Hi Loic,

I need some clarifications to better understand the problems and assist.

This tool is intended to export/import policy from/to R80.10 databases only.

1. What are you importing into the second CMA? The policy that you've exported from the first CMA, after the import from R77.20?

2. Can you paste here the header row from the add_host.csv file and the values row for that host object? For sensitive values, just use XXX filler.

3. I also need the JSON file content for that host. It is in the same archive. Mask the sensitive values with XXX.

4. The CPROM_FW object represents an empty network group, right? And it is imported into the CMA, right? Just the rule import fails. Please search this object in "import_export.log" file in your working folder, and ensure that it was imported. Please paste here all lines that it appears in the log file.

BTW, did you migrate the R77.20 to R80.10 by yourself or got assistance from you SE/partner?

Thanks,

Robert.

Hi Nader,

I'm analyzing the data you have sent.

I'll contact you via email for further information.

Robert.

Thanks you Robert for your quick response.

We are actually testing the R80.10 -> R80.10 migration do I think it's ok.
1. Exactly ! I imported an R77.20 policy in a R80.10 CMA and exported this one to another CMA already populated.
2. Those are headers : interfaces.0.mask-length4    interfaces.0.name    interfaces.0.subnet4    interfaces.0.type
                                             32                                           old                    XXX.XXX.XXX.24            CpmiInterface
3. Here are the JSON values for this object :
{
        "nat-settings.auto-rule": false,
        "interfaces.0.mask-length4": 32,
        "color": "orange",
        "ipv4-address": "XXX.XXX.XXX.105",
        "comments": "parsl0111795_dmz old XXX.XXX.XXX.24 - chgt D2 lot2 MS EL 22/01/09",
        "interfaces.0.name": "old",
        "interfaces.0.subnet4": "XXX.XXX.XXX.24",
        "interfaces.0.color": "black",
        "name": "IPM_XXX.XXX.XXX.105",
        "interfaces.0.type": "CpmiInterface",
        "interfaces.0.comments": ""
    },
4. Unfortunately, I don't have the right file from when I imported the CMA at the first time. I did a lot of try since and I'm a bit stuck with a MDS problem. Let's deal with this problem later this week. But here what I found in the file :
Failed to import group with name [CPROM_FW]. Error: More than one object named 'CPROM_FW' exists.

And I migrated without external help.

Thanks for your time.

Loic

Hi,

I'll analyze your information and I may ask for some additional data.

Regarding item 4 - "Failed to import group with name [CPROM_FW]. Error: More than one object named 'CPROM_FW' exists", this is a normal warning, you may discard it.

Robert.

Fixed and uploaded source code to GitHub repo.

There was an issue with the result check for show-group API call.

Robert.

Hi,

I've reproduced the "Failed to import host with name [Object_010.175.252.007]. Error: Invalid parameter for [interfaces]. Invalid value" incident on my environment.

It looks like a bug, working on it. I'll inform you ASAP.

Robert.

Hi,

Found and fixed a bug related to host creation with interfaces.

Updated source code is uploaded to GitHub repo.

Please download the tool again and run.

Hope that this will give you some progress.

Robert.

Hey Rob , at the moment the script does not import object defined as web server , do you have any other kind of similar issue?

Yep, saw the problem on my server too.

Fix on the way...

Robert.

Thanks , working on moving from a dmn in r80.10 to anothe dmn r80.10 a very large database , if you don't mind I'll keep updating here my findings

No problem, your input is very valuable!

I fixed the problem and uploaded to GitHub.

Please download and try again.

Robert.

Just ended the import successfully , what I like to know if in future version the creation of the vpn community will be done anyway despite the fact that the preshared secret cannot be fetched ( I'm ok with that ).

Next try with the new version of the script will be to uncheck the use of the preshared secret in the community  and see if the script create it anyway , my necessity is that due to the fact that I have 1000+ rule  and most of them use the vpn community cell I need the community object.

I'll past the output of just one message that I'd like to share

UnicodeWarning: Unicode equal comparison failed to convert both arguments to Unicode - interpreting them as being unequal

  indices_of_field = [i for i, x in enumerate(line) if x == field_value]

Thanks again

Hi Marco,

I'll check what can be done with VPN object without shared secret object value and inform you.

Thanks for sharing the unicode issue!

Robert.

Hi Rob

Follow up about the import of a large database , I have downloaded the new version , now on the objects that are defined as a web server return the following error

Error: Validation failed with 1 blocking-error

About the issue relative to the unicode , are objects imported anyway?

thanks

Marco,

I need the whole log to understand the context of the error.

Regarding the unicode, I'll fix it, but it doesn't affect your process.

Robert.

Which  file do you need ? do you want me to paste the output here?

The validation error is followed by a validation message. Please paste it here.

Hi,

You have a global policy assigned to your CMA. The tool does not work in this situation.

You need to un-assign the global policy and then use the tool.

Robert.

I'm goig to double check but I was pretty sure there should be no global policy assigned to the cma , on the ouput of the import just got the message that I posted before

Marco,

I suspect that the validation error you are recieving is due to the "Protected by" field on your host's web server configuration - 

Payload: {
"code" : "err_validation_failed",
"message" : "Validation failed with 1 blocking-error",
"blocking-errors" : [ {
"message" : "One of the objects that you selected could not be linked."
} ]
}

I do not know why this happens. The error arrives from the server.

I'll check with the server team on sunday.

If this is your case, try to remove or change the object in this field and see what happens.

Robert.

Thanks for the reply Robert , we have removed the tick on the related object and proceeded with the import without any more error , just for information removing the tick from use preshared in the vpn communities let you import successfully the relative object.

Tomorrow we are moving on trying to merge two database on the same cma.

Hi getting this error in windows trying to import. I was successful in exporting the package. I am new to this and do not know where to look or the proper command. I am using the script and I have entered the below path to the file. If this is not correct please send me the commands to import.

No file named C:\Users\ecarbon\Desktop\Images\GITHUB\ExportImportPolicyPackage\"name of exported file" found!

Thanks

please type here the complete command you used for import.

Robert.

Following the script I gave it the location to the exported file which is in the same folder as the export import policy package

Thanks

Edmund Carbon

Security Engineer- SLED NY/NJ

Check Point Software Technologies

516 641-6907

ecarbon@checkpoint.com<mailto:ecarbon@checkpoint.com>

if it is in the same folder as the script, you do not need a full path to the file.

just grab the tar file from the folder (F2 and then ctrl+C) and paste when the tool asks for it.

Thanks seems to get pass this but now I get this error.

Login to management server failed. lib::APIResponse

{

"data": null,

"error_message": "APIResponse received a response which is not a valid JSON.",

"res_obj": {},

"status_code": 503,

"success": false

}

Thanks

Edmund Carbon

Security Engineer- SLED NY/NJ

Check Point Software Technologies

516 641-6907

ecarbon@checkpoint.com<mailto:ecarbon@checkpoint.com>

please read this doc - https://community.checkpoint.com/docs/DOC-2731

Hi Marco,

Fixed the issue related to Unicode warning.

The updated source code is on GitHub repo.

Robert.

I was successfully able to import one policy, but it is failing on subsequent policies.  Is there a fix or way around this?  The import_export log file is trying to import existing objects, but fails after a certain point and it doesn't get to import the access policy.

Thanks.