Matlu
Advisor

Accessing the Check Point Database

Hello,

Is it possible to access the Check Point database via CLI?

I need to access the DB of my MDS, to be able to “observe” certain behaviors of the platform.

Is it possible to do this?

Thanks for your comments.

0 Kudos
40 Replies
the_rock
Legend

Did you open TAC case to verify all this?

Andy

0 Kudos
Matlu
Advisor

The TAC does not attend to these requests, according to an engineer who is supporting me with another service.

This is more of a consultation that should “land” with the Account Manager of the account (according to TAC's comments). 😅

0 Kudos
the_rock
Legend

Right, that makes sense.

0 Kudos
Yasushi_Kono1
Collaborator

No, it doesn't. You can extract the content of the PostgreSQL database with select statements.

Is GRP_Block a dynamic object? Where is the information source to extract from to add the IP addresses into the object. Better not to use a group of hosts, because you have to install the policy every time you make changes. In dynamic objects, content change is immediately effective.

0 Kudos
Matlu
Advisor

Is GRP_Block a dynamic object?

- No.

It is a group object, where the IPs are added manually (currently using the Management API, but by “tranches”).

As there are more than 100 new IPs that have to be created, and after creating them just added to the group GRP_Block, this task from the "Command Line" of the MDS is a little "automated", because from SmartConsole you are only allowed to add a limited amount, about 30 objects.

The idea of starting to use Ansible has already landed, but like any other client, they are now evaluating its deployment.

Anyway, they want to apply or at least try to apply the script that they build internally.

So, exactly where would you have to “query” the database, regarding how Check Point “behaves”, every time it does an activity like this, create new IPs, and add them to an existing group.

0 Kudos
Yasushi_Kono1
Collaborator

So, does a dynamic object not work for you or do you see any disadvantages over a group object?

0 Kudos
Matlu
Advisor

Hi, @Yasushi_Kono1 

The focus of the problem is the amount of IPs that we have to add on a recurring basis every day.

We get >70 new IPs, and we have to put them into a group that is already created in a rule.

The group is called GRP_Block.

So, what our team of developers is looking for is to "review" how the Check Point database behaves, so they can create their custom script and make the tasks more "user friendly".

The script they are looking to build, based on the behavior of the platform, should allow them to add/edit/delete new IPs, add them to an existing group, and after that install policies on different perimeter FWs.

Is it possible to “interact” with the database through the Check Point CLI?

0 Kudos
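The workflow described in this post (create many host objects, add them to GRP_Block in batches, then install policy) can be driven entirely through the public Management API instead of the database. The following is an added example, not code from the thread or from Check Point: it plans the API calls for a day's feed of addresses, skips duplicates and members that already exist so it is safe to re-run, publishes after every batch, and sends the calls over HTTPS to the /web_api endpoint. The commands add-host, set-group (members.add), publish, install-policy, login and logout, and the X-chkp-sid session header are the documented public API; the host naming scheme, batch size of 30, policy package name and gateway names are this example's own assumptions.

```python
"""Batched, re-runnable update of a network group via the Management API.

Added example, not from the thread. Assumed: object naming scheme,
BATCH_SIZE, POLICY_PACKAGE and TARGETS. Documented public API: add-host,
set-group, publish, install-policy, login, logout, X-chkp-sid header.
"""
import ipaddress
import json
import ssl
import urllib.request

GROUP = "GRP_Block"                               # group name from the thread
BATCH_SIZE = 30                                   # assumed: publish every 30 hosts
POLICY_PACKAGE = "Standard"                       # assumed policy package name
TARGETS = ["perimeter-fw-1", "perimeter-fw-2"]    # assumed gateway object names


def host_name(ip: str) -> str:
    """Deterministic object name, so a re-run never creates a second object."""
    return "Blk_" + ip.replace(".", "_").replace(":", "_")


def validate_ips(raw):
    """Keep well-formed, unique addresses in input order; drop the rest."""
    seen, clean = set(), []
    for item in raw:
        try:
            ip = str(ipaddress.ip_address(item.strip()))
        except ValueError:
            continue                              # malformed entry, skip it
        if ip not in seen:
            seen.add(ip)
            clean.append(ip)
    return clean


def plan_calls(raw_ips, existing_members, group=GROUP, batch_size=BATCH_SIZE):
    """Return the ordered (command, payload) list that adds raw_ips to group.

    existing_members: object names already in the group (e.g. taken from
    show-group); they are skipped so the plan is idempotent.
    """
    new = [ip for ip in validate_ips(raw_ips)
           if host_name(ip) not in existing_members]
    calls = []
    for start in range(0, len(new), batch_size):
        chunk = new[start:start + batch_size]
        for ip in chunk:
            calls.append(("add-host", {"name": host_name(ip), "ip-address": ip}))
        calls.append(("set-group", {"name": group,
                                    "members": {"add": [host_name(ip) for ip in chunk]}}))
        calls.append(("publish", {}))             # commit each batch separately
    if new:
        calls.append(("install-policy", {"policy-package": POLICY_PACKAGE,
                                         "targets": TARGETS}))
    return calls


def run_plan(calls, server, user, password, domain=None):
    """Execute the plan against https://server/web_api; domain selects the CMA."""
    ctx = ssl.create_default_context()            # verifies the server certificate

    def post(cmd, body, sid=None):
        headers = {"Content-Type": "application/json"}
        if sid:
            headers["X-chkp-sid"] = sid
        req = urllib.request.Request(f"https://{server}/web_api/{cmd}",
                                     data=json.dumps(body).encode(), headers=headers)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.load(resp)

    login = {"user": user, "password": password}
    if domain:
        login["domain"] = domain                  # same role as "-d <DOMAIN>" in mgmt_cli
    sid = post("login", login)["sid"]
    try:
        return [post(cmd, body, sid) for cmd, body in calls]
    finally:
        post("logout", {}, sid)


if __name__ == "__main__":
    # Constructed input: a day's feed with a duplicate and a malformed line.
    feed = ["192.0.2.204", "192.0.2.205", "192.0.2.204", "not-an-ip", "198.51.100.7"]
    for cmd, body in plan_calls(feed, existing_members={"Blk_198_51_100_7"}):
        print(cmd, json.dumps(body))
```

Running the script as-is only prints the plan; `run_plan(calls, "mds.example.test", "api_user", "secret", domain="CMA-1")` would send it to a specific domain's CMA. Publishing per batch keeps a failed call from leaving a large unpublished session behind, and the audit log (see the replies below in this thread) then records each batch as a separate Modify Object entry.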
Duane_Toler
Advisor

Here's a query of the Audit log showing changes to a specific group object (adjust your filter and other fields accordingly).  This uses the show-logs API command:

mgmt_cli -r true show-logs \
  new-query.type audit \
  new-query.time-frame last-hour \
  new-query.max-logs-per-request 5 \
  new-query.filter "GRP_Block" |\
jq -r '.logs[] |
  .time,.objectname,.administrator,.client_ip, .subject, .operation,.calc_desc,  (.fieldschanges|@csv) ,""'

 

Using jq to select specific fields from the output.  Just as an example:

2025-04-29T15:36:44Z
SPAM_Sources
WEB_API
192.0.2.1
Object Manipulation
Modify Object
WEB_API modified the object "GRP_Block" of type Network Group
"DummyUpdateField: Changed from 'x9t9h8i7s6i5s4a3n2i1nternaldummystring' to 'x9t9h8i7s6i5s4a3n2i1nternaldummystring '","Network object group members: Added 'Test_host_1024'"

2025-04-29T15:27:29Z
Test_host_1024
WEB_API
192.0.2.1
Object Manipulation
Create Object
WEB_API created the object "Test_host_1024" of type Host
"Name: 'Test_host_1024'","IP Address: '192.0.2.204'"

 

You can transform the output however you want.  This is just an example.  Please read the show-logs API documentation for the query fields you can use.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#web/show-logs~v1.9.1

 

Please don't use direct database commands for this. You can easily and accidentally destroy your management server and TAC will not be able to help you.  Please use the public access methods available which will be fully supported.  You should only use internal database access if you're working with TAC on some serious issue.

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
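The jq filter above prints the raw fields; the natural next step for the developers in this thread is to turn the same show-logs output into a structured record of who changed GRP_Block and which members were added or removed. The block below is an added example, not code from the post or from Check Point. It assumes the JSON layout implied by the jq filter (a "logs" list whose entries carry time, objectname, administrator, client_ip, subject, operation, calc_desc and a fieldschanges list of strings); the two sample records are constructed from the output shown above.

```python
"""Summarise show-logs audit records for one group object.

Added example, not from the thread. The "logs"/field layout is assumed from
the jq filter in the post; SAMPLE_JSON is constructed from its sample output.
"""
import json
import re

# Constructed sample, modelled on the two records shown in the post.
SAMPLE_JSON = json.dumps({"logs": [
    {"time": "2025-04-29T15:36:44Z", "objectname": "SPAM_Sources",
     "administrator": "WEB_API", "client_ip": "192.0.2.1",
     "subject": "Object Manipulation", "operation": "Modify Object",
     "calc_desc": 'WEB_API modified the object "GRP_Block" of type Network Group',
     "fieldschanges": ["DummyUpdateField: Changed from 'x' to 'x '",
                       "Network object group members: Added 'Test_host_1024'"]},
    {"time": "2025-04-29T15:27:29Z", "objectname": "Test_host_1024",
     "administrator": "WEB_API", "client_ip": "192.0.2.1",
     "subject": "Object Manipulation", "operation": "Create Object",
     "calc_desc": 'WEB_API created the object "Test_host_1024" of type Host',
     "fieldschanges": ["Name: 'Test_host_1024'", "IP Address: '192.0.2.204'"]},
]})

# "Network object group members: Added 'X'" / "... Removed 'X'" as in the sample.
MEMBER_RE = re.compile(r"Network object group members: (Added|Removed) '([^']+)'")
# calc_desc quotes the object that was touched.
OBJECT_RE = re.compile(r'the object "([^"]+)"')


def parse_logs(text):
    """Load the show-logs JSON and return its list of records."""
    return json.loads(text).get("logs", [])


def object_of(rec):
    """Object a record touched: the quoted name in calc_desc, else objectname."""
    m = OBJECT_RE.search(rec.get("calc_desc", ""))
    return m.group(1) if m else rec.get("objectname")


def membership_changes(logs, group):
    """(time, administrator, action, member) for every member change of group."""
    out = []
    for rec in logs:
        if object_of(rec) != group:
            continue
        for change in rec.get("fieldschanges", []):
            m = MEMBER_RE.search(change)
            if m:
                out.append((rec["time"], rec["administrator"],
                            m.group(1).lower(), m.group(2)))
    return out


def unexpected_changes(logs, allowed_admins, allowed_ips):
    """Records made by an administrator or client IP other than the expected
    automation account: a cheap daily check that the script is the only thing
    editing the block list."""
    return [rec for rec in logs
            if rec.get("administrator") not in allowed_admins
            or rec.get("client_ip") not in allowed_ips]


if __name__ == "__main__":
    records = parse_logs(SAMPLE_JSON)
    for when, who, action, member in membership_changes(records, "GRP_Block"):
        print(f"{when} {who} {action} {member}")
    print("unexpected:", len(unexpected_changes(records, {"WEB_API"}, {"192.0.2.1"})))
```

In practice the input would be the JSON from `mgmt_cli -r true show-logs new-query.type audit ... --format json` (or the same query over the REST API) rather than SAMPLE_JSON; the parsing does not change. Keying on calc_desc rather than objectname follows the sample, where the description is what names the modified group.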
Matlu
Advisor

In an MDS environment, with several CMAs.

This command syntax you have shared, applies in the MDS Main, right?

Or does it have to jump, yes or yes, to a particular CMA?

0 Kudos
Duane_Toler
Advisor

Add "-d <DOMAIN>" to the mgmt_cli command for a specific domain.  If you're using the REST API remotely, then you specify the domain on the API login command.  Use "mgmt_cli --help" to see all of the available options.

 

You can run mgmt_cli.exe on a Windows host if that host is a Trusted Client and has SmartConsole installed.  You don't need to run SmartConsole, just use the mgmt_cli.exe command included in the installation package.  You would need to use PowerShell to do certain things at the Windows command line.  This is a bit sub-optimal, but it will work.  With mgmt_cli.exe, you can use all of the API commands as if you were on the MDS server directly with mgmt_cli.  Same command syntax.  

 

[Attached screenshot: Screenshot 2025-04-29 at 12.27.09 PM.png]

 

--
Ansible for Check Point APIs series: https://www.youtube.com/@EdgeCaseScenario and Substack
0 Kudos
PhoneBoy
Admin

For this use case, you should be looking at the audit logs, which log all the creation, modification, and deletion of all rules and objects.
This can be exported into syslog via Log Exporter.

0 Kudos
