This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Ravindra_Katrag
Contributor
‎2018-06-18 08:35 AM

dbedit Script for bulk object creation

Hello

Does anybody have a script to create Network Objects in bulk via CLI using dbedit?

I have used the below script to create hosts and it did not work. My device is Smart 1-50 running Gaia R77.30

create host_plain web_server 
modify network_objects web_server ipaddr 192.168.1.1 
update network_objects web_server
update_all

Thanks in advance

8 Replies
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-06-18 01:08 PM

Actual dbedit commands look correct. The question is how do you execute them and what error do you get.

Hopefully you have read the SK Editing the objects_5_0.C file via Check Point database editing utilities 

Here's output of your own commands:

[Expert@ms01:0]# dbedit
Enter Server name (ENTER for 'localhost'):
Please enter a command, -h for help or -q to quit:

dbedit> create host_plain web_server

dbedit> modify network_objects web_server ipaddr 192.168.1.111

dbedit> update network_objects web_server
web_server updated successfully.

dbedit> update_all

dbedit> print network_objects web_server
Object Name: web_server
Object UID: {D864991F-7B18-B641-A6E1-503D440952F2}
Class Name: host_plain
Table Name: network_objects
Last Modified by: System
Last Modified from: localhost
Last Modification time: Mon Jun 18 22:05:21 2018
Fields Details
--------------
 ‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍‍
0 Kudos
Petr_Hantak
Advisor
Advisor
‎2018-06-18 11:13 PM

Kaspars Zibarts‌ show it correctly. You have right syntaxe, but problem must be in execution. I usually pushing configuration from file, so I'm able to add thousands rows at once.

  • In case you want to run script from file, make sure that you have there UNIX end of lines (when you copied file from different filesystem)
  • In production make database revision first!
  • DBEDIT fails and stop in case of first error in your code. This could be annoying when you are using update_all. For better visibility where the problem is you can update each element separately (you'll see which update line failed). It takes you much more time especially if you run something really big, but it is best for troubleshooting.

How to run file?

On localhost:

dbedit -s localhost -f /somepath/import-file.txt 

Under MDS on certain domain:

dbedit -s <domain server IP> -f /somepath/import-file.txt ‍

In case you need to add more objects, but some with same names already exist in your database, then you can ingnore errors:

dbedit -s localhost -f /somepath/import-file.txt ‍-ignore_script_failure

Here are some simple object code examples (host, network, ip range, group):

 Create host 10.0.0.3

create host_plain host10.0.0.3
modify network_objects host10.0.0.3 ipaddr 10.0.0.3
modify network_objects host10.0.0.3 comments "Company Host"
update network_objects host10.0.0.3

Create network 10.0.0.128/25

create network net10.0.0.128m25
modify network_objects net10.0.0.128m25 ipaddr 10.0.0.128
modify network_objects net10.0.0.128m25 netmask 255.255.255.128
modify network_objects net10.0.0.128m25 comments "Company network"
update network_objects net10.0.0.128m25

Create IP range 10.0.0.2-10.0.0.25

create address_range range10.0.0.2-10.0.0.25
modify network_objects range10.0.0.2-10.0.0.25 ipaddr_first 10.0.0.2
modify network_objects range10.0.0.2-10.0.0.25 ipaddr_last 10.0.0.25
modify network_objects range10.0.0.2-10.0.0.25 comments "server range"
update network_objects range10.0.0.2-10.0.0.25

Put all previous to simple group:

create network_object_group branchSubnetGroup
addelement network_objects branchSubnetGroup '' network_objects:host10.0.0.3
addelement network_objects branchSubnetGroup '' network_objects:net10.0.0.128m25
addelement network_objects branchSubnetGroup '' network_objects:range10.0.0.2-10.0.0.25
modify network_objects branchSubnetGroup comments "Group of objects"
update network_objects branchSubnetGroup

More examples you can find in Multi-Domain Security Management R77 Versions Administration Guide . There are examples of rules, renaming, etc.

0 Kudos
Kaspars_Zibarts
MVP Gold CHKP MVP Gold CHKP
MVP Gold CHKP
‎2018-06-18 11:21 PM
In response to Petr_Hantak

Best is wait and see what Ravindra Katragadda has to say Smiley Happy i suspected the same but it's good to give people some time to chew on info provided as in turn if you can suss out the problem yourself you might actually remember it instead of someone serving you answer on the plate Smiley Happy But yes all info you provided is correct and helpful of course

Ravindra_Katrag
Contributor
‎2018-06-19 06:52 AM
In response to Petr_Hantak

Petr Hantak

Thank you so much for such a detailed explanation.

I used the below lines to create a script.

create host_plain Block_80.80.80.80
modify network_objects Block_80.80.80.80 ipaddr 80.80.80.80
update network_objects Block_80.80.80.80
update_all

I saved this into a text file.

I copied this file to /var/log/ in the MDS.

Then, I log into MDS, went to the CMA context using mdsenv xx.xx.xx.xx command. Then I ran the below commands

dos2unix /var/log/test.txt

dbedit -local -globallock -f /var/log/test.txt &> test_output.txt

The output file shows the below error.

create <object_type> <object_name>
Error in line: 1

Can you please help me why am I seeing this?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-06-19 08:17 AM
In response to Ravindra_Katrag

First of all, try to execute the commands manually and see if you get the same error, could it be that object already exists?

SK30383:

  • When using the –globallock flag, savedb should be added at the end of the script (like save button in SmartDashboard). 
Regards, Maarten
0 Kudos
Ravindra_Katrag
Contributor
‎2018-06-19 09:16 AM
In response to Maarten_Sjouw

That Object doesn't exist. It's a new one.

if I change the update_all to savedb, will it work?

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-06-19 10:35 AM
In response to Ravindra_Katrag

it is an additional command, not a replacement, however it will not remove the error

we recently added a lot of Office 365 hosts and networks and used this format for the host:

create host_plain O365-H-94.245.88.28
modify network_objects O365-H-94.245.88.28 ipaddr 94.245.88.28
update network_objects O365-H-94.245.88.28
update_all
savedb

And this for the networks:

create network O365-N-94.245.120.64_26
modify network_objects O365-N-94.245.120.64_26 ipaddr 94.245.120.64
modify network_objects O365-N-94.245.120.64_26 netmask 255.255.255.192
update network_objects O365-N-94.245.120.64_26
update_all
savedb

These are just the single host and a single network, but if you copy the text above and use VI on the MDS instead of notepad or make sure to use notepad++ or a similar product that can store the file as a linux file so you dont have strange characters in the file.

Double check by doing a cat of you text file on the MDS.

Regards, Maarten
Petr_Hantak
Advisor
Advisor
‎2018-06-21 04:03 AM
In response to Ravindra_Katrag

I tried exactly on MDS R77.30 your object and it worked without issues.

  • I created file for import on the MDS as new file via VIM editor, paste commands from clipboard and save it.
  • Make sure that there are no special characters there or unexpected spaces
  • I switched MDS context with mdsenv as well. 
  • It worked fine with –globallock flag and savedb

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events