topic Re: Accessing the Check Point Database in Firewall and Security Management

Accessing the Check Point Database

Matlu — Mon, 28 Apr 2025 18:35:31 GMT

Hello,

Is it possible to access the Check Point database via CLI?

I need to access the DB of my MDS, to be able to “observe” certain behaviors of the platform.

Is it possible to do this?

Thanks for your comments.

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 18:39:03 GMT

https://sc1.checkpoint.com/documents/latest/APIs/index.html#~v2%20

Or dbedit, but not sure thats supported any longer.

Andy

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 18:50:42 GMT

You can also poke around in $FWDIR/database dir, but PLEASE be careful.

Andy

*************

[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R82/fw1/database/
[Expert@CP-MANAGEMENT:0]# ls
CrlCache_1 objects.C
SC.NDB opsec_objects.C
Sandbox-persistence.xml postgresql
SessionCache_1 products_objects.C
XML properties_objects.C
communities_objects.C props_objects.C
content_security_objects.C protoobj_objects.C
dlp_net_objects.C resourcesobj_objects.C
dlpda_extract_config.C sam_policy.db
dlpda_general_config.C sam_policy.mng
encryption_objects.C servers_objects.C
fwauth.NDB servobj_objects.C
fwuserauth.keys setup_objects.C
globals_objects.C slim_objects.C
inspect.lf smart-center-servers.properties
itp_file_types.magic sofaware_gw_types_objects.C
itp_trad_file_types.magic spii_objects.C
ldap_objects.C superobj_objects.C
lists timeobj_objects.C
methods_objects.C tracks_objects.C
mime_types_objects.C trad_file_types.magic
myself_objects.C uf_predefined_categories_objects.C
netobj_objects.C url_filtering_objects.C
[Expert@CP-MANAGEMENT:0]#

Re: Accessing the Check Point Database

Matlu — Mon, 28 Apr 2025 18:53:27 GMT

Is this option the “same” as graphically accessing “GuiDBedit.exe”?

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 19:16:38 GMT

Yes sir!

Re: Accessing the Check Point Database

Duane_Toler — Mon, 28 Apr 2025 22:58:47 GMT

What sort of "access" to the database do you need?

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 23:17:13 GMT

Thats kind of what I was thinking as well, but personally, I would NOT touch those files from $FWDIR/database.

Andy

Re: Accessing the Check Point Database

Matlu — Mon, 28 Apr 2025 23:19:20 GMT

There is a need to “observe” the behavior, related for example to the “creation/editing/deletion” of network objects (IP/Subnetworks, etc.).

The reason is that they need to try to create a “script” after observing these behaviors, that allows to make a more “automated” task related to the fact of creating/editing/deleting, a massive amount of objects.

They are currently working with the “Management API” for this, but SMC limits you to enter only a certain amount of lines, approx. 30 entries (e.g. 30 new objects).

And we want to try to create a script that allows to work with a large number of objects (>70).

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 23:23:34 GMT

Hey bud,

For script, I would either try what I attached in smart console or cron job from web UI.

Andy

Re: Accessing the Check Point Database

Matlu — Mon, 28 Apr 2025 23:32:06 GMT

We have requirements where we are usually asked to add for example, 100 new IPs (Create them as objects), and these add them in a GROUP that is already created and working on a FW rule.

So, what we are trying to do is to find an “automatable” way to achieve this goal, because the requirements come in a continuous way, for high amounts of objects to create or delete, and we have many Perimeter FW where we need to apply these tasks.

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 23:33:38 GMT

I would take advice from @Duane_Toler , since he is way smarter than I am : - )

Andy

Re: Accessing the Check Point Database

Duane_Toler — Mon, 28 Apr 2025 23:39:46 GMT

You need Ansible for this. The link to my Ansible series is in my signature where I go through the setup of Ansible and the management server. I’m working on t 7 now, but up to Episode 6 gets you started for what you need.
Episode 8 will cover more multitask playbooks for more flexibility.

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 23:41:28 GMT

GREAT series btw!

Re: Accessing the Check Point Database

Matlu — Mon, 28 Apr 2025 23:46:34 GMT

Ansible helps for these “automation” tasks if the environment is MDS and VSX?

Re: Accessing the Check Point Database

the_rock — Mon, 28 Apr 2025 23:52:20 GMT

Duane will give you all the details Im sure, but according to online search, it says 100% it can help.

Below is example from chatgpt.

Andy

Yes, Ansible can definitely help with Check Point MDS (Multi-Domain Server) and VSX (Virtual Systems Extension) environments — but with some caveats depending on what you want to do.

Here’s a breakdown:

1. Check Point Ansible Collections

Check Point provides official Ansible collections:

CheckPoint.mgmt — Manages Check Point Management Servers (including MDS domains) via the Management API.
CheckPoint.gaia — Manages Gaia OS (for things like system settings, interface configs).

These collections allow you to automate tasks like:

Creating and modifying firewall rules, objects, NAT rules, etc.
Managing domains inside an MDS.
Managing VSX environments via API (although this is a bit trickier).

2. MDS-specific considerations

MDS has multiple domains, and Ansible needs to target the right domain.
Using domain parameter when calling the API via Ansible is critical.
You often need to log in to a specific domain and then manage it.

Example of a login targeting a specific domain:

3. VSX-specific considerations

VSX systems can be tricky because:
- Some VSX operations are API-supported (e.g., VS creation, updates).
- Some low-level VSX tasks may require CLI/SCP/SSH access, not just API.
You might need a combination of:
- Management API (via CheckPoint.mgmt Ansible modules)
- SSH modules (like ansible.builtin.shell) to run CLI commands for things not exposed via API.

Example use case:

Creating a VS via API — possible.
Advanced VSX CLI setup — might need SSH modules.

4. Gotchas

Version compatibility matters: Different R80.x versions and R81+ have different API features.
Session handling: Ansible roles/modules usually handle login/logout automatically, but if scripting manually, you must manage sessions carefully.
License and permissions: Make sure the API user has access to all required domains or VSX elements.

Summary Table

Feature	Status with Ansible
Basic object management (MDS)	✅ Supported
Firewall policy installs	✅ Supported
VS creation (via API)	✅ Supported (partially)
VSX CLI operations (low-level)	⚠️ Needs SSH workaround
MDS domain management	✅ Supported (carefully)

If you want, I can also show you a working Ansible Playbook snippet for either MDS or VSX, depending on what exactly you are trying to automate.

Would you like a real example next? (like create VS, manage policy, or domain-specific object changes?) 🚀
Let me know!

Re: Accessing the Check Point Database

Duane_Toler — Tue, 29 Apr 2025 00:34:15 GMT

Since you’re asking for policy related items, and objects, this applies to any gateway target type (gateway, cluster, VSX VS). VSX is not a concern.
VSX only comes into concern if you’re trying to make VS-specific configuration changes (interfaces, static routes). But this is not that.

I also cover Ansible inventory for MDS servers along with the other server types.

You can, and should, run Ansible in Docker even on Windows. I cover this in one of the episodes along with GitHub resources to get you started.

Re: Accessing the Check Point Database

the_rock — Tue, 29 Apr 2025 00:33:36 GMT

Its the best!

Re: Accessing the Check Point Database

the_rock — Tue, 29 Apr 2025 00:44:39 GMT

Thinking about this, maybe not a bad idea to consult with PS team, Im sure they can help. Yes, there is a charge for it, but at least you know its done by the vendor.

Andy

Re: Accessing the Check Point Database

Matlu — Tue, 29 Apr 2025 04:04:01 GMT

Do any of these files that are in this path, have to do with the ‘behavior’ of Check Point, for example when it comes to ‘create a new object’ or ‘add’ an object to an existing group?

Can these files be read with EXTENSIONS. .c?

Re: Accessing the Check Point Database

the_rock — Tue, 29 Apr 2025 04:23:20 GMT

That Im not sure, sorry. I will have a look tomorrow in the lab.

Andy