- CheckMates
- :
- Products
- :
- Quantum
- :
- Management
- :
- Re: Best (simplest) way to export policy from old ...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Best (simplest) way to export policy from old CMA to new all R80.20
As above - I have a requirement to migrate a policy package (Gaia config not important) from existing CMA in MDS domain #1 to new CMA in domain#2. (same mds)
I have looked into multiple methods, such as ofiller/dumper, cp_merge, etc etc.
What are peoples tried and tested method as i don't see an official SK or supported methodology.
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A very short introduction to Python syntax. These examples are from SMS to domain migration. When exporting from MDS domain you will need to reference to that domain.
First of all you'll need to get the name of the policy you want to export if you have a lot of them.
List all policies with mgmt API (need to use the domain keyword to export from a CMA)
mgmt_cli --root true --format json show packages | jq ".packages[] .name" -r
Copy the Python SDK to your management server and use the following command to reference to it:export PYTHONPATH=${PYTHONPATH}:/home/admin/python/cp_mgmt_api_python_sdk-master/
Run Import_export_package (this is a menu driven tool) to export the package
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py
Copy package to the destination and import it automatically without prompting
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py --file /home/admin/Internal_Prod/exported__package__POLICY_NAME__DATE.tar.gz --domain x.x.x.x --root --unsafe-auto-accept
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
This might be your best approach: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These tools are now available for R80.40 only. They are still looking at expanding these tools to lower versions but I would not get my hopes up to high in that respect for R80.20.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
However, OP said a specific Policy Package, not the entire domain, thus why I suggested the Python script.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi!
R80.40 has native support for this kind of migration. This being said you cannot do full migration (that keeps sic) between the minor R80.x-versions until R80.40.
cp_merge is not supported, but you can achieve the same results with a simple Python tool (link below).
https://github.com/CheckPointSW/ExportImportPolicyPackage
When using Python tool remember that SIC will need to be re-established.
ofiller and odumper are very old tools that still work in R77.x, but in R80.x you'll have to use the management API to export and import objects. However, if you use Python tool you don't need to worry about this as it will take care of exporting/importing the entire policy package.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
A very short introduction to Python syntax. These examples are from SMS to domain migration. When exporting from MDS domain you will need to reference to that domain.
First of all you'll need to get the name of the policy you want to export if you have a lot of them.
List all policies with mgmt API (need to use the domain keyword to export from a CMA)
mgmt_cli --root true --format json show packages | jq ".packages[] .name" -r
Copy the Python SDK to your management server and use the following command to reference to it:export PYTHONPATH=${PYTHONPATH}:/home/admin/python/cp_mgmt_api_python_sdk-master/
Run Import_export_package (this is a menu driven tool) to export the package
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py
Copy package to the destination and import it automatically without prompting
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py --file /home/admin/Internal_Prod/exported__package__POLICY_NAME__DATE.tar.gz --domain x.x.x.x --root --unsafe-auto-accept
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanks all.
Native support for this is long overdue and very welcome news for me. The current estate I am working in is very large and still completing ->R80.20 migrations - so will be a while off .40 yet.
Looks like the Python tool is the best way forward for my situation now - as I only need policy and objects from one policy package. I will look into this in detail. Cheers
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I did this in R80.30 between MDSs, and I had to add key "1.6" with the same values as the one in 1.5.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I am getting error running import_export_package.py in MDS environment (R80.30). Trying to export one of the policy from one of the CMA.
The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.248.132.136 ("This is my DMS IP")
Management Server Port = 443
Management Server Domain = Cloud-Services-DMS ("This is my DMS Name")
1. Change Settings
2. Run
99. Back
2
Traceback (most recent call last):
File "/home/admin/ExportImportPolicyPackage-master/import_export_package.py", line 26, in <module>
args = process_arguments(arg_parser)
File "/home/admin/ExportImportPolicyPackage-master/utils.py", line 89, in process_arguments
True)
File "/home/admin/ExportImportPolicyPackage-master/utils.py", line 100, in debug_log
if log_file:
NameError: global name 'log_file' is not defined
I am one Global Object to support TACACS authentication for MDS and DMSs. Is it causing the problem? Any help would be appreciated.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
I know global policies aren't supported, but I think global objects are ok.
Paging @chkp-royl
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Does that mean support ticket would be needed for this?
