Editing the objects_5_0.C file via Check Point database editing utilities
Solution

Table of Contents:

  1. Introduction
  2. Instructions for using 'dbedit'
  3. Syntax
    1. DBedit Command Arguments
    2. DBedit Internal Commands
  4. Using dbedit commands in shell script
  5. Related documentation / solutions


(1) Introduction

Check Point has created new utilities to make it easier to work with the database files on the Security Management / Customer Management Add-on / Domain Management Server.

These utilities allow administrators to make changes in the $FWDIR/conf/objects_5_0.C file, such as creating or modifying attributes and values. These utilities are designed to replace the error-prone manual editing of the $FWDIR/conf/objects_5_0.C file and allow searching of the file based on "type" and "attribute".

Additionally, using these tools maintains the audit trail for changes to the database.

There is an $FWDIR/conf/objects.C file on the Security Gateway and a new file, $FWDIR/conf/objects_5_0.C, located on the Security Management / Customer Management Add-on / Domain Management Server. A new $FWDIR/conf/objects.C file gets created and pushed to the Security Gateway each time a policy is installed. Editing the $FWDIR/conf/objects.C file on the Security Gateway, or the Security Management / Customer Management Add-on / Domain Management Server, is not desirable since the change will be lost during the next policy installation, or restart of the Security Management / Customer Management Add-on / Domain Management Server.

Note: Check Point recommends using the 'GuiDBedit Tool' to make changes in the $FWDIR/conf/objects_5_0.C file. Refer to sk13009 - Check Point Database Tool (GuiDBedit).

Alternatively, the 'dbedit' utility can be used from the CLI to make the same changes.


(2) Instructions for using 'dbedit'

  1. The involved objects should be edited only on the relevant Security Management / Customer Management Add-on / Domain Management Server.

  2. Back up the Security Management Server / Multi-Domain Security Management Server before modifying any of the objects.

    Refer to:



  3. Close all SmartConsole windows (SmartDashboard, SmartView Tracker, SmartView Monitor, etc.).

  4. Connect to command line on Security Management Server / Multi-Domain Security Management Server.

  5. Log in to Expert mode.

  6. On Multi-Domain Security Management Server - switch to the context of the involved Domain Management Server:

    [Expert@HostName]# mdsenv <Name of Domain Management Server>

  7. Execute the dbedit:

    [Expert@HostName]# dbedit

    Refer to section "Syntax - DBedit Command Arguments" below.

  8. Enter resolvable hostname, or IP address of the relevant Security Management / Customer Management Add-on / Domain Management Server:

    Enter Server name (ENTER for 'localhost'):

  9. When prompted, enter username and password of the Administrator:

    Enter Administrator Name:
    Enter Administrator Password:

  10. Modify the relevant object / value.

    Refer to section "Syntax - DBedit Internal Commands" below.

  11. Save the changes:

    dbedit> update_all

  12. Exit from the dbedit (you can specify whether to save the changes upon exit):

    dbedit> quit [-update_all | -noupdate]

  13. In SmartDashboard, install database / install policy onto relevant objects.


Notes:

  • Check Point strongly recommends consulting Technical Support before editing any objects.

  • Pressing "CTRL+C" terminates dbedit without saving any changes.


(3) Syntax

General syntax:

[Expert@HostName]# dbedit -help
Usage: dbedit [-local | -s server] [-c certificate file | -u user] [-p password] [-f filename] [-r db-open-reason] [-help] [ignore_script_failure] [-continue_updating]


(3-A) Syntax - DBedit Command Arguments

The following list describes the arguments of the dbedit command:
[Expert@HostName]# dbedit [command arguments]

-help
    Prints the general help.

-globallock
    dbedit partially locks the database, and if a user configures objects with SmartDashboard at the same time, there can be problems in the database. This option does not let SmartDashboard, or another dbedit user, make changes to the database.
    When this option is enabled, dbedit commands run on a copy of the database. After you change the database and run the savedb command, it is saved and committed on the actual database.

-local
    Connect to localhost (127.0.0.1) without using username/password.
    If this argument is not provided, then dbedit will ask the user how to connect.

-s <server>
    Connect to the specified Security Management Server (by IP address or HostName).
    If this argument is not provided, then dbedit will ask the user how to connect.

-c <certificate_file>
    Mandatory when used with the "-s <server>" argument.
    Specifies the user's certificate file.

-u <username>
    Mandatory when used with the "-s <server>" argument.
    Specifies the username.

-p <password>
    Mandatory when used with the "-s <server>" argument.
    Specifies the user's password.

-r <open_reason_text>
    Specifies the reason for opening the database in read-write mode (the default mode).

-f <file_name>
    Specifies the file with the relevant dbedit commands of the following form (refer to the section "DBedit Internal Commands" below):

    create <object_type> <object_name>
    modify <table_name> <object_name> <field_name> <value>
    update <table_name> <object_name>
    delete <table_name> <object_name>
    print <table_name> <object_name>
    quit

    Note: Each command is limited to 4096 characters.

ignore_script_failure
    Used with the argument "-f <file_name>".
    Continue executing the commands in the file and ignore errors.

-continue_updating
    Used with the argument "-f <file_name>".
    Continue updating modified objects even if the operation fails for some of the objects (ignores the errors and runs the update_all command at the end of the script).

-d <database_name>
    Specifies the name of the database to which dbedit should connect (e.g., "mdsdb").

-listen
    dbedit will "listen" for changes (this mode is used for advanced troubleshooting by Check Point Support and R&D).
    dbedit will print its internal messages when a change occurs in the Management Database, similar to these:

    [1] Got eCPMI_NOTIFY_UPDATE (2) notification for 'antibot_by_incidents_hour'@'antimalware_statistics'
    event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost
    [2] Got eCPMI_NOTIFY_UPDATE (2) notification for 'antivirus_by_incidents_hour'@'antimalware_statistics'
    event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost
    [3] Got eCPMI_NOTIFY_UPDATE (2) notification for 'te_by_incidents_hour'@'antimalware_statistics'
    event eCPMI_NOTIFY_UPDATE was triggered by Security Management Server@localhost

-readonly
    Specifies that the database should be opened in read-only mode (the default mode is read-write).

-session
    Opens the database in session mode (refer to the 'savesession' internal command below).


(3-B) Syntax - DBedit Internal Commands

The following list describes the commands available inside dbedit.

  1. -h
     Description: Prints the general help.
     Syntax: -h
     Examples:
       • dbedit> -h

  2. -q / quit
     Description: Quit from dbedit.
     Syntax:
       • -q
       • quit [-update_all | -noupdate]
     Examples:
       • Exit the utility and commit the remaining modified objects (interactive mode):
         dbedit> quit

       • Exit the utility and update all the remaining modified objects:
         dbedit> quit -update_all

       • Exit the utility and discard all modifications:
         dbedit> quit -noupdate
  3. update
     Description: Saves the specified object in the specified table (e.g., "network_objects", "services", "users").
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: update <table_name> <object_name>
     Examples:
       • Save object 'my_service' in table 'services':
         dbedit> update services my_service

  4. update_all
     Description: Saves all the modified objects.
     Syntax: update_all
     Examples:
       • Save all the modified objects:
         dbedit> update_all

  5. _print_set
     Description: Prints the specified object from the specified table (e.g., "network_objects", "services", "users") as it appears in the $FWDIR/conf/objects_5_0.C file (sets of attributes).
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: _print_set <table_name> <object_name>
     Examples:
       • Print object 'my_obj' from table 'network_objects':
         dbedit> _print_set network_objects my_obj

  6. print
     Description: Prints the list of attributes of the specified object from the specified table (e.g., "network_objects", "properties", "services", "users").
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: print <table_name> <object_name>
     Examples:
       • Print object 'my_obj' from table 'network_objects' (in "Network Objects"):
         dbedit> print network_objects my_obj

       • Print object 'firewall_properties' from table 'properties' (in "Global Properties"):
         dbedit> print properties firewall_properties

  7. printxml
     Description: Prints in XML format the list of attributes of the specified object from the specified table (e.g., "network_objects", "properties", "services", "users"). You can export the settings from a Management Server to an XML file that you can use later with external automation systems.
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: printxml <table_name> [<object_name>]
     Examples:
       • Print object 'my_obj' from table 'network_objects':
         dbedit> printxml network_objects my_obj

       • Print object 'firewall_properties' from table 'properties' (in "Global Properties"):
         dbedit> printxml properties firewall_properties

  8. printbyuid
     Description: Prints the attributes of the object specified by its UID (the UID appears in the $FWDIR/conf/objects_5_0.C file at the beginning of the object as "chkpf_uid ({...})").
     Syntax: printbyuid {object_id}
     Examples:
       • Print the attributes of the object with the following UID:
         dbedit> printbyuid {D3833F1D-0A58-AA42-865F-39BFE3C126F1}
  9. query
     Description: Prints all the objects in the specified table. Optionally, you can query for objects with a specific attribute and value: the condition is added after "query <table_name>", separated by a comma (spaces are not allowed between <attribute> and '<value>').
     Note: To see the available tables, attributes and values, connect to Management Server with GuiDBedit Tool.
     Syntax: query <table_name> [ , <attribute>='<value>' ]
     Examples:
       • Print all objects in 'users' table:
         dbedit> query users

       • Print all objects in table 'network_objects' defined as Management Servers:
         dbedit> query network_objects, management='true'

       • Print all objects in table 'services' with the name 'ssh':
         dbedit> query services, name='ssh'

       • Print all objects in table 'services' with the port '22':
         dbedit> query services, port='22'

       • Print all objects with the IP address '10.10.10.10':
         dbedit> query network_objects, ipaddr='10.10.10.10'

  10. whereused
     Description: Checks where the specified object is used in the database. Prints the number of places where this object is used and relevant information about each such place.
     Syntax: whereused <table_name> <object_name>
     Examples:
       • Check where object 'my_obj' is used:
         dbedit> whereused network_objects my_obj

  11. create
     Description: Creates an object of the specified type (with its default values) in the database.
     Restrictions apply to the object's name:
       • Object names can have a maximum of 100 characters.
       • Object names can contain only ASCII letters, numbers, and dashes.
       • Reserved words will be blocked by the Management Server (refer to sk40179).
     Note: To see the available tables and their class names (object types), connect to Management Server with GuiDBedit Tool.
     Syntax: create <object_type> <object_name>
     Examples:
       • Create service 'my_service' of type 'tcp_service' (with its default values):
         dbedit> create tcp_service my_service

  12. delete
     Description: Deletes an object from the specified table.
     Syntax: delete <table_name> <object_name>
     Examples:
       • Delete service 'my_service' from table 'services':
         dbedit> delete services my_service

  13. modify
     Description: Modifies the value of the specified attribute in the specified object in the specified table (e.g., "network_objects", "services", "users") in the database.
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: modify <table_name> <object_name> <field_name> <value>
     Examples:
       • Modify color to 'red' in object 'my_service' in table 'services':
         dbedit> modify services my_service color red

       • Add a comment to object 'MyObj':
         dbedit> modify network_objects MyObj comments "Created by fwadmin with dbedit"

       • Set the value of global property 'ike_use_largest_possible_subnets' in table 'properties' to 'false':
         dbedit> modify properties firewall_properties ike_use_largest_possible_subnets false

       • Create a new interface on the Security Gateway 'My_FW' and modify its attributes - set the IP address / Mask and enable Anti-Spoofing on the interface with "Element Index"=3 (check the attributes of 'My_FW' in GuiDBedit Tool):
         dbedit> addelement network_objects My_FW interfaces interface
         dbedit> modify network_objects My_FW interfaces:3:officialname NAME_OF_INTERFACE
         dbedit> modify network_objects My_FW interfaces:3:ipaddr IP_ADDRESS
         dbedit> modify network_objects My_FW interfaces:3:netmask NETWORK_MASK
         dbedit> modify network_objects My_FW interfaces:3:security:netaccess:access specific
         dbedit> modify network_objects My_FW interfaces:3:security:netaccess:allowed network_objects:group_name
         dbedit> modify network_objects My_FW interfaces:3:security:netaccess:perform_anti_spoofing true

       • In Member Object 'MyObj' change 'FieldA' to point to 'LINKSYS' (owned object) instead of '3COM' (there is no need to create the 'LINKSYS' object prior to the 'modify' command):
         dbedit> modify network_objects MyObj FieldA LINKSYS

       • In Owned Object 'MyObj' change the value of 'FieldB' to 'NewVal':
         dbedit> modify network_objects MyObj FieldA:FieldB NewVal

       • In Linked Object 'MyObj' change the value of 'FieldA' from 'RouterA' to 'RouterB':
         dbedit> modify network_objects MyObj FieldA RouterA:RouterB
  14. lock
     Description: Locks the specified object (by administrator) in the specified table (e.g., "network_objects", "services", "users") from being modified by other users. For example, if you connect from a remote machine to this Management Server as admin1 and lock an object, you will be able to connect as admin2, but will not be able to modify the locked object until admin1 releases the lock.
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: lock <table_name> <object_name>
     Examples:
       • Lock object 'my_service_obj' in table 'services' in the database:
         dbedit> lock services my_service_obj

  15. addelement
     Description: Adds an element with the specified value to the specified multiple field / container of the specified object in the specified table.
     Note: To see the available tables and their class names (object types), connect to Management Server with GuiDBedit Tool.
     Syntax: addelement <table_name> <object_name> <field_name> <value>
     Examples:
       • Add an element 'BranchObjectClass' with value 'Organization' to a multiple field 'Read' in object 'my_obj' in table 'ldap':
         dbedit> addelement ldap my_obj Read:BranchObjectClass Organization

       • Add service 'MyService' to group of services 'MyServicesGroup' in table 'services':
         dbedit> addelement services MyServicesGroup '' services:MyService

       • Add network 'MyNetwork' to group of networks 'MyNetworksGroup' in table 'network_objects':
         dbedit> addelement network_objects MyNetworksGroup '' network_objects:MyNetwork

  16. rmelement
     Description: Removes an element with the specified value from the specified multiple field / container of the specified object in the specified table.
     Note: To see the available tables and their class names (object types), connect to Management Server with GuiDBedit Tool.
     Syntax: rmelement <table_name> <object_name> <field_name> <value>
     Examples:
       • Remove service 'MyService' from group of services 'MyServicesGroup' in table 'services':
         dbedit> rmelement services MyServicesGroup '' services:MyService

       • Remove network 'MyNetwork' from group of networks 'MyNetworksGroup' in table 'network_objects':
         dbedit> rmelement network_objects MyNetworksGroup '' network_objects:MyNetwork

       • Remove an element 'BranchObjectClass' with value 'Organization' from a multiple field 'Read' in object 'my_obj' in table 'ldap':
         dbedit> rmelement ldap my_obj Read:BranchObjectClass Organization

  17. rename
     Description: Renames the specified object in the specified table.
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: rename <table_name> <object_name> <new_object_name>
     Examples:
       • Rename network object 'london' to 'chicago' in table 'network_objects':
         dbedit> rename network_objects london chicago

  18. rmbyindex
     Description: Removes an element from a container by the element's index.
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: rmbyindex <table_name> <object_name> <field_name> <index_number>
     Examples:
       • Remove an element 'backup_log_servers' from a container 'log_servers' by element index '1' in table 'network_objects':
         dbedit> rmbyindex network_objects g log_servers:backup_log_servers 1

  19. add_owned_remove_name
     Description: Adds an owned object (and removes its name) to a specified owned object field (or container).
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: add_owned_remove_name <table_name> <object_name> <field_name> <value>
     Examples:
       • Add owned object 'my_gateway' (and remove its name) to an owned object field (or container) 'my_external_products':
         dbedit> add_owned_remove_name network_objects my_gateway additional_products owned:my_external_products

  20. is_delete_allowed
     Description: Checks if the specified object can be deleted from the specified table (an object cannot be deleted if it is used by other objects).
     Note: To see the available tables, connect to Management Server with GuiDBedit Tool.
     Syntax: is_delete_allowed <table_name> <object_name>
     Examples:
       • Check if 'MyObj' can be deleted from table 'network_objects':
         dbedit> is_delete_allowed network_objects MyObj

  21. set_pass
     Description: Sets the specified password for the specified user.
     Notes:
       • The password should contain at least 4 characters and no more than 50 characters.
       • Administrator's password cannot be changed by this command.
     Syntax: set_pass <user> <password>
     Examples:
       • Set the password '1234' for the user 'abcd':
         dbedit> set_pass abcd 1234

  22. savedb
     Description: Saves the database. Allowed only when the database was locked globally (dbedit was started with the "dbedit -globallock" command).
     Syntax: savedb
     Examples:
       • dbedit> savedb

  23. savesession
     Description: Saves the session. Allowed only when the database was opened in session mode (dbedit was started with the "dbedit -session" command).
     Syntax: savesession
     Examples:
       • dbedit> savesession
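The "-f <file_name>" argument from section (3-A) and the object-name restrictions listed under 'create' above, worked through as a Bash script. This is an added example, not code from the article or from Check Point: it writes a command file, checks it against the limits the article gives, and runs it with "dbedit -local -f" and an audit reason; the object MyObj, the comment text and the ticket id are placeholders.

```bash
#!/bin/bash
# Added example, not from the SK article or from Check Point: prepare a dbedit
# command file and run it with "dbedit -local -f <file> -r <reason>" instead of
# typing the commands interactively. Before anything touches the database it
# checks the object-name restrictions and the 4096-characters-per-command limit
# that the article lists. MyObj, the comment text and the ticket id are placeholders.
set -u

# Object-name check from the "create" restrictions: at most 100 characters, ASCII
# letters, digits and dashes. The article's own examples (my_service, MyObj) use
# underscores, so underscore is accepted here as well (assumption).
valid_object_name() {
    local name=$1
    [ -n "$name" ] && [ ${#name} -le 100 ] || return 1
    case $name in
        *[!A-Za-z0-9_-]*) return 1 ;;
    esac
    return 0
}

# Fail if any line of the command file exceeds the 4096-character limit.
check_command_lengths() {
    local n=0 line
    while IFS= read -r line; do
        n=$((n + 1))
        if [ ${#line} -gt 4096 ]; then
            echo "line $n of $1 exceeds 4096 characters" >&2
            return 1
        fi
    done < "$1"
}

# Write the commands that set the 'comments' attribute of one object and save only
# that object: "update <table> <object>" commits it, and "quit -noupdate" makes
# sure nothing else left modified in the session is committed by accident.
build_comment_script() {   # args: table object comment outfile
    local table=$1 object=$2 comment=$3 out=$4
    valid_object_name "$object" || { echo "invalid object name: $object" >&2; return 1; }
    {
        printf 'modify %s %s comments "%s"\n' "$table" "$object" "$comment"
        printf 'update %s %s\n' "$table" "$object"
        printf 'quit -noupdate\n'
    } > "$out"
    check_command_lengths "$out"
}

# Run a command file against the local Management Server. The -r text is recorded
# as the reason for opening the database, which is what the audit trail shows.
# Returns 2 when dbedit is not installed (i.e. this is not a Management Server).
run_dbedit_file() {   # args: file reason
    local file=$1 reason=$2
    command -v dbedit >/dev/null 2>&1 || { echo "dbedit not found; file kept at $file" >&2; return 2; }
    dbedit -local -f "$file" -r "$reason"
}

# Usage (only when invoked as "script.sh run"): comment the placeholder object MyObj.
if [ "${1:-}" = run ]; then
    cmdfile=$(mktemp /tmp/dbedit_cmds.XXXXXX)
    build_comment_script network_objects MyObj "Changed under ticket TICKET-ID" "$cmdfile" \
        && run_dbedit_file "$cmdfile" "Ticket TICKET-ID: update comment of MyObj"
fi
```

After the run, step 13 of section (2) still applies: install database / policy from SmartDashboard for the change to reach the gateways.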


(4) Using dbedit commands in shell script

It is possible to automate the dbedit internal commands using the syntax below in Bash shell (Expert mode).

The list below provides basic syntax examples based on section "(3-B) DBedit Internal Commands".

Note: For internal commands other than print, _print_set, printxml, printbyuid, query, and whereused, use the syntax "dbedit -f <file_name>".

  1. Print the list of attributes of the specified object from the specified table
     Syntax:
       echo -e "print <table_name> <object_name>\n-q\n" | dbedit -local
       echo -e "printxml <table_name> <object_name>\n-q\n" | dbedit -local
     Example:
       Connect with dbedit to localhost (127.0.0.1) and print the list of attributes of the object "MyCluster" from the table "network_objects":

       [Expert@HostName:0]# echo -e "print network_objects MyCluster\n-q\n" | dbedit -local

       Please enter a command, -h for help or -q to quit:
       dbedit>
       Object Name: MyCluster
       Object UID: {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}
       Class Name: gateway_cluster
       Table Name: network_objects
       Last Modified by: admin
       Last Modified from: root-PC
       Last Modification time: Sun Jun 19 08:57:02 2016
       Fields Details
       --------------
           CP_high_availability: false
           DAG: false
           Enable_CPSyslogD: false
           Everest: false
           HA_mode: ActiveUp
           HA_new: true
           IPSec_cluster_nat: true
           LS_decision_function: default
           ... ... ...

  2. Print the attributes of the object specified by its UID
     Syntax:
       echo -e "printbyuid {<UID>}\n-q\n" | dbedit -local
     Example:
       Connect with dbedit to localhost (127.0.0.1) and print the list of attributes of the object with UID {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}:

       [Expert@Mgmt:0]# echo -e "printbyuid {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}\n-q\n" | dbedit -local

  3. Print all the objects in the specified table in the database
     Syntax:
       echo -e "query <table_name>[, <attribute>='<value>']\n-q\n" | dbedit -local
     Example:
       Connect with dbedit to localhost (127.0.0.1) and print all the objects from the table "network_objects" with IP address 192.168.1.1:

       [Expert@Mgmt:0]# echo -e "query network_objects, ipaddr='192.168.1.1'\n-q\n" | dbedit -local

  4. Check where the specified object is used in the database
     Syntax:
       echo -e "whereused <table_name> <object_name>\n-q\n" | dbedit -local
     Example:
       Connect with dbedit to localhost (127.0.0.1) and check where the object "MyCluster" from the table "network_objects" is used:

       [Expert@Mgmt:0]# echo -e "whereused network_objects MyCluster\n-q\n" | dbedit -local
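The print-over-pipe pattern above, extended into a verification script. This is an added example, not from the article or from Check Point: it parses dbedit's print output (the sample is constructed from the MyCluster output above, trimmed) and fails if an attribute does not hold the expected value, so a script can confirm a change before policy is installed; MyCluster and the HA_mode/ActiveUp check are placeholders.

```bash
#!/bin/bash
# Added example, not from the SK article or from Check Point: parse the output of
#   printf 'print <table> <object>\n-q\n' | dbedit -local
# (the format shown above) and fail if an attribute does not hold the expected
# value, so a script can confirm a change before policy is installed. printf is
# used instead of echo -e because it behaves the same in sh and bash.
set -u

# Constructed sample, trimmed from the article's "print network_objects MyCluster" output.
SAMPLE_PRINT_OUTPUT='Please enter a command, -h for help or -q to quit:
dbedit>
Object Name: MyCluster
Object UID: {CD6C4010-AD0E-4168-8D6A-13B712EC5A05}
Class Name: gateway_cluster
Table Name: network_objects
Last Modified by: admin
Last Modification time: Sun Jun 19 08:57:02 2016
Fields Details
--------------
    CP_high_availability: false
    DAG: false
    HA_mode: ActiveUp
    HA_new: true'

# Print the value of one attribute from dbedit print output read on stdin. Works for
# the header lines (Object Name, Class Name, ...) and the indented field lines alike;
# the key is matched as a prefix up to the colon, so DAG does not match DAG2.
# Exit status 1 when the attribute is not present.
dbedit_attr() {   # arg: attribute name
    awk -v key="$1" '
        { line = $0; sub(/^[ \t]+/, "", line) }
        index(line, key ":") == 1 {
            value = substr(line, length(key) + 2)
            sub(/^[ \t]+/, "", value)
            print value
            found = 1
            exit
        }
        END { if (found) exit 0; exit 1 }'
}

# Compare one attribute with an expected value: 0 on match, 1 on mismatch,
# 2 when the attribute is missing. The actual value is reported on stderr.
expect_attr() {   # args: attribute expected ; dbedit print output on stdin
    local attr=$1 expected=$2 actual
    actual=$(dbedit_attr "$attr") || { echo "attribute '$attr' not found" >&2; return 2; }
    [ "$actual" = "$expected" ] && return 0
    echo "$attr is '$actual', expected '$expected'" >&2
    return 1
}

# Fetch the live print output for an object (works only on a Management Server).
fetch_print() {   # args: table object
    printf 'print %s %s\n-q\n' "$1" "$2" | dbedit -local
}

# Usage (only when invoked as "script.sh run"): confirm that the cluster is still
# in ActiveUp mode; a non-zero exit lets a calling script stop before policy install.
if [ "${1:-}" = run ]; then
    fetch_print network_objects MyCluster | expect_attr HA_mode ActiveUp
fi
```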

