Can anybody let me know how we can import policy/rules via a .csv file in R80.10?
Can anybody let me know how we can import policy/rules via a .csv file in R80.20?
In pre-R80, you can do it using a CSV file with the cp_merge utility, described here: Using cp_merge utility
In R80+ there isn't a pre-built tool that does the rulebase via CSV, but I imagine one can be created that uses the API.
Meanwhile, you can use a tool like the following to import/export rules: https://community.checkpoint.com/docs/DOC-1938
The policy that you want to import into the R80.10 management server - is it exported from another R80.X management server, or have you created / do you want to create it manually and then import it as a batch operation?
Robert.
I also have this issue. I have an existing R80.10 management server and need to get the access control policy and NAT to a different R80.10 management server. I cannot use migrate export / import as I cannot overwrite the existing production management server. I'd like to export to csv and import using a batch operation. I am also using inline layers.
You can certainly export the rules to CSV using SmartConsole, but there is no way to import the same currently.
Your best bet is to use this script to do it: Python tool for exporting/importing a policy package or parts of it
Unlike a migrate export/import, it does not overwrite the existing database.
That said, you might want to use migrate export/import to create another copy of your existing management and test the process.
Thanks Dameon. I saw that before, but I don't know python so I kept looking for another method. Oh well, I guess I'll have to learn me up some python. Thanks for the tip on testing the process. I already have a vm with the production export imported to use as a test platform.
You do not need to learn Python. Just use the tool that Dameon referenced.
Also, read this - https://community.checkpoint.com/docs/DOC-2745-migrating-r8010-smartcenter-to-r8010-cma-meet-your-be....
Robert.
I installed Python 2.7.9 and ran import_export_package.py. I input my package name, chose to enter user credentials manually, changed the management server IP, changed the output file name, and ran it. I input my username, then password. I get the following in import_export.log.
Login to management server failed. lib::APIResponse
{
"data": null,
"error_message": "APIResponse received a response which is not a valid JSON.",
"res_obj": {},
"status_code": 403,
"success": false
}
Please check your API server's accessibility permission -
https://community.checkpoint.com/docs/DOC-2731
Robert.
Thanks for the quick responses Robert.
[Expert@sms-r80.10:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 15151
CPM Started 3816 Check Point Security Management Server is running and ready
FWM Started 3439
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@sms-r80.10:0]# cd /web/conf
[Expert@sms-r80.10:0]# ls
extra httpd2.conf httpd2_mp.conf login mime.types server.crt server.key
[Expert@sms-r80.10:0]# file server.crt
server.crt: ASCII text
[Expert@sms-r80.10:0]#
I also verified the R80.10 SmartConsole GUI settings:
startup settings > automatic start
access settings > all IP addresses
I also ran import_export_package.py using the default IP 127.0.0.1 and got the following in import_export.log.
Login to management server failed. lib::APIResponse
{
"data": null,
"error_message": "APIResponse received a response which is not a valid JSON.",
"res_obj": {},
"status_code": 400,
"success": false
}
Your api status output shows that the API server is configured for access from the management server only (127.0.0.1).
Did you run the "api restart" command on your management server?
I ran api restart and it still shows 127.0.0.1.
[Expert@sms-r80.10:0]# api restart
2018-May-16 11:30:03 - Stopping API...
2018-May-16 11:30:05 - API stopped successfully.
2018-May-16 11:30:05 - Starting API...
. . . . . . . . . . . . .
2018-May-16 11:31:06 - API started successfully.
[Expert@sms-r80.10:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 10095
CPM Started 3816 Check Point Security Management Server is running and ready
FWM Started 3439
Port Details:
-------------------
JETTY Internal Port: 50277
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@sms-r80.10:0]#
Can you please paste here the output of the "cpinfo -y all" command?
I also did a shutdown -r now and got the same api status after the reboot.
[Expert@sms-r80.10:0]# cpinfo -y all
This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10
[CPFC]
HOTFIX_R80_10
[FW1]
HOTFIX_R80_10
FW1 build number:
This is Check Point Security Management Server R80.10 - Build 192
This is Check Point's software version R80.10 - Build 435
[SecurePlatform]
No hotfixes..
[CPinfo]
No hotfixes..
[DIAG]
HOTFIX_R80_10
[SmartPortal]
No hotfixes..
[Reporting Module]
HOTFIX_R80_10
[CPuepm]
HOTFIX_R80_10
[VSEC]
HOTFIX_R80_10
[SmartLog]
HOTFIX_R80_10
[R7520CMP]
HOTFIX_R80_10
[R7540CMP]
HOTFIX_R80_10
[R7540VSCMP]
HOTFIX_R80_10
[R76CMP]
HOTFIX_R80_10
[SFWR77CMP]
HOTFIX_R80_10
[R77CMP]
HOTFIX_R80_10
[R75CMP]
HOTFIX_R80_10
[NGXCMP]
HOTFIX_R80_10
[EdgeCmp]
HOTFIX_R80_10
[SFWCMP]
HOTFIX_R80_10
[FLICMP]
HOTFIX_R80_10
[SFWR75CMP]
HOTFIX_R80_10
[MGMTAPI]
No hotfixes..
[rtm]
No hotfixes..
[Expert@sms-r80.10:0]#
OK, I see that you have a plain R80.10 installation with no Jumbo Hotfixes.
What you are experiencing is a known bug that was fixed in Take 37 of the R80.10 Jumbo Hotfix release.
Please contact your SE or partner to upgrade your installation.
Robert.
OK, thanks for the help and very quick responses, much appreciated.
I put on Jumbo HFA Take 103, which does include Take 37, but I still have the same issue. I also built a new VM and added HFA Take 103, and got the same problem. I'm using Windows 10, VM Workstation Pro 14, 300 GB disk space, 8 GB RAM (on the new VM I tried 9 GB RAM).
[Expert@sms-r80.10:0]# cpinfo -y all
This is Check Point CPinfo Build 914000176 for GAIA
[IDA]
HOTFIX_R80_10
[CPFC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 103
[FW1]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 103
FW1 build number:
This is Check Point Security Management Server R80.10 - Build 016
This is Check Point's software version R80.10 - Build 068
[SecurePlatform]
HOTFIX_R80_10_JUMBO_HF Take: 103
[CPinfo]
No hotfixes..
[DIAG]
HOTFIX_R80_10
[SmartPortal]
No hotfixes..
[Reporting Module]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 103
[CPuepm]
HOTFIX_R80_10
[VSEC]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 103
[SmartLog]
HOTFIX_R80_10
HOTFIX_R80_10_JUMBO_HF Take: 103
[R7520CMP]
HOTFIX_R80_10
[R7540CMP]
HOTFIX_R80_10
[R7540VSCMP]
HOTFIX_R80_10
[R76CMP]
HOTFIX_R80_10
[SFWR77CMP]
HOTFIX_R80_10
HOTFIX_R80_10_JHF_COMP
[R77CMP]
HOTFIX_R80_10
HOTFIX_R80_10_JHF_COMP
[R75CMP]
HOTFIX_R80_10
[NGXCMP]
HOTFIX_R80_10
[EdgeCmp]
HOTFIX_R80_10
[SFWCMP]
HOTFIX_R80_10
[FLICMP]
HOTFIX_R80_10
[SFWR75CMP]
HOTFIX_R80_10
[MGMTAPI]
No hotfixes..
[CPUpdates]
BUNDLE_R80_10_JUMBO_HF Take: 103
[rtm]
No hotfixes..
[Expert@sms-r80.10:0]# api status
API Settings:
---------------------
Accessibility: Require ip 127.0.0.1
Automatic Start: Enabled
Processes:
Name State PID More Information
-------------------------------------------------
API Started 16171
CPM Started 3715 Check Point Security Management Server is running and ready
FWM Started 3461
Port Details:
-------------------
JETTY Internal Port: 50276
APACHE Gaia Port: 443
--------------------------------------------
Overall API Status: Started
--------------------------------------------
API readiness test SUCCESSFUL. The server is up and ready to receive connections
Notes:
------------
To collect troubleshooting data, please run 'api status -s <comment>'
[Expert@sms-r80.10:0]#
See if restarting the API server clears it.
At least that was the initial workaround we figured out here:
Re: R80.10 API bug: fallback to "SmartCenter Only" after reboot
And yes, please open a TAC case for this.
I don't know if this will help or not, but here is an elementary script that will create 10 hosts, 10 networks and 10 rules using said hosts and networks. Of course this can be done much better with Python. But with this you can see the syntax for how to create the rules using the API.
cd "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM"
REM Log in once and save the session id; every later call reuses it via -s
mgmt_cli -m demootj1uuvics.mgmt.cloud login -u aa -p aaaa > "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
REM Create the host objects
mgmt_cli add host name MyHost1 ip-address 10.0.0.1 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost2 ip-address 10.0.0.2 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost3 ip-address 10.0.0.3 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost4 ip-address 10.0.0.4 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost5 ip-address 10.0.0.5 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost6 ip-address 10.0.0.6 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost7 ip-address 10.0.0.7 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost8 ip-address 10.0.0.8 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost9 ip-address 10.0.0.9 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add host name MyHost10 ip-address 10.0.0.10 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
REM The relative session file works here because of the cd above
mgmt_cli publish -s session_id.txt
REM Create the network objects
mgmt_cli add network name MyNet0 subnet 10.0.0.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet1 subnet 10.0.1.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet2 subnet 10.0.2.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet3 subnet 10.0.3.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet4 subnet 10.0.4.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet5 subnet 10.0.5.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet6 subnet 10.0.6.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet7 subnet 10.0.7.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet8 subnet 10.0.8.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet9 subnet 10.0.9.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add network name MyNet10 subnet 10.0.10.0 subnet-mask 255.255.255.0 -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli publish -s session_id.txt
REM Add a section to the Network layer, put rule 1 at its top and the rest at its bottom
mgmt_cli add access-section layer Network name "My Rules" position.above "Data Center Access" -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.top "My Rules" name "My Rule 1" source "MyHost1" destination "MyNet1" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 2" source "MyHost2" destination "MyNet2" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 3" source "MyHost3" destination "MyNet3" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 4" source "MyHost4" destination "MyNet4" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 5" source "MyHost5" destination "MyNet5" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 6" source "MyHost6" destination "MyNet6" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 7" source "MyHost7" destination "MyNet7" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 8" source "MyHost8" destination "MyNet8" service.1 "http" service.2 "https" service.3 "dns" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 9" source "MyHost9" destination "MyNet9" service.1 "smtp" service.2 "pop-3" service.3 "imap" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli add access-rule layer Network position.bottom "My Rules" name "My Rule 10" source "MyHost10" destination "MyNet10" service.1 "microsoft-ds" service.2 "Remote_Desktop_Protocol" service.3 "nbsession" action accept track Log -s "C:\Program Files (x86)\CheckPoint\SmartConsole\R80.10\PROGRAM\session_id.txt"
mgmt_cli publish -s session_id.txt
REM Release the session once everything is published
mgmt_cli logout -s session_id.txt
I hope it helps.
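As an added example that is not code from this thread, from the tool Dameon linked, or from Check Point: a Python sketch of the CSV-driven batch import the thread asks for, built around the same add-access-rule fields the mgmt_cli script above uses, plus the response check that would have explained the "not a valid JSON" 403/400 in import_export.log. The CSV column names, the credentials and the injected api_call transport are assumptions; login, add-access-rule, publish, discard and logout are the standard Management API commands.

```python
import csv
import io
import json
# Constructed sample CSV (not from the thread); one access rule per row, with
# ';' separating several objects in one cell. The column names are assumed.
SAMPLE_CSV = """name,layer,source,destination,services,action,track
My Rule 1,Network,MyHost1,MyNet1,http;https;dns,Accept,Log
My Rule 2,Network,MyHost2;MyHost3,MyNet2,smtp,Drop,None
"""

def rule_payloads(csv_text, section="My Rules"):
    """CSV rows -> add-access-rule bodies. First rule goes to the top of the
    section, the rest to its bottom, as the mgmt_cli script above does."""
    payloads = []
    for i, row in enumerate(csv.DictReader(io.StringIO(csv_text))):
        payloads.append({
            "layer": row["layer"],
            "position": {"top" if i == 0 else "bottom": section},
            "name": row["name"],
            "source": row["source"].split(";"),
            "destination": row["destination"].split(";"),
            "service": row["services"].split(";"),
            "action": row["action"],
            "track": {"type": row["track"]},
        })
    return payloads

def parse_api_response(status_code, body):
    """Decode a Management API reply. A non-JSON body is the import_export.log
    symptom above: the request was refused before reaching the API itself."""
    try:
        data = json.loads(body)
    except ValueError:
        raise RuntimeError("HTTP %d with non-JSON body: check 'api status' Accessibility" % status_code)
    if status_code != 200:
        raise RuntimeError("API error %d: %s" % (status_code, data.get("message")))
    return data

def import_rules(csv_text, user, password, api_call):
    """Login, add every rule, publish once, discard on failure, always logout.
    api_call(command, payload, sid) -> (status, body) is an injected transport."""
    login = {"user": user, "password": password}
    sid = parse_api_response(*api_call("login", login, None))["sid"]
    payloads = rule_payloads(csv_text)
    try:
        for payload in payloads:
            parse_api_response(*api_call("add-access-rule", payload, sid))
        parse_api_response(*api_call("publish", {}, sid))
    except Exception:
        api_call("discard", {}, sid)  # drop the partially added rules
        raise
    finally:
        api_call("logout", {}, sid)
    return len(payloads)
```

In production api_call would POST JSON to https://<management-server>/web_api/<command> with the X-chkp-sid header set from the login reply; a fake transport is enough to check the call sequence and payloads.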