fw_ctl
Participant

Best (simplest) way to export policy from old CMA to new all R80.20

As above - I have a requirement to migrate a policy package (Gaia config not important) from an existing CMA in MDS domain #1 to a new CMA in domain #2 (same MDS).

I have looked into multiple methods, such as ofiller/dumper, cp_merge, etc.

What are people's tried and tested methods, as I don't see an official SK or supported methodology?

0 Kudos
Accepted Solutions
Lari_Luoma
Employee

A very short introduction to Python syntax. These examples are from SMS to domain migration. When exporting from an MDS domain you will need to reference that domain.

First of all you'll need to get the name of the policy you want to export if you have a lot of them.

List all policies with mgmt API (need to use the domain keyword to export from a CMA)
mgmt_cli --root true --format json show packages | jq ".packages[] .name" -r

Copy the Python SDK to your management server and use the following command to reference it:
export PYTHONPATH=${PYTHONPATH}:/home/admin/python/cp_mgmt_api_python_sdk-master/

Run Import_export_package (this is a menu driven tool) to export the package
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py

Copy package to the destination and import it automatically without prompting
/opt/CPsuite-R80.20/fw1/Python/bin/python2.7 /home/admin/python/ExportImportPolicyPackage-master/import_export_package.py --file /home/admin/Internal_Prod/exported__package__POLICY_NAME__DATE.tar.gz --domain x.x.x.x --root --unsafe-auto-accept

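A pre-export check for the first step of the procedure above, as an added example (not part of the original post or of the ExportImportPolicyPackage project): it pages through `show packages` for one domain and fails early unless the package name matches exactly. The domain name `Domain1`, the package names and the helper names are assumptions, and the sample replies are constructed.

```python
import json
import subprocess


def run_mgmt_cli(domain, offset, limit=50):
    """Ask the management API for one page of packages in `domain` (run as root on the MDS)."""
    cmd = ["mgmt_cli", "--root", "true", "--domain", domain, "--format", "json",
           "show", "packages", "limit", str(limit), "offset", str(offset)]
    return json.loads(subprocess.check_output(cmd))


def list_packages(domain, fetch=run_mgmt_cli):
    """Return every package name in `domain`, following the API's paging."""
    names, offset = [], 0
    while True:
        page = fetch(domain, offset)
        batch = page.get("packages", [])
        names.extend(pkg["name"] for pkg in batch)
        offset += len(batch)
        # Stop on an empty page or once `total` objects have been read.
        if not batch or offset >= page.get("total", 0):
            return names


def require_package(domain, wanted, fetch=run_mgmt_cli):
    """Exact-match check, so a typo fails here instead of inside the export tool."""
    names = list_packages(domain, fetch)
    if wanted not in names:
        raise LookupError("package %r not in domain %r; found: %s"
                          % (wanted, domain, ", ".join(sorted(names))))
    return wanted


# Constructed sample data: three packages served two per page, so the demo runs offline.
SAMPLE = ["Standard", "Branch_Offices", "DC_Core"]


def sample_fetch(domain, offset, limit=2):
    chunk = SAMPLE[offset:offset + limit]
    return {"from": offset + 1, "to": offset + len(chunk), "total": len(SAMPLE),
            "packages": [{"name": n, "type": "package"} for n in chunk]}


if __name__ == "__main__":
    print(list_packages("Domain1", sample_fetch))
    print(require_package("Domain1", "DC_Core", sample_fetch))
```

Running the same check against the destination domain after the import confirms the package arrived under the expected name.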

11 Replies
PhoneBoy
Admin
The tools you mention won’t work in R80.x.
This might be your best approach: https://community.checkpoint.com/t5/API-CLI-Discussion-and-Samples/Python-tool-for-exporting-importi...
0 Kudos
Maarten_Sjouw
Champion

These tools are now available for R80.40 only. They are still looking at expanding these tools to lower versions, but I would not get my hopes up too high in that respect for R80.20.

Regards, Maarten
0 Kudos
PhoneBoy
Admin
It looks like you can use them for R80.20/R80.30 with the right JHF installed.
However, OP said a specific Policy Package, not the entire domain, thus why I suggested the Python script.
0 Kudos
Lari_Luoma
Employee

Hi!

R80.40 has native support for this kind of migration. This being said, you cannot do a full migration (one that keeps SIC) between the minor R80.x versions until R80.40.

cp_merge is not supported, but you can achieve the same results with a simple Python tool (link below).

https://github.com/CheckPointSW/ExportImportPolicyPackage

When using Python tool remember that SIC will need to be re-established.

ofiller and odumper are very old tools that still work in R77.x, but in R80.x you'll have to use the management API to export and import objects. However, if you use Python tool you don't need to worry about this as it will take care of exporting/importing the entire policy package.

0 Kudos

fw_ctl
Participant
Great thank you.
0 Kudos
fw_ctl
Participant

Thanks all.

Native support for this is long overdue and very welcome news for me. The current estate I am working in is very large and still completing ->R80.20 migrations - so will be a while off .40 yet.

Looks like the Python tool is the best way forward for my situation now - as I only need policy and objects from one policy package. I will look into this in detail. Cheers

0 Kudos
HenrikJ
Participant
If you get any errors for the Python package (KeyError), you may have to edit a file and add that key to its dictionary.

I did this in R80.30 between MDSs, and I had to add key "1.6" with the same values as the one in 1.5.
Vikas_Kakkar
Explorer

I am getting an error running import_export_package.py in an MDS environment (R80.30). Trying to export one of the policies from one of the CMAs.

The script will run with the following parameters:
Export Access-Control layers = True
Export Threat-Prevention layers = False
Output-file name = None
Management Server IP = 10.248.132.136 ("This is my DMS IP")
Management Server Port = 443
Management Server Domain = Cloud-Services-DMS ("This is my DMS Name")
1. Change Settings
2. Run
99. Back
2
Traceback (most recent call last):
  File "/home/admin/ExportImportPolicyPackage-master/import_export_package.py", line 26, in <module>
    args = process_arguments(arg_parser)
  File "/home/admin/ExportImportPolicyPackage-master/utils.py", line 89, in process_arguments
    True)
  File "/home/admin/ExportImportPolicyPackage-master/utils.py", line 100, in debug_log
    if log_file:
NameError: global name 'log_file' is not defined

I am using one Global Object to support TACACS authentication for MDS and DMSs. Is it causing the problem? Any help would be appreciated.

0 Kudos
PhoneBoy
Admin

I know global policies aren't supported, but I think global objects are ok.
Paging @chkp-royl 

0 Kudos
Vikas_Kakkar
Explorer

Does that mean a support ticket would be needed for this?

0 Kudos