Martijn
Advisor

Importing policy package without objects

Hi,

I am using the script from Github to migrate policies from one management server to another management server.

https://github.com/CheckPoint-APIs-Team/ExportImportPolicyPackage

The script works fine, but every time I migrate an additional policy package all objects are also created again, which results in duplicated objects (with a different name).

Is there a procedure/option in the script so only the policy is imported without importing all objects again?

Regards,
Martijn 

22 Replies
PhoneBoy
Admin

As far as I know, no.

Itai_Minuhin
Employee

Hi Martijn,

Can you elaborate on the use case in which you import a policy multiple times to the same domain or Management server? 

Is it import of policy from a staging environment to production? 

Thanks, 

Itai

Martijn
Advisor

Hi Itai,

Customer has a SmartCenter which has been migrated several times over the last couple of years. Every time we performed a major upgrade, we used the export of the database. The SmartCenter was on R80.40, but originates from a time in which the customer had Nokia IP appliances on R60. The database had a lot of legacy configuration and current administrators had no idea why some settings were altered or if they are needed today.

When building the new VSX clusters, the customer decided to start from scratch, making sure all settings, parameters and timers were default again. So we installed a clean R81.10 SmartCenter and used the Python script to import the rule base. This works fine.

But there is more than one rule base on the SmartCenter because it manages multiple gateways. So we are not trying to import the same rule base twice. We are importing different rule bases. But when an object is used in more than one rule base and we import the second policy, the script does not check if the object exists and use that object, but creates a new object to use in the second imported policy. Because the object is already in the object database, the newly created object has a name containing 'NAME_COLLISSION_'.

We have to manually find and replace all name collision objects with the original objects. And with large rule bases, this is a lot of work.

I hope this makes my question clearer.

Regards,
Martijn

Omer_Kleinstern
Employee

Hi @Martijn ,

 

We released a new version of the tool (v5.3) with the flag "--skip-duplicate-objects" that addresses your needs.

 

Thanks,

Omer

Jarvis_Lin
Collaborator

Hi Omer_Kleinstern,

I have a similar problem,

When I export, the group name is AFD and there are 3 members in it.

The imported target has a group name called AFD with 2 members in it.

When the "--skip-duplicate-objects" parameter is set, will the third member be missed?

Or can other parameters be added to make the members of the group consistent?

 

Thanks,

Jarvis

 

Omer_Kleinstern
Employee

Hi Jarvis,

 

The tool does not update existing objects.

The only options are - create a new object (the default) or use the existing object.

 

Thanks,

Omer
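An added example, not the ExportImportPolicyPackage tool's own code, that models the two behaviours described above as a pre-import check: without the skip flag a name that already exists on the target gets a renamed duplicate (Martijn's case), with the flag the existing object is reused as-is, so a group whose members differ is not updated (Jarvis's case). The object records and the 'NAME_COLLISSION_' prefix spelling are assumptions taken from the thread, not read from a real export.

```python
"""Pre-import reconciliation check for policy-package objects.

Constructed sample data; the Obj type and the collision prefix are assumed,
not taken from the real tool's export format.
"""
from dataclasses import dataclass

COLLISION_PREFIX = "NAME_COLLISSION_"  # prefix as reported in the thread (assumed exact)


@dataclass(frozen=True)
class Obj:
    name: str
    kind: str                      # e.g. "host", "group", "service-tcp"
    members: frozenset = frozenset()  # only meaningful for groups


def plan_import(exported, existing, skip_duplicates):
    """Return (actions, warnings).

    actions maps object name -> "create" | "reuse" | "create-renamed".
    warnings lists drift the import will NOT fix (existing objects are never updated).
    """
    existing_by_name = {o.name: o for o in existing}
    actions, warnings = {}, []
    for obj in exported:
        target = existing_by_name.get(obj.name)
        if target is None:
            actions[obj.name] = "create"          # no collision: object is created
        elif skip_duplicates:
            actions[obj.name] = "reuse"           # flag set: existing object is used as-is
            if target.kind != obj.kind:
                warnings.append(f"{obj.name}: type differs ({obj.kind} vs {target.kind})")
            missing = obj.members - target.members
            if missing:
                warnings.append(f"{obj.name}: existing group lacks members "
                                f"{sorted(missing)}; import will not add them")
        else:
            actions[obj.name] = "create-renamed"  # default: duplicate under a collision name
            warnings.append(f"{obj.name}: duplicate created as {COLLISION_PREFIX}{obj.name}")
    return actions, warnings


def sample_plan(skip_duplicates):
    """Jarvis's scenario: exported group AFD has 3 members, target AFD has 2."""
    exported = [Obj("AFD", "group", frozenset({"h1", "h2", "h3"})), Obj("h3", "host")]
    existing = [Obj("AFD", "group", frozenset({"h1", "h2"})), Obj("h1", "host"), Obj("h2", "host")]
    return plan_import(exported, existing, skip_duplicates)


if __name__ == "__main__":
    for flag in (False, True):
        actions, warnings = sample_plan(flag)
        print(f"--skip-duplicate-objects {str(flag).lower()}: {actions}")
        for w in warnings:
            print("  warning:", w)
```

Run the check against the object lists of both management servers before importing, so group-membership drift like the AFD case is found before the policy is installed rather than after.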

ramakrishnan
Contributor

Hi, I am moving a policy from one domain to another domain. With the package tool script I successfully exported; how do I import to the other domain server and how do I install the policy? Note: there are 2 access rules sitting there already which are being used for prod traffic. When we install the complete package, will the tool append the rules or clean the existing rules and deploy?

PhoneBoy
Admin

This tool creates an entirely new policy package with the rules you've exported from elsewhere.
It won't change the existing policy package.

ramakrishnan
Contributor

@PhoneBoy it does not sound clear to me, Sir...

[mdm_server01:0]# /opt/CPsuite-R80.40/fw1/Python/bin/python3.7 ./import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
1
Please specify the path to the file you wish to import:
/home/admin ---- > [Will it simply sit this directory with tar.gz format, if so I can use WINSCP or something else]
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Custom name for imported package (optional) = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
<Output Omitted>
The script will run with the following parameters:
Custom name for imported package (optional) = None
Management Server IP = 192.168.1.100
Management Server Port = 443
Management Server Domain = 192.168.2.100
1. Change Settings
2. Run
99. Back

What will happen if I hit '2'? Will it import and install all the firewall rules on the target machine?
Or, if that tar file sits on the target CMA, how could I install that package onto the firewall gateway?
If yes, 2 rules are already there; will it append the additional rules (+2)?

I tried all the internet / CP resources and was unable to get the steps.
I agree such requests are a rare phenomenon, but it would be better to have good documentation.

PhoneBoy
Admin

Your existing rules are in a policy package.
When you run this script and import the exported policy, a different policy package will be created with the imported rules.
It will not impact any existing policy packages, nor will it install the new policy package on the gateway.
You will have to choose to install this specific policy package, which can of course be modified beforehand (e.g. to include additional rules).

Yes, you can copy the tgz file with scp or similar to /home/admin or wherever you run the script from.

ramakrishnan
Contributor

Policy imported successfully. But while completing and writing to the layer I am getting the below error. However, I could see / manually verified all of the access rule base [1500+ rules] and NAT rules; in fact all the duplicate objects were renamed [anyway I will do cleanup/replace the correct objects in the rules] and imported into the new package.

Is that something I need to check ? 

Failed to attach layers to package! Error: code: generic_error
message: Runtime error: Object 'exported__package__uatfw-policy' is locked by another session.
. Import operation aborted.

PhoneBoy
Admin

Rules are stored in layers, which are part of a policy package.
Policy layers can be attached to multiple policy packages, so this should not be an issue.

Presumably, a previous attempt has exported__package__uatfw-policy "locked", so the layer created cannot be attached to that specific policy package.
The only way to resolve that issue is to connect to that specific session and either "publish" whatever changes are there or discard the session.
Or attach the newly created layer to a different policy package.

However, if you can see the rules in the layer(s)

zhouwu_02
Explorer

Hi, I have the same problems, where may I find the newest version with "skip-duplicate-objects"?
Thank you in advance.

Martijn
Advisor

Hi,

Just go to the Github page https://github.com/CheckPointSW/ExportImportPolicyPackage and download the code.
You will have the latest version.

The 'skip-duplicate-objects' option is in there for some time now and works great.

Martijn

zhouwu_02
Explorer

Hello again, 
Thank you so much for the answer, I have already fixed it.😊
But I just encountered another problem: the script creates a new layer whenever we import policies. Is there any way to import all policies into the default layer?
The situation is we have a policy package which already has some policies configured, and we want to import policies within the same layer of that policy package; on the other hand, we would like to do filtering to skip all those policies which existed before.

 

PhoneBoy
Admin

By default, the program will create the policy package under the same name as was exported.
To import the rules into a different (existing) policy package, you'd have to modify the source code of the program.
However, I think it's wise to have the rules imported into a different policy package so each rule can be reviewed.
I believe you can also copy/paste the rules between policy layers (including across policy packages), which is the approach I would recommend (especially if you're reviewing the rules anyway).

EJ1
Explorer

Hi @Omer_Kleinstern,

Hi @PhoneBoy 

 

I was having a similar issue with the objects in collision in my lab and took your advice and added the skip duplicate flag. Now when using the script in my production environment I am seeing this new error message for the creation of objects.


Failed to import service-tcp with name [BIBF4412]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true

Failed to import service-tcp with name [Biblio_SQL]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true


Failed to import service-tcp with name [BIBF4421]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true

 

Any advice on how to rectify this issue?

 

PhoneBoy
Admin

Sounds like those objects are NOT duplicates but rather objects you created (specifically the TCP services Biblio_SQL and BIBF4421).
You may need to replace those services with a placeholder in your rulebase.

LouisC
Explorer

Hi @Omer_Kleinstern 

 

When I try to run the scripts with the flag "--skip-duplicate-objects", 

(# python3 import_export_package.py --skip-duplicate-objects)

It returns:

import_export_package.py: error: argument --skip-duplicate-objects: expected one argument

 

The package was downloaded from GitHub a few days ago.

Is there anything I am missing?

 

Thanks,

Louis

Martijn
Advisor

Hi Louis,

After --skip-duplicate-objects you need to enter false or true.

Regards,
Martijn

LouisC
Explorer

It works!

Many Thanks!!!!

 

Best,

Louis

K_montalvo
Advisor

You can do a fresh install and use the following link to do the migrate_server, but this will migrate everything including objects; you can maybe later try to open the object explorer and delete the objects you don't want using the right procedure. The following link is the method I used recently for a client, but let's see if someone else has a method of doing it like you are asking.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
