ramakrishnan
Contributor

Moving rulebase from one CMA to another CMA from MDM

Dear All,

I have an MDM, and under it many CMAs. As we are consolidating firewalls, we would like to move the complete access control (policy/NAT) from one CMA to another CMA. What is the procedure to move the complete set? Assume each firewall consists of an 800+ rule base, so manual work is absolutely impossible. Kindly let me know if there is an amicable solution.

Regards,

Ram

14 Replies
Tal_Paz-Fridman
Employee

Please see if this helps - the Check Point ExportImportPolicyPackage tool:

https://github.com/CheckPointSW/ExportImportPolicyPackage

ramakrishnan
Contributor

Thanks for the quick response, but my customer's environment does not allow such a tool to be installed, as there is a strict policy/process. Is there any other way I can move the policy from one CMA to another, as no global objects are being used?

PhoneBoy
Admin

This does not have to be run on the gateway or management itself, it can be run on any system that runs Python that can access the management API port. 
It reads the necessary data through the API and should not impact the production environment at all.

In any case, this is the closest thing we offer to an official tool that can be used to move a policy (and it's objects) from one CMA to another.
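
The read-only API path described above (log in to the source CMA's domain on the MDS, page through its access layer, never touch the gateway), as an added example that is not part of this thread and not code from ExportImportPolicyPackage. It uses only the Python standard library and the documented web_api calls (login with a "domain", show-access-rulebase paged with offset/limit, logout), so it runs from any host that can reach the management API port. The server, credentials, domain and layer names are constructed placeholders, and fake_transport is a constructed stand-in that lets the paging and session logic run offline.

```python
"""Read-only pull of one CMA's access rulebase over the Check Point Management API.

Added example, not code from this thread or from ExportImportPolicyPackage. It
uses only the standard library and documented web_api calls: login with a
"domain" (the CMA), show-access-rulebase paged with offset/limit, and logout.
Server, credentials, domain and layer names are constructed placeholders.
"""
import json
import ssl
import urllib.request
from typing import Any, Callable, Dict, Iterator, List, Optional

# A transport takes (command, payload, sid) and returns the decoded JSON reply.
Transport = Callable[[str, Dict[str, Any], Optional[str]], Dict[str, Any]]


def https_transport(server: str, cafile: Optional[str] = None) -> Transport:
    """Build a transport that POSTs JSON to https://<server>/web_api/<command>.
    Give it the management server's CA certificate; do not disable verification."""
    ctx = ssl.create_default_context(cafile=cafile)

    def post(command: str, payload: Dict[str, Any], sid: Optional[str]) -> Dict[str, Any]:
        req = urllib.request.Request(f"https://{server}/web_api/{command}",
                                     data=json.dumps(payload).encode(), method="POST")
        req.add_header("Content-Type", "application/json")
        if sid:  # every call after login carries the session id in this header
            req.add_header("X-chkp-sid", sid)
        with urllib.request.urlopen(req, context=ctx, timeout=60) as resp:
            return json.loads(resp.read().decode())

    return post


def fetch_rulebase(post: Transport, user: str, password: str,
                   domain: str, layer: str, page_size: int = 500) -> List[Dict[str, Any]]:
    """Log in to one domain (CMA) read-only and page through one access layer."""
    sid = post("login", {"user": user, "password": password,
                         "domain": domain, "read-only": True}, None)["sid"]
    entries: List[Dict[str, Any]] = []
    offset = 0
    try:
        while True:
            reply = post("show-access-rulebase",
                         {"name": layer, "offset": offset, "limit": page_size,
                          "details-level": "standard"}, sid)
            entries.extend(reply.get("rulebase", []))
            # "to" is the 1-based index of the last rule returned, so it is also
            # the offset of the next page; stop once the page reaches "total".
            if reply["to"] >= reply["total"]:
                break
            offset = reply["to"]
    finally:
        post("logout", {}, sid)  # release the session even if a page fails
    return entries


def flatten_rules(entries: List[Dict[str, Any]]) -> Iterator[Dict[str, Any]]:
    """Yield access-rule objects, descending into access-section containers."""
    for entry in entries:
        if entry.get("type") == "access-section":
            yield from flatten_rules(entry.get("rulebase", []))
        elif entry.get("type") == "access-rule":
            yield entry


def export_layer(post: Transport, user: str, password: str,
                 domain: str, layer: str) -> Dict[str, Any]:
    """Return one layer's flattened rules in a JSON-ready dict for saving or diffing."""
    rules = list(flatten_rules(fetch_rulebase(post, user, password, domain, layer)))
    return {"domain": domain, "layer": layer, "rules": rules}


def fake_transport(total_rules: int) -> Transport:
    """Constructed stand-in for https_transport: serves a synthetic layer of
    total_rules access-rules offline and records (command, sid) in post.calls."""
    rules = [{"type": "access-rule", "name": f"rule {i}", "rule-number": i}
             for i in range(1, total_rules + 1)]
    calls: List[tuple] = []

    def post(command: str, payload: Dict[str, Any], sid: Optional[str]) -> Dict[str, Any]:
        calls.append((command, sid))
        if command == "login":
            return {"sid": "constructed-session-id"}
        if command == "logout":
            return {"message": "OK"}
        if command == "show-access-rulebase" and sid == "constructed-session-id":
            start, limit = payload["offset"], payload["limit"]
            page = rules[start:start + limit]
            return {"rulebase": page, "from": start + 1, "to": start + len(page),
                    "total": len(rules)}
        return {"code": "err_bad_session", "message": "invalid command or session"}

    post.calls = calls  # type: ignore[attr-defined]
    return post


if __name__ == "__main__":
    # Offline run; replace fake_transport with
    # https_transport("mds.example.net", cafile="mds-ca.pem") for a real MDS.
    demo = fake_transport(1203)
    result = export_layer(demo, "api-reader", "placeholder", "CMA-Source", "Network")
    print(len(result["rules"]), "rules via", [c for c, _ in demo.calls])
```

The session is opened with "read-only": true, so an API user with read permissions on the source domain is enough for the export half, and the logout in the finally block keeps a failed run from leaving a session open on the MDS. The paging follows the API's own "to"/"total" counters, so an 800+ rule layer comes back in a handful of calls rather than one oversized request.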

ramakrishnan
Contributor

Thanks, very helpful. I will try the tool, though we have some mixture of R77.x too.

One last question: as we are consolidating the firewalls and clubbing the policy from one CMA to another, is there a license or other restriction on the number of VLANs in a firewall or the number of rules in a firewall rule base?

PhoneBoy
Admin

Not from a licensing perspective.
There are limits on number of interfaces (VLANs included): https://support.checkpoint.com/results/sk/sk31631 

ramakrishnan
Contributor

I just wanted to run it through the MDS in my production. When I tried in my personal lab (Security Gateway), running a command with https://github.com/CheckPointSW/ExportImportPolicyPackage threw the error "git command not found". There should be a git package to be installed; could you help me get this done?

PhoneBoy
Admin

git is not installed on Check Point devices, nor do we support the installation of git on Gaia OS.

ramakrishnan
Contributor

Then could I install the package tool, as it requires the API library to aid the import and export .py scripts?

PhoneBoy
Admin

The installation of third party software is not supported on Check Point appliances.
You CAN run the ExportImportPolicyPackage tool directly on your Security Management.
However, it requires installation from the ZIP file.
You also need to install this: https://github.com/CheckPointSW/cp_mgmt_api_python_sdk 
Please follow the instructions for running on a Management system directly. 

ramakrishnan
Contributor

@PhoneBoy @G_W_Albrecht Have I not installed the libraries? Or is it a version issue? I thoroughly followed the given steps.

[Expert@NA-CP-MGMT:0]# /opt/CPsuite-R80/fw1/Python/bin/python export_access_rulebase.py
Traceback (most recent call last):
  File "export_access_rulebase.py", line 3, in <module>
    from exporting.export_objects import get_objects, \
ImportError: No module named exporting.export_objects
[Expert@NA-CP-MGMT:0]#

ramakrishnan
Contributor

Closing this thread...

When I tried with my lab [EVE-NG R81.10] it appears that the given script executes, but it appears that running the script requires Python 3, I assume. In my lab there is no policy I configured, so I could not test it; also under access rule base export I am getting a null value, but it seems it compiled. Thanks @PhoneBoy

[Expert@checkpoint-mgmt:0]# /opt/CPsuite-R81.10/fw1/Python/bin/python3 import_export_package.py
Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
99
[Expert@checkpoint-mgmt:0]# /opt/CPsuite-R81.10/fw1/Python/bin/python2 import_export_package.py
Traceback (most recent call last):
  File "import_export_package.py", line 27, in <module>
    raise Exception("Min Python version required is 3.7")
Exception: Min Python version required is 3.7
[Expert@checkpoint-mgmt:0]#

[Expert@checkpoint-mgmt:0]# /opt/CPsuite-R81.10/fw1/Python/bin/python3.7 export_access_rulebase.py
[Expert@checkpoint-mgmt:0]#

G_W_Albrecht
Legend

Clone the repository with this command:

git clone https://github.com/CheckPoint-APIs-Team/ExportImportPolicyPackage

or by clicking the Download ZIP button.

CCSE CCTE CCSM SMB Specialist
ramakrishnan
Contributor

Thanks @G_W_Albrecht and @PhoneBoy, dears...

I think now I've got the crux. Basically I need to enable bash, as I want to move the SDK files to the MGMT in order to check the policy import/export function. As I am trying this in my lab, bash is not enabled, so I am unable to use WinSCP.

There is another thread on how to activate bashUser: https://community.checkpoint.com/t5/SMB-Gateways-Spark/Activate-bashUser-via-script-on-a-Embedded-Ga... As per this thread, the prerequisite is that SIC has to be enabled and it cannot be locally managed, because I am building a lab on EVE-NG and below is my spec. While enabling bash I am getting this error.

[Expert@NA-CP-MGMT:0]# $CPDIR/bin/cprid_util -server 172.16.14.60 -verbose rexec -rcmd /bin/bash -c "bashUser on"
/bin/bash: bashUser: command not found

But I assume my PRD MDM/MDS should have bash enabled, so I can move the SDK file with the help of SCP.

NA-CP-MGMT> show version all
Product version Check Point Gaia R80.10
OS build 479
OS kernel version 2.6.18-92cpx86_64
OS edition 64-bit

NA-CP-MGMT> show asset all
Platform: Standard PC (i440FX + PIIX, 1996)
CPU Model: QEMU Virtual CPU version 2.5+
CPU Frequency: 2400.225
Number of Cores: 4
CPU Hyperthreading: Disabled

NA-CP-MGMT>

PhoneBoy
Admin

Why are you building something on R80.10, which is End of Support?
In any case, "bashUser on" is only a valid command on a Quantum Spark appliance.
If you want to change the user's default shell to bash, that should be done with the relevant clish commands.
