AnsweredAssumed Answered

Can I export and import a policy?

Question asked by Tomer Sole

on Apr 24, 2016
Latest reply on Feb 4, 2019 by Alex Tooze

Like • Show 4 Likes4
Comment • 10

In R77 we had "save policy as", which was useful in order to have multiple copies of a policy. What is the equivalent for that in R80?

Tomer Sole

Oct 4, 2017 3:15 AM

Correct Answer

April 2017 update: An standalone open-source tool exists for exporting and importing policies and objects by using the R80 or R80.10 Management API: Python tool for exporting/importing a policy package or parts of it

This tool exports a policy package as a list of csv files that can later by imported into a different management setup.

In R80 you can export a policy, but not import.

Export can be done:

From SmartConsole go to a layer, and click on Actions-->Export, which will save the entire layer as a CSV file.
Using the "show access layer" API command. Since the result is a JSON structure, when using it inside the Management Server SSH you can pipe it into other formats.

Importing a layer, a policy, or an entire policy package, is planned as an API command for the next releases.

Please note that for some of the use cases, SmartConsole has alternative tools.

Please reply to this thread with your input - are these tools sufficient, or do you find other cases where need the import option? For example:

Moving policies between different domains in multi-domain environments.
Exporting an importing an entire database in order to refresh the platform underneath.

See the reply in context

No one else had this question

Outcomes

Tomer Sole

Oct 4, 2017 3:15 AM

This tool exports a policy package as a list of csv files that can later by imported into a different management setup.

In R80 you can export a policy, but not import.

Export can be done:

From SmartConsole go to a layer, and click on Actions-->Export, which will save the entire layer as a CSV file.
Using the "show access layer" API command. Since the result is a JSON structure, when using it inside the Management Server SSH you can pipe it into other formats.

Importing a layer, a policy, or an entire policy package, is planned as an API command for the next releases.

Please note that for some of the use cases, SmartConsole has alternative tools.

Please reply to this thread with your input - are these tools sufficient, or do you find other cases where need the import option? For example:

Moving policies between different domains in multi-domain environments.
Exporting an importing an entire database in order to refresh the platform underneath.

Actions

Peter Griekspoor

@ Tomer Sole on Jul 24, 2016 11:07 PM

Dear Tomer,

As we discussed I would like to add the answer you gave me on why we would actually export a policy file if import is not an option.

In addition I would like to record here that export options for Permission profiles and Administrators currently don't exist and a Request for Change is submitted.

What could an export give me:

Work locally on objects with a local copy
Reporting
Especially useful for views that have lots and lots of rows such as IPS Protections and Object Explorer.

Actions

1796bcc4-2260-3646-a7be-924418a7ddf6 @ Tomer Sole on Oct 25, 2016 11:04 PM

Hi Tomer

Moving policies and their associated clusters would be helpful, certainly we have had need to reorganize domain cluster groupings as the organization changes over time.

I also agree with Peter - we need to be able to export permission profiles- if fact to be able to configure perm profiles via API would also be good.

We are also looking to be able to publish all changes carried out within a session to an external source for audit trail purposes - configurable per administrator

Richard

Actions

1796bcc4-2260-3646-a7be-924418a7ddf6 @ Tomer Sole on Oct 25, 2016 11:04 PM

What is the best way to export a very large access layer rulebase? There seem to be a limit on the number of rules that can be exported at once? Guess I can script it and cycle through the rulebase using the offset but why the limitation or have I missed something?

Would be helpful to have some API calls to query policy stats e.g number of active\inactive access rules\rules without logging\number of NAT rules\number of policy packages etc. Most can be gather from existing API call but might be helpful just to be able to do some stats directly

Actions

Tomer Sole

@ 1796bcc4-2260-3646-a7be-924418a7ddf6 on Oct 27, 2016 12:43 AM

Hi, the instructions for exporting a very large rulebase are the same. These commands query the rulebase multiple times by pages of 50 or 100 rules (depending the specific command), and then aggregate the results to the output file or JSON structure. Therefore, there is no limit on the number of rules that can be exported at the same time.

In the case of the API command, you can also change the page size if you find that it makes the response faster on your side. This depends on the specific Internet speed on your side and the number of objects that are selected in your rulebase. You can also specify offsets and limits. Please refer to the API documentation for more details.

Thank you for the suggestions regarding "rulebase statistics". We will add this to our roadmap plans.

Actions

Uri Bialik

May 3, 2017 11:49 PM

Please have a look at Python tool for exporting/importing a policy package or parts of it

This tool exports a policy package as a list of csv files that can later by imported into a different management setup

Actions

Alex Tooze Jan 24, 2019 8:54 AM

I'm interested in using this export/import tool on an R80.10 MDS, but haven't done much with Python in this environment. Is the interpreter installed by default? If so, where do I find it?

Alternatively, do I need to compile the modules? In which case, where would I find the compiler? There is no obvious 'python' in e.g. /opt/CPsuite-R80/fw1/Python/lib/python2.7.

Thanks,

Alex

Actions

Dameon Welch-Abernathy

@ Alex Tooze on Jan 27, 2019 11:54 AM

Python is there, but it's buried.

Should be in $FWDIR/Python/bin/python

Actions

Alex Tooze @ Dameon Welch-Abernathy on Jan 28, 2019 1:51 AM

Thanks Damien - found it in $FWDIR/fw1/Python/bin/python

1 person found this helpful

Actions

Alex Tooze @ Alex Tooze on Feb 4, 2019 1:38 AM

Seems to work a treat :-)

1 person found this helpful

Actions

10 Replies

Tomer Sole Oct 4, 2017 3:15 AM
Unmark Correct
Correct Answer
April 2017 update: An standalone open-source tool exists for exporting and importing policies and objects by using the R80 or R80.10 Management API: Python tool for exporting/importing a policy package or parts of it
This tool exports a policy package as a list of csv files that can later by imported into a different management setup.

In R80 you can export a policy, but not import.

Export can be done:
1. From SmartConsole go to a layer, and click on Actions-->Export, which will save the entire layer as a CSV file.
2. Using the "show access layer" API command. Since the result is a JSON structure, when using it inside the Management Server SSH you can pipe it into other formats.
Importing a layer, a policy, or an entire policy package, is planned as an API command for the next releases.
Please note that for some of the use cases, SmartConsole has alternative tools.

Please reply to this thread with your input - are these tools sufficient, or do you find other cases where need the import option? For example:
- Moving policies between different domains in multi-domain environments.
- Exporting an importing an entire database in order to refresh the platform underneath.
Like • Show 2 Likes2
Actions
- Peter Griekspoor @ Tomer Sole on Jul 24, 2016 11:07 PM
  Mark Correct
  Correct Answer
  Dear Tomer,
  As we discussed I would like to add the answer you gave me on why we would actually export a policy file if import is not an option.
  In addition I would like to record here that export options for Permission profiles and Administrators currently don't exist and a Request for Change is submitted.
  
  What could an export give me:
  Work locally on objects with a local copy
  Reporting
  Especially useful for views that have lots and lots of rows such as IPS Protections and Object Explorer.
  Like • Show 0 Likes0
  Actions
- 1796bcc4-2260-3646-a7be-924418a7ddf6 @ Tomer Sole on Oct 25, 2016 11:04 PM
  Mark Correct
  Correct Answer
  Hi Tomer
  
  Moving policies and their associated clusters would be helpful, certainly we have had need to reorganize domain cluster groupings as the organization changes over time.
  
  I also agree with Peter - we need to be able to export permission profiles- if fact to be able to configure perm profiles via API would also be good.
  
  We are also looking to be able to publish all changes carried out within a session to an external source for audit trail purposes - configurable per administrator
  
  Richard
  Like • Show 0 Likes0
  Actions
- 1796bcc4-2260-3646-a7be-924418a7ddf6 @ Tomer Sole on Oct 25, 2016 11:04 PM
  Mark Correct
  Correct Answer
  What is the best way to export a very large access layer rulebase? There seem to be a limit on the number of rules that can be exported at once? Guess I can script it and cycle through the rulebase using the offset but why the limitation or have I missed something?
  
  Would be helpful to have some API calls to query policy stats e.g number of active\inactive access rules\rules without logging\number of NAT rules\number of policy packages etc. Most can be gather from existing API call but might be helpful just to be able to do some stats directly
  Like • Show 0 Likes0
  Actions
  - Tomer Sole @ 1796bcc4-2260-3646-a7be-924418a7ddf6 on Oct 27, 2016 12:43 AM
    Mark Correct
    Correct Answer
    Hi, the instructions for exporting a very large rulebase are the same. These commands query the rulebase multiple times by pages of 50 or 100 rules (depending the specific command), and then aggregate the results to the output file or JSON structure. Therefore, there is no limit on the number of rules that can be exported at the same time.
    
    In the case of the API command, you can also change the page size if you find that it makes the response faster on your side. This depends on the specific Internet speed on your side and the number of objects that are selected in your rulebase. You can also specify offsets and limits. Please refer to the API documentation for more details.
    
    Thank you for the suggestions regarding "rulebase statistics". We will add this to our roadmap plans.
    Like • Show 0 Likes0
    Actions
Uri Bialik May 3, 2017 11:49 PM
Mark Correct
Correct Answer
Please have a look at Python tool for exporting/importing a policy package or parts of it
This tool exports a policy package as a list of csv files that can later by imported into a different management setup
Like • Show 0 Likes0
Actions
Alex Tooze Jan 24, 2019 8:54 AM
Mark Correct
Correct Answer
I'm interested in using this export/import tool on an R80.10 MDS, but haven't done much with Python in this environment. Is the interpreter installed by default? If so, where do I find it?

Alternatively, do I need to compile the modules? In which case, where would I find the compiler? There is no obvious 'python' in e.g. /opt/CPsuite-R80/fw1/Python/lib/python2.7.

Thanks,

Alex
Like • Show 1 Like1
Actions
- Dameon Welch-Abernathy @ Alex Tooze on Jan 27, 2019 11:54 AM
  Mark Correct
  Correct Answer
  Python is there, but it's buried.
  Should be in $FWDIR/Python/bin/python
  Like • Show 0 Likes0
  Actions
  - Alex Tooze @ Dameon Welch-Abernathy on Jan 28, 2019 1:51 AM
    Mark Correct
    Correct Answer
    Thanks Damien - found it in $FWDIR/fw1/Python/bin/python
    1 person found this helpful
    Like • Show 1 Like1
    Actions
    - Alex Tooze @ Alex Tooze on Feb 4, 2019 1:38 AM
      Mark Correct
      Correct Answer
      Seems to work a treat :-)
      1 person found this helpful
      Like • Show 1 Like1
      Actions

Can I export and import a policy?

Outcomes

Related Content

Recommended Content

Incoming Links