Python tool for exporting/importing a policy package or parts of it
Overview
ExportImportPolicyPackage tool enables you to export a policy package from a R80.x management database to a .tar.gz file, which can then be imported into any other R8x management database.
This tool can be used for backups, database transfers, testing, and more.
If you are exporting a policy package from a CMA, please verify that a global policy is NOT assigned to that CMA.
The tool does not support exporting a policy with a global policy assigned!
The tool is referenced in https://support.checkpoint.com/results/sk/sk180923
Description
This tool enables you to export a policy package (Access Policy, Threat Policy or both) from a management server into a .tar.gz file.
Notice
There are some types of objects that the script might not be able to export.
In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this.
In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.
Instructions
Download the latest version from our GitHub repository: https://github.com/CheckPointSW/ExportImportPolicyPackage
First, make sure you have [2.7.9 <= Python <= 2.7.14] installed on the machine running the script.
To export a package, run the import_export_package.py script. An interactive menu will guide you the rest of the way.
Command line flags may also be set in order to skip some or all of the menu.
A lot more details can of course be accessed with the [-h] option. This option also prints the current version of the tool.
Current tool version is V3.0.
Limitations
This export/import script does not gather all data from a given management server/CMA.
In general, it is limited by the R80.x Management APIs.
Specifically, this means:
- CMAs with a Global Policy assigned cannot be exported
  - Workaround: unassign the Global Policy prior to export
- Gateway/Cluster objects have to be recreated
  - Placeholder objects will be created
- UserCheck messages have to be recreated
  - Placeholder objects will be created
- The Internal Certificate Authority will not be copied. This means:
  - Re-establishing SIC with the appropriate gateways
  - Re-generating VPN certificates
  - Manually recreating HTTPS Inspection and DLP Rules
- Other objects not currently readable/writable via the R80.x API will not be copied
Tested on version
R8x
Releases earlier than R80 lack the necessary API support and are not supported.
Source Code Availability
The source code is available through GitHub: https://github.com/CheckPointSW/ExportImportPolicyPackage
FAQ
Replies to this thread have been locked.
Please refer to the FAQ below before you create a new post with your question.
When I run this tool, I get the message: APIResponse received a response which is not a valid JSON.
This most likely means you haven't enabled the API server yet.
See: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Enabling-web-api/m-p/32641
I get an error message related to server fingerprint
Use the --unsafe option to ignore this error.
Can this tool export more than one policy package at a time?
Not currently, but you could call the tool in a script multiple times.
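The "Notice" section above tells you to find the placeholder objects by searching for "export_error" in SmartConsole and checking where each one is used. The following is an added example (not code from the ExportImportPolicyPackage tool, and written for Python 3 rather than the Python 2.7 the tool requires) that does the same check through the Management API: it logs in, pages through show-objects with that search filter, runs where-used on each placeholder, and reports how many rules and which objects reference it. Instead of the --unsafe route from the FAQ, it pins the management server's certificate by SHA-256 fingerprint; the address, credentials and fingerprint in the main block are assumed values, and the fingerprint is taken to have been recorded out of band on the server. Field names follow the public API reference.

```python
"""Post-import check for ExportImportPolicyPackage placeholders (added
example, not part of the tool). Lists every "export_error" placeholder object
the import created and where each one is used, through the R80.x Management
API (login, show-objects, where-used, logout), pinning the server's
certificate fingerprint instead of ignoring it. Python 3 standard library."""
import hashlib
import http.client
import json
import ssl

PLACEHOLDER_MARK = "export_error"   # substring the tool puts in placeholder names


class MgmtApi:
    """Minimal Management API client with certificate-fingerprint pinning."""

    def __init__(self, host, expected_sha256, port=443):
        self.host, self.port = host, port
        self.expected = expected_sha256.replace(":", "").lower()
        self.sid = None
        # A fresh management server's certificate is self-signed, so CA
        # validation cannot succeed; pin the leaf certificate's hash instead
        # (SHA-256 here; the fingerprint prompt of mgmt_cli shows SHA-1).
        self.ctx = ssl.create_default_context()
        self.ctx.check_hostname = False
        self.ctx.verify_mode = ssl.CERT_NONE

    def _connect(self):
        conn = http.client.HTTPSConnection(self.host, self.port, context=self.ctx)
        conn.connect()
        seen = hashlib.sha256(conn.sock.getpeercert(binary_form=True)).hexdigest()
        if seen != self.expected:   # refuse to send credentials to an unknown peer
            conn.close()
            raise ssl.SSLError("server fingerprint mismatch: " + seen)
        return conn

    def call(self, command, payload=None):
        headers = {"Content-Type": "application/json"}
        if self.sid:
            headers["X-chkp-sid"] = self.sid
        conn = self._connect()
        conn.request("POST", "/web_api/" + command, json.dumps(payload or {}), headers)
        resp = conn.getresponse()
        body = json.loads(resp.read().decode("utf-8"))
        conn.close()
        if resp.status != 200:
            raise RuntimeError("%s failed: %s" % (command, body.get("message", body)))
        return body

    def login(self, user, password, domain=None):
        payload = {"user": user, "password": password}
        if domain:
            payload["domain"] = domain   # target CMA when the import went into an MDS domain
        self.sid = self.call("login", payload)["sid"]

    def logout(self):
        self.call("logout")
        self.sid = None


def find_placeholders(api, page=50):
    """Map placeholder name -> {"type", "rules", "objects"}: how many rules
    reference it directly and which objects (e.g. groups) contain it."""
    found, offset = {}, 0
    while True:
        res = api.call("show-objects",
                       {"filter": PLACEHOLDER_MARK, "limit": page, "offset": offset})
        for obj in res.get("objects", []):
            if PLACEHOLDER_MARK not in obj.get("name", ""):
                continue   # "filter" is a free-text search; keep only real placeholders
            direct = api.call("where-used", {"name": obj["name"]}).get("used-directly", {})
            found[obj["name"]] = {
                "type": obj.get("type"),
                "rules": sum(len(direct.get(k, [])) for k in
                             ("access-control-rules", "nat-rules", "threat-prevention-rules")),
                "objects": sorted(o.get("name", "") for o in direct.get("objects", [])),
            }
        offset += page
        if offset >= res.get("total", 0):
            break
    return found


if __name__ == "__main__":
    # Assumed values: management address, credentials and the SHA-256
    # fingerprint of the server certificate recorded out of band.
    api = MgmtApi("203.0.113.10", "00" * 32)
    api.login("admin", "password")
    try:
        for name, info in sorted(find_placeholders(api).items()):
            print("%s (%s): %d rule(s), in %s" % (name, info["type"], info["rules"], info["objects"]))
    finally:
        api.logout()
```

The where-used call is the slow part, so the function only issues it for objects whose name actually carries the placeholder mark; the text filter of show-objects also matches comments and other fields. Run it against the target management server after the import, before starting to replace placeholders by hand.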
---
I have heard that there are a couple of RFEs ongoing with Check Point to produce a supportable integrated migration tool from R80.x to R80.x.
This is absolutely imperative for MSPs; taking on a customer is not possible using API scripts in a timely manner.
I hope someone at Check Point has some good news about a forthcoming release that will allow us to do what we have done for all time up until R80 was released and allow us to migrate export, migrate import in R80.x.
Can someone comment on this?
---
Hi Peter,
Can you elaborate on "in a timely manner"? Is there a performance problem with export-import-policy?
We have plans for migrating specific domains in the R8x train, however it will not make R80.20.
---
Hi Tomer,
It's just the fact that it is 'not possible' to migrate cleanly from R80.x to R80.x. There is no supported method.
It needs to be implemented as a matter of urgency (that is what I meant by a timely manner).
Thanks
Peter
---
I think the question Tomer Sole is asking is: what is missed using this script versus, say, a migrate export/import between different DMS?
I think I can answer that
A few things I can think of off the top of my head:
- Gateway objects have to be recreated
- UserCheck messages have to be created
- Anything related to the ICA is lost (because gateways are recreated)
- HTTPS Inspection Rules
- DLP Rules
- Anything else not currently readable/writable via the R80.x API
So while it is possible to move domains between DMSes using this script, it can be a fair bit of manual work.
Work that previously wasn't required.
---
Indeed Dameon... a feature that worked well and was built into R77 product has disappeared and been replaced by a script that does not migrate gateway objects (and ICA). ... in effect you lose the most important parts of the configuration.
I'm looking for some commitment from Check Point to put back what has been lost since R80 code was released.
---
Hi,
ExportImportPolicy was never intended to be the official replacement of domain migration tools.
Lack of domain migration tools is a limitation of R80, R80.10 and R80.20. We planned to have it released sooner but there was a delay in the schedule for the delivery of this feature.
---
Hello,
I'm trying to import a policy package, but it failed with several errors. Is it supported to export the policy package from a management server and import it into a domain in a Multi-Domain Server?
regards
---
Yes, it is possible.
Can you paste here the import errors?
Robert.
---
Thanks for the answer. I had missed changing the domain IP; now it is working OK, but I have another problem: the user objects are not being imported. Is there a list of objects that cannot be imported?
regards
---
As stated in the overview, there are some object types that are not exported/imported - mainly the legacy R77.x objects, which are not native R80.x objects and cannot be created by R80.x Management API:
Clusters, Gateways, VSX/VS, UserCheck, Users.
The Simple-Gateway object is partially exported/imported.
For Cluster and Gateway objects a placeholder object is created and you will need to manually change it post import.
---
I guess we can add users to my earlier comment on this thread, which lists several other things.
---
What is the best procedure to migrate users from R77.30 to R80? It feels quite cumbersome and time consuming copying them by hand, especially when there are a lot of them.
---
In which conditions do you choose to move just user objects and not directly upgrade security management servers?
---
When merging two management servers into one. After some mergers we are trying to migrate to one management server without using MDS.
---
Judging by the sound of crickets, there is no easy way to do that other than transferring users by hand
---
Hi all,
I have been trying to import an exported policy with Data Center objects (APIC integration) and I am getting this error from my imported Management:
Adding data-center-objects
Traceback (most recent call last):
  File "import_export_package.py", line 47, in <module>
    import_package(client, args)
  File "/root/ExportImportPolicyPackage/importing/import_package.py", line 52, in import_package
    layers_to_attach = import_objects(args.file, client, {})
  File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 78, in import_objects
    changed_layer_names, api_call, num_objects, client)
  File "/root/ExportImportPolicyPackage/importing/import_objects.py", line 106, in add_object
    payload, _ = create_payload(fields, line, 0, api_type, client.api_version)
  File "/root/ExportImportPolicyPackage/utils.py", line 395, in create_payload
    if data[data_index] != "":
IndexError: list index out of range
I can successfully export/import policies without Data Center objects.
Has anyone else experienced this kind of issue?
Thanks in advance.
---
This looks like a bug.
Will check the code and inform you.
Robert.
---
Thank you very much Robert, for your quick reply.
---
Hi,
Verified that this is a bug - the code fails to properly handle the data center objects.
Will be fixed, please stay tuned.
Robert.
---
Thanks for the info Robert!
---
Hi Robert
Quick question regarding the merging of policies. As far as I know, if an object/group with the same name exists when the tool imports a policy package, it will skip that object.
Is there a way to force it to replace all the existing objects with those from the new policy package? The requirement is that I am merging a new set of policy packages into an existing CMA, and some of the objects in the new policy packages are updated, but we don't know exactly which ones, so we just need to force-replace all the existing objects with the new objects when importing.
Is this possible?
---
Could you please update lists_and_dictionaries.py on your GitHub, in order to support API version 1.3 on R80.20 management?
I've run into an issue when trying to import packages there. Even when I force it to use version 1.1 during import, it hangs on an error like this:
line 56, in import_objects.py
client.api_version] else "generic objects of type " + api_type), True)
KeyError: u'1.3'
As a workaround I just copied the definition from 1.2 to 1.3 and it started to work.
---
Hi,
This can be done for several network objects by using the "set-if-exists" flag when adding the objects; it requires adding a new flag to the tool.
For other objects, it is rejected by the Management Server database.
I'll ask to add a new flag for overriding specific existing objects.
Please stay tuned.
Robert.
---
Sure, I'll add and inform you.
Robert.
---
Hi Robert
When you say it can be done for several network objects using the "set-if-exists" flag, does this feature already exist, or do you mean it will be available in future versions?
Also, if it is already available, what types of network objects does it work on, and how can that flag be used?
---
Sorry for the confusion, this flag doesn't exist yet. If it is added to the tool, it can affect the following network objects: host, network, address-range.
Robert.
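To make the exchange above concrete, here is an added example (not the tool's code) of how an importer would apply the "set-if-exists" parameter of the Management API: add-host, add-network and add-address-range accept it and turn a duplicate add into an update of the existing object, while other types (the group below) reject a duplicate name and are skipped, which is the tool's current behaviour. The sample objects are constructed, the FakeMgmt class is an in-memory stand-in for the API so the example runs offline, and the "call" argument can be replaced by any function that posts the command to a real server and raises RuntimeError on a non-200 reply.

```python
"""Re-import of objects that may already exist on the target (added example,
not code from ExportImportPolicyPackage). The add-host, add-network and
add-address-range commands accept "set-if-exists": true, which turns a
duplicate add into an update; other types reject a duplicate name, so the
object is skipped and reported. 'call' is any function call(command, payload)
-> dict that raises RuntimeError on a non-200 reply from the API."""

OVERWRITABLE = {"host", "network", "address-range"}   # per the thread above


def import_objects(call, objects, overwrite=False):
    """objects: iterable of (api_type, fields) in dependency order (hosts and
    networks before the groups that contain them). Returns a report dict and
    publishes the session only if at least one object went in."""
    report = {"imported": [], "skipped": [], "not-overwritable": []}
    for api_type, fields in objects:
        payload = dict(fields)
        if overwrite:
            if api_type in OVERWRITABLE:
                payload["set-if-exists"] = True   # update instead of failing on a duplicate
            else:
                report["not-overwritable"].append(fields["name"])
        try:
            call("add-" + api_type, payload)
            report["imported"].append(fields["name"])
        except RuntimeError as err:   # duplicate name, missing reference, ...
            report["skipped"].append((fields["name"], str(err)))
    # Nothing is visible to SmartConsole until the session is published;
    # an import that added nothing should not leave a stale session behind.
    call("publish" if report["imported"] else "discard", {})
    return report


SAMPLE_OBJECTS = [   # constructed sample, shaped like the add-* payloads
    ("host", {"name": "web-1", "ip-address": "192.0.2.10"}),
    ("network", {"name": "dmz", "subnet": "192.0.2.0", "subnet-mask": "255.255.255.0"}),
    ("address-range", {"name": "guest-pool", "ip-address-first": "198.51.100.10",
                       "ip-address-last": "198.51.100.50"}),
    ("group", {"name": "dmz-servers", "members": ["web-1"]}),
]


class FakeMgmt:
    """In-memory stand-in for the Management API (assumption, for running the
    example offline). It models only 'a name may exist once' and the
    set-if-exists update; a real server also validates every field."""

    def __init__(self):
        self.objects, self.published = {}, 0

    def __call__(self, command, payload):
        if command in ("publish", "discard"):
            self.published += command == "publish"
            return {}
        api_type, name = command[len("add-"):], payload["name"]
        if name in self.objects and not payload.get("set-if-exists"):
            raise RuntimeError("add-%s failed: object '%s' already exists" % (api_type, name))
        fields = {k: v for k, v in payload.items() if k != "set-if-exists"}
        self.objects[name] = (api_type, fields)
        return {"name": name}


if __name__ == "__main__":
    server = FakeMgmt()
    print("first import:", import_objects(server, SAMPLE_OBJECTS))
    changed = [("host", {"name": "web-1", "ip-address": "192.0.2.11"})] + SAMPLE_OBJECTS[1:]
    print("re-import, no overwrite:", import_objects(server, changed))
    print("re-import with overwrite:", import_objects(server, changed, overwrite=True))
    print("web-1 is now", server.objects["web-1"][1]["ip-address"])
```

The third run shows the limit Robert describes: the host, network and address range are updated in place, while the group is still skipped and listed under "not-overwritable", so it has to be reconciled by hand. Keep the skipped list from a real run; it is the work list for the post-import cleanup.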
---
The tool is updated for Management API version 1.3.
Robert.
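The KeyError reported a few posts up comes from looking up the server's API version in a dictionary that only knows older versions. The following added example (not the tool's code) avoids that failure mode by asking the server which versions it supports with show-api-versions, intersecting that with the versions the client has definitions for, and talking the highest common one through the versioned /web_api/v<version>/ path. The "call" argument is any function that posts a command and returns the decoded JSON; the version list in KNOWN_VERSIONS is an assumed client-side table.

```python
"""Pick the Management API version to use (added example, not the tool's
code). Per-version client definitions keyed by version string fail with a
KeyError on a server newer than the table; instead, intersect the server's
supported versions with the known ones and take the highest common entry."""

KNOWN_VERSIONS = ("1", "1.1", "1.2", "1.3")   # assumed: versions this client has definitions for


def as_tuple(version):
    """'1.10' sorts after '1.9' only when compared numerically, not as a string."""
    return tuple(int(part) for part in version.split("."))


def negotiate_api_version(call, known=KNOWN_VERSIONS):
    """call("show-api-versions", {}) -> {"current-version": ..., "supported-versions": [...]}
    (no session needed for that command). Returns (version, url_prefix);
    raises RuntimeError when the server and client share no version."""
    info = call("show-api-versions", {})
    supported = set(info.get("supported-versions", [info["current-version"]]))
    common = [v for v in known if v in supported]
    if not common:
        raise RuntimeError("server supports %s, client knows %s"
                           % (sorted(supported, key=as_tuple), list(known)))
    chosen = max(common, key=as_tuple)
    # Pinning the version in the URL keeps request and response formats stable
    # even after the management server is upgraded.
    return chosen, "/web_api/v%s/" % chosen


if __name__ == "__main__":
    # Constructed reply standing in for a server newer than KNOWN_VERSIONS.
    def fake_call(command, payload):
        return {"current-version": "1.5",
                "supported-versions": ["1", "1.1", "1.2", "1.3", "1.4", "1.5"]}

    print(negotiate_api_version(fake_call))
```

Forcing an older version by hand, as the workaround in the post above did, is the same idea applied manually; negotiating it from show-api-versions means a newer server degrades gracefully instead of aborting the import.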
---
I fixed this by setting the 'MGMT_CLI_PORT' variable to '4434' on the management server before running the import.
Also, when importing, run with --file <export-file-name.tar.gz> and it reads the export file from your local machine. It doesn't need to be run on the Management server.
---
Hello,
I am trying to use this tool for exporting/importing between 2 SmartManager machines. Export is working well but I bump into issues on Import.
Data:
1. SmartCenters are in a virtual lab environment for testing the script.
2. Objects/Rules were imported initially from Fortigate, using SmartMove, so they all have "Fortinet" tags.
3. Export generates no errors
4. Import on a new SM server generates multiple errors, sampled below:
Failed to import service-tcp with name [TCP_15000]. Error: Invalid parameter for [tags]. Invalid value
Failed to import service-tcp with name [TCP_15100]. Error: Invalid parameter for [tags]. Invalid value
Failed to import service-tcp with name [TCP_15180]. Error: Invalid parameter for [tags]. Invalid value
Failed to import network with name [net_xxxx_VPN_xxx_192.168.104.0n24]. Error: Management server failed to execute command
Failed to import network with name [net_xxxx_Bondy_10.132.34.0n23]. Error: Management server failed to execute command
Failed to import access-rule. Error: Requested object [TCP_5666_NAGIOS] not found
Also failed to generate placeholder object: Validation failed with 1 error
Any help will be much appreciated.
Adrian.
---
We found that if you in the menu choose to disable export of Access-Control layers, the script will not export anything - would expect it to export other objects like hosts, networks and groups. Is this by design?