Inbar_Moskovich
Employee Alumnus

Python tool for exporting/importing a policy package or parts of it

Overview

The ExportImportPolicyPackage tool enables you to export a policy package from an R80.x management database to a .tar.gz file, which can then be imported into any other R8x management database.

This tool can be used for backups, database transfers, testing, and more.

If you are exporting a policy package from a CMA, please verify that a global policy was NOT assigned to that CMA.
The tool doesn't support exporting a policy with a global policy assigned!

The tool is referenced in https://support.checkpoint.com/results/sk/sk180923 

Description

This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.

Notice

There are some types of objects that the script might not be able to export.
In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this.
In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Instructions

Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage 
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.
To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way.
Command line flags may also be set in order to skip some or all of the menu.
A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool.

Current tool version is V3.0.

Limitations

This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:

  • CMAs with a Global Policy assigned cannot be exported
    • Workaround: unassign the Global Policy prior to export
  • Gateway/Cluster objects have to be recreated
    • Placeholder objects will be created
  • UserCheck messages have to be recreated
    • Placeholder objects will be created
  • The Internal Certificate Authority will not be copied. This means:
    • Re-establishing SIC with the appropriate gateways
    • Re-generating VPN certificates
    • Manually recreating HTTPS Inspection and DLP Rules
  • Other objects not currently readable/writable via the R80.x API will not be copied

Tested on version

R8x
Releases earlier than R80 lack the necessary API support and are not supported.


Source Code Availability

The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage 

FAQ

Replies to this thread have been locked.
Please refer to the FAQ below before you create a new post with your question.

When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.

This most likely means you haven't enabled the API server yet.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641

I get an error message related to server fingerprint

Use the --unsafe option to ignore this error.

Can this tool export more than one policy package at a time?

Not currently, but you could call the tool in a script multiple times.

262 Replies
Peter_Lyndley
Advisor

I have heard that there are a couple of RFEs ongoing with Check Point to produce a supportable integrated migration tool from R80.x to R80.x.

This is absolutely imperative for MSPs; taking on a customer is not possible using API scripts in a timely manner.

I hope someone at Check Point has some good news about a forthcoming release that will allow us to do what we have done for all time up until R80 was released, and allow us to migrate export, migrate import in R80.x.

Can someone comment on this?

Tomer_Sole
Mentor

Hi Peter,

Can you elaborate on "in a timely manner"? Is there a performance problem with export-import-policy?

We have plans for migrating specific domains in the R8x train, however it will not make R80.20. 

Peter_Lyndley
Advisor

Hi Tomer,

It's just the fact that it is 'not possible' to migrate cleanly from R80.x to R80.x. There is no supported method.

It needs to be implemented as a matter of urgency. (That is what I meant by a timely manner.)

Thanks

Peter

PhoneBoy
Admin

I think the question Tomer Sole is asking is: what is missed using this script versus, say, a migrate export/import between different DMS?

I think I can answer that :)

A few things I can think of off the top of my head:

  • Gateway objects have to be recreated
  • UserCheck messages have to be created
  • Anything related to the ICA is lost (because gateways are recreated)
  • HTTPS Inspection Rules
  • DLP Rules
  • Anything else not currently readable/writable via the R80.x API

So while it is possible to move domains between DMSes using this script, it can be a fair bit of manual work.

Work that previously wasn't required.

Peter_Lyndley
Advisor

Indeed Dameon... a feature that worked well and was built into R77 product has disappeared and been replaced by a script that does not migrate gateway objects (and ICA). ... in effect you lose the most important parts of the configuration.

I'm looking for some commitment from Check Point to put back what has been lost since R80 code was released.

Tomer_Sole
Mentor

Hi,

ExportImportPolicy was never intended to be the official replacement of domain migration tools. 

Lack of domain migration tools is a limitation of R80, R80.10 and R80.20. We planned to have it released sooner but there was a delay in the schedule for the delivery of this feature. 

Fernando_Lopez
Contributor

Hello,

I'm trying to import a policy package, but it failed with several errors. Is it supported to export the policy package from a management server and import it into a domain in a multi-domain server?

regards

Robert_Decker
Advisor

Yes, it is possible - 

https://community.checkpoint.com/docs/DOC-2745-migrating-r8010-smartcenter-to-r8010-cma-meet-your-be...

Can you paste here the import errors?

Robert.

Fernando_Lopez
Contributor

Thanks for the answer. I missed changing the domain IP; now it is working OK. But I have another problem: the user objects are not being imported. Is there a list of objects that cannot be imported?

regards

Robert_Decker
Advisor

As stated in the overview, there are some object types that are not exported/imported - mainly the legacy R77.x objects, which are not native R80.x objects and cannot be created by R80.x Management API:

Clusters, Gateways, VSX/VS, UserCheck, Users.

The Simple-Gateway object is partially exported/imported.

For Cluster and Gateway objects a placeholder object is created and you will need to manually change it post import.

PhoneBoy
Admin

I guess we can add users to my earlier comment on this thread, which lists several other things.

Borut
Collaborator

What is the best procedure to migrate users from R77.30 to R80? It feels quite cumbersome and time consuming copying them by hand, especially when there are a lot of them.

Tomer_Sole
Mentor

In which conditions do you choose to move just user objects and not directly upgrade security management servers?

Borut
Collaborator

When merging two management servers into one. After some mergers we are trying to migrate to one management server without using MDS.

Borut
Collaborator

Judging by the sound of crickets, there is no easy way to do that other than transferring users by hand :)

Julian_Salmeron
Explorer

Hi all,

I have been trying to import an exported policy with Data Center objects (APIC integration) and I am getting this error from my imported Management:

Adding data-center-objects

Traceback (most recent call last):
  File "import_export_package.py", line 47, in <module>
    import_package(client, args)
  File "/root/ExportImportPolicyPackage/importing/import_package.py", line 52, in import_package
    layers_to_attach = import_objects(args.file, client, {})
  File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 78, in import_objects
    changed_layer_names, api_call, num_objects, client)
  File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 106, in add_object
    payload, _ = create_payload(fields, line, 0, api_type, client.api_version)
  File "/root/ExportImportPolicyPackage/utils.py", line 395, in create_payload
    if data[data_index] != "":
IndexError: list index out of range

I can successfully export/import policies without DataCenter objects.

Has anyone experienced this kind of issue?

Thanks in advance.
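
The traceback above ends in `if data[data_index] != ""` raising IndexError, which is the signature of a row of exported data that has fewer cells than the field list the importer expects. The following is an added example, not code from the ExportImportPolicyPackage tool: the field names and rows are constructed (the tool's real export format is not assumed), `build_payload_naive` reproduces the failing pattern, and `build_payload_safe` shows the hardened form that pads short rows and records what was missing so the import can continue and the gap shows up in the log. It runs on Python 3 and 2.7.

```python
# Added example; not the ExportImportPolicyPackage tool's own code.
# Constructed field list and rows; the tool's real export format is not assumed.
FIELDS = ["name", "type", "data-center", "uid", "comments"]
FULL_ROW = ["web-1", "host", "", "", "lab web server"]
SHORT_ROW = ["apic-epg-1", "data-center-object", "apic-lab"]  # two trailing cells missing


def build_payload_naive(fields, data):
    """Mirror the pattern in the traceback: index the row by position, skip empty cells.
    Raises IndexError as soon as the row is shorter than the field list."""
    payload = {}
    for data_index, field in enumerate(fields):
        if data[data_index] != "":
            payload[field] = data[data_index]
    return payload


def build_payload_safe(fields, data):
    """Hardened variant that never indexes past the end of the row.

    Returns (payload, missing_fields, extra_cells):
      payload        - field -> value for every non-empty cell
      missing_fields - fields the row had no cell for (treated as empty)
      extra_cells    - cells beyond the field list (reported, not silently dropped)
    """
    data = list(data)
    missing_fields = fields[len(data):]
    extra_cells = data[len(fields):]
    padded = data[:len(fields)] + [""] * len(missing_fields)
    payload = {field: value for field, value in zip(fields, padded) if value != ""}
    return payload, missing_fields, extra_cells


def naive_raises_index_error(fields, data):
    """True if the naive builder blows up on this row (demonstrates the failure mode)."""
    try:
        build_payload_naive(fields, data)
    except IndexError:
        return True
    return False


def import_rows(fields, rows, log):
    """Build one payload per row; rows needing attention go to the log instead of aborting."""
    payloads = []
    for line_no, row in enumerate(rows, start=1):
        payload, missing, extra = build_payload_safe(fields, row)
        if missing:
            log.append("line %d: missing cells for %s" % (line_no, ", ".join(missing)))
        if extra:
            log.append("line %d: %d unexpected extra cell(s)" % (line_no, len(extra)))
        payloads.append(payload)
    return payloads


if __name__ == "__main__":
    messages = []
    for p in import_rows(FIELDS, [FULL_ROW, SHORT_ROW], messages):
        print(p)
    for m in messages:
        print("WARNING: " + m)
```

The point of logging rather than padding silently is that a data-center object imported with half its fields is exactly the kind of placeholder you want to find afterwards, the same way the Notice in the original post tells you to search for "export_error" objects.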

Robert_Decker
Advisor

This looks like a bug.

Will check the code and inform you.

Robert.

Julian_Salmeron
Explorer

Thank you very much Robert, for your quick reply.

Robert_Decker
Advisor

Hi,

Verified that this is a bug - the code fails to properly handle the data center objects.

Will be fixed, please stay tuned.

Robert.

Julian_Salmeron
Explorer

Thanks for the info Robert!

Demith_Samaraw2
Contributor

Hi Robert

Quick question regarding the merging of the policies. As far as I know, if an object/group with the same name exists when the tool imports a policy package, it will skip that object.

Is there a way we can force it to replace all the existing objects with the ones from the new policy package? The requirement is that I am merging a new set of policy packages into existing CMAs, and some of the objects in the new policy packages are updated, but we don't know exactly which ones; we just need to force-replace all the existing objects with the new objects when importing.

Is this possible?

Martin_Valenta
Advisor

Could you please update lists_and_dictionaries.py on your github, in order to support api version 1.3 on R80.20 mgmt?

I've run into an issue when trying to import packages there. Even when I force it to use version 1.1 during import, it hangs on an error like this.

line 56, in import_objects.py

client.api_version] else "generic objects of type " + api_type), True)
KeyError: u'1.3'

As a workaround I've just copied the definition from 1.2 to 1.3 and it started to work.
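
The `KeyError: u'1.3'` above is what a table keyed by API version string does when the server reports a version the table has never heard of; the copy-paste workaround works because 1.3 happens to be a superset of 1.2. Below is an added example, not the tool's own code (its `lists_and_dictionaries.py` is not reproduced): the per-version table is constructed, `naive_lookup` shows the failing direct lookup, and `lookup_for_version` falls back to the highest known version that is not newer than the server's, logging the substitution so it is visible in the import log rather than assumed. It compares versions numerically, so it also handles the general case where a two-digit minor such as "1.10" must sort after "1.2". Runs on Python 3 and 2.7.

```python
# Added example; not the ExportImportPolicyPackage tool's own code.
import logging

log = logging.getLogger("import_example")

# Constructed per-version tables; the tool's real lists_and_dictionaries.py is not reproduced.
OBJECT_TYPES_BY_VERSION = {
    "1.1": ["host", "network", "group"],
    "1.2": ["host", "network", "group", "address-range"],
}


def version_key(version):
    """Compare versions as integer tuples: '1.10' must sort after '1.2', which string order gets wrong."""
    return tuple(int(part) for part in version.split("."))


def naive_lookup(table, api_version):
    """Direct lookup, the pattern the KeyError in the reply above points at."""
    return table[api_version]


def lookup_for_version(table, api_version):
    """Return (entry, version_used).

    Exact match wins. Otherwise use the highest known version not newer than
    the server's and warn, so the substitution is recorded. A server older
    than every known table is an error, not a guess."""
    if api_version in table:
        return table[api_version], api_version
    wanted = version_key(api_version)
    older = [v for v in table if version_key(v) <= wanted]
    if not older:
        raise ValueError("no definitions for API version %s or older" % api_version)
    best = max(older, key=version_key)
    log.warning("API version %s has no definitions; using those for %s", api_version, best)
    return table[best], best


def raises(fn, exc, *args):
    """True if fn(*args) raises exc; used to demonstrate the failure and the edge cases."""
    try:
        fn(*args)
    except exc:
        return True
    return False


if __name__ == "__main__":
    logging.basicConfig(level=logging.WARNING)
    print(lookup_for_version(OBJECT_TYPES_BY_VERSION, "1.3"))
```

The caveat a maintainer should keep in mind: a fallback only knows about object types defined for the older version, so anything a newer API added (the data-center objects discussed earlier in this thread, for example) will not be picked up until the table is actually extended; the warning in the log is what tells you that happened.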

Robert_Decker
Advisor

Hi,

This can be done for several network objects by using the "set-if-exist" flag when adding the objects - requires using a new flag.

For other objects - it is rejected by the Management Server database.

I'll ask to add a new flag for specific existing objects override.

Please stay tuned.

Robert.

Robert_Decker
Advisor

Sure, I'll add and inform you.

Robert.

Demith_Samaraw2
Contributor

Hi Robert

When you say it can be done for several network objects using the "set-if-exist" flag, does this feature already exist, or do you mean it will be available in future versions?

Also, if it is already available, what types of network objects does it work for, and how can that flag be used?

Robert_Decker
Advisor

Sorry for the confusion, this flag doesn't exist yet. If it is added to the tool, it will affect the following network objects: host, network, address-range.

Robert.

Robert_Decker
Advisor

The tool is updated for Management API version 1.3.

Robert.

Aaron_Vivadelli
Contributor

I fixed this by setting the 'MGMT_CLI_PORT' variable to '4434' on the management server before running the import.

Also, when importing, run --file <export-file-name.tar.gz> and it calls the export file from your local machine. It doesn't need to be run on the Management server.

ATT_Network_Sup
Explorer

Hello,

I am trying to use this tool for exporting/importing between 2 SmartManager machines. Export is working well but I bump into issues on Import.

Data:

1. SmartCenters are in a virtual lab environment for testing the script.

2. Objects/Rules were imported initially from Fortigate, using SmartMove, so they all have "Fortinet" tags.

3. Export generates no errors

4. Import on a new SM server generates multiple errors, sampled below:

Failed to import service-tcp with name [TCP_15000]. Error: Invalid parameter for [tags]. Invalid value

Failed to import service-tcp with name [TCP_15100]. Error: Invalid parameter for [tags]. Invalid value

Failed to import service-tcp with name [TCP_15180]. Error: Invalid parameter for [tags]. Invalid value

Failed to import network with name [net_xxxx_VPN_xxx_192.168.104.0n24]. Error: Management server failed to execute command

Failed to import network with name [net_xxxx_Bondy_10.132.34.0n23]. Error: Management server failed to execute command

Failed to import access-rule. Error: Requested object [TCP_5666_NAGIOS] not found
Also failed to generate placeholder object: Validation failed with 1 error

Any help will be much appreciated.

Adrian.

Theis_Andersen_
Explorer

We found that if you choose in the menu to disable export of Access-Control layers, the script will not export anything; we would expect it to export other objects like hosts, networks and groups. Is this by design?
