Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Vishnu_Kumar
Contributor

can anybody let me know how can we import policy/rules via .csv file in r80.10

can anybody let me know how can we import policy/rules via .csv file in r80.20

18 Replies
PhoneBoy
Admin
Admin

In pre-R80, you can do it using a CSV file with the cp_merge utility, described here: Using cp_merge utility 

In R80+ there isn't a pre-built tool that does the rulebase via CSV, but I imagine one can be created that uses the API.

Meanwhile, you can use a tool like the following to import/export rules: https://community.checkpoint.com/docs/DOC-1938 

Robert_Decker
Advisor

The policy that you want to import into R80.10 management server - is it exported from other R80.X management server, or you have created /want to create it manually and then import as a batch operation?

Robert.

0 Kudos
Matt_Sherman
Participant

I also have this issue.  I have an existing R80.10 management server and need to get the access control policy and NAT to a different R80.10 management server.  I cannot use migrate export / import as I cannot overwrite the existing production management server.  I'd like to export to csv and import using a batch operation.  I am also using inline layers.

0 Kudos
PhoneBoy
Admin
Admin

You can certainly export the rules to CSV using SmartConsole, but there is no way to import the same currently.

Your best bet is to use this script to do it: Python tool for exporting/importing a policy package or parts of it

Unlike a migrate export/import, does not overwrite the existing database.

That said, you might want to use migrate export/import to create another copy of your existing management and test the process.

0 Kudos
Matt_Sherman
Participant

Thanks Dameon.  I saw that before, but I don't know python so I kept looking for another method.  Oh well, I guess I'll have to learn me up some python.  Thanks for the tip on testing the process.  I already have a vm with the production export imported to use as a test platform.

0 Kudos
Robert_Decker
Advisor

you do not need to learn python. just use the tool that Dameon referenced.

also, read this - https://community.checkpoint.com/docs/DOC-2745-migrating-r8010-smartcenter-to-r8010-cma-meet-your-be....

Robert.

0 Kudos
Matt_Sherman
Participant

I installed python 2.7.9 and ran import_export_package.py.  I input my package name, I chose enter user credentials manually, I changed the mgmt server ip, I changed the output file name, and I ran.  I input my username, then password.  I get the following in the import_export.log.

Login to management server failed. lib::APIResponse
{
    "data": null,
    "error_message": "APIResponse received a response which is not a valid JSON.",
    "res_obj": {},
    "status_code": 403,
    "success": false
}

0 Kudos
Robert_Decker
Advisor

please check your API server's accessibility permission - 

https://community.checkpoint.com/docs/DOC-2731

Robert.

0 Kudos
Matt_Sherman
Participant

Thanks for the quick responses Robert. 

[Expert@sms-r80.10:0]# api status

API Settings:
---------------------
Accessibility:                      Require ip 127.0.0.1
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   15151
CPM       Started   3816      Check Point Security Management Server is running and ready
FWM       Started   3439

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@sms-r80.10:0]# cd /web/conf
[Expert@sms-r80.10:0]# ls
extra  httpd2.conf  httpd2_mp.conf  login  mime.types  server.crt  server.key
[Expert@sms-r80.10:0]# file server.crt
server.crt: ASCII text
[Expert@sms-r80.10:0]#

I also verified the R80.10 smartconsole gui settings

   startup settings > automatic start

   access settings > all ip addresses

I also ran import_export_package.py using the default ip 127.0.0.1 and got the following in the import_export.log.

Login to management server failed. lib::APIResponse
{
    "data": null,
    "error_message": "APIResponse received a response which is not a valid JSON.",
    "res_obj": {},
    "status_code": 400,
    "success": false
}

0 Kudos
Robert_Decker
Advisor

your API status command shows that API server is configured for access from management server only (127.0.0.1).

did you run "api restart" command on your management server?

0 Kudos
Matt_Sherman
Participant

I ran api restart and it still shows 127.0.0.1

[Expert@sms-r80.10:0]# api restart
2018-May-16 11:30:03 - Stopping API...
2018-May-16 11:30:05 - API stopped successfully.
2018-May-16 11:30:05 - Starting API...
. . . . . . . . . . . . .
2018-May-16 11:31:06 - API started successfully.
[Expert@sms-r80.10:0]# api status

API Settings:
---------------------
Accessibility:                      Require ip 127.0.0.1
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   10095
CPM       Started   3816      Check Point Security Management Server is running and ready
FWM       Started   3439

Port Details:
-------------------
JETTY Internal Port:      50277
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@sms-r80.10:0]#

0 Kudos
Robert_Decker
Advisor

can you please paste here the output of "cpinfo -y all" command?

0 Kudos
Matt_Sherman
Participant

I also did a shutdown -r now and same api status after the reboot.

[Expert@sms-r80.10:0]# cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
   HOTFIX_R80_10

[CPFC]
   HOTFIX_R80_10

[FW1]
   HOTFIX_R80_10

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 192
This is Check Point's software version R80.10 - Build 435

[SecurePlatform]
   No hotfixes..

[CPinfo]
   No hotfixes..

[DIAG]
   HOTFIX_R80_10

[SmartPortal]
   No hotfixes..

[Reporting Module]
   HOTFIX_R80_10

[CPuepm]
   HOTFIX_R80_10

[VSEC]
   HOTFIX_R80_10

[SmartLog]
   HOTFIX_R80_10

[R7520CMP]
   HOTFIX_R80_10

[R7540CMP]
   HOTFIX_R80_10

[R7540VSCMP]
   HOTFIX_R80_10

[R76CMP]
   HOTFIX_R80_10

[SFWR77CMP]
   HOTFIX_R80_10

[R77CMP]
   HOTFIX_R80_10

[R75CMP]
   HOTFIX_R80_10

[NGXCMP]
   HOTFIX_R80_10

[EdgeCmp]
   HOTFIX_R80_10

[SFWCMP]
   HOTFIX_R80_10

[FLICMP]
   HOTFIX_R80_10

[SFWR75CMP]
   HOTFIX_R80_10

[MGMTAPI]
   No hotfixes..

[rtm]
   No hotfixes..

[Expert@sms-r80.10:0]#

0 Kudos
Robert_Decker
Advisor

ok, I see that you have plain r80.10 installation, no jumbo hotfixes.

what you are experiencing is a known bug, that was fixed in T37 of r80.10 jumbo hotfix release.

please contact your SE or partner for your installation upgrade.

robert.

0 Kudos
Matt_Sherman
Participant

OK, thanks for the help and very quick responses, much appreciated.

0 Kudos
Matt_Sherman
Participant

I put on jumbo hfa take 103 which does include t37 but still have the same issue.  I also built a new vm and added the hfa t103 and same problem.  I'm using windows 10, vm workstation pro 14, 300gb disk space, 8gb ram (new vm I tried 9gb ram).  

[Expert@sms-r80.10:0]# cpinfo -y all

This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
   HOTFIX_R80_10

[CPFC]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 103

[FW1]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 103

FW1 build number:
This is Check Point Security Management Server R80.10 - Build 016
This is Check Point's software version R80.10 - Build 068

[SecurePlatform]
   HOTFIX_R80_10_JUMBO_HF    Take: 103

[CPinfo]
   No hotfixes..

[DIAG]
   HOTFIX_R80_10

[SmartPortal]
   No hotfixes..

[Reporting Module]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 103

[CPuepm]
   HOTFIX_R80_10

[VSEC]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 103

[SmartLog]
   HOTFIX_R80_10
   HOTFIX_R80_10_JUMBO_HF    Take: 103

[R7520CMP]
   HOTFIX_R80_10

[R7540CMP]
   HOTFIX_R80_10

[R7540VSCMP]
   HOTFIX_R80_10

[R76CMP]
   HOTFIX_R80_10

[SFWR77CMP]
   HOTFIX_R80_10
   HOTFIX_R80_10_JHF_COMP

[R77CMP]
   HOTFIX_R80_10
   HOTFIX_R80_10_JHF_COMP

[R75CMP]
   HOTFIX_R80_10

[NGXCMP]
   HOTFIX_R80_10

[EdgeCmp]
   HOTFIX_R80_10

[SFWCMP]
   HOTFIX_R80_10

[FLICMP]
   HOTFIX_R80_10

[SFWR75CMP]
   HOTFIX_R80_10

[MGMTAPI]
   No hotfixes..

[CPUpdates]
   BUNDLE_R80_10_JUMBO_HF    Take: 103

[rtm]
   No hotfixes..

[Expert@sms-r80.10:0]# api status

API Settings:
---------------------
Accessibility:                      Require ip 127.0.0.1
Automatic Start:                    Enabled

Processes:

Name      State     PID       More Information
-------------------------------------------------
API       Started   16171
CPM       Started   3715      Check Point Security Management Server is running and ready
FWM       Started   3461

Port Details:
-------------------
JETTY Internal Port:      50276
APACHE Gaia Port:         443


--------------------------------------------
Overall API Status: Started
--------------------------------------------

API readiness test SUCCESSFUL. The server is up and ready to receive connections

Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'

[Expert@sms-r80.10:0]#
 

0 Kudos
PhoneBoy
Admin
Admin

See if restarting the API server clears it.

At least that was the initial workaround we figured out here:

Re: R80.10 API bug: fallback to "SmartCenter Only" after reboot

And yes, please open a TAC case for this.

0 Kudos
Robert_Elliott
Employee
Employee

I don't know if this will help or not, but here is an elementary script that will create 10 hosts, 10 networks and 10 rules using said hosts and networks.  Of course this can be done much better with python.  But with this you can see the syntax for how to create the rules using APIs.  

cd "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM"
mgmt_cli -m demootj1uuvics.mgmt.cloud login -u aa -p aaaa > "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost1 ip-address 10.0.0.1 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost2 ip-address 10.0.0.2 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost3 ip-address 10.0.0.3 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost4 ip-address 10.0.0.4 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost5 ip-address 10.0.0.5 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost6 ip-address 10.0.0.6 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost7 ip-address 10.0.0.7 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost8 ip-address 10.0.0.8 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost9 ip-address 10.0.0.9 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost10 ip-address 10.0.0.10 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli publish -s session_id.txt
mgmt_cli add network name MyNet0 subnet 10.0.0.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet1 subnet 10.0.1.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet2 subnet 10.0.2.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet3 subnet 10.0.3.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet4 subnet 10.0.4.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet5 subnet 10.0.5.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet6 subnet 10.0.6.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet7 subnet 10.0.7.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet8 subnet 10.0.8.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet9 subnet 10.0.9.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet10 subnet 10.0.10.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli publish -s session_id.txt
mgmt_cli add access-section layer Network name "My Rules" position.above "Data Center Access" -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.top "My Rules" name "My Rule 1" source "MyHost1" destination "MyNet1" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 2" source "MyHost2" destination "MyNet2" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 3" source "MyHost3" destination "MyNet3" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 4" source "MyHost4" destination "MyNet4" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 5" source "MyHost5" destination "MyNet5" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 6" source "MyHost6" destination "MyNet6" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 7" source "MyHost7" destination "MyNet7" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 8" source "MyHost8" destination "MyNet8" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 9" source "MyHost9" destination "MyNet9" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 10" source "MyHost10" destination "MyNet10" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli publish -s session_id.txt
mgmt_cli publish -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"

I hope it helps.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events