Solved: Can I export and import a policy?

Tomer_Sole · ‎2016-04-24

In R77 we had "save policy as", which was useful in order to have multiple copies of a policy. What is the equivalent for that in R80?

Tomer_Sole · ‎2016-04-24

April 2017 update: An standalone open-source tool exists for exporting and importing policies and objects by using the R80 or R80.10 Management API: Python tool for exporting/importing a policy package or parts of it

This tool exports a policy package as a list of csv files that can later by imported into a different management setup.

In R80 you can export a policy, but not import.

Export can be done:

From SmartConsole go to a layer, and click on Actions-->Export, which will save the entire layer as a CSV file.
Using the "show access layer" API command. Since the result is a JSON structure, when using it inside the Management Server SSH you can pipe it into other formats.

Importing a layer, a policy, or an entire policy package, is planned as an API command for the next releases.

Please note that for some of the use cases, SmartConsole has alternative tools.

Please reply to this thread with your input - are these tools sufficient, or do you find other cases where need the import option? For example:

Moving policies between different domains in multi-domain environments.
Exporting an importing an entire database in order to refresh the platform underneath.

View solution in original post

Tomer_Sole · ‎2016-04-24

April 2017 update: An standalone open-source tool exists for exporting and importing policies and objects by using the R80 or R80.10 Management API: Python tool for exporting/importing a policy package or parts of it

This tool exports a policy package as a list of csv files that can later by imported into a different management setup.

In R80 you can export a policy, but not import.

Export can be done:

From SmartConsole go to a layer, and click on Actions-->Export, which will save the entire layer as a CSV file.
Using the "show access layer" API command. Since the result is a JSON structure, when using it inside the Management Server SSH you can pipe it into other formats.

Importing a layer, a policy, or an entire policy package, is planned as an API command for the next releases.

Please note that for some of the use cases, SmartConsole has alternative tools.

Please reply to this thread with your input - are these tools sufficient, or do you find other cases where need the import option? For example:

Moving policies between different domains in multi-domain environments.
Exporting an importing an entire database in order to refresh the platform underneath.

Peter_Griekspoo · ‎2016-07-24

Dear Tomer,

As we discussed I would like to add the answer you gave me on why we would actually export a policy file if import is not an option.

In addition I would like to record here that export options for Permission profiles and Administrators currently don't exist and a Request for Change is submitted.

What could an export give me:

Work locally on objects with a local copy
Reporting
Especially useful for views that have lots and lots of rows such as IPS Protections and Object Explorer.

Richard_Carson · ‎2016-10-25

Hi Tomer

Moving policies and their associated clusters would be helpful, certainly we have had need to reorganize domain cluster groupings as the organization changes over time.

I also agree with Peter - we need to be able to export permission profiles- if fact to be able to configure perm profiles via API would also be good.

We are also looking to be able to publish all changes carried out within a session to an external source for audit trail purposes - configurable per administrator

Richard

Richard_Carson · ‎2016-10-25

What is the best way to export a very large access layer rulebase? There seem to be a limit on the number of rules that can be exported at once? Guess I can script it and cycle through the rulebase using the offset but why the limitation or have I missed something?

Would be helpful to have some API calls to query policy stats e.g number of active\inactive access rules\rules without logging\number of NAT rules\number of policy packages etc. Most can be gather from existing API call but might be helpful just to be able to do some stats directly

Tomer_Sole · ‎2016-10-27

Hi, the instructions for exporting a very large rulebase are the same. These commands query the rulebase multiple times by pages of 50 or 100 rules (depending the specific command), and then aggregate the results to the output file or JSON structure. Therefore, there is no limit on the number of rules that can be exported at the same time.

In the case of the API command, you can also change the page size if you find that it makes the response faster on your side. This depends on the specific Internet speed on your side and the number of objects that are selected in your rulebase. You can also specify offsets and limits. Please refer to the API documentation for more details.

Thank you for the suggestions regarding "rulebase statistics". We will add this to our roadmap plans.

Kathleen_Murphy · ‎2020-07-28

Is there a means of exporting the mobile access policy as a .csv?

Ganesan · ‎2021-06-17

Hello Tomer,

Can you share more about hits count extracts in csv format.I’m running R80.40 SmartConsole.

thanks

PhoneBoy · ‎2021-06-17

You can do this using the API today.
I believe the hitcount will be part of the CSV export from SmartConsole in R81.10.
See: https://community.checkpoint.com/t5/Management/Export-of-rules-with-zero-hits-in-dashboard/m-p/12055...

Uri_Bialik · ‎2017-05-03

Please have a look at Python tool for exporting/importing a policy package or parts of it

This tool exports a policy package as a list of csv files that can later by imported into a different management setup

Alex_Tooze · ‎2019-01-24

I'm interested in using this export/import tool on an R80.10 MDS, but haven't done much with Python in this environment. Is the interpreter installed by default? If so, where do I find it?

Alternatively, do I need to compile the modules? In which case, where would I find the compiler? There is no obvious 'python' in e.g. /opt/CPsuite-R80/fw1/Python/lib/python2.7.

Thanks,

Alex

PhoneBoy · ‎2019-01-27

Python is there, but it's buried.

Should be in $FWDIR/Python/bin/python

Alex_Tooze · ‎2019-01-28

Thanks Damien - found it in $FWDIR/fw1/Python/bin/python

Alex_Tooze · ‎2019-02-04

Seems to work a treat 🙂

dpatel · ‎2020-03-05

Is there a way we can export policy without exporting the objects? I need to perform below steps:

1. Export Policy from the R80.30 Management Server.

2. Delete the policy that we just exported.

3. Import the Policy in same Management Server.

I am successfully able to do it but after import, the script is creating cloned objects for all the Host and Network objects (all start with NAME_COLLISION_RESOLUTION_objectname). Is there a way we can export only the policy and import it back?

Are you a member of CheckMates?

Can I export and import a policy?

Can I export and import a policy?