This section shows sample scripts that change the Policy named Standard on a Domain Management Server. We recommend that you write the scripts in a text file and then import the file into dbedit.
When you use the dbedit command (see skI3301) to add a rule, you must add it at the bottom of the Rule Base by specifying the rule index manually. If the policy contains no other rules, the new rule becomes the first rule in the policy.
Note - Rules in SmartDashboard start with rule number 1. Rules in dbedit start with rule number 0.
This sample script creates a new policy called DemoPolicy with a Rule Base that contains this rule (rule 1 in SmartDashboard, rule:0 in dbedit):

Source | Destination | Service | Action
---|---|---|---
Any | Any | Any | Accept

```
create policies_collection ##DemoPolicy
modify policies_collections ##DemoPolicy comments "Demo"
modify policies_collections ##DemoPolicy default 1
update policies_collections ##DemoPolicy
create firewall_policy ##DemoPolicy
modify fw_policies ##DemoPolicy default 0
modify fw_policies ##DemoPolicy collection policies_collections:##DemoPolicy
addelement fw_policies ##DemoPolicy rule security_rule
modify fw_policies ##DemoPolicy rule:0:name "AcceptAll"
rmbyindex fw_policies ##DemoPolicy rule:0:track 0
addelement fw_policies ##DemoPolicy rule:0:track tracks:None
addelement fw_policies ##DemoPolicy rule:0:time globals:Any
addelement fw_policies ##DemoPolicy rule:0:install:'' globals:Any
addelement fw_policies ##DemoPolicy rule:0:action accept_action:accept
addelement fw_policies ##DemoPolicy rule:0:src:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:src:op ''
addelement fw_policies ##DemoPolicy rule:0:dst:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:dst:op ''
addelement fw_policies ##DemoPolicy rule:0:services:'' globals:Any
modify fw_policies ##DemoPolicy rule:0:services:op ''
update_all
```
This sample script changes this rule (rule 4 in SmartDashboard is rule:3 in dbedit):

 | Source | Destination | Service | Action
---|---|---|---|---
Original rule 4 | Any | Any | Any | Accept
New rule 4 | Any | DMZ | SSH | Accept

Modify Rule 4: the previous rule was any any any accept; it will now be any dmz ssh accept.
When it is necessary to add a rule to the middle of a Rule Base, you cannot use dbedit (see skI3301) to simply insert a rule. Instead, delete every rule from the insertion point to the bottom of the Rule Base (in reverse order), add the new rule, and then add the deleted rules back in their original order.
This sample script adds a new rule number 2 to a Rule Base that has three rules. Rules 2 and 3 are deleted from the bottom up, the new rule is added as rule 2, and the old rules 2 and 3 are added back as rules 3 and 4.
Note - Rules in SmartDashboard start with rule number 1. Rules in dbedit start with rule number 0.

Delete rules 2 and 3 (delete in reverse order, so that the index of the rules that remain does not shift):

```
rmbyindex fw_policies ##Standard rule 2
rmbyindex fw_policies ##Standard rule 1
```

Add new rule 2:

```
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:1:comments "Firewall stealth rule"
modify fw_policies ##Standard rule:1:disabled false
rmbyindex fw_policies ##Standard rule:1:track 0
addelement fw_policies ##Standard rule:1:track tracks:Log
addelement fw_policies ##Standard rule:1:time globals:Any
addelement fw_policies ##Standard rule:1:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:1:action 0
addelement fw_policies ##Standard rule:1:action drop_action:drop
addelement fw_policies ##Standard rule:1:src:'' network_objects:net-internal
modify fw_policies ##Standard rule:1:src:op 'not in'
addelement fw_policies ##Standard rule:1:dst:'' globals:Any
modify fw_policies ##Standard rule:1:dst:op ''
addelement fw_policies ##Standard rule:1:services:'' globals:Any
modify fw_policies ##Standard rule:1:services:op ''
```

Add new rule 3 (old rule 2):

```
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:2:comments "Allow selected hosts outbound"
modify fw_policies ##Standard rule:2:disabled false
rmbyindex fw_policies ##Standard rule:2:track 0
addelement fw_policies ##Standard rule:2:track tracks:Log
addelement fw_policies ##Standard rule:2:time globals:Any
addelement fw_policies ##Standard rule:2:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:2:action 0
addelement fw_policies ##Standard rule:2:action accept_action:accept
addelement fw_policies ##Standard rule:2:src:'' network_objects:flamer-100
addelement fw_policies ##Standard rule:2:src:'' network_objects:flamer-101
modify fw_policies ##Standard rule:2:src:op ''
addelement fw_policies ##Standard rule:2:dst:'' network_objects:net-internal
modify fw_policies ##Standard rule:2:dst:op 'not in'
addelement fw_policies ##Standard rule:2:services:'' globals:Any
modify fw_policies ##Standard rule:2:services:op ''
```

Add new rule 4 (old rule 3) in the same Standard policy, then save the changes:

```
addelement fw_policies ##Standard rule security_rule
modify fw_policies ##Standard rule:3:comments "Drop all"
modify fw_policies ##Standard rule:3:disabled false
rmbyindex fw_policies ##Standard rule:3:track 0
addelement fw_policies ##Standard rule:3:track tracks:Log
addelement fw_policies ##Standard rule:3:time globals:Any
addelement fw_policies ##Standard rule:3:install:'' globals:Any
rmbyindex fw_policies ##Standard rule:3:action 0
addelement fw_policies ##Standard rule:3:action drop_action:drop
addelement fw_policies ##Standard rule:3:src:'' globals:Any
modify fw_policies ##Standard rule:3:src:op ''
addelement fw_policies ##Standard rule:3:dst:'' globals:Any
modify fw_policies ##Standard rule:3:dst:op ''
addelement fw_policies ##Standard rule:3:services:'' globals:Any
modify fw_policies ##Standard rule:3:services:op ''
update_all
```
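Writing these scripts by hand is where the two mistakes this section warns about happen: the SmartDashboard-to-dbedit index offset, and deleting or re-adding rules in the wrong order when inserting into the middle of a Rule Base. The following Python script is an added example, not Check Point's own tooling and not part of the original page: it generates the same dbedit commands shown above from a description of the rules, so the index arithmetic and the delete-from-the-bottom-then-re-add sequence are computed rather than typed. The `Rule` class and the function names are this example's own; the network object names it references (`network_objects:net-internal`, `network_objects:flamer-100`, and so on) are assumed to exist already in the Domain Management Server database, and the contents of rule 1 are assumed because the page does not show them.

```python
"""Generate dbedit scripts for a Check Point Rule Base (added example).

Not Check Point tooling: it emits the same dbedit commands the sample
scripts above use, so that the rule-index offset (SmartDashboard rule N is
dbedit rule:N-1) and the "delete from the bottom, then re-add" procedure
for a mid-Rule-Base insert are computed instead of typed by hand.
The Rule class and function names are this example's own. Network objects
such as network_objects:net-internal are assumed to already exist in the
Domain Management Server database; the generated script only references them.
"""
from dataclasses import dataclass, field
from typing import List


@dataclass
class Rule:
    comments: str
    action: str                      # "accept" or "drop"
    src: List[str] = field(default_factory=lambda: ["globals:Any"])
    dst: List[str] = field(default_factory=lambda: ["globals:Any"])
    services: List[str] = field(default_factory=lambda: ["globals:Any"])
    src_op: str = ""                 # "" or "not in" (negated cell)
    dst_op: str = ""
    track: str = "tracks:Log"
    disabled: bool = False


def dbedit_index(dashboard_number: int) -> int:
    """SmartDashboard numbers rules from 1; dbedit indexes them from 0."""
    if dashboard_number < 1:
        raise ValueError("SmartDashboard rule numbers start at 1")
    return dashboard_number - 1


def append_rule_commands(policy: str, rule: Rule, index: int) -> List[str]:
    """Commands that append one security_rule and populate rule:<index>.

    addelement always appends at the bottom, so <index> must equal the
    number of rules already in the policy when these commands run.
    """
    p = f"fw_policies ##{policy}"
    r = f"rule:{index}"
    cmds = [
        f"addelement {p} rule security_rule",
        f'modify {p} {r}:comments "{rule.comments}"',
        f"modify {p} {r}:disabled {'true' if rule.disabled else 'false'}",
        f"rmbyindex {p} {r}:track 0",            # remove the default track
        f"addelement {p} {r}:track {rule.track}",
        f"addelement {p} {r}:time globals:Any",
        f"addelement {p} {r}:install:'' globals:Any",
        f"rmbyindex {p} {r}:action 0",           # remove the default action
        f"addelement {p} {r}:action {rule.action}_action:{rule.action}",
    ]
    cells = (("src", rule.src, rule.src_op),
             ("dst", rule.dst, rule.dst_op),
             ("services", rule.services, ""))
    for cell, members, op in cells:
        cmds += [f"addelement {p} {r}:{cell}:'' {m}" for m in members]
        cmds.append(f"modify {p} {r}:{cell}:op '{op}'")   # '' = not negated
    return cmds


def insert_rule_commands(policy: str, existing: List[Rule],
                         new_rule: Rule, position: int) -> List[str]:
    """Insert new_rule at SmartDashboard rule number <position>.

    dbedit cannot insert, so every rule from <position> to the bottom is
    deleted (highest index first, so the remaining indexes do not shift)
    and then re-appended behind the new rule in the original order.
    """
    start = dbedit_index(position)
    if start > len(existing):
        raise ValueError("position is beyond the end of the Rule Base")
    cmds = [f"rmbyindex fw_policies ##{policy} rule {i}"
            for i in range(len(existing) - 1, start - 1, -1)]
    for offset, rule in enumerate([new_rule] + existing[start:]):
        cmds += append_rule_commands(policy, rule, start + offset)
    cmds.append("update_all")        # save the changes to the database
    return cmds


if __name__ == "__main__":
    # Constructed three-rule Standard policy; rule 1's contents are assumed.
    rules = [
        Rule("Rule 1 (not changed, contents assumed)", "accept"),
        Rule("Allow selected hosts outbound", "accept",
             src=["network_objects:flamer-100", "network_objects:flamer-101"],
             dst=["network_objects:net-internal"], dst_op="not in"),
        Rule("Drop all", "drop"),
    ]
    stealth = Rule("Firewall stealth rule", "drop",
                   src=["network_objects:net-internal"], src_op="not in")
    print("\n".join(insert_rule_commands("Standard", rules, stealth, 2)))
```

Redirect the output to a file and import that file into dbedit, as the section recommends. Passing `position` equal to the current rule count plus one produces no `rmbyindex` lines at all, which is the plain append-at-the-bottom case from the first sample.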