rkalidh
Participant

Export Policy using python

Hi all,

Good day! I am new to Check Point and am trying to automate a few tasks in Check Point. As a part of it, I would like to automate the policy export of all Check Point firewalls and send it in mail for monthly review.

https://github.com/CheckPointSW/ExportImportPolicyPackage : the Export Import package will help to export policies, but when I run it in Python I am getting an error as in the attached screenshot. I am sure that something is missed.

Please guide me if I am not on the right path.

36 Replies
PhoneBoy
Admin

Did you download and install the Check Point API Python SDK repository?
This is required to use this particular script.

rkalidh
Participant

Hi,

I have installed the same. Screenshot attached.
PhoneBoy
Admin

The error message suggests the module is not installed in a place the python interpreter sees it.

rkalidh
Participant

I have installed it in the same path and it is reflected in sys.path also.

The interpreter reflects the correct path. Maybe I am lacking in understanding. Could you please guide me?

rkalidh
Participant

Hi,

Here is the problem I am facing. If I run the examples of cp_mgmt_api_python, it is working fine, but from the same path if I execute import_export_package I am getting an error. Please help me to fix this.
Maik
Advisor

Hey,

From your given output I can see that you try to execute the script with the use of relative module names ("-m" parameter). If you have installed the Check Point API Python SDK as mentioned on the linked GitHub page, the script execution should be possible by simply typing

"python.exe import_export_package.py" [with python in the path variable as a requirement]

PS C:\Users\user\Desktop\Check Point Scripts\Scripting_Mgmt_CLI\ExportImportPolicyPackage-masterNEW> python.exe import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit

As "ExportImportPolicyPackage-master" is your current working directory according to your screenshot, the only issue I can think of is a copy/paste mistake. Please double check whether the folder "exporting" within ExportImportPolicyPackage contains the file "Export_access_rulebase" as well as all the other required files. In sum you should see 16 files in there, 8 of which should have the .py ending. In case some files are not present, try to download the repository as a zip again and proceed with step one.

Regards,

Maik

rkalidh
Participant

Hi,

As suggested, I have removed the directory, downloaded it as a zip and placed it in a separate folder, but I am still getting the same error.

Screenshots attached. Please help.

rkalidh
Participant

Hi,

Attached is the list of files after downloading the package as a zip.
rkalidh
Participant

Hi,

Attached is the package export path.
Maik
Advisor

Ah okay, I see that you are using Python 3 - as far as I know this script has been written to work with Python 2.7 only.

Can you try to install version 2.7.x and run the script again, please?

rkalidh
Participant

Hi,

Yes, it is working fine with Python 2.7.9. Thanks.

Juan_Concepcion
Advisor

Is it expected that this script doesn't export gateway objects, regardless of whether they are internally or externally managed?
Maik
Advisor

It exports gateway objects - at least internally managed ones. However, as SIC can't be recreated via this script, only temporary ("placeholder") objects will be created, so SIC re-establishment has to be done manually.
Juan_Concepcion
Advisor

Limitation in R80.30? For any CP gateway I have defined (there are 25 of them) it fails to export it:

Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>
Maik
Advisor

I used the script up to and including R80.20 - so I can't say anything related to R80.30 test cases.

However, the output that you mentioned shows this:

Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>.

This should allow you to edit the related object called export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> in order to re-establish SIC and set the other parameters as well as the actual gateway name. As all references to the actual gateway are also overwritten with the export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> object, you don't need to overwrite anything else; all the references will be updated once the object export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> gets fixed manually. Note that this is the normal behavior, as the management API is not able to handle tasks like SIC establishment and firewall blade configuration (at least not in detail).
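As an added example (not part of this thread or of the export tool's own code), a small Python 3 helper that reads the tool's output and turns every "is not exportable" message of the form quoted above into a post-import to-do item, so the placeholder objects that need SIC re-established are not missed; a placeholder whose name does not follow the advertised pattern is flagged rather than trusted. The sample output, the names, the type ConstructedType, the second and third UIDs and the GATEWAY_TYPES list are constructed assumptions; only the first UID comes from the thread.

```python
import re
from typing import Dict, List
# Message printed by the tool (quoted in this thread): "Object of type <TYPE> with
# uid <UID> named <NAME> is not exportable. Its name was changed to export_error_..."
NOT_EXPORTABLE_RE = re.compile(
    r"Object of type (?P<type>\S+) with uid (?P<uid>[0-9a-fA-F-]{36}) named "
    r"(?P<name>.+?) is not exportable\. Its name was changed to "
    r"(?P<placeholder>export_error_\S+?)\.?$"
)
# Types standing for gateways, which need SIC re-established by hand once the
# placeholder is fixed. CpmiHostCkp is the type shown in the thread;
# CpmiGatewayCluster is an assumption for cluster objects.
GATEWAY_TYPES = {"CpmiHostCkp", "CpmiGatewayCluster"}

def find_placeholders(tool_output: str) -> List[Dict[str, str]]:
    """One record (type, uid, name, placeholder) per object the tool renamed."""
    records = []
    for line in tool_output.splitlines():
        m = NOT_EXPORTABLE_RE.search(line.strip())
        if m:
            records.append(m.groupdict())
    return records

def cleanup_checklist(tool_output: str) -> List[str]:
    """Post-import to-do list: gateways (SIC work) first, then other objects.
    A placeholder whose name does not follow the advertised pattern is flagged,
    so an edited or truncated log cannot silently hide an object."""
    items = []
    for rec in sorted(find_placeholders(tool_output),
                      key=lambda r: (r["type"] not in GATEWAY_TYPES, r["name"])):
        expected = "export_error_{type}_{uid}_{name}".format(**rec)
        if rec["placeholder"] != expected:
            items.append("CHECK %s: placeholder %s does not match expected %s"
                         % (rec["name"], rec["placeholder"], expected))
        elif rec["type"] in GATEWAY_TYPES:
            items.append("SIC %s: rename %s, re-establish SIC, restore blade settings"
                         % (rec["name"], rec["placeholder"]))
        else:
            items.append("FIX %s: rename %s and restore its properties"
                         % (rec["name"], rec["placeholder"]))
    return items

# Constructed sample output, not a real run: the first UID is the one quoted in
# the thread; the other UIDs, the names and ConstructedType are made up.
SAMPLE_OUTPUT = """\
Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named gw-branch-1 is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_gw-branch-1
Object of type CpmiHostCkp with uid 22222222-2222-2222-2222-222222222222 named gw-two is not exportable. Its name was changed to export_error_CpmiHostCkp_22222222-2222-2222-2222-222222222222_gw-other.
Object of type ConstructedType with uid 33333333-3333-3333-3333-333333333333 named partner-vpn is not exportable. Its name was changed to export_error_ConstructedType_33333333-3333-3333-3333-333333333333_partner-vpn
"""
```

Feed it the tool's saved console output with `cleanup_checklist(open("export.log").read())`; the second sample line shows the CHECK case, where the placeholder name was not derived from the original object.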
Juan_Concepcion
Advisor

The issue is that I have 1 internal cluster and around 23 external gateways (a combination of external and interoperable devices) - when it imported them it did so as all locally managed gateways, so now I've got quite a bit of cleanup with the 23 VPN communities they are all a part of. I know how to fix it ultimately but just wanted to provide a heads up, as I've used the tool in versions prior to R80.30 and don't recall this being the behavior.

The example in the screenshot was interoperable devices before being imported.
PhoneBoy
Admin

There isn't API support for interoperable devices, so they get created as placeholders by the script.
That should not be new behavior.
Juan_Concepcion
Advisor

The issue I've run into (merging 3 managers into 1) is that it does not export Check Point gateways either; since it cannot export the object, it also does not handle the group objects that are defined for the interfaces. I learned this after the fact when I manually created the cluster and the group object for the interface was not present, nor were the hosts that were a part of that group.

All in all, I understand that this is not expected to be 100% accurate; I was just raising it to see if it was a known limitation of not being able to export gateway objects and any other objects associated with the gateway as well.
PhoneBoy
Admin

There is no API support for clusters as of yet either, which might explain some of this.
fmous
Explorer

Hello!

Interoperable devices are not supported at all? So in case we need to transfer VPN communities, we will have to reconfigure them manually?
Sanjay_S
Advisor

Hi All,

So as per my understanding, we need to install the script on our local machine which has connectivity to the MDS and run the script from the location where we saved it, then follow the pop-up we get and export the policy? Is my understanding correct?

Regards,

Sanjay S
PhoneBoy
Admin

It's a script that runs on the CLI, so there is no pop-up, but yes, follow the instructions.

Sanjay_S
Advisor

[root@Hostname ~]# python ExportImportPolicyPackage/import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
Standard
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
4
Please enter the IP address of the management server:
10.10.10.11                                     -->CMA IP
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
3
Please enter the output file name:
StandardExport
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = StandardExport
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
99
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = StandardExport
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
Please enter your username:
admin

Please enter your password:

You currently do not have a record of this server's fingerprint.
Server's fingerprint: ****************************
Do you accept this fingerprint? [y/n] y
Fingerprint saved.
No package named 'Standard' found. Cannot export.

[root@Hostname ~]# python ExportImportPolicyPackage/import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
Standard
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
5
Please enter the port on the management server to connect to:
22
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 22
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
4
Please enter the IP address of the management server:
10.10.10.11
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.10.10.11
Management Server Port = 22
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
Please enter your username:
admin

Please enter your password:

Login to management server failed. instance({
"data": null,
"error_message": "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:618)",
"res_obj": {},
"status_code": null,
"success": false
})

Do we need to enable any permissions for port 443 or port 22? And do we need to give the CMA IP as the management server IP, or should it be the MDS IP? I am getting the above errors while running the script; please help.
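An added example (not from this thread or from Check Point's tooling) of a Python 3 preflight check for the two failures shown above: it tells a port that does not speak TLS (port 22 here, which the API client reports as SSL UNKNOWN_PROTOCOL) apart from an unreachable host, and compares the server certificate's SHA-256 fingerprint against one recorded out of band instead of accepting whatever the "Do you accept this fingerprint?" prompt shows. The fingerprint format, the return labels and the function names are assumptions of this example.

```python
import hashlib
import socket
import ssl

def fingerprint_from_der(der: bytes) -> str:
    """SHA-256 of the DER-encoded leaf certificate as colon-separated upper-case
    hex. Assumption: your pin was recorded in this format; the tool's own
    fingerprint file may use another hash or layout."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def pin_matches(seen: str, pinned: str) -> bool:
    """Compare fingerprints ignoring case and separators, so a pin copied with
    colons still matches one recorded without them."""
    def norm(s: str) -> str:
        return s.replace(":", "").replace(" ", "").upper()
    return norm(seen) == norm(pinned)

def api_preflight(host: str, port: int, pinned: str, timeout: float = 5.0) -> str:
    """Classify host:port before handing credentials to the export tool.
    Returns 'ok', 'pin-mismatch', 'not-tls' (what port 22, the SSH port tried in
    the thread, produces as SSL UNKNOWN_PROTOCOL) or 'unreachable'."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # chain is not validated; the pin is the check
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                der = tls.getpeercert(binary_form=True)
    except ssl.SSLError:          # TLS handshake failed: not an HTTPS port
        return "not-tls"
    except OSError:               # refused, timed out, no route
        return "unreachable"
    return "ok" if pin_matches(fingerprint_from_der(der), pinned) else "pin-mismatch"

if __name__ == "__main__":
    import sys
    # Usage (hypothetical file name): python api_preflight.py <mgmt-ip> <port> <pinned-fingerprint>
    print(api_preflight(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

Run it against the management server IP and port you intend to give the tool; only a result of 'ok' means the port speaks TLS and presents the certificate you expected.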
Sanjay_S
Advisor

Hi All,

Please advise on the above. That would help me to proceed with the migration. Currently I am not able to export the policy. Am I doing something wrong or am I missing something?
Juan_Concepcion
Advisor

You should be running this python script on the management station to have successful export.

Sanjay_S
Advisor

Thank you Juan,

I will try to install the script on the MDS and try to export it.
Sanjay_S
Advisor

Hi Juan,

Thanks, it helped to export the policy as recommended. Now I just wanted to confirm: if we have installed a Global Policy, then will those objects also be exported? Or will only the Local Domain policy be exported?
PhoneBoy
Admin

Noted in the README for the script:

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!

Which means: no, it won't include it.
However, if you want the global policy, that can be exported separately: https://community.checkpoint.com/t5/API-CLI-Discussion/Export-Import-Python-script-Global-Rules/m-p/... 

Sanjay_S
Advisor

Thank you PhoneBoy. This is helpful.
