Shaimaa
Participant

Comparing policy rules from two Check Point devices (R80.20)

Hello,

We need to compare the security policies from two Check Point R80.20 devices.

We have two Check Point firewalls:

- Check Point A is active (with 800 rules)

- Check Point B is a backup (with 1000 rules)

1. Some rules configured on A should be configured as-is on B.

2. Some rules configured on A should be modified before being configured on B.

Modified means: modification/deletion of the source/destination list of addresses.

3. Some extra rules are configured on B but not on A.

The rules are not configured in the same order on both devices, so when we extract the rules from both devices we cannot compare them line by line.

Now we need to make sure that all rules that exist on device A also exist on device B.

When we use Power Query (Excel) for the comparison (using source, destination and service), only 130 rules match between the two devices.

Now we have two issues:

1. Comparing the two exported files containing 1000 and 800 lines and extracting the differences.

2. Configuring the results of step 1 on device B (almost 600 rules).

    As far as I know, there is no import functionality in Check Point so far!

Does anyone have an idea what the best (official) solution for doing this is?

Thanks in advance.

Shaimaa
14 Replies
PhoneBoy
Admin

Are firewalls A and B managed by the same or different management?
Because if they are managed by the same one, you can just push the same policy.

However, if they are managed by different management, you can import the specific policy package using a tool like: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

Merging two policies into one is a completely different problem best handled either manually or, if it can be done deterministically enough, by writing a script that calls the API to make the necessary changes.

Shaimaa
Participant

Hello PhoneBoy,

Thanks for your reply.

FWs A and B are managed by different management servers, so we would use the Python tool, but the question is: is it officially supported by Check Point?

For the second point, I think we will do it manually... we don't have any other choice.
Bob_Zimmerman
Advisor

A tool I wrote could be modified a bit to find the differences. Basically replace findRulesUsingIPs and getRuleUIDsUsingObjectUID with something which gets all of the rules for the access layer you want to compare. Skip scanMDS, scanSmartCenter, cleanupMDS, and cleanupSmartCenter, since you already know the policy from each device you want to compare.

Might want to modify the object dereferencer cases to skip the objects' names and comments, since they are on different management servers. Spit out all the rules in compact JSON form, and they could be sorted, then compared to see how they differ.

Not saying it would be easy, but it shouldn't take more than two hours for somebody who knows BASH. Far easier than manual review.

Shaimaa
Participant

Thanks for your reply.

If I understood correctly, after some modifications to your tool I would be able to extract all rules from each device in compact JSON form, and then I'll compare them for differences.

Actually, I can extract all rules from the two devices in CSV format and compare them with Power Query (Excel) using the source, destination and service columns, and I have the results (almost 600 rules are different).

For those 600 rules I have to check them one by one (manually) to know what to modify and what to keep (to modify, add or delete a rule on device B); I'm not sure that could be done by a tool.

Please correct me if I misunderstood the use of your tool.
Bob_Zimmerman
Advisor

The CSV export in SmartDashboard just gets you the object names. My tool gets you the object contents.

My tool's compact JSON output would allow the rules to be sorted, so rule position wouldn't matter. As it exists currently, my tool includes the object name and comment, so if those differ between systems, the objects will show as different, even if they actually represent the same IP. That's why I mentioned above that the name and comment could be removed from the output. Then you would be able to compare what the rules do rather than what things are named.

Change merging tools like 'diff' could then be used to find what differs between the policies.

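As an added example of the approach Bob_Zimmerman describes above (dereference objects to their contents, drop names and comments, emit compact sortable JSON, then diff), here is a small Python script that is not from the thread or from his tool. The input layout and field names (`ipv4-address`, `subnet4`, `mask-length4`, `members`, `port`, `CpmiAnyObject`) are assumptions loosely modelled on a dereferenced `show-access-rulebase` export, and both rulebases are constructed. Beyond the plain diff, it also buckets each rule on A as identical, modified (same service and action, one address list changed) or missing on B, which is the three-way split the original question asks for:

```python
"""Order-independent comparison of two exported Check Point access rulebases.

Added example: rules are compared by what they do (expanded addresses, ports,
action), never by object name, comment or rule position.
"""
import json
from ipaddress import ip_network

# Builders for constructed sample objects. The field names are ASSUMPTIONS
# loosely modelled on dereferenced management-API output, not a real export.
def H(name, ip): return {"type": "host", "name": name, "ipv4-address": ip}
def N(name, net, mask): return {"type": "network", "name": name, "subnet4": net, "mask-length4": mask}
def G(name, *members): return {"type": "group", "name": name, "members": list(members)}
def S(name, port, proto="tcp"): return {"type": f"service-{proto}", "name": name, "port": str(port)}
def R(num, action, src, dst, svc):
    return {"rule-number": num, "action": action, "source": src, "destination": dst, "service": svc}
ANY = {"type": "CpmiAnyObject", "name": "Any"}

# Constructed rulebases (not real policies). Same intent, different names and order.
RULEBASE_A = [
    R(1, "Accept", [H("web1", "10.1.0.5")], [N("dmz", "192.0.2.0", 24)], [S("https", 443)]),
    R(2, "Accept", [G("admins", H("adm1", "10.2.0.1"), H("adm2", "10.2.0.2"))],
      [H("mgmt", "10.9.0.1")], [S("ssh", 22)]),
    R(3, "Drop", [ANY], [ANY], [ANY]),  # cleanup rule
]
RULEBASE_B = [
    R(1, "Accept", [G("ops", H("ops1", "10.2.0.1"))], [H("mgmt-srv", "10.9.0.1")], [S("ssh", 22)]),  # A#2 minus one admin
    R(2, "Accept", [H("srv-web-01", "10.1.0.5")], [N("dmz-net", "192.0.2.0", 24)], [S("tcp-443", 443)]),  # A#1 renamed
    R(3, "Accept", [ANY], [H("jump", "10.9.0.2")], [S("rdp", 3389)]),  # only on B
    R(4, "Drop", [ANY], [ANY], [ANY]),  # A#3 in a different position
]


def canon(obj):
    """Reduce one dereferenced object to a set of content tokens (no names/comments)."""
    t = obj.get("type")
    if t == "CpmiAnyObject":
        return {"any"}
    if t == "host":
        return {str(ip_network(obj["ipv4-address"]))}          # host -> /32
    if t == "network":
        return {str(ip_network(f"{obj['subnet4']}/{obj['mask-length4']}"))}
    if t == "group":
        return set().union(*(canon(m) for m in obj["members"]))  # flatten members
    if t in ("service-tcp", "service-udp"):
        return {f"{t[8:]}/{obj['port']}"}                       # e.g. tcp/443
    # Objects with no comparable content (e.g. gateways) must not silently compare equal.
    raise ValueError(f"unsupported object type {t!r} in {obj.get('name')!r}")


def rule_key(rule):
    """Position-independent identity of a rule: sorted src/dst/svc tokens plus action."""
    cols = [tuple(sorted(set().union(*(canon(o) for o in rule[col]))))
            for col in ("source", "destination", "service")]
    return (*cols, rule["action"].lower())


def to_diffable(rules):
    """Compact JSON, one line per rule, sorted: write both lists to files and run diff."""
    return sorted(json.dumps(rule_key(r), separators=(",", ":")) for r in rules)


def compare_rulebases(a, b):
    """Bucket A's rules against B. Exact duplicates within one rulebase collapse
    to a single key, so de-duplicate first if you rely on counts."""
    ka = {rule_key(r): r["rule-number"] for r in a}
    kb = {rule_key(r): r["rule-number"] for r in b}
    out = {"identical": [], "modified": [], "only_in_a": [], "only_in_b": []}
    for key, na in ka.items():
        if key in kb:
            out["identical"].append((na, kb[key]))
            continue
        # "Modified" heuristic: same service+action and same source OR same
        # destination, i.e. one address list was edited on one side.
        near = [nb for k, nb in kb.items()
                if k not in ka and k[2:] == key[2:] and (k[0] == key[0] or k[1] == key[1])]
        if near:
            out["modified"].append((na, near[0]))
        else:
            out["only_in_a"].append(na)
    matched = {nb for _, nb in out["identical"]} | {nb for _, nb in out["modified"]}
    out["only_in_b"] = sorted(n for n in kb.values() if n not in matched)
    return out


if __name__ == "__main__":
    print(json.dumps(compare_rulebases(RULEBASE_A, RULEBASE_B), indent=2))
```

Running it prints the three buckets as JSON (rule 1 on A matches rule 2 on B despite the renamed objects, rule 2 on A is flagged as modified against rule 1 on B, rule 3 on B is the extra one). `to_diffable()` gives the sorted one-line-per-rule form that can be written to two files and compared with `diff`. Anything the canonicaliser does not understand raises instead of silently comparing equal, which is the right failure mode for a policy comparison.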
Shaimaa
Participant

Hello Bob_Zimmerman,

Now I get your point: your tool will facilitate the comparison, but we have to modify it a little to extract what we need.

It's a very good idea; we will study the two solutions (export/import and your tool) to see which would be better for our case.

Thanks a lot for your idea and your answers.

PhoneBoy
Admin

The python export/import tool is developed/maintained by Check Point R&D and you can ask questions about it on CheckMates or via the GitHub repo.
I don't believe you can obtain support via TAC, however. 

Shaimaa
Participant

I believe the best solution is:

- Use the Python tool to export the rules from device A

- Modify the rules

- Import the modified rules on device B with the Python tool.

Will this tool overwrite the existing security policies?

Thanks in advance.
PhoneBoy
Admin

Unlike the regular migration tools, the python export/import does not overwrite anything.
More precisely, the import recreates the exported policy package and related objects in the target management domain.
In the cases where a specific object doesn't have API support, we create a placeholder object that should be replaced with a manually created object.

Shaimaa
Participant

Hello Again,

My customer finally agreed that we test using the export/import Python tool, but he has some questions (I have some answers but I need to confirm):

1. Will the script be executed from the MDS? And is it compatible with VSX?

2. Does the script export/import the objects related to the rules? How does it manage duplicates (while importing)?

3. Will the imported rules be placed at the end (just before the deny all)? And will the rule numbers be different from the exported ones after import?

Thanks in advance for your reply

PhoneBoy
Admin

The script will work for a domain in MDS and will work with VSX.

I believe all objects will be created and duplicates may get a different name.
Also, some placeholder objects will be created, which will have to be handled manually after the fact.
This is for objects that do not have API support such as gateway objects (added in R80.40), VS (no API for these yet), and a handful of others.
A new policy package will be created with all the rules.
It won't merge it into an existing policy. 

I highly recommend importing into a test management server/VM so you fully understand the behavior and the work involved and can precisely test the things you're interested in (duplicate objects, etc). 

Shaimaa
Participant

Hello PhoneBoy, 

Unfortunately, my client doesn't have a machine/VM for testing (he says it's complicated)!

Just to confirm that I understood the usage of this tool correctly:

1. It can be executed from any machine that can access the MDS (for example the same machine where we already have SmartConsole installed).

2. This tool exports the policy package, or part of it, which means for example the access control part as a whole (not part of it); I mean we cannot export and import only some policy rules.

3. If the imported package (or objects inside it) has the same name as one we already have on the machine, it will rename it.

4. While importing, if we already have a policy package installed (with the same policy types... access control, QoS, etc.), I wonder how Check Point will handle the traffic; will it scan both packages?

Thanks in advance for your valuable reply.
PhoneBoy
Admin

Ok, if the client can’t create a VM, surely you can create one?
The tool copies all the rules/layers in the policy package (not a subset).
You can have many policy packages on your management but a gateway can only have a single one installed at a time.

Shaimaa
Participant

I cannot create one, as we have read-only access to the client's devices.

I'm trying to find a solution to export the rules from the primary site and import them into the backup site (after some modifications), because when the agents configure rules on one site they forget to do the same on the backup site; actually they have a lot of differences between both sites (for several domains).

And this tool seems to do the job, but as you said we need to test it first.

Thanks a lot for your answers and suggestions.
