Employee+

Python tool for exporting/importing a policy package or parts of it

Overview

The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R80.x management database.

This tool can be used for backups, database transfers, testing and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage 

First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.

To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way.

Command line flags may also be set in order to skip some or all of the menu.

A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool.

Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA. In general, it is limited by the R80.x Management APIs. Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version

R80.x

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage 

 

NOTICE: By using this sample code you agree to terms and conditions in this Terms and Conditions

...

289 Replies

Re: Python tool for exporting/importing a policy package or parts of it

Hello Inbar.

I am using Python 2.7.13 for Windows and R80 without a jumbo take.

When I try to use your scripts... I get something like:

C:\Users\administrador\Desktop\import_export_package>export_package.py -m 192.168.80.254 Standard
Trying to get login credentials...
Got the following login credentials:
    Username: admin
    Password: **********
    Session ID: None
Traceback (most recent call last):
  File "C:\Users\administrador\Desktop\import_export_package\export_package.py", line 30, in <module>
    _, _, user_created, client, args = process_args_and_login(client=client, parser=parser, showparameter="package")
  File "C:\Users\administrador\Desktop\import_export_package\import_export_objects\get_objects.py", line 66, in process_args_and_login
    login(client, management, domain, username, password, session_id)
  File "C:\Users\administrador\Desktop\import_export_package\import_export_objects\get_objects.py", line 698, in login
    login_res = client.login(management, username, password, domain=domain)
  File "C:\Users\administrador\Desktop\import_export_package\mgmt_api_lib\cp_mgmt_api.py", line 140, in login
    self.api_version = login_res.data["api-server-version"]
KeyError: 'api-server-version'

What can be the problem?

Thanks in advance.

Re: Python tool for exporting/importing a policy package or parts of it

Hello,

Also having problems while exporting package:

Login failed: APIResponse received a response which is not valid JSON.

I'm using Python:

Python 2.7.9 (default, Mar  1 2015, 12:57:24)

[GCC 4.9.2] on linux2

Against R80 - Build 101

Can you please help me with this?

Thank you in advance.

Re: Python tool for exporting/importing a policy package or parts of it

Hello.

I think you have to enable access to the API from external PCs... (settings --> blade --> API)

If after that it works.. please tell me your syntax.. because I still have problems.

Thanks in advance.

Re: Python tool for exporting/importing a policy package or parts of it

Thanks Carlos, that worked for me.

Now I'm facing another error:

UnicodeEncodeError: 'ascii' codec can't encode character u'\u0431' in position 43: ordinal not in range(128)

That I hope is related to any unusual character on a policy object name, or to the encoding used on my Linux client.

I'll write here if I find how to solve it.

The syntax I used is:

python export_package.py -m 192.168.10.213 "2016-Septiembre01_1"

Where "2016-Septiembre01_1" is the access layer (policy) name I got from running "show packages", like the "Standard" one.

Thank you!

Re: Python tool for exporting/importing a policy package or parts of it

Hello,

Solved the previous problem by adding:

     import sys  # needed before reload(sys) if not already imported
     reload(sys)
     sys.setdefaultencoding('utf8')

To the beginning of export_package.py

Now let's see how I import it on the R80 management, as the Python version is 2.7.3:

     /opt/CPsuite-R80/fw1/Python/bin/python -V

     Python 2.7.3

Kind regards.

Re: Python tool for exporting/importing a policy package or parts of it

Hello.

Finally it works after installing jumbo take 76.

Thanks.

Re: Python tool for exporting/importing a policy package or parts of it

Hi.  Trying to extract from R80.10, and running the scripts on macOS...

grat:import_export_package gjh$ python export_package.py -m 10.0.41.253 -u lgjh Standard
Trying to get login credentials...
Trying to login via `mgmt_cli login -r true`.
Trying to get username and password.
Enter password: 
Got the following login credentials:
    Username: lgjh
    Password: ********
    Session ID: None
Login failed: APIResponse received a response which is not valid JSON.

Help please!

Also, yeah... how can you possibly re-import when you're supposed to do it locally on the mgmt server and the version of Python is wrong....

Thx-Greg

Re: Python tool for exporting/importing a policy package or parts of it

Found the problem - --port is not honoured, and neither is the related env variable.  This is relevant because we are using SmartEndpoint, and so port=4434.  I hope someone will fix the code and keep this script supported!

Thx

Greg

Re: Python tool for exporting/importing a policy package or parts of it

Hi,

python version 2.7.9 installed on my pc.

Also, my SmartCenter Python version is 2.7.3

[Expert@mgmt:0]# /opt/CPsuite-R80/fw1/Python/bin/python -V
Python 2.7.3

How can I resolve the Login failed issue?

C:\import_export_package\export_package.py -m 192.168.0.1 fwpolicy
Trying to get login credentials...
Trying to login via `mgmt_cli login -r true`.
Trying to get username and password.
Enter username: admin
Enter password:
Got the following login credentials:
Username: admin
Password: ********
Session ID: None
Login failed: APIResponse received a response which is not valid JSON.

Thank you
Best Regards

Suleyman

0 Kudos
Re: Python tool for exporting/importing a policy package or parts of it

Hello again,

Do you have an idea for the solution?

python version 2.7.9 installed on my pc.

 

Also, my SmartCenter Python version is 2.7.3

[Expert@mgmt:0]# /opt/CPsuite-R80/fw1/Python/bin/python -V
Python 2.7.3

 

How can I resolve the Login failed issue?

 

C:\import_export_package\export_package.py -m 192.168.0.1 fwpolicy
Trying to get login credentials...
Trying to login via `mgmt_cli login -r true`.
Trying to get username and password.
Enter username: admin
Enter password:
Got the following login credentials:
Username: admin
Password: ********
Session ID: None
Login failed: APIResponse received a response which is not valid JSON.

 

Thank you
Best Regards

Suleyman

Employee

Re: Python tool for exporting/importing a policy package or parts of it

Hi Suleyman,

Please try using the newer version of the API Python library - 

https://community.checkpoint.com/docs/DOC-1091

Please contact me via e-mail if you run into any issues.

Thanks,

Adam

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

Hello,

I have several issues with this tool.

One of them is the following: the fingerprint is not accepted.

As this is a LAB env. and I have managed to crash the DB I had to install the R80.10 Smart Center once again.

I have deleted the cache files on my CP and uninstalled the entire dashboard plus deleted all files in C:\Program Files\CheckPoint\SmartConsole\R80.10

But this did not solve the issue.

----------------------------------------------------------------------------------------------------------------------------------------------------

[Expert@SC1-R80.10:0]# /opt/CPsuite-R80/fw1/Python/bin/python -V
Python 2.7.13
[Expert@SC1-R80.10:0]# clish -c "show installer packages installed"
**  ************************************************************************* **
**              Connection error. Packages list might be incomplete           **
**  ************************************************************************* **
**  ************************************************************************* **
**                                 Hotfixes                                   **
**  ************************************************************************* **
Display name                                      Type
Check_Point_R80_10_JUMBO_HF_T15_sk116380_FULL.... Hotfix
HOTFIX_R80_10                                     Legacy Mini-Wrapper
[Expert@SC1-R80.10:0]#

----------------------------------------------------------------------------------------------------------------------------------------------------

DOS prompt:

C:\Users\lab1\Documents\import_export_package1>export_package.py -u admin -p vpn
123 -m 192.168.63.80 Standard --unsafe true
Trying to get login credentials...
Got the following login credentials:
    Username: admin
    Password: ******
    Session ID: None
Traceback (most recent call last):
  File "C:\Users\lab1\Documents\import_export_package1\export_package.py", line
30, in <module>
    _, _, user_created, client, args = process_args_and_login(client=client, par
ser=parser, showparameter="package")
  File "C:\Users\lab1\Documents\import_export_package1\import_export_objects\get
_objects.py", line 68, in process_args_and_login
    raise mgmt_api_lib.APIClientException("The server's fingerprint is different
 than your local record of it. The script cannot operate in this unsecure manner
 (unless running with --unsafe). Exiting...")
import_export_objects.mgmt_api_lib.api_exceptions.APIClientException: The server
's fingerprint is different than your local record of it. The script cannot oper
ate in this unsecure manner (unless running with --unsafe). Exiting...

----------------------------------------------------------------------------------------------------------------------------------------------------

By the way, can you provide instructions on how to install python_bundle_1_2_2, please?

Thank you very much

Re: Python tool for exporting/importing a policy package or parts of it

Ps. my Python version installed on the PC is 2.7.13 Tk version 8.5.15

Employee

Re: Python tool for exporting/importing a policy package or parts of it

Hi Sebastian,

Please add the --unsafe flag when you run the tool. 

Let me know if this resolves your issue.

Adam Galmor

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

Hello Adam,

I have already tried it before in different ways.

Here once again the results.

Python version installed on the PC is 2.7.13 Tk version 8.5.15

Best regards

Sebastian

C:\Users\lab1\Documents\import_export_package1>export_package.py -u
123 -m 192.168.63.80 Standard --unsafe true
Trying to get login credentials...
Got the following login credentials:
Username: admin
Password: ******
Session ID: None
Traceback (most recent call last):
File "C:\Users\lab1\Documents\import_export_package1\export_packag
30, in <module>
_, _, user_created, client, args = process_args_and_login(client
ser=parser, showparameter="package")
File "C:\Users\lab1\Documents\import_export_package1\import_export
_objects.py", line 68, in process_args_and_login
raise mgmt_api_lib.APIClientException("The server's fingerprint
than your local record of it. The script cannot operate in this uns
(unless running with --unsafe). Exiting...")
import_export_objects.mgmt_api_lib.api_exceptions.APIClientException
's fingerprint is different than your local record of it. The script
ate in this unsecure manner (unless running with --unsafe). Exiting.

C:\Users\lab1\Documents\import_export_package1>
C:\Users\lab1\Documents\import_export_package1>
C:\Users\lab1\Documents\import_export_package1>python -V
'python' is not recognized as an internal or external command,
operable program or batch file.

C:\Users\lab1\Documents\import_export_package1>export_package.py --unsafe -u adm
in -p vpn123 -m 192.168.63.80 Standard
usage: export_package.py
package
export_package.py: error: argument --unsafe: expected one argument

C:\Users\lab1\Documents\import_export_package1>export_package.py --unsafe true -
u admin -p vpn123 -m 192.168.63.80 Standard
Trying to get login credentials...
Got the following login credentials:
Username: admin
Password: ******
Session ID: None
Traceback (most recent call last):
File "C:\Users\lab1\Documents\import_export_package1\export_package.py", line
30, in <module>
_, _, user_created, client, args = process_args_and_login(client=client, par
ser=parser, showparameter="package")
File "C:\Users\lab1\Documents\import_export_package1\import_export_objects\get
_objects.py", line 68, in process_args_and_login
raise mgmt_api_lib.APIClientException("The server's fingerprint is different
than your local record of it. The script cannot operate in this unsecure manner
(unless running with --unsafe). Exiting...")
import_export_objects.mgmt_api_lib.api_exceptions.APIClientException: The server
's fingerprint is different than your local record of it. The script cannot oper
ate in this unsecure manner (unless running with --unsafe). Exiting...

C:\Users\lab1\Documents\import_export_package1>
C:\Users\lab1\Documents\import_export_package1>export_package.py --unsafe-auto-a
ccept true -u admin -p vpn123 -m 192.168.63.80 Standard
Trying to get login credentials...
Got the following login credentials:
Username: admin
Password: ******
Session ID: None
Traceback (most recent call last):
File "C:\Users\lab1\Documents\import_export_package1\export_package.py", line
30, in <module>
_, _, user_created, client, args = process_args_and_login(client=client, par
ser=parser, showparameter="package")
File "C:\Users\lab1\Documents\import_export_package1\import_export_objects\get
_objects.py", line 68, in process_args_and_login
raise mgmt_api_lib.APIClientException("The server's fingerprint is different
than your local record of it. The script cannot operate in this unsecure manner
(unless running with --unsafe). Exiting...")
import_export_objects.mgmt_api_lib.api_exceptions.APIClientException: The server
's fingerprint is different than your local record of it. The script cannot oper
ate in this unsecure manner (unless running with --unsafe). Exiting...

C:\Users\lab1\Documents\import_export_package1>

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

Unfortunately the unsafe flag does not resolve it.

Employee

Re: Python tool for exporting/importing a policy package or parts of it

Hi Sebastian, have you tried using both "unsafe" and "unsafe-auto-accept"?

In any case, please supply me with your e-mail address.

0 Kudos
Admin

Re: Python tool for exporting/importing a policy package or parts of it

Adam, I will send his email address offline.

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

It was the IP address. Using correct IP helped.

C:\Users\lab1\Documents\import_export_package1>export_package.py --unsafe true -u admin -p vpn123 -m 192.168.163.80 Standard
Trying to get login credentials...
Got the following login credentials:
    Username: admin
    Password: ******
    Session ID: None

You currently do not have a record of this server's fingerprint.
Server's fingerprint: ******************************************
Do you accept this fingerprint? [y/n] y
Fingerprint saved.
Exporting rulebase from layer 'Network'...

1/1 objects retrieved.
Exporting access rules from layer 'Network'...
Exporting access sections from layer 'Network'...
Done exporting layer 'Network'.

Thank you

0 Kudos
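
The fingerprint prompt and the "fingerprint is different than your local record" error seen in the posts above are a trust-on-first-use check. The following is an added example, not code from the tool or its API library: a small pin store in Python 3 showing the three outcomes (first contact, match, mismatch). The SHA-256 format, the JSON pin file, the function names and the host name are assumptions of this example.

```python
import hashlib
import hmac
import json
import os
import tempfile

NEW, MATCH, MISMATCH = "new", "match", "mismatch"


def fingerprint(der_cert):
    """Colon-separated SHA-256 of the DER-encoded server certificate."""
    digest = hashlib.sha256(der_cert).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


class PinStore(object):
    """Trust-on-first-use store: one pinned fingerprint per server address."""

    def __init__(self, path):
        self.path = path
        self.pins = {}
        if os.path.exists(path):
            with open(path) as fh:
                self.pins = json.load(fh)

    def check(self, server, der_cert):
        pinned = self.pins.get(server)
        if pinned is None:
            return NEW
        same = hmac.compare_digest(pinned, fingerprint(der_cert))
        return MATCH if same else MISMATCH

    def pin(self, server, der_cert):
        self.pins[server] = fingerprint(der_cert)
        tmp = self.path + ".tmp"
        with open(tmp, "w") as fh:
            json.dump(self.pins, fh, indent=2, sort_keys=True)
        os.replace(tmp, self.path)  # atomic swap, no half-written pin file


def may_login(store, server, der_cert, operator_accepts):
    """True if login may proceed; the operator is asked only on first contact."""
    state = store.check(server, der_cert)
    if state == MATCH:
        return True
    if state == NEW and operator_accepts(fingerprint(der_cert)):
        store.pin(server, der_cert)
        return True
    return False  # a mismatch is never silently re-pinned


def demo():
    # Constructed stand-ins for DER certificates; not real certificate data.
    cert_a = b"constructed DER bytes of the management server"
    cert_b = b"constructed DER bytes of some other host"
    server = "mgmt.example.test"  # hypothetical address
    path = os.path.join(tempfile.mkdtemp(), "pins.json")
    first = may_login(PinStore(path), server, cert_a, lambda fp: True)
    again = may_login(PinStore(path), server, cert_a, lambda fp: False)
    other = may_login(PinStore(path), server, cert_b, lambda fp: True)
    still_pinned = PinStore(path).check(server, cert_a) == MATCH
    return [first, again, other, still_pinned]
```

In real use the DER bytes would come from `ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, port)))`. A mismatch is a reason to check the address or the server first, as happened in the post above, before reaching for --unsafe.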

Re: Python tool for exporting/importing a policy package or parts of it

Hello,

Can you please provide instructions on how to install python_bundle_1_2_2?

For both DOS/Windows and Gaia R80.10.

As that tool is not supported by CheckPoint, this is the only way to get help on this.

At the moment this script does not run on an R80.10 system.

 

[Expert@SC2-R80.10:0]# ./export_package.py -u admin -p vpn123 -m localhost Sandard
Traceback (most recent call last):
  File "./export_package.py", line 6, in <module>
    from mgmt_api_lib import cp_mgmt_api
  File "/home/admin/tools/import_export_package/mgmt_api_lib/__init__.py", line 1, in <module>
    from cp_mgmt_api import APIClient
  File "/home/admin/tools/import_export_package/mgmt_api_lib/cp_mgmt_api.py", line 12, in <module>
    from distutils.version import LooseVersion
ImportError: No module named distutils.version
[Expert@SC2-R80.10:0]# python -V
Python 2.7.13
[Expert@SC2-R80.10:0]#

I hope python_bundle_1_2_2 will fix the problem.

Unless you have another solution for running those scripts on an R80.10 system.

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

The scripts seemed to work well in exporting the package, but on the import, it imports all the objects, but the rulebase comes up as a single line for me.  (Excluding the any/any drop).

I'm trying to move a policy package from one management server to another (consolidation of management). 

The original policy is about ~130 lines long for reference.  Even importing into a fresh R80 management station, it doesn't seem to work successfully.

Any suggestions?

0 Kudos

Re: Python tool for exporting/importing a policy package or parts of it

It looks like there is a bug in how it created the csv for the rules import: 

/snip

Adding access rules to layer 'New_Standard Security'...
Error occured during parsing of CSV file.
Line 7 column 40: Unexpected character in csv file. String value is not followed by double-quotes
Failed to read parameters file [01__add-access-rule__2017_07_27_09_43.csv]: Invalid format

code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [73] should be replaced by one of the following values: [1-2]"


Adding access sections to layer 'New_Standard Security'...
Line 2: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [14] should be replaced by one of the following values: [1-2]"

Line 3: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [17] should be replaced by one of the following values: [1-2]"

Line 4: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [18] should be replaced by one of the following values: [1-2]"

Line 5: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [22] should be replaced by one of the following values: [1-2]"

Line 6: code: "generic_err_invalid_parameter"
message: "Invalid parameter for [position]. The invalid value [24] should be replaced by one of the following values: [1-2]"

/endsnip

I'm in the process of digging through the export packages currently, but that appears to be the root of the issue.

0 Kudos
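
The "String value is not followed by double-quotes" message in the post above points at a quoting error in the generated CSV. As an added example (not the tool's own code, and the thread does not show what actually produced the bad line), this Python 3 checker locates the first quoting violation by line and column so an exported file can be inspected before import. It assumes RFC 4180-style quoting; the column names and rule values are constructed.

```python
import csv
import io


def write_rules(rows):
    """Serialise rows with every field quoted and embedded quotes doubled."""
    buf = io.StringIO()
    csv.writer(buf, quoting=csv.QUOTE_ALL).writerows(rows)
    return buf.getvalue()


def naive_write(rows):
    """Defective writer kept for contrast: wraps fields in quotes, escapes nothing."""
    return "".join('"' + '","'.join(r) + '"\n' for r in rows)


def find_quote_error(text):
    """Return (line, column, reason) of the first quoting violation, else None."""
    line, col, i = 1, 0, 0
    in_quotes, field_start = False, True
    while i < len(text):
        ch = text[i]
        nxt = text[i + 1] if i + 1 < len(text) else ""
        col += 1
        if in_quotes:
            if ch == '"' and nxt == '"':      # doubled quote = literal quote
                i, col = i + 1, col + 1
            elif ch == '"' and nxt in (",", "\r", "\n", ""):
                in_quotes = False             # properly closed field
            elif ch == '"':
                return (line, col + 1, "closing quote followed by %r" % nxt)
            elif ch == "\n":                  # newline inside a quoted field
                line, col = line + 1, 0
        elif ch == '"':
            if not field_start:
                return (line, col, "quote inside an unquoted field")
            in_quotes, field_start = True, False
        elif ch == "\n":
            line, col, field_start = line + 1, 0, True
        elif ch != "\r":
            field_start = (ch == ",")
        i += 1
    return (line, col, "unterminated quoted field") if in_quotes else None


# Constructed sample: column names and rule values are illustrative only.
ROWS = [
    ["name", "position", "comments"],
    ["Allow web", "1", "plain"],
    ['Allow "DMZ" web', "2", "name contains double quotes"],
]
```

Running `find_quote_error(naive_write(ROWS))` points at the character after the stray quote on the third line, while the output of `write_rules(ROWS)` passes and round-trips through `csv.reader`.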
Employee

Re: Python tool for exporting/importing a policy package or parts of it

Hello,

A new version of the tool will be uploaded soon (during next week).

Thank you for your patience,

Adam Galmor

RickLin
Silver

Re: Python tool for exporting/importing a policy package or parts of it

Hello Adam

Can we use it on R80.10 GA version now?

0 Kudos
Employee

Re: Python tool for exporting/importing a policy package or parts of it

A new version of the tool, 2.0, has been uploaded. 

0 Kudos
Employee

Re: Python tool for exporting/importing a policy package or parts of it

Hi Rick,

A new version was just uploaded, and you may use it on R80.10.

0 Kudos
Employee++

Re: Python tool for exporting/importing a policy package or parts of it

This source code is now open source in a GitHub repository:

GitHub - CheckPoint-APIs-Team/ExportImportPolicyPackage