cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
rkalidh
Iron

Export Policy using python

Jump to solution

Hi all,

 

Good day!!.Am new to check point and am trying to automate few tasks in check point. As a part of it, would like to automate policy export of all check point firewalls and send in mail for monthly review.

https://github.com/CheckPointSW/ExportImportPolicyPackage : Export import package will help to export policies but when i run in python, am getting error as in attached screen shot.  Am sure that something is missed.

Please guide me if am not in right path. 

 

0 Kudos
1 Solution

Accepted Solutions
Maik
Silver

Re: Export Policy using python

Jump to solution

Ah okay I see that you are using python 3 - as far as I know this script has been written to work with python 2.7 only.

Can you try to install version 2.7.x and run the script again, please?

19 Replies
Admin
Admin

Re: Export Policy using python

Jump to solution

Did you download and install the Check Point API Python SDK repository?
This is required to use this particular script.

rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi,

I have installed same. Attached screen shot.

0 Kudos
Admin
Admin

Re: Export Policy using python

Jump to solution

The error message suggests the module is not installed in a place the python interpreter sees it.

0 Kudos
rkalidh
Iron

Re: Export Policy using python

Jump to solution

I have installed in same path and it is reflected in sys.path also.

Interpreter reflecting correct path.  May be am lack in understanding. Could you please guide me.

rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi,

Here is the problem what am facing. If i run examples of cp_mgmt_api_python, it is working fine, but from same path if I execute, import_export_package am getting error. Please help me to fix this.

0 Kudos
Maik
Silver

Re: Export Policy using python

Jump to solution

Hey,

 

From your given Output I can see that you try to execute the script with the use of relative module names ("-m" parameter). If you have installed the Check Point API Python SDK as it is mentioned in the linked GitHub page the script execution should be possible by simple typing

 

"python.exe import_export_package.py" [with python in the path variable as a requirement]

 

PS C:\Users\user\Desktop\Check Point Scripts\Scripting_Mgmt_CLI\ExportImportPolicyPackage-masterNEW> python.exe import_export_package.py
 
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit

As "ExportImportPolicyPackage-master" is your current working directory related to your screenshot the only issue I can think of is a copy/paste mistake. Please double check if the Folder "exporting" within ExportImportPolicyPackage contains the file "Export_access_rulebase" as well as all the other required files. In sum you should see 16 files in there, 8 of these should have the .py ending. In the case of some files being not present, try to download the repository as a zip again and proceed with step one.

 

Regards,

Maik

rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi,

As suggested, i have removed directory and downloaded as zip and placed in separate folder, but still am getting same error.

attached screen shots. Please help.

rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi, 

Attached list of files post downloading package using zip.

0 Kudos
rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi

Attached package export path.

0 Kudos
Maik
Silver

Re: Export Policy using python

Jump to solution

Ah okay I see that you are using python 3 - as far as I know this script has been written to work with python 2.7 only.

Can you try to install version 2.7.x and run the script again, please?

rkalidh
Iron

Re: Export Policy using python

Jump to solution

Hi,

Yes, it is working fine with python 2.7.9. Thanks.

Re: Export Policy using python

Jump to solution

Is it expected this script doesn't export gateway objects, regardless if they are internally or externally managed??

0 Kudos
Maik
Silver

Re: Export Policy using python

Jump to solution

It exports gateway objects - at least internally managed ones. However as SIC can't be recreated via this script only temporary ("place holder") objects will be created, so that SIC re-establishment has to be done manually.

0 Kudos

Re: Export Policy using python

Jump to solution

Limitation in R80.30??  For any CP Gateway (there are 25 of them) I have defined it fails to export it:

 

Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>

0 Kudos
Maik
Silver

Re: Export Policy using python

Jump to solution

I used the script up and including R80.20 - so I can't say anything related R80.30 test cases.

However the output that you mentioned shows this:

 

Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>.

 

This should allow you to edit the related object called export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> in order to re-establish sic and set the other parameters as well as the actual gateway name. As all references to the actual gateway are also overwritten with the export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> object you don't need to overwrite anything else; all the references will be updates once the object export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> gets fixed manually. Note that this is the normal behavior as the management API is not able to handle tasks like SIC establishment and firewall blade configuration (at least not detailled).

0 Kudos

Re: Export Policy using python

Jump to solution

The issue is that I have 1 internal cluster and round 23 external  gateways (combination of external and interoperable devices) - when it imported them it did so as all locally managed gateways so now i've got quite a bit of cleanup with 23 vpn communities they are all a part of.  I know how to fix it ultimately but just wanted to provide a heads up as I've used the tool in versions prior to R80.30 and don't recall this being the behavior.

 

The example in screenshot was interoperable devices before being imported.

0 Kudos
Admin
Admin

Re: Export Policy using python

Jump to solution
There isn't API support for interoperable devices, so they get created as placeholders by the script.
That should not be new behavior.
0 Kudos

Re: Export Policy using python

Jump to solution

The issue I've run into (merging 3 managers into 1) is that it does not export checkpoint gateways either, since it cannot export the object it also does not handle the group objects that are defined for the interfaces. I learned this after the fact when i manually created the cluster and the group object for the interface was not present, nor were the hosts that were a part of that group.

All in all i understand that this is not expected to be 100% accurate was just raising it to see if it was a known limitation of not being able to export gateway objects and any other objects associated to the gateway as well.

0 Kudos
Admin
Admin

Re: Export Policy using python

Jump to solution
There is no API support for clusters as of yet either, which might explain some of this.
0 Kudos