Export Policy using python
Hi all,
Good day! I am new to Check Point and am trying to automate a few tasks in Check Point. As part of this, I would like to automate the policy export of all Check Point firewalls and send it by mail for monthly review.
https://github.com/CheckPointSW/ExportImportPolicyPackage : The export/import package will help to export policies, but when I run it in Python, I am getting the error shown in the attached screenshot. I am sure that something is missing.
Please guide me if I am not on the right path.
Did you download and install the Check Point API Python SDK repository?
This is required to use this particular script.
Hi,
I have installed the same. Screenshot attached.
The error message suggests the module is not installed in a place the python interpreter sees it.
I have installed it in the same path and it is reflected in sys.path also.
The interpreter is reflecting the correct path. Maybe I am lacking in understanding. Could you please guide me?
Hi,
Here is the problem I am facing. If I run the examples of cp_mgmt_api_python, they work fine, but if I execute import_export_package from the same path, I get an error. Please help me to fix this.
Hey,
From your given output I can see that you are trying to execute the script using relative module names ("-m" parameter). If you have installed the Check Point API Python SDK as mentioned on the linked GitHub page, the script execution should be possible by simply typing
"python.exe import_export_package.py" [with python in the path variable as a requirement]
PS C:\Users\user\Desktop\Check Point Scripts\Scripting_Mgmt_CLI\ExportImportPolicyPackage-masterNEW> python.exe import_export_package.py
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
As "ExportImportPolicyPackage-master" is your current working directory according to your screenshot, the only issue I can think of is a copy/paste mistake. Please double-check that the folder "exporting" within ExportImportPolicyPackage contains the file "Export_access_rulebase" as well as all the other required files. In total you should see 16 files in there, 8 of which should have the .py ending. If some files are not present, try to download the repository as a zip again and proceed with step one.
Regards,
Maik
Hi,
As suggested, I have removed the directory, downloaded it as a zip and placed it in a separate folder, but I am still getting the same error.
Screenshots attached. Please help.
Hi,
Attached is the list of files after downloading the package as a zip.
Hi
Attached is the package export path.
Ah okay, I see that you are using Python 3 - as far as I know this script has been written to work with Python 2.7 only.
Can you try to install version 2.7.x and run the script again, please?
Hi,
Yes, it is working fine with Python 2.7.9. Thanks.
Is it expected that this script doesn't export gateway objects, regardless of whether they are internally or externally managed?
It exports gateway objects - at least internally managed ones. However, as SIC can't be recreated via this script, only temporary ("placeholder") objects will be created, so that SIC re-establishment has to be done manually.
Limitation in R80.30? For any CP gateway I have defined (there are 25 of them), it fails to export it:
Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>
I used the script up to and including R80.20 - so I can't say anything related to R80.30 test cases.
However the output that you mentioned shows this:
Object of type CpmiHostCkp with uid fcfc4ee2-1049-47b9-ba1b-ad06be4fb964 named <gateway_name> is not exportable. Its name was changed to export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name>.
This should allow you to edit the related object called export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> in order to re-establish SIC and set the other parameters as well as the actual gateway name. As all references to the actual gateway are also overwritten with the export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> object, you don't need to overwrite anything else; all the references will be updated once the object export_error_CpmiHostCkp_fcfc4ee2-1049-47b9-ba1b-ad06be4fb964_<gateway_name> gets fixed manually. Note that this is the normal behavior, as the management API is not able to handle tasks like SIC establishment and firewall blade configuration (at least not in detail).
The issue is that I have 1 internal cluster and around 23 external gateways (a combination of external and interoperable devices) - when it imported them, it did so as all locally managed gateways, so now I've got quite a bit of cleanup with the 23 VPN communities they are all a part of. I know how to fix it ultimately but just wanted to provide a heads-up, as I've used the tool in versions prior to R80.30 and don't recall this being the behavior.
The example in the screenshot was interoperable devices before being imported.
That should not be new behavior.
The issue I've run into (merging 3 managers into 1) is that it does not export Check Point gateways either; since it cannot export the object, it also does not handle the group objects that are defined for the interfaces. I learned this after the fact, when I manually created the cluster and the group object for the interface was not present, nor were the hosts that were a part of that group.
All in all, I understand that this is not expected to be 100% accurate; I was just raising it to see if it was a known limitation of not being able to export gateway objects and any other objects associated with the gateway as well.
Hello!
Interoperable devices are not supported at all? So in case we need to transfer VPN communities, we will have to reconfigure them manually?
Hi All,
So as per my understanding, we need to install the script on our local machine, which has connectivity to the MDS, and run the script from the location where we saved it, then follow the pop-up we get and export the policy? Is my understanding correct?
Regards,
Sanjay S
It's a script that runs on the CLI, so there is no pop-up, but yes, follow the instructions.
[root@Hostname ~]# python ExportImportPolicyPackage/import_export_package.py
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
Standard
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
4
Please enter the IP address of the management server:
10.10.10.11 -->CMA IP
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
3
Please enter the output file name:
StandardExport
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = StandardExport
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
99
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = StandardExport
Management Server IP = 10.10.10.11
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
Please enter your username:
admin
Please enter your password:
You currently do not have a record of this server's fingerprint.
Server's fingerprint: ****************************
Do you accept this fingerprint? [y/n] y
Fingerprint saved.
No package named 'Standard' found. Cannot export.
[root@Hostname ~]# python ExportImportPolicyPackage/import_export_package.py
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
Standard
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
5
Please enter the port on the management server to connect to:
22
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 22
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
Please select a setting to change:
1. Disable export of Access-Control Rulebases
2. Enable export of Threat-Prevention Rulebases
3. Output file name
4. Change Management Server IP
5. Change Management Server Port
6. Change the domain name
99. Back
4
Please enter the IP address of the management server:
10.10.10.11
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.10.10.11
Management Server Port = 22
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
Please enter your username:
admin
Please enter your password:
Login to management server failed. instance({
"data": null,
"error_message": "[SSL: UNKNOWN_PROTOCOL] unknown protocol (_ssl.c:618)",
"res_obj": {},
"status_code": null,
"success": false
})
Do we need to enable any permissions for port 443 or port 22? And do we need to give the CMA IP as the management server IP, or should it be the MDS IP? I am getting the above errors while running the script, please help.
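Why the second run above ends in `[SSL: UNKNOWN_PROTOCOL]`: the script starts a TLS handshake, and port 22 is normally an SSH daemon, which answers with a plain-text `SSH-` banner instead. The following is an added Python 3 example, not part of the thread or of the Check Point tool, that tells the two apart before a port is given to the script; `client_hello`, `classify_port` and `fake_server` are hypothetical names, and the banner and TLS alert bytes are constructed.

```python
import socket
import ssl
import threading

def client_hello(host):
    """Build genuine TLS ClientHello bytes in memory; no handshake is completed."""
    out = ssl.MemoryBIO()
    tls = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT).wrap_bio(ssl.MemoryBIO(), out, server_hostname=host)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the handshake stalls waiting for a server reply
    return out.read()

def classify_port(host, port, wait=1.0):
    """Return 'ssh', 'tls', 'closed' or 'unknown' for the service at host:port."""
    try:
        sock = socket.create_connection((host, port), timeout=wait)
    except OSError:
        return "closed"
    with sock:
        try:
            try:
                first = sock.recv(64)   # sshd sends "SSH-2.0-..." unprompted
            except socket.timeout:
                first = b""             # a TLS server waits for the client
            if first.startswith(b"SSH-"):
                return "ssh"
            sock.sendall(client_hello(host))
            head = sock.recv(5)         # TLS record: 0x16 handshake / 0x15 alert, then version 3.x
        except OSError:
            return "unknown"
    return "tls" if head[:1] in (b"\x15", b"\x16") and head[1:2] == b"\x03" else "unknown"

def fake_server(speak_first=b"", answer=b""):
    """Constructed one-shot loopback listener standing in for sshd or an HTTPS API."""
    srv = socket.create_server(("127.0.0.1", 0))
    def serve():
        conn, _ = srv.accept()
        with srv, conn:
            if not speak_first:
                conn.recv(65536)        # swallow the ClientHello
            conn.sendall(speak_first or answer)
    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    for kw in ({"speak_first": b"SSH-2.0-constructed\r\n"}, {"answer": b"\x15\x03\x03\x00\x02\x02\x28"}):
        print(classify_port("127.0.0.1", fake_server(**kw)))
```

A result of `ssh` for the configured port means the script was pointed at the SSH daemon rather than at the HTTPS management API.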
Hi All,
Please advise on the above. That would help me to proceed with the migration. Currently I am not able to export the policy. Am I doing something wrong or am I missing something?
You should be running this Python script on the management station to have a successful export.
Thank you Juan,
I will try to install the script on the MDS and try to export it.
Hi Juan,
Thanks, it helped to export the policy as recommended. Now I just wanted to confirm: if we have installed a Global Policy, will those objects also be exported? Or will only the Local Domain policy be exported?
Noted in the README for the script:
In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA. The tool doesn't support exporting a policy with global policy assigned!
Which means: no, it won't include it.
However, if you want the global policy, that can be exported separately: https://community.checkpoint.com/t5/API-CLI-Discussion/Export-Import-Python-script-Global-Rules/m-p/...
Thank you PhoneBoy. This is helpful.
