Many thanks!

Hi Maik,

I'll check the script and inform you.

Robert.

Found a bug in source code. This code is two years old...

Will fix and update.

Robert.

Fixed.

Please download and run again.

Robert.

Hello Robert,

First of all I want to thank you very much for your effort and help!

Unfortunately I did experiece a few more bugs but was able to fix one of them.

So to start with, in the beginning when I used your new version of the script I received the following error:

"UnicodeEncodeError: 'ascii' codec can't encode character u'\xfc' in position xxx: ordinal not in range(128)"

Due to my (to this day) medium experience with python I was able to handle this one. So the error mentioned that the character "ü" could not be printed. The weird thing for me was, that "ü" or any other special character was not mentioned in any rule at all. Nevertheless, the error mentioned the "print_access_rule" method for the return error. Therefore I added ".encode("utf-8") to line 283 of the script, so that the returned value of the method print_access_rule is encoded in utf-8 which has a more complex characterset after all. (Of course this should also be done for the other two available export options/their related methods: print_nat_rule + print_threat_rule)

But now I experience the problem that only the first 50 rules of any tried rulebase are getting exported. After that the script simply stops exporting more. I tried several rulebases and also created a new one for testing purposes with just 51 rules - and also here, the export stops after rule 50. Unfortunately I am not so familiar with the whole script structure and could not find the related issue in the code. But I guess the solution of this one could be pretty simple for someone who knows the whole script. Maybe you can have a look once more - I promise that I won't bother you any more after this is working Really appreciate your support so far!

Best regards,

Maik

Hi Maik,

The magic 50 is the default limit when querying objects/rules in API.

I'll fix it to return all data, and also the unicode problem.

You are not bothering me - it is your full right to ask and it is my job to answer.

Robert.

Maik,

This fix may take some time, so if you have less than 500 rules in your policy, you can have a quick and dirty fix, as follows:

in method "get_rulebase" on lines 243 and 244, add this parameter to the "data" container - 

"limit" : 500

This will return up to 500 rules.

Robert.

Hello Robert,

Thanks for your answer and suggestion!

The addition of the limit parameter within the data container did the job for now.

All the rules are getting exported (I used the value 1000 instead of 500, not recommended I know, but the rulebase is quite big and sits on top of a 64000 appliance). Now that I was able to create a first csv files via the script I saw, that new lines are getting exported in the rule strings as well. This means, that if a rule has e.g. a comment which contains the following information...

"Comment...

Comment...

Comment!"

...the related entry in the csv file will have "Comment" in the same line as the rest of the rule, but "Comment..." and  "Comment!" in the next two lines. Such a format makes the csv file itself quite unusable. Maybe you can also check the for new lines and basically ignore them when writing the csv file, so that each rule is really represented as only one line within the csv?

I am starting to feel really bad for all the requests I have, don't hesitate to tell me if there is any way I can help with the script modification.

Regards,

Maik

Maik, no problem, don't feel uncomfortable.

I'll look at it tomorrow at work.

Robert.

As a temporary solution I have updated the script to also handle the issue with new lines, tabs and commas within the comment section of rules.

I guess in the eyes of a developer my solution is not the prettiest one, but for now it works.

Nevertheless one important feature that still does not work is the verification of the actual rule numbers and the related, correct, polling. For now my changes to the script just poll the first 4000 rules which currently is more than enough to achieve my plans (seems like the counter starts from 0 for each sub layer - maybe you can verify that?).

By the way, in addition one more thing that I added is that the exported csv file now also contains the custom fields of the rules. If you want to change the "header" of the csv to represent the correct name of the fields (as used in the individual envorinemnt) you need to change them correspondingly in the method "print_access_control_rulebase_csv" (no other changes needed as the name of these fields is always "field-1" etc. within the actual json data that the api is sending).

So long story short, here is my version of the script with the changes that I have added, maybe it is helping someone during the time window of the official script change:

Regards,

Maik

Hi Maik,

Kudos for the effort!

Some usefull information:

1. You cannot enter new-line/tab into rule comment in GUI, it is blocked, and GUI replaces"," with ";" when exporting the rulebase into CSV file.

2. The maximum limit for rules query in rulebase is 500, the offset starts at 0, so you can query in loop until the total is reached (advance the offset by the limit).

Robert.

Hi,

In R80.30 i receive the following error:

[Expert@MGMT:0]# ./export_rulebase_csv.py -o test.csv -u admin -t access -m 192.168.1.2 -i Standard -d
Enter password:
Traceback (most recent call last):
File "./export_rulebase_csv.py", line 401, in <module>
main()
File "./export_rulebase_csv.py", line 66, in main
session = connect(ip_address=management, username=username, password=password, session_id=session_id, readonly="true", fingerprint=fingerprint, verify=(False if management == "127.0.0.1" else not args.ignore_ssl))
File "./export_rulebase_csv.py", line 233, in connect
session.login(username=username, password=password, session_id=session_id, readonly=readonly)
File "./export_rulebase_csv.py", line 159, in login
self.headers["X-chkp-sid"] = api_call(command="login", session=self, data={"user": username, "password": password, "continue-last-session": "false", "read-only": readonly}, level=level)["sid"]
File "./export_rulebase_csv.py", line 173, in api_call
body = json.loads(body)
File "/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/json/__init__.py", line 339, in loads
return _default_decoder.decode(s)
File "/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/json/decoder.py", line 364, in decode
obj, end = self.raw_decode(s, idx=_w(s, 0).end())
File "/opt/CPsuite-R80.30/fw1/Python/lib/python2.7/json/decoder.py", line 382, in raw_decode
raise ValueError("No JSON object could be decoded")
ValueError: No JSON object could be decoded

Could you please help me to solve this?

Thank you in advance!

Hi,

I restarted the API but that solved partially the problem. I receive now the following errors:

[Expert@MGMT:0]# ./export_rulebase_csv.py -o test.csv -u admin -t access -m 192.168.1.2 -i standard
Enter password:
Please wait, the script is currently creating the csv file of your choice: access-rulebase...
|--- >>> Error occured: Requested object [standard] not found. Error type: generic_err_object_not_found.
|--- Headers: {'transfer-encoding': 'chunked', '_reason': 'Not Found', 'strict-transport-security': 'max-age=31536000; includeSubDomains', '_version': 11, 'server': 'CPWS', 'x-ua-compatible': 'IE=EmulateIE8', 'date': 'Fri, 13 Dec 2019 16:25:47 GMT', 'x-frame-options': 'SAMEORIGIN', 'x-forwarded-host-port': '443', 'content-type': 'application/json', '_status': 404}
|--- Body: {u'message': u'Requested object [standard] not found', u'code': u'generic_err_object_not_found'}
Script aborted.
All objects were restored to their previous state.

Standard is the name of the rulebase, but it seems like he is not able to find this object..

Greetings, Rutger

I already tried that 🙂 Didn't solve the problem...

I realize the policy (or more specifically the Policy Package) is shown as "Standard" but the underlying layer must be called something different.
Please check this by looking at the following screen in SmartConsole and use the appropriate name.