Table of Contents:

1. Introduction
2. Instructions for using 'dbedit'
3. Syntax
   1. DBedit Command Arguments
   2. DBedit Internal Commands
4. Using dbedit commands in shell script
5. Related documentation / solutions

 

(1) Introduction

Check Point created new utilities to make it easier to work with the database files on the Security Management Server / Customer Management Add-on / Domain Management Server:

• dbedit (see description and instructions below)
• GuiDBEedit Tool (recommended method - described in sk13009 - Check Point Database Tool (GuiDBedit))

In R7x, dbedit could be used for manipulating all object stored in objects_5_0.C and in other fwset files.

In R80.x, the tool is still supported, but it can manipulate only some of the objects (Security Gateways and global properties for instance), while other objects (such as rulebase) can be managed only by the new mgmt_cli tool.

Note: Refer to sk13009 - Check Point Database Tool (GuiDBedit).

Alternately, you can use the 'dbedit' utility from the CLI for making the same changes.

 

(2) Instructions for using 'dbedit'

1. Edit the requierd objects only on the relevant Security Management Server / Customer Management Add-on / Domain Management Server.
   
   Note: You can make changes only on an active Security Management Server or Domain Management Server, because the database of the standby server is in read-only mode and cannot be changed by dbedit or any other client.
   
   

2. Backup the Security Management Server / Multi-Domain Security Management Server before modifying any of the objects.

   Refer to:

   • sk108902 - Best Practices - Backup on Gaia OS
   • sk91400 - System Backup and Restore feature in Gaia
   • sk54100 - How to back up your system on SecurePlatform
   • sk98153 - How to take a snapshot of Endpoint Security Management Server database
   
   
   
3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).
   
   
4. Connect to the command line on the Security Management Server / Multi-Domain Security Management Server.
   
   
5. Log in to Expert mode.
   
   

6. On the Multi-Domain Security Management Server - switch to the context of the involved Domain Management Server:

   [Expert@HostName]# mdsenv <Name of Domain Management Server>
   
   

7. Execute the dbedit:

   [Expert@HostName]# dbedit

   Refer to section "Syntax - DBedit Command Arguments" below.
   
   

8. Enter resolvable hostname, or IP address of the relevant Security Management Server / Customer Management Add-on / Domain Management Server:

   Enter Server name (ENTER for 'localhost'):
   
   

9. When prompted, enter the username and password of the Administrator:

   Enter Administrator Name:
   Enter Administrator Password:
   
   

10. Modify the relevant object / value.

    Refer to section "Syntax - DBedit Internal Commands" below.
    
    

11. Save the changes:

    dbedit> update_all
    
    

12. Exit from the dbedit (you can specify whether to save the changes upon exit):

    dbedit> quit [-update_all | -noupdate].
    
    
13. In SmartDashboard / SmartConsole, install database / install policy onto the relevant objects.

 

Notes:

• Check Point strongly recommends consulting Technical Support before editing any objects.
  
  
• Pressing "CTRL+C" will kill the dbedit without saving any changes.

 

(3) Syntax

General syntax:

[Expert@HostName]# dbedit -help
Usage: dbedit [-local | -s server] [-c certificate file | -u user] [-p password] [-f filename] [-r db-open-reason] [-help] [-ignore_script_failure] [-continue_updating]

 

(3-A) Syntax - DBedit Command Arguments

The following table describes the additional arguments for dbedit command:
[Expert@HostName]# dbedit [command arguments]

Argument	Description
-help	Prints the general help.
-globallock	dbedit partially locks the database, and if a user configures objects with SmartDashboard / SmartConsole, there can be problems in the database. This option does not let SmartDashboard /SmartConsole, or a dbedit user make changes to the database. When this option is enabled, dbedit commands run on a copy of the database. After you change the database and run the savedb command, it is saved and committed on the actual database.
-local	Connect to localhost (127.0.0.1) without using username/password. If this argument is not provided, dbedit asks the user how to connect.
-s <server>	Connect to the specified Security Management Server (by an IP address or a HostName). If this argument is not provided, dbedit asks the user how to connect.
-c <certificate_file>	Mandatory when used with "-s <server>" argument. Specifies the user's certificate file.
-u <username>	Mandatory when used with "-s <server>" argument. Specifies the username.
-p <password>	Mandatory when used with "-s <server>" argument. Specifies the user's password.
-r <open_reason_text>	Specifies the reason for opening the database in read-write mode (default mode).
-f <file_name>	Specifies the file with the relevant dbedit commands of the following form (refer to the section "DBedit Internal Commands" below): create <object_type> <object_name> modify <table_name> <object_name> <field_name> <value> update <table_name> <object_name> delete <table_name> <object_name> print <table_name> <object_name>v quit Notes: Each command is limited to 4096 characters
-ignore_script_failure	Used with the argument "-f <file_name>". Continue executing commands in the file and ignore errors.
-continue_updating	Used with the argument "-f <file_name>". Continue updating modified objects even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).
-d <database_name>	Specifies the name of the database, to which dbedit should connect (e.g., "mdsdb").
-listen	dbedit will "listen" for changes (this mode is used for advanced troubleshooting by Check Point Support and R&D). dbedit will print its internal messages when a change occurs in the Management Database - similar to these: [1] Got eCPMI_NOTIFY_UPDATE (2) notification for 'antibot_by_incidents_hour'@'antimalware_statistics' event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost [2] Got eCPMI_NOTIFY_UPDATE (2) notification for 'antivirus_by_incidents_hour'@'antimalware_statistics' event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost [3] Got eCPMI_NOTIFY_UPDATE (2) notification for 'te_by_incidents_hour'@'antimalware_statistics' event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost
-readonly	Specifies that the database must be opened in read-only mode (default mode is read-write).
-session	Session Connectivity.

 

(3-B) Syntax - DBedit Internal Commands

The following table describes the commands available inside the dbedit.

#	DBedit command	Section	Text
1	-h	Description	Prints the general help.
		Syntax	-h
		Examples	dbedit> -h
2	-q quit	Description	Quit from dbedit.
		Syntax	-q quit [-update_all | -noupdate]
		Examples	Exit the utility and commit the remaining modified objects (interactive mode): dbedit> quit Exit the utility and update all the remaining modified objects: dbedit> quit -update_all Exit the utility and discard all modifications: dbedit> quit -no_update
3	update	Description	Saves the specified object in the specified table (for example, "network_objects", "services", "users"). Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	update <table_name> <object_name>
		Examples	Save object 'my_service' in table 'services': dbedit> update services my_service
4	update_all	Description	Saves all the modified objects.
		Syntax	update_all
		Examples	Save all the modified objects: dbedit> update_all
5	_print_set	Description	Prints the specified object from the specified table (e.g., "network_objects", "services", "users"). Note: To see the available tables, connect to Security Management Server with GuiDBedit Tool.
		Syntax	_print_set <table_name> <object_name>
		Examples	Print object 'my_obj' from table 'network_objects': dbedit> print network_objects my_obj
6	print	Description	Prints the list of attributes of the specified object from the specified table (e.g., "network_objects", "properties", "services", "users"). Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	print <table_name> <object_name>
		Examples	Print object 'my_obj' from table 'network_objects' (in "Network Objects"): dbedit> print network_objects my_obj Print object 'firewall_properties' from table 'properties' (in "Global Properties"): dbedit> print properties firewall_properties
7	printxml	Description	Prints in XML format the list of attributes of the specified object from the specified table (e.g., "network_objects", "properties", "services", "users"). You can export the settings from a Security Management Server to an XML file that you can use later with external automation systems. Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	printxml <table_name> [<object_name>]
		Examples	Print object 'my_obj' from table 'network_objects': dbedit> printxml network_objects my_obj Print object 'firewall_properties' from table 'properties' (in "Global Properties"): dbedit> printxml properties firewall_properties
8	printbyuid	Description	Prints the attributes of the object specified by its UID.
		Syntax	printbyuid {object_id}
		Examples	Print the attributes of the object with these UID: dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}
9	query	Description	Prints all the objects in the specified table. Optionally, you can query for objects with specific attribute and value - query is separated by a comma after "query <table_name>" (spaces are not allowed between <attribute> and '<value>'). Note: To see the available tables, attributes and values, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	query <table_name> [ , <attribute>='<value>' ]
		Examples	Print all objects in 'users' table: dbedit> query users Print all objects in table 'network_objects' defined as Management Servers: dbedit> query network_objects, management='true' Print all objects in table 'services' with the name 'ssh': dbedit> query services, name='ssh' Print all objects in table 'services' with the port '22': dbedit> query services, port='22' Print all objects with the IP address '10.10.10.10': dbedit> query network_objects, ipaddr='10.10.10.10'
10	whereused	Description	Checks where the specified object is used in the database. Prints the number of places where this object is used and the relevant information about each such place.
		Syntax	whereused <table_name> <object_name>
		Examples	Check where object 'my_obj' is used: dbedit> whereused network_objects my_obj
11	create	Description	Creates an object of a specified type (with its default values) in the database. Restrictions apply to the object's name: Object names can have a maximum of 100 characters. Objects names can contain only ASCII letters, numbers, and dashes. Reserved words will be blocked by the Security Management Server (refer to sk40179). Note: To see the available tables and their class names (object types), connect to the Security Management Server with GuiDBedit Tool.
		Syntax	create <object_type> <object_name>
		Examples	Create service 'my_service' of type 'tcp_service' (with its default values): dbedit> create tcp_service my_service
12	delete	Description	Deletes an object from the specified table.
		Syntax	delete <table_name> <object_name>
		Examples	Delete service 'my_service' from table 'services': dbedit> delete services my_service
13	modify	Description	Modifies the value of a specified attribute in the specified object in the specified table (for example, "network_objects", "services", "users") in the database. Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	modify <table_name> <object_name> <field_name> <value>
		Examples	Modify color to 'red' in object 'my_service' in table 'services': dbedit> modify services my_service color red Add a comment to object 'MyObj': dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit" Set the value of global property 'ike_use_largest_possible_subnets' in table 'properties' to 'false': dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false Create a new interface on the Security Gateway 'My_FW' and modify its attributes - set the IP address / Mask and enable Anti-Spoofing on the interface with "Element Index"=3 (check the attributes of the 'My_FW' in GuiDBedit Tool): dbedit> addelement network_objects My_FW interfaces interface dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true In Member Object 'MyObj' change 'FieldA' to point to 'LINKSYS' (owned object) instead of '3COM' (there is no need to create the 'LINKSYS' object prior to the 'modify' command): dbedit> modify network_objects MyObj FieldA LINKSYS In Owned Object 'MyObj' change value of 'FieldB' to 'NewVal': dbedit> modify network_objects MyObj FieldA:FieldB NewVal In Linked Object 'MyObj' change value of 'FieldA' from 'RouterA' to 'RouterB': dbedit> modify network_objects MyObj FieldA RouterA:RouterB
14	lock	Description	Locks the specified object (by administrator) in the specified table (for example, "network_objects", "services", "users") from being modified by other users. For example, if you connect from a remote device to this Security Management Server with admin1 and lock an object, you will be able to connect with admin2, but will not be able to modify the locked object until admin1 releases the lock. Note: To see the available tables, connect to Security Management Server with GuiDBedit Tool.
		Syntax	lock <table_name> <object_name>
		Examples	Lock object 'my_service_obj' in table 'services' in the database: dbedit> lock services my_service_obj
15	addelement	Description	Adds a specified multiple field / container (with specified value) to a specified object in specified table. To see the available tables and their class names (object types), connect to the Security Management Server with GuiDBedit Tool.
		Syntax	addelement <table_name> <object_name> <field_name> <value>
		Examples	Add an element 'BranchObjectClass' with value 'Organization' to a multiple field 'Read' in object 'my_obj' in table 'ldap': dbedit> addelement ldap my_obj Read:BranchObjectClass Organization Add service 'MyService' to group of services 'MyServicesGroup' in table 'services': dbedit> addelement services MyServicesGroup '' services:MyService Add network 'MyNetwork' to group of networks 'MyNetworksGroup' in table 'network_objects': dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork
16	rmelement	Description	Removes a specified multiple field / container (with a specified value) from a specified object in a specified table. To see the available tables and their class names (object types), connect to the Security Management Server with GuiDBedit Tool.
		Syntax	rmelement <table_name> <object_name> <field_name> <value>
		Examples	Remove service 'MyService' from group of services 'MyServicesGroup' from table 'services': dbedit> rmelement services MyServicesGroup '' services:MyService Remove network 'MyNetwork' from group of networks 'MyNetworksGroup' from table 'network_objects': dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork Remove an element 'BranchObjectClass' with value 'Organization' from a multiple field 'Read' in object 'my_obj' in table 'ldap': dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization
17	rename	Description	Renames the specified object in the specified table. Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	rename <table_name> <object_name> <new_object_name>
		Examples	Rename network object 'london' to 'chicago' in table 'network_objects': dbedit> rename network_objects london chicago
18	rmbyindex	Description	Removes an element from a container by element's index. Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	rmbyindex <table_name> <object_name> <field_name> <index_number>
		Examples	Remove an element 'backup_log_servers' from a container 'log_servers' by element index '1' in table 'network_objects': dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1
19	add_owned_remove_name	Description	Adds an owned object (and removes its name) to a specified owned object field (or container). Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	add_owned_remove_name <table_name> <object_name> <field_name> <value>
		Examples	Add owned object 'my_gateway' (and remove its name) to an owned object field (or container) 'my_external_products': dbedit> add_owned_remove_name network_objects my_gateway additional_products owned:my_external_products
20	is_delete_allowed	Description	Checks if the specified object can be deleted from the specified table (object cannot be deleted if it is used by other objects). Note: To see the available tables, connect to the Security Management Server with GuiDBedit Tool.
		Syntax	is_delete_allowed <table_name> <object_name>
		Examples	Check if 'MyObj' can be deleted from table 'network_objects': dbedit> is_delete_allowed network_objects MyObj
21	set_pass	Description	Sets specified password for a specified user. Notes: The password should contain at least 4 characters and no more than 50 characters. Administrator's password cannot be changed by this command.
		Syntax	set_pass <user> <password>
		Examples	Set the password '1234' for the user 'abcd': dbedit> set_pass abcd 1234
22	savedb	Description	Saves the database. Allowed only when database was locked globally (dbedit was started with "dbedit -globallock" command).
		Syntax	savedb
		Examples	dbedit> savedb
23	savesession	Description	Saves the session. Allowed only when database was opened in session mode (dbedit was started with "dbedit -session" command).
		Syntax	savesession
		Examples	dbedit> savesession

 

(4) Using dbedit commands in shell script

It is possible to automate the dbedit internal commands using the syntax below in Bash shell (Expert mode).

The table below provides basic syntax examples based on section "(3-B) DBedit Internal Commands".

Note: For internal commands other than print, _print_set, printxml, printbyuid, query, and whereused, use the syntax "dbedit -f <file_name>".

#	DBedit operation	Section	Commands
1	Print the list of attributes of the specified object from the specified table	Syntax	echo -e "print <table_name> <object_name>\n-q\n" | dbedit -local echo -e "printxml <table_name> <object_name>\n-q\n" | dbedit -local
		Example	Connect with dbedit to localhost (127.0.0.1) and print the list of attributes of the object "MyCluster" from the table "network_objects": [Expert@HostName:0]# echo -e "print network_objects MyCluster\n-q\n" | dbedit -local Please enter a command, -h for help or -q to quit: dbedit> Object Name: MyCluster Object UID: {CD6C4010-AD0E-4168-8D6A-13B712EC5A05} Class Name: gateway_cluster Table Name: network_objects Last Modified by: admin Last Modified from: root-PC Last Modification time: Sun Jun 19 08:57:02 2016 Fields Details -------------- CP_high_availability: false DAG: false Enable_CPSyslogD: false Everest: false HA_mode: ActiveUp HA_new: true IPSec_cluster_nat: true LS_decision_function: default ... ... ...
2	Print the attributes of the object specified by its UID	Syntax	echo -e "printbyuid {<UID>}\n-q\n" | dbedit -local
		Example	Connect with dbedit to localhost (127.0.0.1) and print the list of attributes of the object with UID {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}: [Expert@Mgmt:0]# echo -e "printbyuid {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}\n-q\n" | dbedit -local
3	Print all the objects in the specified table in the database	Syntax	echo -e "query <table_name>[, <attribute>='<value>']\n-q\n" | dbedit -local
		Example	Connect with dbedit to localhost (127.0.0.1) and print all the objects from the table "network_objects" with IP address 192.168.1.1: [Expert@Mgmt:0]# echo -e "query network_objects, ipaddr='192.168.1.1'\n-q\n" | dbedit -local
4	Check where the specified object is used in the database	Syntax	echo -e "whereused <table_name> <object_name>\n-q\n" | dbedit -local
		Example	Connect with dbedit to localhost (127.0.0.1) and check where the object "MyCluster" from the table "network_objects" is used: [Expert@Mgmt:0]# echo -e "whereused network_objects MyCluster\n-q\n" | dbedit -local

 

(5) Related documentation / solutions

• Command Line Interface Reference Guide (R55, R60, R61, R62, R65, R70, R71, R75, R75.20, R75.40, R75.40VS, R76, R77) - chapter 'Security Management Server and Firewall Commands' - dbedit
• sk13009 - Check Point Database Tool (GuiDBedit)
• sk107932 - How to create manual NAT rules using DBedit
• sk74020 - How to change the IP address of a Domain Management Server
• sk30383 - Using a dbedit script to create new network objects and network object groups
• sk94047 - How to set configure automatic deletion of Database Revision Control versions with 'dbedit' tool
• sk93590 - Using dbedit to create time objects
• sk65680 - Create users using dbedit
• sk76040 - How to use dbedit to create automatic NAT on host object
• sk33403 - How to add a massive list of URLs to the URL filtering
• sk101056 - dbedit printxml command does not return AdminInfo
• sk39187 - Running dbedit utility on the Provider-1 MDS server fails with error.
• sk93589 - 'One or more arguments are invalid' error when trying to add the value for 'day_of_month' for time objects using the dbedit utility
• sk101492 - Unable to change CLM IP address using dbedit
• sk99049 - Modifying Database fields using DBedit does not work
• sk23630 - Advanced configuration options for ISP Redundancy
• skI3780 - Error: "CPHA: Found another machine with same cluster ID..." in the system console
• sk33403 - Import static routes from FireWall_A to FireWall_B on SecurePlatform