Re: Python tool for exporting/importing a policy p... - Page 7

Inbar_Moskovich · ‎2016-10-13

Overview

ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R8x management database.

This tool can be used for backups, database transfers, testing, and more.

In the case you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with global policy assigned!

The tool is referenced in https://support.checkpoint.com/results/sk/sk180923

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export.
In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this.
In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.
To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way.
Command line flags may also be set in order to skip some or all of the menu.
A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool.

Limitations

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R8x Management APIs available on your version.
Specifically, this means:

CMAs with a Global Policy assigned cannot be exported
- Workaround: unassign the Global Policy prior to export
Gateway/Cluster objects have to be recreated
- Placeholder objects will be created
UserCheck messages have to be recreated
- Placeholder objects will be created
The Internal Certificate Authority will not be copied. This means:
- Re-establishing SIC with the appropriate gateways
- Re-generating VPN certificates
- Manually recreating HTTPS Inspection and DLP Rules
Other objects not currently readable/writable via the R8x API will not be copied

Tested on version

R8x
Releases earlier than R80 lack the necessary API support and are not supported.

Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage

FAQ

Replies to this thread have locked.
Please refer to the FAQ below before you create a new post with your question.

When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.

This most likely means you haven't enabled the API server yet.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641

I get an error message related to server fingerprint

Use the --unsafe option to ignore this error.

Can this tool export more than one policy package at a time?

Not currently, but you could call the tool in a script multiple times.

Peter_Lyndley · ‎2018-07-27

I have heard that there are a couple of RFEs ongoing with Check Point to produce a supportable integrated migration tool from R80.x to R80.x.

This is absolutely imperative for MSPs , taking on a customer is not possible using API scripts in a timely manner.

I hope someone at Check Point has some good news about a forthcoming release that will allow us to do what we have done for all time up until R80 was released and allow us to migrate export , migrate import in R80.x

Can someone comment on this ?

Tomer_Sole · ‎2018-07-28

Hi Peter,

Can you elaborate on "in a timely manner"? is there a performance problem with export-import-policy?

We have plans for migrating specific domains in the R8x train, however it will not make R80.20.

Peter_Lyndley · ‎2018-07-29

Hi Tomer,

Its just the fact that it is 'not possible' to migrate cleanly from R80.x to R80.x. There is no supported method.

It needs to be implemented as a matter of urgency. (is what i meant by a timely manner)

Thanks

Peter

PhoneBoy · ‎2018-07-29

I think the question Tomer Sole is asking is: what is missed using this script versus, say, a migrate export/import between different DMS?

I think I can answer that

A few things I can think of off the top of my head:

Gateway objects have to be recreated
UserCheck messages have to be created
Anything related to the ICA is lost (because gateways are recreated)
HTTPS Inspection Rules
DLP Rules
Anything else not currently readable/writable via the R80.x API

So while it is possible to move domains between DMSes using this script, it can be a fair bit of manual work.

Work that previously wasn't required.

Peter_Lyndley · ‎2018-07-29

Indeed Dameon... a feature that worked well and was built into R77 product has disappeared and been replaced by a script that does not migrate gateway objects (and ICA). ... in effect you lose the most important parts of the configuration.

I'm looking for some commitment from Check Point to put back what has been lost since R80 code was released.

Tomer_Sole · ‎2018-07-29

Hi,

ExportImportPolicy was never intended to be the official replacement of domain migration tools.

Lack of domain migration tools is a limitation of R80, R80.10 and R80.20. We planned to have it released sooner but there was a delay in the schedule for the delivery of this feature.

Fernando_Lopez · ‎2018-07-30

Hello,

Im trying to import a policy package, but it failed with several errors, it is supported to export de policy package from a management server and import it to a domain in a multidomain server?.

regards

Robert_Decker · ‎2018-07-30

Yes, it is possible -

https://community.checkpoint.com/docs/DOC-2745-migrating-r8010-smartcenter-to-r8010-cma-meet-your-be...

Can you paste here the import errors?

Robert.

Fernando_Lopez · ‎2018-07-30

thanks for the answer, i miss to change the domain ip, now is working ok, but i have another problem, the users objects are not beeing imported,there is a list of objects that cannot be imported?.

regards

Robert_Decker · ‎2018-07-30

As stated in the overview, there are some object types that are not exported/imported - mainly the legacy R77.x objects, which are not native R80.x objects and cannot be created by R80.x Management API:

Clusters, Gateways, VSX/VS, UserCheck, Users.

The Simple-Gateway object is partially exported/imported.

For Cluster and Gateway objects a placeholder object is created and you will need to manualy change it post import.

PhoneBoy · ‎2018-07-30

I guess we can add users to my earlier comment on this thread, which lists several other things.

Borut · ‎2018-07-31

What is the best procedure to migrate users from R77.30 to R80? I feels quite cumbersome and time consuming copying them by hand. Especially when there are a lot of them.

Tomer_Sole · ‎2018-07-31

In which conditions do you choose to move just user objects and not directly upgrade security management servers?

Borut · ‎2018-07-31

When merging two management servers into one. After some mergers we are trying to migrate to one management server without using MDS.

Borut · ‎2018-08-16

Judging by the sound of crickets, there is no easy way to do that other than transferring users by hand

Julian_Salmeron · ‎2018-08-22

Hi all,

I have trying to import an exported policy with Data Center objects (APIC integration) and I am getting this error from my imported Management:

Adding data-center-objects

Traceback (most recent call last):
File "import_export_package.py", line 47, in <module>
import_package(client, args)
File "/root/ExportImportPolicyPackage/importing/import_package.py", line 52, in import_package
layers_to_attach = import_objects(args.file, client, {})
File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 78, in import_objects
changed_layer_names, api_call, num_objects, client)
File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 106, in add_object
payload, _ = create_payload(fields, line, 0, api_type, client.api_version)
File "/root/ExportImportPolicyPackage/utils.py", line 395, in create_payload
if data[data_index] != "":
IndexError: list index out of range

I can succesfully export/import policies without DataCenter objects.

Is there anyone experience this kind of issue?

Thanks in advanced.

Robert_Decker · ‎2018-08-22

This looks like a bug.

Will check the code and inform you.

Robert.

Julian_Salmeron · ‎2018-08-22

Thank you very much Robert, for your quick reply.

Robert_Decker · ‎2018-08-23

Hi,

Verified that this is a bug - the code fails to properly handle the data center objects.

Will be fixed, please stay tuned.

Robert.

Julian_Salmeron · ‎2018-08-23

Thanks for the info Robert!

Demith_Samaraw2 · ‎2018-10-01

Hi Robert

Quick question regarding the merging of the policies, as far as I know, if the object/group with the same name exist when the tool import a policy package it will skip that object,

Is there a way we can force to replace all the existing objects with the new policy package, the requirement is I am merging new set of policy packages with an existing CMAs and some of the objects on the new policy packages are updated which we don't know the exact ones, we just need to force replace all the existing objects with new objects when it is importing.

Is this possible?

Martin_Valenta · ‎2018-10-01

Could you please update lists_and_dictionaries.py on your github, in order to support api version 1.3 on R80.20 mgmt?

I've run in issue when trying to import packages there. Even when i force it to use version 1.1 during import it hang on error like this.

line 56, in import_objects.py

client.api_version] else "generic objects of type " + api_type), True)
KeyError: u'1.3'

As workaround i've just copy/paste definition from 1.2 to 1.3 and it started to work.

Robert_Decker · ‎2018-10-02

Hi,

This can be done for several network objects by using the "set-if-exist" flag when adding the objects - requires using a new flag.

For other objects - it is rejected by the Management Server database.

I'll ask to add a new flag for specific existing objects override.

Please stay tuned.

Robert.

Robert_Decker · ‎2018-10-02

Sure, I'll add and inform you.

Robert.

Demith_Samaraw2 · ‎2018-10-02

Hi Robert

When you say it can be done for several network objects using "set-if-exist" flag, is this feature already exist or you mean it will be available in the future versions.

Also if it is already available, what type of network objects it works and how that flag can be used?

Robert_Decker · ‎2018-10-03

Sorry for the confusion, this flag doesn't exist yet - if it will be added to the tool, it can influence on the following network objects: host, network, address-range.

Robert.

Robert_Decker · ‎2018-10-07

The tool is updated for Management API version 1.3.

Robert.

Aaron_Vivadelli · ‎2018-12-12

I fixed this by setting the 'MGMT_CLI_PORT' variable to '4434' on the management server before running the import.

Also, when importing, run --file <export-file-name.tar.gz> and it calls the export file from your local machine. Doesn't need to be run on the Management server.

ATT_Network_Sup · ‎2018-12-13

Hello,

I am trying to use this tool for exporting/importing between 2 SmartManager machines. Export is working well but I bump into issues on Import.

Data:

1. SmartCenters are in a virtual lab environment for testing the script.

2. Objects/Rules were imported initially from Fortigate, using SmartMove, so they all have "Fortinet" tags.

3. Export generates no errors

4. Import on a new SM server generates multiple errors sampled bellow:

Failed to import service-tcp with name [TCP_15000]. Error: Invalid parameter for [tags]. Invalid value

Failed to import service-tcp with name [TCP_15100]. Error: Invalid parameter for [tags]. Invalid value

Failed to import service-tcp with name [TCP_15180]. Error: Invalid parameter for [tags]. Invalid value

Failed to import network with name [net_xxxx_VPN_xxx_192.168.104.0n24]. Error: Management server failed to execute command

Failed to import network with name [net_xxxx_Bondy_10.132.34.0n23]. Error: Management server failed to execute command

Failed to import access-rule. Error: Requested object [TCP_5666_NAGIOS] not found
Also failed to generate placeholder object: Validation failed with 1 error

Any help will be much appreciated.

Adrian.

Theis_Andersen_ · ‎2018-12-21

We found that if you in the menu choose to disable export of Access-Control layers, the script will not export anything - would expect it to export other objects like hosts, networks and groups. Is this by design?

Are you a member of CheckMates?

Python tool for exporting/importing a policy package or parts of it

Overview

Description

Notice

Instructions

Limitations

Tested on version

FAQ

When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.

I get an error message related to server fingerprint

Can this tool export more than one policy package at a time?