fw_ctl
Iron

Best (simplest) way to export policy from old CMA to new all R80.20

As above - I have a requirement to migrate a policy package (Gaia config not important) from an existing CMA in MDS domain #1 to a new CMA in domain #2 (same MDS).

I have looked into multiple methods, such as ofiller/dumper, cp_merge, etc.

What are people's tried and tested methods, as I don't see an official SK or supported methodology?

0 Kudos
Accepted Solutions
Employee+

Re: Best (simplest) way to export policy from old CMA to new all R80.20

A very short introduction to Python syntax. These examples are from an SMS to domain migration. When exporting from an MDS domain you will need to reference that domain.

First of all, you'll need to get the name of the policy you want to export if you have a lot of them.

List all policies with the mgmt API (you need to use the domain keyword to export from a CMA):
mgmt_cli --root true --format json show packages | jq ".packages[] .name" -r

Copy the Python SDK to your management server and use the following command to reference it:
export PYTHONPATH=${PYTHONPATH}:/home/admin/python/cp_mgmt_api_python_sdk-master/

Run import_export_package (this is a menu-driven tool) to export the package:
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py

Copy the package to the destination and import it automatically without prompting:
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py --file /home/admin/Internal_Prod/exported__package__POLICY_NAME__DATE.tar.gz --domain x.x.x.x --root --unsafe-auto-accept
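
Added example, not part of the original post or of Check Point's tooling: the management API returns `show packages` results in pages (`limit`/`offset`, with `total` in the reply), so on a server with many packages this sketch pages through all of them, passes `--domain` for a CMA, and confirms the package name matches exactly before an export is started. The function names, `fake_runner` and the sample package names are assumptions made for illustration; the code avoids Python 3 only syntax so it also runs under the 2.7 interpreter used above.

```python
import json
import subprocess

SAMPLE = ["Standard", "Internal_Prod", "DMZ_Policy"]  # constructed package names


def run_mgmt_cli(args):
    """Run mgmt_cli on the management server and return the parsed JSON reply."""
    out = subprocess.check_output(["mgmt_cli"] + args)
    return json.loads(out.decode("utf-8"))


def fake_runner(args):
    """Offline stand-in for mgmt_cli that serves SAMPLE in pages (constructed)."""
    limit = int(args[args.index("limit") + 1])
    offset = int(args[args.index("offset") + 1])
    page = SAMPLE[offset:offset + limit]
    return {"packages": [{"name": n} for n in page],
            "from": offset + 1, "to": offset + len(page), "total": len(SAMPLE)}


def list_package_names(domain=None, runner=run_mgmt_cli, page_size=50):
    """Return every policy package name, following limit/offset paging."""
    names, offset = [], 0
    while True:
        args = ["--root", "true", "--format", "json"]
        if domain:
            args += ["--domain", domain]  # required when the source is a CMA
        args += ["show", "packages",
                 "limit", str(page_size), "offset", str(offset)]
        reply = runner(args)
        page = reply.get("packages", [])
        names.extend(p["name"] for p in page)
        offset += len(page)
        if not page or offset >= reply.get("total", offset):
            return names


def require_package(name, names):
    """Fail before export unless the name matches exactly one package."""
    if names.count(name) != 1:
        raise ValueError("package %r not found exactly once" % name)
    return name


if __name__ == "__main__":
    names = list_package_names(runner=fake_runner, page_size=2)
    print(require_package("Internal_Prod", names))
```

On a real server, call `list_package_names(domain="<domain name or IP>")` so the default `run_mgmt_cli` runner is used.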

 


8 Replies
Admin

Re: Best (simplest) way to export policy from old CMA to new all R80.20

The tools you mention won’t work in R80.x.
This might be your best approach: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
0 Kudos

Re: Best (simplest) way to export policy from old CMA to new all R80.20

These tools are now available for R80.40 only. They are still looking at expanding these tools to lower versions, but I would not get my hopes up too high in that respect for R80.20.

Regards, Maarten
0 Kudos
Admin

Re: Best (simplest) way to export policy from old CMA to new all R80.20

It looks like you can use them for R80.20/R80.30 with the right JHF installed.
However, OP said a specific Policy Package, not the entire domain, which is why I suggested the Python script.
0 Kudos
Employee+

Re: Best (simplest) way to export policy from old CMA to new all R80.20

Hi!

R80.40 has native support for this kind of migration. This being said, you cannot do a full migration (that keeps SIC) between the minor R80.x versions until R80.40.

cp_merge is not supported, but you can achieve the same results with a simple Python tool (link below).

https://github.com/CheckPointSW/ExportImportPolicyPackage

When using the Python tool, remember that SIC will need to be re-established.

ofiller and odumper are very old tools that still work in R77.x, but in R80.x you'll have to use the management API to export and import objects. However, if you use the Python tool you don't need to worry about this, as it will take care of exporting/importing the entire policy package.

0 Kudos

fw_ctl
Iron

Re: Best (simplest) way to export policy from old CMA to new all R80.20

Great thank you.
0 Kudos
fw_ctl
Iron

Re: Best (simplest) way to export policy from old CMA to new all R80.20

Thanks all.

Native support for this is long overdue and very welcome news for me. The current estate I am working in is very large and still completing ->R80.20 migrations - so will be a while off .40 yet.

Looks like the Python tool is the best way forward for my situation now - as I only need policy and objects from one policy package. I will look into this in detail. Cheers

0 Kudos
HenrikJ
Iron

Re: Best (simplest) way to export policy from old CMA to new all R80.20

If you get any errors for the Python package (KeyError), you may have to edit a file and add that key to its dictionary.

I did this in R80.30 between MDSs, and I had to add key "1.6" with the same values as the one in 1.5.