Hello,
Is it possible to access the Check Point database via CLI?
I need to access the DB of my MDS, to be able to “observe” certain behaviors of the platform.
Is it possible to do this?
Thanks for your comments.
https://sc1.checkpoint.com/documents/latest/APIs/index.html#~v2%20
Or dbedit, but I'm not sure that's supported any longer.
Andy
You can also poke around in $FWDIR/database dir, but PLEASE be careful.
Andy
*************
[Expert@CP-MANAGEMENT:0]# cd /opt/CPsuite-R82/fw1/database/
[Expert@CP-MANAGEMENT:0]# ls
CrlCache_1 objects.C
SC.NDB opsec_objects.C
Sandbox-persistence.xml postgresql
SessionCache_1 products_objects.C
XML properties_objects.C
communities_objects.C props_objects.C
content_security_objects.C protoobj_objects.C
dlp_net_objects.C resourcesobj_objects.C
dlpda_extract_config.C sam_policy.db
dlpda_general_config.C sam_policy.mng
encryption_objects.C servers_objects.C
fwauth.NDB servobj_objects.C
fwuserauth.keys setup_objects.C
globals_objects.C slim_objects.C
inspect.lf smart-center-servers.properties
itp_file_types.magic sofaware_gw_types_objects.C
itp_trad_file_types.magic spii_objects.C
ldap_objects.C superobj_objects.C
lists timeobj_objects.C
methods_objects.C tracks_objects.C
mime_types_objects.C trad_file_types.magic
myself_objects.C uf_predefined_categories_objects.C
netobj_objects.C url_filtering_objects.C
[Expert@CP-MANAGEMENT:0]#
Is this option the “same” as graphically accessing “GuiDBedit.exe”?
Yes sir!
Do any of the files in this path have to do with the "behavior" of Check Point, for example when it comes to creating a new object or adding an object to an existing group?
Can these files with the .C extension be read?
That I'm not sure of, sorry. I will have a look tomorrow in the lab.
Andy
Going through these files isn't what you want to do; these are created programmatically by the management server, and not always just for object changes.
If you only want to see changes made by other administrators, then you need to view the Audit Log. This is either via SmartConsole, web-based SmartView, or (again) the ansible module for logs. You could write a custom script in (say) Python, but… this is what Ansible already does.
If you need to enforce additional controls for policy and object management, such as requiring verification before publishing changes and installing policy, then you need to use the new Administrator approval system (aka “SmartWorkflow”) on that administrator’s permission profile.
If you want certain actions taken based on some particular management server event, then you may need SmartTasks like @the_rock showed.
If you want to mass-add/delete basic objects based on some other data source, then Ansible might be the right thing. If you want to mass-add entries to a custom block list, then you might actually want to use a Generic Data Center object sourced from a JSON file on the management server (or hosted on an internal web server). This object gets copied to all gateways on a periodic basis and doesn't require a policy install to update. The choice depends on where you are using these objects.
Each of these solves a different problem, so you'll need to be certain you have your goal and intent well-defined. Be as specific as you can so you avoid using the wrong tool for the job (or accidentally creating a problem unintentionally).
What sort of "access" to the database do you need?
That's kind of what I was thinking as well, but personally, I would NOT touch those files in $FWDIR/database.
Andy
There is a need to “observe” the behavior, related for example to the “creation/editing/deletion” of network objects (IP/Subnetworks, etc.).
The reason is that they need to try to create a "script" after observing these behaviors, which allows them to automate the task of creating/editing/deleting a massive amount of objects.
They are currently working with the "Management API" for this, but SMC limits you to entering only a certain number of lines, approx. 30 entries (e.g. 30 new objects).
And we want to try to create a script that allows them to work with a large number of objects (>70).
We have requirements where we are usually asked to add, for example, 100 new IPs (created as objects) and add them to a GROUP that is already created and used in a FW rule.
So, what we are trying to do is to find an “automatable” way to achieve this goal, because the requirements come in a continuous way, for high amounts of objects to create or delete, and we have many Perimeter FW where we need to apply these tasks.
I would take advice from @Duane_Toler , since he is way smarter than I am : - )
Andy
You need Ansible for this. The link to my Ansible series is in my signature, where I go through the setup of Ansible and the management server. I'm working on Episode 7 now, but up to Episode 6 gets you started for what you need.
Episode 8 will cover more multitask playbooks for more flexibility.
GREAT series btw!
Does Ansible help with these "automation" tasks if the environment is MDS and VSX?
Duane will give you all the details, I'm sure, but according to an online search, it says it can 100% help.
Below is an example from ChatGPT.
Andy
Yes, Ansible can definitely help with Check Point MDS (Multi-Domain Server) and VSX (Virtual Systems Extension) environments — but with some caveats depending on what you want to do.
Here’s a breakdown:
Check Point provides official Ansible collections:
- CheckPoint.mgmt: manages Check Point Management Servers (including MDS domains) via the Management API.
- CheckPoint.gaia: manages Gaia OS (for things like system settings, interface configs).
These collections allow you to automate tasks like:
- Creating and modifying firewall rules, objects, NAT rules, etc.
- Managing domains inside an MDS.
- Managing VSX environments via API (although this is a bit trickier).
MDS has multiple domains, and Ansible needs to target the right domain. Using the domain parameter when calling the API via Ansible is critical. You often need to log in to a specific domain and then manage it.
Example of a login targeting a specific domain:
- name: Add host to specific domain
  check_point.mgmt.cp_mgmt_host:
    name: "NewHost"
    ipv4_address: "192.0.2.1"
    color: "blue"
    state: "present"
    domain: "DomainName"
VSX systems can be tricky because:
- Some VSX operations are API-supported (e.g., VS creation, updates).
- Some low-level VSX tasks may require CLI/SCP/SSH access, not just API.
You might need a combination of:
- Management API (via CheckPoint.mgmt Ansible modules)
- SSH modules (like ansible.builtin.shell) to run CLI commands for things not exposed via API.
Example use case:
- Creating a VS via API: possible.
- Advanced VSX CLI setup: might need SSH modules.
Version compatibility matters: Different R80.x versions and R81+ have different API features.
Session handling: Ansible roles/modules usually handle login/logout automatically, but if scripting manually, you must manage sessions carefully.
License and permissions: Make sure the API user has access to all required domains or VSX elements.
Feature                          | Status with Ansible
---------------------------------|-----------------------------
Basic object management (MDS)    | ✅ Supported
Firewall policy installs         | ✅ Supported
VS creation (via API)            | ✅ Supported (partially)
VSX CLI operations (low-level)   | ⚠️ Needs SSH workaround
MDS domain management            | ✅ Supported (carefully)
If you want, I can also show you a working Ansible Playbook snippet for either MDS or VSX, depending on what exactly you are trying to automate.
Would you like a real example next? (like create VS, manage policy, or domain-specific object changes?) 🚀
Let me know!
Since you’re asking for policy related items, and objects, this applies to any gateway target type (gateway, cluster, VSX VS). VSX is not a concern.
VSX only comes into concern if you’re trying to make VS-specific configuration changes (interfaces, static routes). But this is not that.
I also cover Ansible inventory for MDS servers along with the other server types.
You can, and should, run Ansible in Docker even on Windows. I cover this in one of the episodes along with GitHub resources to get you started.
It's the best!
Thinking about this, maybe it's not a bad idea to consult with the PS team; I'm sure they can help. Yes, there is a charge for it, but at least you know it's done by the vendor.
Andy
There is no limit on how many objects you can handle within the management API. If your team observed that only the first 30 entries are processed, then there is some logical problem in their script. Are you able to provide the script so we can have a look and check the problem?
I personally wrote a script using bash and mgmt_cli which created more than 1000 objects on different Domains on an MDS.
Some steps which should be done via script:
1. Check if script is run on management
2. if MDS, check if Domain in question exists
3. login to Domain and get session id
4. Gather all already created objects from Domain
5. If the object doesn't exist, create it and add it to the needed group
6. publish changes made within session
7. install needed policy (check on which policy package the affected group is used)
8. logout from current domain
9. repeat steps 2-8 for all affected Domains
Hi,
The Management API used from the "Command Line" in SmartConsole seems to have a limitation on the number of lines you can enter.
Normally it only allows us to paste 30 entries (for example, to create 30 new IPs).
And we have big needs, because sometimes we have to create more than 100 IPs and add these 100 IPs to a group that is already created and working, for example one named GRP_Block.
As the environment is very large, because there are many perimeters to block, the task is not very simple.
That is why our client's team of "developers" wants to create their own script, and therefore they are asking us for access to the Check Point database, to investigate the behavior and create their script.
Does this make sense?
In this case, since they are other developers, they need to use Ansible. Anything else is simply re-inventing a wheel or creating problems that don’t need to exist. They can create a YAML or JSON data source for Ansible to read and provide as input to the playbook, create groups if they don’t exist and delete/edit/add hosts whether they exist or not. I cover this as part of episodes 5 and 6 in my series. All of this can run as one or two tasks in Ansible as a loop, saving you a lot of time!
Check Point’s R&D team encourages you not to make more than a few hundred changes to the server without periodic database publish operations. This is due to session management and memory usage for managing unpublished sessions. Many of us have made more changes successfully, but sometimes we have encountered a failed publish operation with 500 changes.
Ansible, with a well-designed inventory, will handle login to multiple domains and install policy packages to various gateways at your specification.
When I finish Episode 7 shortly, it will show how to load your YAML or JSON content from an external data file and how to handle missing data in your source. I have the episode written, but not yet fully edited and assembled for video publishing.
You can commit all of your Ansible code and playbooks to a git repository for the developers to clone. I cover that very briefly at the end of Episode 4. I don’t go into details for remote repos, but if you know git and collaboration, then you already know this.
Hello, @JozkoMrkvicka
Maybe you can share with us the script you use; maybe it can help us a little with our activities for the moment.
The need is to create a “massive” list of new network objects (either IPs, or Segments), and add them to a group that already exists in a Firewall rule, for example GRP_Block.
I am reviewing the other option that has been mentioned in this post, related to the use of Ansible, although we have to wait for the client to accept to apply this way of working.
For the moment we want to move forward with the options that are available.
With an API script, even when run from a remote host (not using mgmt_cli on the management server and the domain), you can use the API command "add-objects-batch":
https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-objects-batch~v1.9.1%20
This will work to solve the immediate need until you can get an automation system setup.
Read this API documentation very carefully as the information needs to be structured in a specific layout.
You can create new administrators for these developers and setup an API key authentication method for their scripts to use. You can assign this administrator to the specific domains as necessary. You can use this API endpoint with a Python script, Bash, or something else.
Check Point provides a Python SDK for their management API. The other developers can use this to build their own scripts and tools.
https://github.com/CheckPointSW/cp_mgmt_api_python_sdk
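The following is an added example, not code from this thread or from Check Point. It puts the script outline above (log in to the domain, list what already exists, create only the missing hosts, add them to the group, publish, log out) and the add-objects-batch suggestion together in one Python script that goes beyond the posts in one respect: it publishes after every batch of 100 rather than once at the end, following the advice in this thread about not accumulating hundreds of unpublished changes in a session. It assumes the endpoint names and body layouts from the public Management API reference (login with api-key and domain, show-hosts paging, add-objects-batch, set-group with members.add, publish returning a task-id, show-task, discard, logout); the management hostname, API key, domain name, host names and IP addresses are constructed placeholders, and the offline fake transport exists only so the flow can be run without a management server.

```python
"""Bulk host creation and group membership via the Check Point Management API,
publishing in chunks. Added example, not code from the thread. Assumes the
documented /web_api/ endpoints login, show-hosts, add-objects-batch, set-group,
publish, show-task, discard and logout. Hostname, API key, domain, object names
and IP addresses below are constructed placeholders."""
import ipaddress
import json
import ssl
import time
import urllib.request

BATCH_SIZE = 100  # hosts per add-objects-batch call; one publish per batch


class MgmtApi:
    """Minimal session wrapper. `transport` replaces HTTPS for offline runs."""

    def __init__(self, base_url, api_key, domain=None, cafile=None, transport=None):
        self.base_url, self.api_key, self.domain = base_url.rstrip("/"), api_key, domain
        # Verify the server cert against a CA you trust; do not disable verification.
        self.ctx = ssl.create_default_context(cafile=cafile)
        self.transport = transport or self._https
        self.sid = None

    def _https(self, endpoint, body, sid):
        headers = {"Content-Type": "application/json", **({"X-chkp-sid": sid} if sid else {})}
        req = urllib.request.Request(f"{self.base_url}/web_api/{endpoint}",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=self.ctx) as resp:
            return json.load(resp)

    def call(self, endpoint, body=None):
        return self.transport(endpoint, body or {}, self.sid)

    def login(self):
        body = {"api-key": self.api_key}
        if self.domain:  # on an MDS, log in to the domain that owns the objects
            body["domain"] = self.domain
        self.sid = self.call("login", body)["sid"]

    def existing_host_names(self):
        names, offset = set(), 0
        while True:  # show-hosts is paged; walk it until the last page
            page = self.call("show-hosts", {"limit": 500, "offset": offset})
            names.update(o["name"] for o in page["objects"])
            if page["to"] >= page["total"]:
                return names
            offset = page["to"]

    def publish_and_wait(self):
        task = self.call("publish")["task-id"]  # publish runs asynchronously
        while True:
            status = self.call("show-task", {"task-id": task})["tasks"][0]["status"]
            if status != "in progress":
                return status
            time.sleep(1)


def build_batches(hosts, batch_size=BATCH_SIZE):
    """hosts: {name: ip}. add-objects-batch bodies of <= batch_size hosts each;
    ipaddress.ip_address() rejects malformed input before it reaches the server."""
    items = [{"name": n, "ip-address": str(ipaddress.ip_address(ip))} for n, ip in hosts.items()]
    return [{"objects": [{"type": "host", "list": items[i:i + batch_size]}]}
            for i in range(0, len(items), batch_size)]


def bulk_add_hosts_to_group(api, hosts, group, batch_size=BATCH_SIZE):
    api.login()
    try:
        present = api.existing_host_names()
        new_hosts = {n: ip for n, ip in hosts.items() if n not in present}
        publishes = 0
        for body in build_batches(new_hosts, batch_size):
            names = [h["name"] for h in body["objects"][0]["list"]]
            api.call("add-objects-batch", body)
            api.call("set-group", {"name": group, "members": {"add": names}})
            if api.publish_and_wait() != "succeeded":
                api.call("discard")  # drop this batch only; earlier ones are published
                raise RuntimeError(f"publish failed after {publishes} batches")
            publishes += 1
        return {"created": len(new_hosts), "skipped": len(hosts) - len(new_hosts),
                "publishes": publishes}
    finally:
        api.call("logout")


def fake_transport(calls):
    """Offline stand-in for HTTPS: records endpoints; pretends blk-000 already exists."""
    replies = {"login": {"sid": "fake-sid"},
               "show-hosts": {"objects": [{"name": "blk-000"}], "to": 1, "total": 1},
               "publish": {"task-id": "t1"},
               "show-task": {"tasks": [{"status": "succeeded"}]}}

    def send(endpoint, body, sid):
        calls.append(endpoint)
        return replies.get(endpoint, {})
    return send


def demo(count=250, batch_size=BATCH_SIZE):
    """Constructed input: `count` hosts blk-000.. with addresses from 10.250.0.0/16."""
    hosts = {f"blk-{i:03d}": str(ip)
             for i, ip in zip(range(count), ipaddress.ip_network("10.250.0.0/16").hosts())}
    calls = []
    api = MgmtApi("https://mgmt.example.internal", "API-KEY-PLACEHOLDER",
                  domain="DomainName", transport=fake_transport(calls))
    return bulk_add_hosts_to_group(api, hosts, "GRP_Block", batch_size), calls
```

To run it against a real domain, construct MgmtApi without the transport argument, pass the CA file the management server's certificate chains to, and give the API-key administrator only the domains and permission profile this job needs. The group is updated inside the same session that created the hosts, so each publish lands both changes together; a policy install for the package that uses GRP_Block is still a separate step (install-policy), left out here on purpose because which package and targets apply is site-specific.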
The most complete answer is:
[Expert@Management:0]# psql_client cpm postgres
If you want to have more detailed info what you can extract from this, let me know. You are able to have a look at the PostgreSQL database with the complete list of settings, objects, policies, and so on.
If you want to have information on things, such as entitlement for IPS, Antibot, and others:
[Expert@Management:0]# psql_client monitoring postgres
Have fun. If you are not a Database Admin, you should learn the syntax for the "select" command.
Hi, @Yasushi_Kono1
We want to extract "visual" information about the behavior related to the "creation/deletion/editing" of network objects (IPs/segments).
Information on how, at the PostgreSQL level, Check Point "acts" when creating/deleting certain things and adding them to an existing group.
Is it possible to “see” this?
So, if you want to get a list of deleted objects, let's say host objects, the syntax would be:
[Expert@Management:0]# psql_client cpm postgres
cpm=#
cpm=# select name,objid from dleobjectderef_data where objclass like '%CpmiHostPlain' and deleted='t';
name | objid
-------------------------------------------------------------------
TestPC| 5151123-a123-4e32-3312-03123123be12312331
This syntax does not affect production, does it?
Is the syntax the same when your Management is an MDS?
If you want a list of IPs added to a group object, like GRP_Block, what would be the syntax, please?
The important thing is that the command does not “hit” the production solution, and only allows us to “see”.