    Posts
    170
    Rep Power
    14

    Default Re: dbedit scripting --- help

    Quote Originally Posted by mabu09 View Post
    Hey jdmoore0883,

    thx 4 the reply, but I am sure that it will work. I tested a lot of things which are not in the documentation, and they are working fine.

    Hello,

    at the upcoming week-end, I will have to do a migration project of an old Check Point version in which doing multiple steps of "migrate export" and "migrate import" does not sound reasonable. The onsite admin is in a process of removing objects and rules to get the work done in a reasonable amount of time.

    Therefore, I will do some research today on your request. Should be working so far and I cannot see any kind of obstacles. But, let me evaluate my attempts first.

    I will post the results of my research at the end of today (my timezone is Central European Time).

    Kind regards,
    Yasushi

  5. #5
    Join Date
    2006-10-03
    Location
    Offenbach/ Germany
    Posts
    170
    Rep Power
    14

    Default Re: dbedit scripting --- help

    Quote Originally Posted by mabu09 View Post
    Hey jdmoore0883,

    thx 4 the reply, but I am sure that it will work. I tested a lot of things which are not in the documentation, and they are working fine.
    1.) Set a resource in the column "Service" (policy)


    addelement fw_policies ##Standard rule:17:services:compound rule_services_compound_element:ftp->GET_ONLY
    addelement fw_policies ##Standard rule:17:services:compound:0:service services:ftp
    addelement fw_policies ##Standard rule:17:services:compound:0:resource resources:GET_ONLY
    addelement fw_policies ##Standard rule:17:services:compound:0:action accept_action:accept
    rmbyindex fw_policies ##Standard rule:17:track 0
    addelement fw_policies ##Standard rule:17:track tracks:Log
    addelement fw_policies ##Standard rule:17:install:' ' globals:Any


    2.) Set a VPN Community in the column "VPN" (policy)

    addelement fw_policies ##Standard rule:18:through:' ' communities:MyExtranet


    3.) Create an Externally Managed Security Gateway (network object)

    You have to create the corresponding network object first:

    create network Net_Hawaii
    modify network_objects Net_Hawaii ipaddr 10.41.40.0
    modify network_objects Net_Hawaii netmask 255.255.255.0
    modify network_objects Net_Hawaii color red
    update network_objects Net_Hawaii

    create gateway_ckp CP_Ext_Managed
    modify network_objects CP_Ext_Managed ipaddr 172.25.105.1
    modify network_objects CP_Ext_Managed encdomain manual
    modify network_objects CP_Ext_Managed manual_encdomain network_objects:Net_Hawaii
    modify network_objects CP_Ext_Managed color red
    update network_objects CP_Ext_Managed
    addelement network_objects CP_Ext_Managed
    modify network_objects CP_Ext_Managed interfaces:0:ipaddr 172.25.105.1
    modify network_objects CP_Ext_Managed interfaces:0:officialname eth0
    modify network_objects CP_Ext_Managed interfaces:0:ifindex 0
    modify network_objects CP_Ext_Managed interfaces:0:netmask 255.255.255.0
    modify network_objects CP_Ext_Managed interfaces:0:security:netaccess:access undefined
    modify network_objects CP_Ext_Managed interfaces:0:security:netaccess:leads_to_internet true
    update network_objects CP_Ext_Managed


    The bold part makes up the difference between a gateway and an externally managed gateway.

    4.) Create an Interoperable Device (network object)

    Create a network object first:
    create network Net_Atlanta
    modify network_objects Net_Atlanta ipaddr 10.42.41.0
    modify network_objects Net_Atlanta netmask 255.255.255.0
    modify network_objects Net_Atlanta color blue
    update network_objects Net_Atlanta

    create gateway_plain CiscoVPN
    modify network_objects CiscoVPN VPN VPN
    modify network_objects CiscoVPN VPN: IKE IKE
    modify network_objects CiscoVPN VPN: third_party_ecryption true
    modify network_objects CiscoVPN ipaddr 199.91.119.91
    modify network_objects CiscoVPN encdomain manual
    modify network_objects CiscoVPN manual_encdomain network_objects:Net_Atlanta
    modify network_objects CiscoVPN color blue
    update network_objects CiscoVPN


    Hopefully, I could contribute to your success! At least a tiny contribution.

    Kind regards,
    Yasushi (CCSM, CCMSE, CCSI)

  6. #6
    Join Date
    2015-02-04
    Posts
    6
    Rep Power
    0

    Default Re: dbedit scripting --- help

    Hello Mr. Yasushi Kono

    special special special thanks 4 your help. How do you find those variables to create those network objects? I tested a lot of ways to find out how to do these tasks ("print" or "printxml" or with the graphic tool "dbedit").

    EDIT:
    there are some mistakes in your answer. I tested it and there is no Externally Managed VPN Gateway, only a Check Point Gateway (CP_Ext_Managed), and on creating the Interoperable device I got errors. (I am using R77.20)

    3.) Create an Interoperable Device (network object)
    Solution:
    --> modify network_objects CiscoVPN VPN:IKE IKE
    --> modify network_objects CiscoVPN VPN:third_party_encryption true

    Resource:
    rule is not a multiple field.
    Error in line: 12
    rule is not a multiple field.
    Error in line: 13
    Failed to get field action
    Error in line: 14

    12 --> addelement fw_policies ##Standard rule:17:services:compound:0:service services:ftp
    13 --> addelement fw_policies ##Standard rule:17:services:compound:0:resource resources:GET_ONLY
    14 --> addelement fw_policies ##Standard rule:17:services:compound:0:action accept_action:accept
    Last edited by mabu09; 2015-02-15 at 09:50.
    CCNA
    CCSA
    CCSE
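
Added example, not part of any post in this thread: a pre-flight check for dbedit batch files that catches the stray space after `VPN:` corrected in post #6 and the incomplete `addelement` line in post #5 before the file is run against the management database. The argument counts, the use of shell-like quoting (`shlex`) and the rule that every changed object needs a later `update` are assumptions taken from the command patterns shown above; the function name is hypothetical.

```python
import shlex

# Argument counts per command (assumed from the command patterns in this thread).
ARGC = {"create": 2, "update": 2, "delete": 2, "rename": 3, "modify": 4,
        "addelement": 4, "rmelement": 4, "rmbyindex": 4}
CHANGES = {"modify", "addelement", "rmelement", "rmbyindex"}

def lint_dbedit(script):
    """Return sorted (line_no, message) findings for a dbedit batch script."""
    findings, dirty = [], {}   # dirty: object name -> line of first unsaved change
    for no, raw in enumerate(script.splitlines(), 1):
        if not raw.strip():
            continue
        try:
            cmd, *args = shlex.split(raw)   # assumes shell-like quoting, '#' kept
        except ValueError as exc:
            findings.append((no, f"unbalanced quote: {exc}"))
            continue
        if cmd not in ARGC:
            findings.append((no, f"'{cmd}' is not in the checked command table"))
            continue
        if len(args) != ARGC[cmd]:
            msg = f"{cmd} takes {ARGC[cmd]} arguments, got {len(args)}"
            if any(a.endswith(":") for a in args):
                msg += "; whitespace after ':' splits the field path"
            findings.append((no, msg))
            continue
        if cmd in CHANGES:
            dirty.setdefault(args[1], no)
        elif cmd == "update":
            dirty.pop(args[1], None)
    for name, no in dirty.items():
        findings.append((no, f"'{name}' is changed but never updated"))
    return sorted(findings)

# Constructed sample built from command lines quoted in the thread.
SAMPLE = """\
create gateway_plain CiscoVPN
modify network_objects CiscoVPN VPN: IKE IKE
modify network_objects CiscoVPN VPN:third_party_encryption true
modify network_objects CiscoVPN ipaddr 199.91.119.91
addelement fw_policies ##Standard rule:18:through:' ' communities:MyExtranet
update network_objects CiscoVPN
"""

if __name__ == "__main__":
    for no, msg in lint_dbedit(SAMPLE):
        print(f"Error in line: {no} ({msg})")
```

A misspelled field name such as `third_party_ecryption` is not detected, because that needs the object schema from the management server.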

  7. #7
    Join Date
    2006-10-03
    Location
    Offenbach/ Germany
    Posts
    170
    Rep Power
    14

    Default Re: dbedit scripting --- help

    Hello Mabu09,


    I had to do work on NGX R62 to R77.20 migration during week end and therefore, I could not read your post in the meanwhile.

    There are some challenges while importing the series of commands to import the objects and rule bases. I have to analyse the error messages you described.

    But, for now, I am really exhausted. The customer I am taking care of had IPSec VPN to thirty companies around Europe. I worked from Saturday to Monday noon. And now, I am in the office and had to coordinate other Check Point projects.

    Maybe, I could write my own program for the task you described. But, because I am not a skilled programmer, I have to acquire knowledge on how to write a program code.

    Cheers,
    Yasushi

  8. #8
    Join Date
    2015-02-04
    Posts
    6
    Rep Power
    0

    Default Re: dbedit scripting --- help

    Hello Mr. Yasushi Kono,

    I am very happy that u are helping me and I will now stress you. If you have some free time 4 that task I am happy but if you don't have time, I have to accept that.

    Kind regards,
    mabu09
    CCNA
    CCSA
    CCSE
