Hello PhoneBoy,

Thanks for your reply.

FWs A and B are managed by different management so we would use the python tool,but the question: is it officially supported by check point?

For the second point, I think we will do it manually...we don't have other choices.

A tool I wrote could be modified a bit to find the differences. Basically replace findRulesUsingIPs and getRuleUIDsUsingObjectUID with something which gets all of the rules for the access layer you want to compare. Skip scanMDS, scanSmartCenter, cleanupMDS, and cleanupSmartCenter, since you already know the policy from each device you want to compare.

Might want to modify the object dereferencer cases to skip the objects' names and comments, since they are on different management servers. Spit out all the rules in compact JSON form, and they could be sorted, then compared to see how they differ.

Not saying it would be easy, but it shouldn't take more than two hours for somebody who knows BASH. Far easier than manual review.

Thanks for your reply.

If I understood correctly, after some modifications with your tool I would be able to extract all rules from each device in compact JSON form then I'll compare for differences.

Actually I can extract all rules from the two devices in CSV format and I can compare them with power query (excel) using source, destination and service columns and I've the results (almost 600 rules are different).

For those 600 rules I have to check them one by one (manually) to know what to modify and what to keep (to modify, add or delete a rule on device B), I'm not sure that could be done by a tool.

Please correct me if I didn't understand the use of your tool.

The CSV export in SmartDashboard just gets you the object names. My tool gets you the object contents.

My tool's compact JSON output would allow the rules to be sorted, so rule position wouldn't matter. As it exists currently, my tool includes the object name and comment, so if those differ between systems, the objects will show as different, even if they actually represent the same IP. That's why I mentioned above that the name and comment could be removed from the output. Then you would be able to compare what the rules do rather than what things are named.

Change merging tools like 'diff' could then be used to find what differs between the policies.

Hello Bob_Zimmerman,

Now I got your point, your tool will facilitate the comparison but we have to modify it a little bit to extract what we need.

It's a very good Idea, we will study the two solutions (export/import and your tool) to see what would be better for our case.

Thanks a lot for your idea and your answers.

The python export/import tool is developed/maintained by Check Point R&D and you can ask questions about it on CheckMates or via the GitHub repo.
I don't believe you can obtain support via TAC, however. 

I beleive the best solution is :

- Using the Python tool to export rules from device A

- Modify rules

- import the modified rules on device B with Python tool.

This tool will overwrite the existing security policies ?

Thanks in advance.

Hello Again,

My customer finally accepted that we test using the export/import python tool, but he has some questions ( have some answers but i need to confirm):

1. The script will be executed from the MDS? and is compatible with the VSX?

2. The script export/import the objects related to the rules? how it manages the duplicates (while importing) ?

3. The imported rules will be placed at the end (just before deny all) ? and the rule number exported will be different while being imported?

Thanks in advance for your reply

The script will work for a domain in MDS and will work with VSX.

I believe all objects will be created and duplicates may get a different name.
Also, some placeholder objects will be created, which will have to be handled manually after the fact.
This is for objects that do not have API support such as gateway objects (added in R80.40), VS (no API for these yet), and a handful of others.
A new policy package will be created with all the rules.
It won't merge it into an existing policy. 

I highly recommend importing into a test management server/VM so you fully understand the behavior and the work involved and can precisely test the things you're interested in (duplicate objects, etc). 

Hello PhoneBoy, 

Unfortunately, my client dosen't have a machine/VM for test ( he says it's complicated)!

Just to confirm that I understood correctly the usage of this tool:

1. It can be executed from any machine that can access the MDS (for example the same machine we have the smartconsole already installed).

2. This tool export the policy package or part of it, which means for example the access control part as a whole (not part of it), I mean we cannot export and import some policy rules.

3. If the imported package (or objects inside) having the same name that we have already on the machine, it will rename it,

4. While importing, if we have a policy package already installed (with the same policy types ...access control, QOS...etc), I wonder how checkpoint will handle the traffic, it will scan both packages?

Thanks in advance for your valuable reply.

Ok, if the client can’t create a VM, surely you can create one?
The tool copies all the rules/layers in the policy package (not a subset).
You can have many policy packages on your management but a gateway can only have a single one installed at a time.

I cannot create one, as we have read only access to the devices of the client.

I'm trying to find a solution to export the rules from the primary site and import them into the backup site (after some modifications) because when the agents configure rules in one site, they forget to do the same for the backup site, actually they have a lot of diferences between both sites (for several domains).

And this tool seems to do the job, but as you said we need to test it first.

Thanks a lot for your answers and suggestions.