G-D
Participant

Issue with web_api_show_package on r80.30

Hi,

I'm trying to export the policy packages from my management servers using the latest jar file (v2.1.0). When I run the export it generates the tar.gz, but all that's inside is the elg log. I've looked at the log and can't see any errors within it, so I'm unsure what the issue is. I get the same no matter which package I run this against. This management box controls 2 separate clusters, each with their own policy.

Below is the output of the elg file. 

[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: The parameters that were received: showPackagesList:(-v)=true username:(-u)=admin password:(-p)=***** showRule**bleep**Counts:(-c)=true Show access policy (--show-access-policy)=true Show nat policy (--show-nat-policy)=true server:(-m)=127.0.01 userRequestGateway:(-g)=D-PUB-FW port:(-n)=443 userRequestPackage:(-k)=D-Policy-1
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Limit number of object per page: 10
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login As root: false
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login with 'read-only' flag.
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.writeTheVersionsToTheLogger()INFO]: Management API running version: 1.6
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.writeTheVersionsToTheLogger()INFO]: show_package v2.1.0
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.writeTheVersionsToTheLogger()INFO]: Chosen port: 443
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Chosen server IP: 127.0.01
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login response: {"session-timeout":600,"api-server-version":"1.6","last-login-was-at":{"iso-8601":"2023-01-12T17:40+0000","posix":1673545229745},"read-only":true,"url":"https:\/\/127.0.01:443\/web_api","sid":"PFDjCwC_U94EetUiq4mU7eEIYCicPKePWTq5PP0cOPQ"}
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-gateways-and-servers' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 7 gateways from 'show-gateways-and-servers'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.setGatewayAndServerPolicy()INFO]: gateway PP-W-FW is not relevant.
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.collectGatewaysInUseAndInstalledPolicies()INFO]: Found 2 gateways that have a policy installed on them
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-vpn-communities-star' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-vpn-communities-meshed' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 1 vpn communities
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-packages' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 3 packages
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script finished running successfully!
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: dirPath: /opt/CPsuite-R80.30/fw1/scripts/3cd4b11d-9436-47f4-9d5f-d33058f59093
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: tarGzPath: show_package-2023-01-12_17-48-08.tar.gz

 

Any help would be great.

thanks

PhoneBoy
Admin

Did you look in /opt/CPsuite-R80.30/fw1/scripts/3cd4b11d-9436-47f4-9d5f-d33058f59093 to see if any files are there?
A TAC case might be in order, but be mindful of the fact that R80.30 is End of Support.

G-D
Participant

Thanks @PhoneBoy, it doesn't even generate the subdirectories. While using the original script it generates the directory and index file but doesn't bring any policies in. I've raised a TAC but not holding out much hope at this stage.

PhoneBoy
Admin

Curious what $FWDIR/log/api.elg has to say after you run the script.
I don't need to see the precise output (it'll obviously contain sensitive data), but you should see the various API calls and their results there.
This should be provided to your TAC case and will help triangulate whether the issue is with the script or the issue is with your management server.

Regardless, upgrading to a supported version is highly recommended.
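
An added example (not part of the thread and not Check Point's code): a short Python pass over a show_package .elg that masks the session ID before the log is shared, and lists the API commands the tool ran so a "successful" run with no rulebase queries stands out. The sample log is constructed in the format of the excerpt posted above; treating commands with "rulebase" in their name as the rule queries is an assumption.

```python
import re

# Constructed sample in the format of the .elg excerpt posted in this thread.
# The sid and the address are made-up placeholders, not real values.
SAMPLE_ELG = r"""[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Login response: {"read-only":true,"url":"https:\/\/192.0.2.10:443\/web_api","sid":"EXAMPLE-SID-NOT-REAL"}
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-gateways-and-servers' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 7 gateways from 'show-gateways-and-servers'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Run command: 'show-packages' with details level 'full'
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.MyLogger.debug()DEBUG]: Found 3 packages
[1/12/23 5:48 PM com.checkpoint.mgmt_api.examples.ShowPackageTool.logoutReportAndExit()INFO]: Script finished running successfully!
"""

# [timestamp logger.method()LEVEL]: message
ENTRY = re.compile(r"^\[(.+?) (com\.\S+?\(\))([A-Z]+)\]: (.*)$")
RUN_CMD = re.compile(r"Run command: '([^']+)'")
SID = re.compile(r'("sid"\s*:\s*")[^"]*(")')

def redact(text):
    """Mask the session ID so the log can be attached to a case or a post."""
    return SID.sub(r"\1<redacted>\2", text)

def summarize(text):
    """List the API commands the tool ran and flag a run with no rulebase queries."""
    commands, problems, finished = [], [], False
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue  # tail of a wrapped line, or not a log entry
        level, msg = m.group(3), m.group(4)
        cmd = RUN_CMD.search(msg)
        if cmd:
            commands.append(cmd.group(1))
        if level not in ("DEBUG", "INFO"):  # only these two levels appear in the excerpt
            problems.append(msg)
        finished = finished or "finished running successfully" in msg
    # Assumption: rule queries are logged as commands with "rulebase" in the name.
    rulebase = [c for c in commands if "rulebase" in c]
    return {"commands": commands, "problems": problems, "finished": finished,
            "rulebase_queried": bool(rulebase),
            "suspect_empty_export": finished and not rulebase}

if __name__ == "__main__":
    print(redact(SAMPLE_ELG))
    print(summarize(SAMPLE_ELG))
```
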

G-D
Participant

I've had a look at the log and I'm not seeing any errors. I can also see it poll information on the firewalls, interfaces, VPNs, etc., but not specifically ACLs. It also doesn't generate a folder for this info, which is strange. I'm really trying to do this without upgrading as I need to decommission the firewalls and mgmt server ultimately. Other than manually sorting 1000+ ACLs, an upgrade does seem necessary at this stage. Thanks for the help @PhoneBoy

G-D
Participant

@PhoneBoy I re-ran it with an extended timeout and have been able to finally get the export 🙂 thanks for the help

I ran this from a separate machine
java -jar web_api_show_package-jar-with-dependencies.jar -m 1.1.1.1 -c -k Policy-1 --query-limit 500 -r

PhoneBoy
Admin

Glad you were able to figure it out.
There have been numerous improvements to the API server performance and stability in newer versions.
Even in newer versions, queries that result in a lot of data being returned may time out.
Which is why, I suspect, --query-limit was added as a switch in v2 of the tool. 
