List all Objects of a Check Point Firewall

I think every firewall admin knows the situation. There is a nice process adding nodes or networks to the configuration database of the firewall and add rules to allow certain traffic. But removing these rules and objects is, well, not regulated.

In most of the firewall systems I have seen there is a large amount of garbage configured. A lot of nodes just do not exist any more. And sometimes an admin has some spare time to cleanup the rules and object database…

But how to export the data from the Check Point configuration database to a file?

There is a nice little tool called queryDB_util that exports the Check Point configuration database. It queries the database and prints out the results. With a little helper script exporting the IP addresses of all configured nodes becomes a matter of seconds:


cat <<EOF | queryDB_util  | awk -F": " '/ipaddr/ {print $2}'
-t network_objects -s type='host' -pf

The output of this command gives you a list of all IP addresses of the nodes configured on your firewall. Now you can compare that list to the asset management system of your company to find out if these objects still exist in reality. If not deconfigure the object from your firewall.


Of course an asset management system that really knows what is going on in your network by crawling it every hour is preferred over a static system where assets are enterered manually.

The queryDB_util command

The queryDB_util command works interactive. You have to enter the commands line by line confirming every action with the ENTER key. In the fist line I tell the command to connect to the configuration database on localhost. The command in the next line orders the utility to list all objects in the network_objects table of the host type. The utility should print out the full data set. The awk command selects the important lines.

The last line -q quits the utility.

For more information about the utility and its features please read the documentation. Also calling the utility with the -h option prints out a lot of information.

Michael Schwartzkopff, 19.02.2013