Create or Modify Policy Objects (Hosts, Networks)

This section shows sample scripts that create one or more new network or service objects. You can combine one or more of these samples into one script file.

We recommend that you add the update_all command to the end of the script file.

Networks

You can use a script to manage database objects that include:

• Networks
• Hosts
• Address Ranges

These are sample scripts that show how to create and configure the database objects.

Creating a Network

This sample script:

1. Create the Network object with the name "net-internal"
2. Modifies this Network object to configure its IPv4 address 190.0.2.0
3. Modifies this Network object to configure its IPv4 Netmask 255.255.255.0
4. Adds a comment to describe what the object is for (optional) - "Created by fwadmin with dbedit"

The dbedit Script:

create network net-internal modify network_objects net-internal ipaddr 192.0.2.0 modify network_objects net-internal netmask 255.255.255.0 modify network_objects net-internal comments "Created by fwadmin with dbedit"

Configuring Automatic NAT

If your network uses NAT (Network Address Translation), you can use dbedit (see skI3301) to configure an Automatic NAT rule. Add these lines to a script only for a network that uses Automatic NAT rules.

This sample script creates an Automatic NAT rule for the net-internal network that starts with the IP address 190.0.2.100.

The next four modify lines are optional and are only needed if you want to do an automatic NAT rule for this object. modify network_objects net-internal add_adtr_rule true modify network_objects net-internal NAT NAT Set the NAT type, adtr_static or adtr_hide modify network_objects net-internal NAT:netobj_adtr_method adtr_hide Set the "valid" IP address for this object. For a static NAT on a network, the assumption is there is a 1-to-1 ratio between untranslated and translated addresses and the valid range is contiguous. This setting is the first IP address in this range. modify network_objects net-internal NAT:valid_ipaddr 192.0.2.100

Creating a Host

This sample script creates the host host-10 with the IP address 192.0.2.10.

Create the actual object (of type host_plain) create host_plain host-10 Modify the host IP address modify network_objects host-10 ipaddr 192.0.2.10 Add a comment to describe what the object is for (optional) modify network_objects host-10 comments "Created by fwadmin with dbedit"

You can also add the lines to this script to configure Automatic NAT for the host. The modify commands for this sample rule starts with: modify network_objects host-10

Creating an Address Range

This sample script creates the address range object addr-range with the IP addresses 192.0.2.150 to 190.0.2.200.

Create the actual object (of type address_range) create address_range addr-range Modify the first IP address in the range modify network_objects addr-range ipaddr_first 192.0.2.150 Modify the last IP address in the range modify network_objects addr-range ipaddr_last 192.0.2.200 Add a comment to describe what the object is for (optional) modify network_objects addr-range comments "Created by fwadmin with dbedit"

You can also add the lines to this script to configure Automatic NAT for the address range object. The modify commands for this sample rule starts with: modify network_objects addr-range

Renaming and Deleting Objects

You can change the name of an object or delete it from the database. When you change the name of an object the Security Policy is also updated with the new name.

Rename the network object addr-range to IPv4-range rename network_objects addr-range IPv4-range

When you delete an object, the references to it are also deleted from the Rule Base. The delete command fails if there is a different object that is dependent on it.

Delete the network object addr-range delete network_objects addr-range

Network Groups

You can create and use a group object as a container for network and host objects.

Creating a Network Group

Create a network group that uses networks and hosts. Make sure that these objects are in the management database before you create a network group.

This sample script creates the object host-group for the hosts host-100 and host-101.

Create a group object create network_object_group host-group Add the individual elements to the group addelement network_objects host-group '' network_objects:host-100 addelement network_objects host-group '' network_objects:host-101

Configuring and Deleting a Network Group

You can remove a network or host from a network group. This sample script removes host-100 from host-group.

Remove individual elements from the group rmelement network_objects host-group '' network_objects:host-100

You can rename or remove a network group almost the same as objects.

Rename the network object host-group to host-ipaddrs Rename network_objects host-group host-ipaddrs Delete the network object host-ipaddrs delete network_objects host-ipaddrs

Services

Services are objects that are used for network protocols.

Creating a Service

This sample script creates these services:

• tcp_8081 - TCP protocol port 8081
• udp_8082 - UDP protocol port 8082
• inspect_svc - Inspect SVC protocol 6 and with an optional feature that uses the INSPECT expression

  Create a TCP service create tcp_service tcp_8081 Set port 8081 for TCP service modify services tcp_8081 port 8081 Create a UDP service create udp_service udp_8082 Set port 8082 for UDP service modify services udp_8082 port 8082 Create a service of type "other." This can be used for random IP protocols as well as services that require more complex INSPECT code for matching.   Create the service of type other create other_service inspect_svc Modify the IP Protocol that matches the service modify services inspect_svc protocol 6 (Optional) Modify the INSPECT expression that matches this service. modify services inspect_svc exp "dport=123”

Renaming and Deleting a Service

You can rename or remove a service almost the same as objects.

Rename inspect_svc to inspect_tcp123 rename services inspect_svc inspect_tcp123 Delete the network object inspect_tcp123 delete services inspect_tcp123

Service Groups

You can create and use a group object as a container for service objects.

Creating a Service Group

Create a service group for more than one service. Make sure that the service objects are in the management database before you create a service group.

This sample script creates the object mysvc-group for the services SSH and HTTPS.

Create a group object create service_group mysvc-group Add the individual elements to the group addelement services mysvc-group '' services:ssh addelement services mysvc-group '' services:https

Configuring and Deleting a Service Group

You can remove a network or host from a network group. This sample script removes the SSH service from mysvc-group.

Remove individual elements from the group rmelement services mysvc-group '' services:ssh

You can rename or remove a network group almost the same as objects.

Rename the service group mysvc-group to myservices rename services mysvc-group myservices Delete the network object my services delete services myservices

Object Naming Restrictions

These are some of the restrictions for object names:

• Objects names can contain only ASCII letters, numbers, and dashes. Other characters such as a plus sign, asterisk, parenthesis, square brackets, and so on, are not supported.
• Object names can have a maximum of 100 characters.
• You cannot use reserved words for objects names and they include words that are policy elements. For example, names of colors, common networks terms (ipv6, nets, routers, servers, and so on).

To see a full list of the naming restrictions, go to sk40179.