Firewall Builder (fwbuilder) and fwbedit tricks

So I’m a huge fan of fwbuilder, having been a security guy for many years, and having been spoilt by Checkpoint’s SmartDashboard GUI (one of the few things they do well).

Up until recently, I’ve not really needed a GUI for firewall management as we did most firewalling via the CP boxes.  Now, with the advent of having to admin over 150 (and growing) Linux VMs, and the iptables instances therein, fwbuilder fits the bill perfectly.

Great design

One of the best things about fwbuilder is its use of XML for configuration files.  This means all sorts of useful fun can be had when bulk changes are needed.  Still, XML can be hard at the best of times, due to the multi-line structure of it — a topic for another day of hackery.

Bulk import/discovery

fwbuilder has a few options in this regard, and I ended up using SNMP, so that the interfaces themselves (and names) are also brought in.  The other option was a painful import of the iptables save/restore stuff, but that would have still meant manual, or automated hackery, to config interfaces.

The issue is that the imports are left pretty raw; you can’t choose a firewall type, which is the management interface, and so on.  fwbuilder is lacking in this area of bulk change — fwbedit gets you some of the way, but not all of the way.

Good ole sed

I’m a Unix guy; always have been, always will be.  One of my favourite things is regexps, and with that, sed.

Here’s what I used to at least bulk change platform and host_OS on the XML:

sed -ie '/platform="unknown" name="au-/s@platform="unknown"@platform="iptables"@; s@host_OS="unknown"@host_OS="linux24"@' yourconfig.fwb

It’s a little lazy, but does the job, using the unknown text as an anchor.  The part of the pattern matching for au- is just a common starting name for all of our firewalls.

fwbedit

The next issue was bulk-changing the management interface of all the 150+ firewalls.  fwbedit has this capability, but the documentation isn’t the best, hence this blog post.

This format seems to have worked for me:

fwbedit.exe modify -f yourconfig.fwb -o /User/Firewalls/somefirewall -a 0,,1

The syntax for doing modify’s is not all that clear.  The doco says:

modify -f file.fwb -o object -c comment [-a attrs]

Modifies object specified by its full path in the tree or object ID. Object can not be renamed using this operation.
-f file.fwb: data file
-o object: object to be deleted, full path or ID
-c txt:  specify comment for the new object
-a attribute1[,attribute2…]  :  specify attributes that
define parameters of the new object (see below)

A few things here — firstly, the comment argument appears entirely optional, but isn’t indicated thusly via the traditional use of square brackets around it.  Secondly, the attribute stuff is confusing:

-t Interface -a security level,address type (dynamic or unnumbered),management

It doesn’t show here what arguments are mandatory, their format (boolean, “true/false” etc).  After hunting the source, using integers is what seems to work.

Now, with that in mind, we loop over all management interfaces, and set them right:


fwbedit.exe list -f yourconfig.fwb -r -o /FWObjectDatabase/User/Firewalls | grep '.*au-.*/eth0$' | while read id; do fwbedit.exe modify -f yourconfig.fwb -o $id -a 0,,1; done

Here we’re just iterating over the firewalls we’re interested in to get their ID, and then modify accordingly.

I hope this helps someone 🙂

2 comments

  1. Hi !
    Great Post ! Can you say me if it’s possible to add a policyRule to my 166Firewall using script ?
    Thx

    Regard,

    Ben

    1. Hi, thanks for the feedback. Sorry, I’ve never heard of 166Firewall.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: