Importing policy package without objects
Hi,
I am using the script from Github to migrate policies from one management server to another management server.
https://github.com/CheckPoint-APIs-Team/ExportImportPolicyPackage
The script works fine, but every time I migrate an additional policy package, all objects are created again, which results in duplicated objects (with a different name).
Is there a procedure/option in the script so only the policy is imported without importing all objects again?
Regards,
Martijn
Accepted Solutions
Hi @Martijn ,
We released a new version of the tool (v5.3) with the flag "--skip-duplicate-objects" that addresses your needs.
Thanks,
Omer
Hi Jarvis,
The tool does not update existing objects.
The only options are - create a new object (the default) or use the existing object.
Thanks,
Omer
As far as I know, no.
Hi Martijn,
Can you elaborate on the use case in which you import a policy multiple times to the same domain or Management server?
Is it import of policy from a staging environment to production?
Thanks,
Itai
Hi Itai,
The customer has a SmartCenter which has been migrated several times over the last couple of years. Every time we performed a major upgrade, we used the export of the database. The SmartCenter was on R80.40, but originates from a time in which the customer had Nokia IP appliances on R60. The database had a lot of legacy configuration and the current administrators had no idea why some settings were altered or if they are needed today.
When building the new VSX clusters, the customer decided to start from scratch, making sure all settings, parameters and timers were default again. So we installed a clean R81.10 SmartCenter and used the Python script to import the rule base. This works fine.
But there is more than one rule base on the SmartCenter because it manages multiple gateways. So we are not trying to import the same rule base twice; we are importing different rule bases. But when an object is used in more than one rule base and we import the second policy, the script does not check if the object exists and use that object, but creates a new object to use in the second imported policy. Because the object is already in the object database, the newly created object has a name containing 'NAME_COLLISSION_'.
We have to manually find and replace all name collision objects with the original objects. And with large rule bases, this is a lot of work.
I hope this makes my question clearer.
Regards,
Martijn
Hi Omer_Kleinstern,
I have a similar problem:
when I export, the group name is AFD and there are 3 members in it.
The import target has a group named AFD with 2 members in it.
When the "--skip-duplicate-objects" parameter is set, will the third member be missed?
Or can other parameters be added to make the members of the group consistent?
Thanks,
Jarvis
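Since the tool either creates a new object or uses the existing one but never updates it, the practical check before running with "--skip-duplicate-objects true" is to find which exported objects already exist on the target with different contents (like the AFD group with 3 members versus 2). The following is an added example, not code from the ExportImportPolicyPackage tool; it assumes the exported and target objects are available as Python dicts with the field names the Management API's show-* commands use (name, type, members, ipv4-address, port), and the sample data is constructed.

```python
# Added example: report objects that --skip-duplicate-objects would silently
# keep in the target's version because their contents differ from the export.

def _members(obj):
    # Group members may be plain names or dicts with a "name" key (assumption).
    return sorted(m["name"] if isinstance(m, dict) else m for m in obj.get("members", []))

def _signature(obj):
    """Content-relevant fields per object type; extend for other types as needed."""
    t = obj.get("type")
    if t == "group":
        return {"members": _members(obj)}
    if t == "host":
        return {"ipv4-address": obj.get("ipv4-address")}
    if t == "service-tcp":
        return {"port": obj.get("port")}
    # Fallback: compare everything except identity fields.
    return {k: v for k, v in obj.items() if k not in ("name", "type", "uid")}

def find_skip_risks(exported, existing):
    """Return {name: (exported_signature, existing_signature)} for every exported
    object that already exists on the target under the same name and type but
    with different contents. Objects with no same-type duplicate are skipped,
    since the tool will create those (possibly under a renamed collision name)."""
    by_name = {o["name"]: o for o in existing}
    risks = {}
    for obj in exported:
        cur = by_name.get(obj["name"])
        if cur is None or cur.get("type") != obj.get("type"):
            continue
        exp_sig, cur_sig = _signature(obj), _signature(cur)
        if exp_sig != cur_sig:
            risks[obj["name"]] = (exp_sig, cur_sig)
    return risks

# Constructed sample mirroring the question: AFD has 3 members in the export
# and only 2 on the target; srv1 is identical on both sides.
EXPORTED = [
    {"name": "AFD", "type": "group", "members": ["srv1", "srv2", "srv3"]},
    {"name": "srv1", "type": "host", "ipv4-address": "10.0.0.1"},
]
EXISTING = [
    {"name": "AFD", "type": "group", "members": [{"name": "srv1"}, {"name": "srv2"}]},
    {"name": "srv1", "type": "host", "ipv4-address": "10.0.0.1"},
]

if __name__ == "__main__":
    for name, (exp_sig, cur_sig) in find_skip_risks(EXPORTED, EXISTING).items():
        print(f"{name}: export={exp_sig} target={cur_sig}")
```

Run it against the full object lists from both sides before the import; anything it reports has to be reconciled by hand, because the import with skipping enabled will reuse the target's object as-is.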
Hi, I am moving a policy from one domain to another domain. With the package tool script I successfully exported it; how do I import it to the other domain server and how do I install the policy? Note there are 2 access rules sitting there already which are being used for prod traffic. When we install the complete package, will the tool append the rules, or clean the existing rules and then deploy?
This tool creates an entirely new policy package with the rules you've exported from elsewhere.
It won't change the existing policy package.
@PhoneBoy that does not sound clear to me, Sir...
[mdm_server01:0]# /opt/CPsuite-R80.40/fw1/Python/bin/python3.7 ./import_export_package.py
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
1
Please specify the path to the file you wish to import:
/home/admin ---- > [Will it simply sit in this directory in tar.gz format? If so I can use WinSCP or something else]
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
The script will run with the following parameters:
Custom name for imported package (optional) = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
1
<Output Omitted>
The script will run with the following parameters:
Custom name for imported package (optional) = None
Management Server IP = 192.168.1.100
Management Server Port = 443
Management Server Domain = 192.168.2.100
1. Change Settings
2. Run
99. Back
What will happen if I hit '2'? Will it import and install all the firewall rules on the target machine?
Or if that tar file sits on the target CMA, how could I install that package on the firewall gateway?
If yes, 2 rules are already there; will it append the additional rules (+2)?
I tried all the internet / CP resources and was unable to get the steps.
I agree such requests are a rare phenomenon, but it would be better to have good documentation.
Your existing rules are in a policy package.
When you run this script and import the exported policy, a different policy package will be created with the imported rules.
It will not impact any existing policy packages, nor will it install the new policy package on the gateway.
You will have to choose to install this specific policy package, which can of course be modified beforehand (e.g. to include additional rules).
Yes, you can copy the tgz file with scp or similar to /home/admin or wherever you run the script from.
The policy imported successfully. But while completing and writing to the layer I get the error below. However, I could see / manually verified all the access rule base [1500+ rules] and NAT rules; in fact all the duplicate objects were renamed [anyway I will do cleanup / replace the correct objects in the rules] and imported into the new package.
Is that something I need to check?
Failed to attach layers to package! Error: code: generic_error
message: Runtime error: Object 'exported__package__uatfw-policy' is locked by another session.
. Import operation aborted.
Rules are stored in layers, which are part of a policy package.
Policy layers can be attached to multiple policy packages, so this should not be an issue.
Presumably, a previous attempt has exported__package__uatfw-policy "locked", so the layer created cannot be attached to that specific policy package.
The only way to resolve that issue is to connect to that specific session and either "publish" whatever changes are there or discard the session.
Or attach the newly created layer to a different policy package.
However, if you can see the rules in the layer(s)
Hi, I have the same problems, where may I find the newest version with "skip-duplicate-objects"?
Thank you in advance.
Hi,
Just go to the Github page https://github.com/CheckPointSW/ExportImportPolicyPackage and download the code.
You will have the latest version.
The 'skip-duplicate-objects' option is in there for some time now and works great.
Martijn
Hello again,
Thank you so much for the answer, I have already fixed it. 😊
But I just encountered another problem: the script creates a new layer whenever we import policies. Is there any way to import all policies into the default layer?
The situation is that we have a policy package which already has some policies configured and we want to import policies into the same layer of that policy package; on the other hand, we would like to do a filtering to skip all those policies which existed before.
By default, the program will create the policy package under the same name as was exported.
To import the rules into a different (existing) policy package, you'd have to modify the source code of the program.
However, I think it's wise to have the rules imported into a different policy package so each rule can be reviewed.
I believe you can also copy/paste the rules between policy layers (including across policy packages), which is the approach I would recommend (especially if you're reviewing the rules anyway).
Hi @PhoneBoy
I was having a similar issue with objects in collision in my lab and took your advice and added the skip duplicate flag. Now when using the script in my production environment I am seeing this new error message during the creation of objects.
Failed to import service-tcp with name [BIBF4412]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true
Failed to import service-tcp with name [Biblio_SQL]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true
Failed to import service-tcp with name [BIBF4421]. Error: code: generic_err_invalid_parameter
message: Invalid parameter for [delayed-sync-value]. delayed-sync-value can get value only if sync-connections-on-cluster and use-delayed-sync are true
Any advice on how to rectify this issue?
Sounds like those objects are NOT duplicates but rather objects you created (specifically the TCP services Biblio_SQL and BIBF4421).
You may need to replace those services with a placeholder in your rulebase.
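The error quoted above states the API rule directly: delayed-sync-value is accepted only when both sync-connections-on-cluster and use-delayed-sync are true. The following is an added example, not the tool's code, of a pre-import pass over exported service-tcp objects that drops the field wherever that rule would reject it and reports which objects were touched, so the cleanup is visible before the import runs. It assumes the exported objects are available as dicts keyed by the API field names shown in the error, and the sample objects are constructed.

```python
# Added example: sanitize service-tcp objects that carry delayed-sync-value
# without the two flags the Management API requires for it.

REQUIRED_FLAGS = ("sync-connections-on-cluster", "use-delayed-sync")

def sanitize_delayed_sync(obj):
    """Return (cleaned_copy, changed). delayed-sync-value is removed unless both
    required flags are exactly True; with use-delayed-sync false the value has
    no effect anyway, so dropping it does not change the service's behaviour."""
    cleaned = dict(obj)
    if cleaned.get("type") != "service-tcp" or "delayed-sync-value" not in cleaned:
        return cleaned, False
    if all(cleaned.get(flag) is True for flag in REQUIRED_FLAGS):
        return cleaned, False  # consistent: the API will accept it
    del cleaned["delayed-sync-value"]
    return cleaned, True

def sanitize_all(objects):
    """Sanitize a list of exported objects; returns (cleaned_list, changed_names)."""
    cleaned_list, changed_names = [], []
    for obj in objects:
        cleaned, changed = sanitize_delayed_sync(obj)
        cleaned_list.append(cleaned)
        if changed:
            changed_names.append(obj["name"])
    return cleaned_list, changed_names

# Constructed sample: BIBF4412 is the failing shape from the error message,
# Biblio_SQL has both flags set and is left alone, the host is not a service.
SAMPLE_OBJECTS = [
    {"name": "BIBF4412", "type": "service-tcp", "port": "4412",
     "sync-connections-on-cluster": False, "use-delayed-sync": False,
     "delayed-sync-value": 5},
    {"name": "Biblio_SQL", "type": "service-tcp", "port": "1433",
     "sync-connections-on-cluster": True, "use-delayed-sync": True,
     "delayed-sync-value": 5},
    {"name": "web01", "type": "host", "ipv4-address": "10.1.1.10"},
]

if __name__ == "__main__":
    cleaned, changed = sanitize_all(SAMPLE_OBJECTS)
    print("objects cleaned before import:", changed)
```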
@EJ1 Did you resolve this issue? I have the same problem
When I try to run the script with the flag "--skip-duplicate-objects",
(# python3 import_export_package.py --skip-duplicate-objects)
it returns:
import_export_package.py: error: argument --skip-duplicate-objects: expected one argument
The package was downloaded from GitHub a few days ago.
Is there anything I am missing?
Thanks,
Louis
Hi Louis,
After --skip-duplicate-objects you need to enter false or true.
Regards,
Martijn
It works!
Many Thanks!!!!
Best,
Louis
You can do a fresh install and use the following link to do the migrate_server, but this will migrate everything including objects; you can maybe later try to open the object explorer and delete the objects you don't want using the right procedure. The following link is the method I used recently for a client, but let's see if someone else has a method of doing it the way you are asking.
