Use DBEDIT to Create Bulk Objects on Checkpoint Firewall

One of the repetitive tasks managing Checkpoint Firewall is to create blocked IP addresses and networks. It might be time consuming if you need to create a bulk of those via GUI. Based on a Checkpoint KB article, here is my weekly routine:

1. Log into your Checkpoint management server in expert mode and create a text file named "blockedaddress.csv" with two columns that separated by space. The first column is the IP address or network ID. The second column is the network mask. Here is an example:

              83.143.247.28 255.255.255.255

              223.223.176.0 255.255.240.0

               223.223.192.0 255.255.240.0

2. Create a script file named "blockCP.sh" in the same directory and Here is the content of the script:. 

#! /bin/bash

while read f1 f2

do

echo "create network block-addr-$f1" >>badip.txt

echo "modify network_objects block-addr-$f1 ipaddr $f1" >>badip.txt

echo "modify network_objects block-addr-$f1 netmask $f2" >>badip.txt

echo "update network_objects block-addr-$f1" >>badip.txt

echo "addelement network_objects Blocked-Networks '' network_objects:block-addr-$f1" >>badip.txt

echo "update network_objects Blocked-Networks" >>badip.txt

done < blockedaddress.csv

This script will parse the csv file and generate a new text file called "badip.txt" that DBEDIT can use. The "block-addr-$f1" is the new network object based on the csv file. The "Blocked-Networks" is my existing object group and the new network objects will be added to. The "blockaddress.csv" is obviously the csv file we defined in step 1.

3. Run "sh block.sh" to generate the text file - "badip.txt".

create network block-addr-83.143.247.28

modify network_object block-addr-83.143.247.28 ipaddr 83.143.247.28

modify network_object block-addr-83.143.247.28 netmask 255.255.255.255

update network_objects block-addr-83.143.247.28

addelement network_objects Blocked-Networks '' network_objects: block-addr-83.143.247.28

update network_objects Blocked-Networks

create network block-addr-223.223.192.0

modify network_objects block-addr-223.223.192.0 ipaddr 223.223.192.0

modify network_objects block-addr-223.223.192.0 netmask 255.255.240.0

update network_objects block-addr-223.223.192.0

addelement network_objects Blocked-Networks '' network_objects: block-addr-223.223.192.0

update network_objects Blocked-Networks

create network block-addr-223.223.192.0

modify network_objects block-addr-223.223.192.0 ipaddr 223.223.192.0

modify network_objects block-addr-223.223.192.0 netmask 255.255.240.0

update network_objects block-addr-223.223.192.0

addelement network_objects Blocked-Networks '' network_objects: block-addr-223.223.192.0

update network_objects Blocked-Networks

4. Run "dbedit -local -f badip.txt"

5. Log into Dashboard, verify "Blocked-Networks" is updated and push policy.

Here are two reference doc:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk30383

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=skI3301


If you have Cisco ASA, you can run this shell script against the same csv file to generate a text file to paste into ASA. Here is the sample script:

#! /bin/bash
echo "object-group network BlockNet_Group" >>badip4ASA.txt
while read f1 f2
do
 echo "network-object $f1 $f2" >>badip4ASA.txt

 done < blocklist.csv

The "BlockNet_Group" is the pre-existing object group in your ASA. You might need to remove the last line from "badip4ASA.txt.