This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
ekagan2
Explorer
‎2020-03-30 08:44 PM
Jump to solution

Creating NAT rules with dbedit

Can someone please provide an example of creating a static NAT policy rule with DBEdit?

I am looking to create many rules like these ones with a script

orig src      orig dest        orig svc  NATed src       NATed dest    NATed svc  Install on
------------- ---------------  --------  --------------  ------------  ---------  -----------
SOME-NET      host-natted-ip   any       original        host-real-ip  original   firewall123
host-real-ip  SOME-NET         any       host-natted-ip  original      original   firewall123

Thanks,

Eli

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2020-04-02 01:31 PM
In response to _Val_
Jump to solution

You realize that's a challenge I can't back down from, right? 😬
In the following example, I have an existing manual rule in the NAT rulebase in the policy package MyPolicy.
I am adding a manual NAT rule to this to do source NAT for MyObject to MyObject-Public. 

addelement fw_policies ##MyPolicy rule_adtr address_translation_rule
modify fw_policies ##MyPolicy rule_adtr:1:comments "This is really Rule number 2"

addelement fw_policies ##MyPolicy rule_adtr:1:src_adtr network_objects:MyObject
addelement fw_policies ##MyPolicy rule_adtr:1:dst_adtr globals:Any
addelement fw_policies ##MyPolicy rule_adtr:1:services_adtr globals:Any

modify fw_policies ##MyPolicy rule_adtr:1:src_adtr_translated translate_static
modify fw_policies ##MyPolicy rule_adtr:1:src_adtr_translated:'' network_objects:MyObject-public
modify fw_policies ##MyPolicy rule_adtr:1:dst_adtr_translated translate_static
modify fw_policies ##MyPolicy rule_adtr:1:dst_adtr_translated:'' globals:Any
modify fw_policies ##MyPolicy rule_adtr:1:services_adtr_translated service_translate
modify fw_policies ##MyPolicy rule_adtr:1:services_adtr_translated:'' globals:Any

update_all

(Note: It is helpful to refer to $FWDIR/conf/classes.C when you're figuring out how to do things in dbedit).

Note modifying the NAT rulebase with dbedit has the same basic limitations as the regular rulebase.
Namely, it's easy to add rules to the bottom of the rulebase, but not necessarily "somewhere in the middle" as it involves deleting all the rules below and re-adding them.

In short, it's really worth upgrading your management to R80.x as this is much easier, has better documentation, and more importantly, is supported.

 

View solution in original post

13 Replies
_Val_
Admin
Admin
‎2020-03-31 12:12 AM
Jump to solution

Why dbedit? It is legacy and bad for scripting. Uye MGMT API instead

https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-nat-rule~v1.6%20

0 Kudos
ekagan2
Explorer
‎2020-03-31 05:16 AM
In response to _Val_
Jump to solution

I am running r77.30. I think dbedit is my only option, isn't it?

0 Kudos
_Val_
Admin
Admin
‎2020-03-31 05:59 AM
In response to ekagan2
Jump to solution

Unfortunately, yes. Just a reminder, R77.30 is out of support from September 2019. 

0 Kudos
_Val_
Admin
Admin
‎2020-03-31 06:04 AM
In response to ekagan2
Jump to solution

Also, I thinnk dbedit does not have an option to add NAT rules. You still can enable automatic NAT on an object with it, though:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
https://sc1.checkpoint.com/documents/R77/CP_R77_Multi-DomainSecurityManagement_WebAdminGuide/105997....

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-01 02:32 PM
In response to _Val_
Jump to solution

There is likely a way to do it via dbedit but it's not documented anywhere.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-04-01 02:34 PM
In response to _Val_
Jump to solution

The automatic way does not work as he has a specific network he wants to add as the source or destination.
Regards, Maarten
0 Kudos
_Val_
Admin
Admin
‎2020-04-02 12:44 AM
In response to Maarten_Sjouw
Jump to solution

True. I think the best would be to lift management to one of R80.x, so API would be available. I do not see a way to add manual NAT rules with dbedit (Despite what @PhoneBoy is implying :-))

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-02 10:15 AM
In response to _Val_
Jump to solution

You obviously underestimate my ability to figure out dbedit 🙂
0 Kudos
_Val_
Admin
Admin
‎2020-04-02 10:32 AM
In response to PhoneBoy
Jump to solution

Prove it please 🙂

0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-02 01:31 PM
In response to _Val_
Jump to solution

You realize that's a challenge I can't back down from, right? 😬
In the following example, I have an existing manual rule in the NAT rulebase in the policy package MyPolicy.
I am adding a manual NAT rule to this to do source NAT for MyObject to MyObject-Public. 

addelement fw_policies ##MyPolicy rule_adtr address_translation_rule
modify fw_policies ##MyPolicy rule_adtr:1:comments "This is really Rule number 2"

addelement fw_policies ##MyPolicy rule_adtr:1:src_adtr network_objects:MyObject
addelement fw_policies ##MyPolicy rule_adtr:1:dst_adtr globals:Any
addelement fw_policies ##MyPolicy rule_adtr:1:services_adtr globals:Any

modify fw_policies ##MyPolicy rule_adtr:1:src_adtr_translated translate_static
modify fw_policies ##MyPolicy rule_adtr:1:src_adtr_translated:'' network_objects:MyObject-public
modify fw_policies ##MyPolicy rule_adtr:1:dst_adtr_translated translate_static
modify fw_policies ##MyPolicy rule_adtr:1:dst_adtr_translated:'' globals:Any
modify fw_policies ##MyPolicy rule_adtr:1:services_adtr_translated service_translate
modify fw_policies ##MyPolicy rule_adtr:1:services_adtr_translated:'' globals:Any

update_all

(Note: It is helpful to refer to $FWDIR/conf/classes.C when you're figuring out how to do things in dbedit).

Note modifying the NAT rulebase with dbedit has the same basic limitations as the regular rulebase.
Namely, it's easy to add rules to the bottom of the rulebase, but not necessarily "somewhere in the middle" as it involves deleting all the rules below and re-adding them.

In short, it's really worth upgrading your management to R80.x as this is much easier, has better documentation, and more importantly, is supported.

 

_Val_
Admin
Admin
‎2020-04-02 01:55 PM
In response to PhoneBoy
Jump to solution

@PhoneBoy strikes again, well done!

0 Kudos
ekagan2
Explorer
‎2020-04-04 12:36 PM
In response to PhoneBoy
Jump to solution

Thank you so much. That worked.

A quick question, is there a way to know which rule number the new rule will be added as or do I need to count them manually?
0 Kudos
PhoneBoy
Admin
Admin
‎2020-04-04 01:06 PM
In response to ekagan2
Jump to solution

Short of listing the rulebase itself beforehand, no.
Like I said, you are way better off upgrading your management so you can leverage the REST API which is easier to work with, has better documentation, and is supported.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events