Inbar_Moskovich
Employee Alumnus

Python tool for exporting/importing a policy package or parts of it

Overview

The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R8x management database.

This tool can be used for backups, database transfers, testing, and more.

If you are exporting a policy package from a CMA, verify that a global policy is NOT assigned to that CMA.
The tool does not support exporting a policy while a global policy is assigned.

The tool is referenced in https://support.checkpoint.com/results/sk/sk180923 

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export.
In such a case, an appropriate dummy object is exported instead, and a message is written to the log files to notify you of this.
In Check Point SmartConsole you can replace each of these objects by searching for "export_error" in the search field, checking where each object is used, creating the necessary object manually, and then replacing the dummy with it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage 
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.
To export a package, run the import_export_package.py script. An interactive menu will guide you through the rest.
Command-line flags may also be set in order to skip some or all of the menu.
Many more details can be accessed with the [-h] option. This option also prints the current version of the tool.

Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version

R8x
Releases earlier than R80 lack the necessary API support and are not supported.


Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage 

FAQ

Replies to this thread have been locked.
Please refer to the FAQ below before you create a new post with your question.

When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.

This most likely means you haven't enabled the API server yet.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641

I get an error message related to server fingerprint

Use the --unsafe option to ignore this error.

Can this tool export more than one policy package at a time?

Not currently, but you could call the tool in a script multiple times.
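One way to do that from a single script, as an added example that is neither the tool's own code nor part of the original post: the wrapper below runs import_export_package.py once per package and stops at the first failure. The flag spellings in FLAGS (-op, -m, -d, -u, -p, -n) are assumptions and must be checked against the tool's -h output; only -h and --unsafe appear in the post itself. --unsafe is kept off unless explicitly requested, because it silences the server fingerprint check, which is what protects the admin credentials from an interposed host on the way to the management server; record the fingerprint once and keep the check on rather than suppressing the error. The wrapper itself is Python 3 (the interpreter used to launch the tool can be passed separately), and the addresses and package names in the __main__ section are constructed.

```python
"""Run ExportImportPolicyPackage once per package from a single script.

Added example, not the tool's code. Assumed (verify with
``python import_export_package.py -h`` first): the flag names in FLAGS below.
Only -h and --unsafe are mentioned in the thread itself.
"""
import os
import subprocess
import sys

SCRIPT = "import_export_package.py"

# Assumed flag spelling; adjust after checking the -h output of your tool version.
FLAGS = {
    "operation": "-op",
    "management": "-m",
    "domain": "-d",
    "user": "-u",
    "password": "-p",
    "name": "-n",
}


def build_export_argv(management, package, user, password, domain=None, unsafe=False,
                      python=sys.executable, script=SCRIPT):
    """argv for one export run.

    --unsafe disables the server fingerprint check, so it is off unless asked for:
    pin the fingerprint instead of silencing the error.
    """
    argv = [python, script, FLAGS["operation"], "export",
            FLAGS["management"], management,
            FLAGS["user"], user, FLAGS["password"], password,
            FLAGS["name"], package]
    if domain:
        argv += [FLAGS["domain"], domain]
    if unsafe:
        argv.append("--unsafe")
    return argv


def export_packages(management, packages, user, password, domain=None, unsafe=False,
                    runner=subprocess.call):
    """Export each package in turn; stop at the first failure.

    Returns {package: exit code} for the runs that were attempted. `runner` is
    injectable so the loop can be exercised without the real tool installed.
    """
    results = {}
    for package in packages:
        argv = build_export_argv(management, package, user, password, domain, unsafe)
        rc = runner(argv)
        results[package] = rc
        if rc != 0:
            break
    return results


if __name__ == "__main__":
    # Constructed defaults; credentials come from the environment rather than
    # being typed on the command line of this wrapper (they still reach the tool's argv).
    res = export_packages(
        os.environ.get("CP_MGMT", "192.0.2.10"),
        ["Standard", "DMZ_Policy"],
        os.environ.get("CP_USER", "admin"),
        os.environ.get("CP_PASSWORD", ""),
        domain=os.environ.get("CP_DOMAIN"),
    )
    for pkg, rc in res.items():
        print("%s: exit code %d" % (pkg, rc))
```

Each package still gets its own .tar.gz from its own run, so the wrapper does not change what the tool supports; it only removes the manual repetition.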

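An added example (not the tool's code and not part of the original post) for the Notice section above: before importing, list the placeholder objects contained in the archive, so the objects that must be recreated are known in advance instead of being discovered by searching for "export_error" in SmartConsole afterwards. Assumptions, taken from what this thread shows of the archive rather than from the tool's source: members are CSV files named add-<type>*.csv with a header row of API field names and a name column, and placeholder object names contain the export_error marker. The sample archive is constructed in memory; Python 3.

```python
"""Audit an ExportImportPolicyPackage archive for placeholder objects before import.

Added example, not part of the tool. Assumptions (from the thread, not from the
tool's source): the .tar.gz holds one CSV per object type, named add-<type>*.csv,
with a header row of API field names (dotted for nested fields, e.g.
interfaces.0.name) and a 'name' column; placeholder objects carry the marker
'export_error' in their name.
"""
import csv
import io
import tarfile
from collections import defaultdict

PLACEHOLDER_MARKER = "export_error"   # assumption: marker used in placeholder names


def find_placeholders(archive_bytes, marker=PLACEHOLDER_MARKER):
    """Return {csv member name: [object names containing marker]}.

    Only add-*.csv members are read; rows without a 'name' column are skipped.
    """
    found = defaultdict(list)
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:gz") as tar:
        for member in tar.getmembers():
            base = member.name.rsplit("/", 1)[-1]
            if not (member.isfile() and base.startswith("add-") and base.endswith(".csv")):
                continue
            text = tar.extractfile(member).read().decode("utf-8")
            for row in csv.DictReader(io.StringIO(text)):
                name = row.get("name", "")
                if marker in name:
                    found[base].append(name)
    return dict(found)


def build_sample_archive():
    """Constructed sample export: two CSV members, one holding placeholder gateways."""
    members = {
        "add-host.csv": "name,ipv4-address,interfaces.0.name,interfaces.0.subnet4\n"
                        "web-srv-1,10.0.0.5,old,10.0.0.0\n",
        "add-simple-gateway.csv": "name,ipv4-address\n"
                                  "gw-export_error-dc1,255.1.255.1\n"
                                  "gw-export_error-dc2,255.1.255.2\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for fname, content in members.items():
            data = content.encode("utf-8")
            info = tarfile.TarInfo(name=fname)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    report = find_placeholders(build_sample_archive())
    for fname, names in sorted(report.items()):
        print("%s: %d placeholder(s)" % (fname, len(names)))
        for n in names:
            print("  - " + n)
```

Run it against a real export by reading the .tar.gz into bytes and passing them to find_placeholders; an empty result means nothing in the archive matched the marker, not that every object was exported faithfully, since the tool also reports skipped objects in its log files.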
262 Replies
Loic_Le_devin
Explorer

Hi Robert,

First, I want to thank you for your amazing work on this script and the support you provide.

We are facing some problems while importing a policy package into a second one. Actually, I'll explain: we are testing the script for production.
So we did an export from an R77.20 policy to an R80.10 CMA within an MDS. Everything went OK for this part. Unfortunately, when we imported this exported policy package into another R80.10 CMA, nothing went right.

First, for server migration needs, we create a second interface in the host object so that flows are assured during the entire migration process. Those objects can't be imported.
I searched the .tgz file created by the export method of your script and found that the data are present in the columns "interfaces.0.mask-length4" / "interfaces.0.name" / "interfaces.0.subnet4" / "interfaces.0.type" in the file named add-host*.csv.
This message is printed:
Failed to import host with name [Object_010.175.252.007]. Error: Invalid parameter for [interfaces]. Invalid value

--------------------------

The second one is that when we import a policy with rules that have an object (gateway or group) in the "Install On" column, the rule simply can't be imported. For those without this column there is no trouble; they are imported fine.
This message appears in the logs:
Failed to import access-rule. Error: Requested object [CPROM_FW] not found
This object actually exists in the source policy and in the destination CMA after the script ends. It's a group that usually contains gateways (it has been emptied for the migration).

--------------------------
The last one is that when the script finds problematic objects it creates a dummy gateway, but it seems to import only a limited number of objects, since it addresses those gateways in a single network (255.1.255.0/24), which seems to limit it to 255 objects.

If you need any information let us know.

Robert_Decker
Advisor

Hi Loic,

I need some clarifications to better understand the problems and assist.

This tool is intended to export/import policy from/to R80.10 databases only.

1. What are you importing into the second CMA? The policy that you've exported from the first CMA, after the import from R77.20?

2. Can you paste here the header row from the add_host.csv file and the values row for that host object? For sensitive values, just use XXX filler.

3. I also need the JSON file content for that host. It is in the same archive. Mask the sensitive values with XXX.

4. The CPROM_FW object represents an empty network group, right? And it is imported into the CMA, right? Just the rule import fails. Please search for this object in the "import_export.log" file in your working folder, and ensure that it was imported. Please paste here all lines in which it appears in the log file.

BTW, did you migrate from R77.20 to R80.10 by yourself, or did you get assistance from your SE/partner?

Thanks,

Robert.

Robert_Decker
Advisor

Hi Nader,

I'm analyzing the data you have sent.

I'll contact you via email for further information.

Robert.

Loic_Le_devin
Explorer

Thank you Robert for your quick response.

We are actually testing the R80.10 -> R80.10 migration, so I think it's ok.
1. Exactly! I imported an R77.20 policy into an R80.10 CMA and exported this one to another CMA that was already populated.
2. These are the headers and the values row:
   interfaces.0.mask-length4 | interfaces.0.name | interfaces.0.subnet4 | interfaces.0.type
   32                        | old               | XXX.XXX.XXX.24       | CpmiInterface
3. Here are the JSON values for this object:
{
        "nat-settings.auto-rule": false,
        "interfaces.0.mask-length4": 32,
        "color": "orange",
        "ipv4-address": "XXX.XXX.XXX.105",
        "comments": "parsl0111795_dmz old XXX.XXX.XXX.24 - chgt D2 lot2 MS EL 22/01/09",
        "interfaces.0.name": "old",
        "interfaces.0.subnet4": "XXX.XXX.XXX.24",
        "interfaces.0.color": "black",
        "name": "IPM_XXX.XXX.XXX.105",
        "interfaces.0.type": "CpmiInterface",
        "interfaces.0.comments": ""
    },
4. Unfortunately, I don't have the right file from when I imported into the CMA the first time. I have made a lot of attempts since and I'm a bit stuck with an MDS problem. Let's deal with this problem later this week. But here is what I found in the file:
Failed to import group with name [CPROM_FW]. Error: More than one object named 'CPROM_FW' exists.


And I migrated without external help.

Thanks for your time.

Loic

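How those dotted column names turn back into the nested interfaces list of an add-host call, as an added example (not the tool's code and not part of the post above): the flattening scheme visible in the headers uses one dot per nesting level and an integer segment for a list index, so interfaces.0.mask-length4 is the mask-length4 field of element 0 of the interfaces list, and nat-settings.auto-rule is a field of the nat-settings object. The code assumes that is the only scheme in use (an integer segment always denotes a list index) and takes the row from the post, with the masked values kept as posted, as constructed sample input; Python 3.

```python
"""Rebuild nested API payloads from the flattened keys used in the export archive.

Added example, not the tool's own code. Assumption: a key segment that is an
integer is a list index, any other segment is a dictionary key, and that is the
only flattening scheme used. SAMPLE_ROW is the host row posted in the thread.
"""
import json

SAMPLE_ROW = {
    "name": "IPM_XXX.XXX.XXX.105",
    "ipv4-address": "XXX.XXX.XXX.105",
    "color": "orange",
    "nat-settings.auto-rule": False,
    "interfaces.0.name": "old",
    "interfaces.0.subnet4": "XXX.XXX.XXX.24",
    "interfaces.0.mask-length4": 32,
    "interfaces.0.type": "CpmiInterface",
}


def _set_path(container, segments, value):
    """Walk (creating as needed) the nested structure for one dotted path and store value."""
    for i, seg in enumerate(segments):
        last = i == len(segments) - 1
        next_seg = None if last else segments[i + 1]
        if isinstance(container, list):
            idx = int(seg)
            while len(container) <= idx:      # pad so sparse indices work
                container.append(None)
            if last:
                container[idx] = value
                return
            if container[idx] is None:
                container[idx] = [] if next_seg.isdigit() else {}
            container = container[idx]
        else:
            if last:
                container[seg] = value
                return
            if seg not in container:
                container[seg] = [] if next_seg.isdigit() else {}
            container = container[seg]


def unflatten(flat):
    """{'interfaces.0.name': 'old', 'name': 'h'} -> {'name': 'h', 'interfaces': [{'name': 'old'}]}"""
    result = {}
    for key in sorted(flat):              # sorted only for deterministic construction
        _set_path(result, key.split("."), flat[key])
    return result


def flatten(obj, prefix=""):
    """Inverse of unflatten: nested dict/list -> {dotted key: scalar}."""
    out = {}
    if isinstance(obj, dict):
        items = obj.items()
    elif isinstance(obj, list):
        items = enumerate(obj)
    else:
        out[prefix] = obj
        return out
    for k, v in items:
        key = "%s.%s" % (prefix, k) if prefix else str(k)
        out.update(flatten(v, key))
    return out


if __name__ == "__main__":
    # The nested form is what an add-host request body would carry.
    print(json.dumps(unflatten(SAMPLE_ROW), indent=2, sort_keys=True))
```

Round-tripping a row through unflatten and flatten is a cheap check that the archive's keys were parsed the way the importer will read them; a row whose nested form does not match the API's schema for that object type is the kind that produces "Invalid parameter for [interfaces]" on import.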
Robert_Decker
Advisor

Hi,

I'll analyze your information and I may ask for some additional data.

Regarding item 4 - "Failed to import group with name [CPROM_FW]. Error: More than one object named 'CPROM_FW' exists", this is a normal warning, you may discard it.

Robert.

Robert_Decker
Advisor

Fixed and uploaded source code to GitHub repo.

There was an issue with the result check for show-group API call.

Robert.

Robert_Decker
Advisor

Hi,

I've reproduced the "Failed to import host with name [Object_010.175.252.007]. Error: Invalid parameter for [interfaces]. Invalid value" incident on my environment.

It looks like a bug, working on it. I'll inform you ASAP.

Robert.

Robert_Decker
Advisor

Hi,

Found and fixed a bug related to host creation with interfaces.

Updated source code is uploaded to GitHub repo.

Please download the tool again and run.

Hope that this will give you some progress.

Robert.

Marco_Valenti
Advisor

Hey Rob, at the moment the script does not import objects defined as web servers. Have you seen any other similar issues?

Robert_Decker
Advisor

Yep, saw the problem on my server too.

Fix on the way...

Robert.

Marco_Valenti
Advisor

Thanks. I'm working on moving a very large database from a domain in R80.10 to another R80.10 domain; if you don't mind, I'll keep updating my findings here.

Robert_Decker
Advisor

No problem, your input is very valuable!

I fixed the problem and uploaded to GitHub.

Please download and try again.

Robert.

Marco_Valenti
Advisor

I just finished the import successfully. What I'd like to know is whether, in a future version, the VPN community will be created anyway despite the fact that the pre-shared secret cannot be fetched (I'm ok with that).

My next try with the new version of the script will be to uncheck the use of the pre-shared secret in the community and see if the script creates it anyway. My need is that I have 1000+ rules, most of them using the VPN community cell, so I need the community object.

I'll paste the output of just one message that I'd like to share:

UnicodeWarning: Unicode equal comparison failed to convert both arguments to Unicode - interpreting them as being unequal

  indices_of_field = [i for i, x in enumerate(line) if x == field_value]

Thanks again

Robert_Decker
Advisor

Hi Marco,

I'll check what can be done with VPN object without shared secret object value and inform you.

Thanks for sharing the unicode issue!

Robert.

Marco_Valenti
Advisor

Hi Rob

Follow-up about the import of a large database: I have downloaded the new version, and now the objects that are defined as a web server return the following error:

Error: Validation failed with 1 blocking-error

About the Unicode issue, are the objects imported anyway?

thanks

Robert_Decker
Advisor

Marco,

I need the whole log to understand the context of the error.

Regarding the unicode, I'll fix it, but it doesn't affect your process.

Robert.

Marco_Valenti
Advisor

Which  file do you need ? do you want me to paste the output here?

Robert_Decker
Advisor

The validation error is followed by a validation message. Please paste it here.

Robert_Decker
Advisor

Hi,

You have a global policy assigned to your CMA. The tool does not work in this situation.

You need to un-assign the global policy and then use the tool.

Robert.

Marco_Valenti
Advisor

I'm going to double check, but I was pretty sure there should be no global policy assigned to the CMA; in the output of the import I just got the message that I posted before.

Robert_Decker
Advisor

Marco,

I suspect that the validation error you are receiving is due to the "Protected by" field in your host's web server configuration:

Payload: {
"code" : "err_validation_failed",
"message" : "Validation failed with 1 blocking-error",
"blocking-errors" : [ {
"message" : "One of the objects that you selected could not be linked."
} ]
}

I do not know why this happens. The error arrives from the server.

I'll check with the server team on sunday.

If this is your case, try to remove or change the object in this field and see what happens.

Robert.

Marco_Valenti
Advisor

Thanks for the reply Robert. We have removed the tick on the related object and proceeded with the import without any more errors. Just for information, removing the tick from "use pre-shared secret" in the VPN communities lets you import the corresponding object successfully.

Tomorrow we are moving on to trying to merge two databases on the same CMA.

Edmund_Carbon
Employee

Hi, I'm getting this error on Windows when trying to import. I was successful in exporting the package. I am new to this and do not know where to look or what the proper command is. I am using the script and I have entered the path below to the file. If this is not correct, please send me the commands to import.

No file named C:\Users\ecarbon\Desktop\Images\GITHUB\ExportImportPolicyPackage\"name of exported file" found!

Thanks

Robert_Decker
Advisor

please type here the complete command you used for import.

Robert.

Edmund_Carbon
Employee

Following the script, I gave it the location of the exported file, which is in the same folder as the ExportImportPolicyPackage script.

Thanks

Edmund Carbon

Security Engineer- SLED NY/NJ

Check Point Software Technologies

516 641-6907

ecarbon@checkpoint.com

Robert_Decker
Advisor

If it is in the same folder as the script, you do not need a full path to the file.

Just grab the tar file name from the folder (F2 and then Ctrl+C) and paste it when the tool asks for it.

Edmund_Carbon
Employee

Thanks, that seems to get past this, but now I get this error.

Login to management server failed. lib::APIResponse
{
    "data": null,
    "error_message": "APIResponse received a response which is not a valid JSON.",
    "res_obj": {},
    "status_code": 503,
    "success": false
}

Thanks


Robert_Decker
Advisor

Hi Marco,

Fixed the issue related to Unicode warning.

The updated source code is on GitHub repo.

Robert.

Bill_Ng
Collaborator

I was successfully able to import one policy, but it is failing on subsequent policies. Is there a fix or a way around this? The import_export log file shows it trying to import existing objects, but it fails after a certain point and never gets to importing the access policy.

Thanks.
