checkpointsw / exportimportpolicypackage

Check Point ExportImportPolicyPackage tool enables you to export a policy package from a Management database to a .tar.gz file, which can then be imported into any other Management database. The tool is supported for version R80.10 and above.

License: Apache License 2.0

Python 100.00%
management-api

exportimportpolicypackage's People

Contributors

assasc, chkp-amiads, chkp-edenbr, chkp-liorai, chkp-maxcalderon, chkp-orito, chkp-orso, chkp-rdecker, chkp-roniz, chkp-royl, chkp-shirango, chkp-shirao, chkp-ubialik, chkp-yaelg, parkerpatel

exportimportpolicypackage's Issues

NAT rulebase export issue

When NAT policy has just one manual rule defined (rest are auto rules based on object NAT), script failed completely.
Workaround is just to add a second manual fake NAT rule, then it works OK
NAt_rules

    Exporting NAT policy
    Getting information from show-nat-rulebase
    Retrieved 50 out of 292 rules (17%)
    Retrieved 100 out of 292 rules (34%)
    Traceback (most recent call last):
      File "/home/ivo.hrbacek/scripts/ExportImportPolicyPackage/import_export_package.py", line 59, in <module>
        export_package(client, args)
      File "/home/ivo.hrbacek/scripts/ExportImportPolicyPackage/exporting/export_package.py", line 59, in export_package
        nat_data_dict, nat_unexportable_objects = export_nat_rulebase(show_package.data["name"], client)
      File "/home/ivo.hrbacek/scripts/ExportImportPolicyPackage/exporting/export_nat_rulebase.py", line 13, in export_nat_rulebase
        rulebase_rules, general_objects = get_query_nat_rulebase_data(client, {"package": package})
      File "/home/ivo.hrbacek/scripts/ExportImportPolicyPackage/exporting/export_objects.py", line 187, in get_query_nat_rulebase_data
        rulebase_items[len(rulebase_items) - 1]["rulebase"].extend(non_empty_rulebase_items[0]["rulebase"])
    KeyError: 'rulebase'

When the rule is imported, the error occurs in middle.

Dear API Team,

I downloaded latest package file.
When the rule is imported, the error occurs in middle.
So, the rule is not imported.
This error did not occur before.

Following message:
Failed to publish import of access-rules from tar file #3! Access-rules from said file were not imported!. Error: Publish failed because of validation errors

I attach the import.export.log

Regards,

import_export.log

NAT rules are not exported with latest version (2021 June)

Dear all,
I have just downloaded last version. It runs well, but for some reason, NAT rules are not exported (all NAT rules are manual rules). SMS has R80.40 JHF Take 94.

Python version is 2.7.9.

Have you any clue about this issue?
Exported policy package is imported to other SMS, except NAT rules.

Kind regards.

Not working on R80.10 Management

This script won't run on an R80.10 management, I just receive a lot of Python errors.

Does this script need to be run on a separate machine that connects to the management?

Enhancement request - resolve object names to addresses

Your (NAT) export basically works pretty good, but I have an enhancement request:

At the moment, an exported json nat rule looks like that:

    {
        "__before_auto_rules": false,
        "original-destination": "MY_PUBLIC_NET",
        "install-on.0": "Policy Targets",
        "comments": "",
        "translated-source": "Original",
        "method": "static",
        "translated-destination": "WEBServer_1",
        "original-source": "Any",
        "translated-service": "Original",
        "enabled": true,
        "original-service": "Any",
        "position": 273
    },

It would be nice if you would resolve objects (for the access rule export as well) to their ip-addresses/networks, e.g.:

    {
        "__before_auto_rules": false,
        "original-destination.0": "2xx.xx.xx.xx/24",
        "original-destination.1": "2yy.yy.yy.yy/24",
        "install-on.0": "Policy Targets",
        "comments": "",
        "translated-source": "Original",
        "method": "static",
        "translated-destination.0": "10.x.x.x.1",
        "original-source": "Any",
        "translated-service": "Original",
        "enabled": true,
        "original-service": "Any",
        "position": 273
    },

In the export files, I have all the files to resolve these objects by myself, but in some cases, it would be nice to have an exported rule base with addresses (Hosts and Nets) instead of the object names.

A cli option for that would be great. Thanks.
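The export already contains what is needed for this resolution, so it can be done offline. The following is an added example, not code from the tool: the object field names (`ipv4-address`, `subnet4`, `mask-length4`, `members.N`) are assumed, and the sample hosts, networks and group are constructed with documentation address ranges.

```python
import ipaddress
import re

# Constructed sample objects; field names are assumptions about the export format.
HOSTS = [{"name": "WEBServer_1", "ipv4-address": "10.0.0.1"}]
NETWORKS = [
    {"name": "PUBLIC_NET_A", "subnet4": "203.0.113.0", "mask-length4": "25"},
    {"name": "PUBLIC_NET_B", "subnet4": "198.51.100.0", "mask-length4": "24"},
]
GROUPS = [{"name": "MY_PUBLIC_NET",
           "members.0": "PUBLIC_NET_A", "members.1": "PUBLIC_NET_B"}]

# The NAT rule from the request above.
NAT_RULE = {
    "__before_auto_rules": False, "original-destination": "MY_PUBLIC_NET",
    "install-on.0": "Policy Targets", "comments": "",
    "translated-source": "Original", "method": "static",
    "translated-destination": "WEBServer_1", "original-source": "Any",
    "translated-service": "Original", "enabled": True,
    "original-service": "Any", "position": 273,
}

RESOLVABLE = {"original-source", "original-destination",
              "translated-source", "translated-destination"}


def build_index(hosts, networks, groups):
    """Map object names to address strings, and group names to member names."""
    addresses = {}
    for host in hosts:
        addresses[host["name"]] = [str(ipaddress.ip_address(host["ipv4-address"]))]
    for net in networks:
        cidr = "{}/{}".format(net["subnet4"], net["mask-length4"])
        addresses[net["name"]] = [str(ipaddress.ip_network(cidr, strict=True))]
    members = {}
    for group in groups:
        numbered = [(int(k.split(".")[1]), v) for k, v in group.items()
                    if re.fullmatch(r"members\.\d+", k)]
        members[group["name"]] = [name for _, name in sorted(numbered)]
    return addresses, members


def expand(name, addresses, members, seen=()):
    """Addresses behind an object name, or None if it cannot be resolved."""
    if name in addresses:
        return addresses[name]
    if name not in members:
        return None          # e.g. "Any", "Original", or an unexported object
    if name in seen:
        raise ValueError("group membership cycle at %r" % name)
    out = []
    for member in members[name]:
        resolved = expand(member, addresses, members, seen + (name,))
        out.extend(resolved if resolved is not None else [member])
    return out


def resolve_rule(rule, addresses, members):
    """Replace resolvable source/destination names with numbered address fields."""
    by_field = {}
    for key, value in rule.items():
        field = key.split(".")[0]
        if field in RESOLVABLE:
            by_field.setdefault(field, []).append((key, value))
    out = {}
    for key, value in rule.items():
        field = key.split(".")[0]
        if field not in RESOLVABLE:
            out[key] = value
        elif field in by_field:
            entries = by_field.pop(field)
            expanded = [expand(name, addresses, members) for _, name in entries]
            if all(e is None for e in expanded):
                out.update(entries)      # nothing resolvable: keep as exported
                continue
            flat = [a for (_, name), e in zip(entries, expanded)
                    for a in (e if e is not None else [name])]
            for i, address in enumerate(flat):
                out["{}.{}".format(field, i)] = address
    return out
```

Names that have no exported object behind them, such as `Any` and `Original`, are left untouched, so the resolved rule stays comparable with the original.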

Script Does not support 1.9.1 Mgmt API

I was testing the script on an SMS R81.20 JHF 53

I am getting an error as follows.
      File "import_export_package.py", line 73, in <module>
        export_package(client, args)
      File "/home/admin/ExportImportPolicyPackage-master/ExportImportPolicyPackage-master/exporting/export_package.py", line 44, in export_package
        = export_access_rulebase(show_package.data["name"], access_layer["name"], access_layer["uid"], client, timestamp, tar_file)
      File "/home/admin/ExportImportPolicyPackage-master/ExportImportPolicyPackage-master/exporting/export_access_rulebase.py", line 16, in export_access_rulebase
        get_query_rulebase_data(client, "access-rulebase", {"name": layer, "uid": layer_uid, "package": package})
      File "/home/admin/ExportImportPolicyPackage-master/ExportImportPolicyPackage-master/exporting/export_objects.py", line 116, in get_query_rulebase_data
        check_for_export_error(general_object, client)
      File "/home/admin/ExportImportPolicyPackage-master/ExportImportPolicyPackage-master/utils.py", line 480, in check_for_export_error
        general_object["type"] not in singular_to_plural_dictionary[client.api_version]):
    KeyError: '1.9.1'

I was able to fix the error by adding a 1.9.1 section to the dictionary in lists_and_dictionaries.py

    "1.9.1": {
        "access-role": "access-roles",
        "threat-profile": "threat-profiles",
        "host": "hosts",
        "network": "networks",
        "address-range": "address_ranges",
        "multicast-address-range": "multicast-address-ranges",
        "security-zone": "security-zones",
        "time": "times",
        "simple-gateway": "simple-gateways",
        "simple-cluster": "simple-clusters",
        "dynamic-object": "dynamic-objects",
        "trusted-client": "trusted-clients",
        "tags": "tags",
        "dns-domain": "dns-domains",
        "opsec-application": "opsec-applications",
        "data-center": "data-centers",
        "data-center-object": "data-center-objects",
        "service-tcp": "services-tcp",
        "service-udp": "services-udp",
        "service-icmp": "services-icmp",
        "service-icmp6": "services-icmp6",
        "service-sctp": "services-sctp",
        "service-rpc": "services-rpc",
        "service-other": "services-other",
        "service-dce-rpc": "services-dce-rpc",
        "application-site": "applications-sites",
        "application-site-category": "application-site-categories",
        "application-site-group": "application-site-groups",
        "vpn-community-meshed": "vpn-communities-meshed",
        "vpn-community-star": "vpn-communities-star",
        "placeholder": "placeholders",
        "administrator": "administrators",
        "group": "groups",
        "group-with-exclusion": "groups-with-exclusion",
        "service-group": "service-groups",
        "time-group": "time-groups",
        "application-group": "application-groups",
        "threat-protection": "threat-protections",
        "exception-group": "exception-groups",
        "generic-object": "",
        "access-layer": "access-layers",
        "access-section": "access-sections",
        "access-rule": "access-rules",
        "nat-layer": "nat-layers",
        "nat-section": "nat-sections",
        "nat-rule": "nat-rules",
        "threat-layer": "threat-layers",
        "threat-rule": "threat-rules",
        "threat-exception-section": "threat-exception-sections",
        "threat-exception": "threat-exceptions",
        "wildcard": "wildcards",
        "updatable-object": "updatable-objects",
        "https-layer": "https-layers",
        "https-section": "https-sections",
        "https-rule": "https-rules"
    },

I wanted to bring this to your attention, Thanks

problem in csv when in comment column several lines or special characters

Hi
problem in csv when in comment column several lines or special characters

  • For example
    • if several lines in comments of the rules the CSV is cut in several lines
    • if several lines in description of the objects the CSV is cut in several lines
  • check also with host having a space in name (Check Point converts it to special characters), could potentially be an issue

Thank you

Error with importing policies

Good morning,

on R81.10 with JHF45 it is no longer possible to import policies. I get the following error:

Failed to import service-tcp with name [tcp_2376]. Error: code: generic_err_invalid_parameter
message: This API request must contain only one of these - "use-default-timeout = true" or "timeout = "

in Take 38 are the following release notes about the API:
PRJ-33865,PRHF-21129 | Security Management | When creating or updating a service object via Management API, it is not possible to specify a custom aggressive-aging timeout.

Is it somehow possible to set the session timeout via this tool?

Import does not find Access Layer File - [Errno 2]

Using ExportImportPolicyPackage V6, cp-api V1.8,

I have an R81.10 MDS environment, where I try to export a policy from one domain and import it to a newly created domain on the same MDS Server.
(this python script for "Export" and "Import" is running directly on the MDS server itself)

During import I get the following "FileNotFoundError" (replicable!):

Importing Access_Layer [IMPORTED LAYER Network]

Traceback (most recent call last):
  File "import_export_package.py", line 75, in <module>
    import_package(client, args)
  File "/home/admin/exportImportPolicyPackage6.0+cpi1.8/importing/import_package.py", line 56, in import_package
    layers_to_attach = import_objects(args.file, client, {}, package, None, args)
  File "/home/admin/exportImportPolicyPackage6.0+cpi1.8/importing/import_objects.py", line 208, in import_objects
    import_objects(rulebase_object_file.name, client, changed_layer_names, package, layer_name, args)
  File "/home/admin/exportImportPolicyPackage6.0+cpi1.8/importing/import_objects.py", line 66, in import_objects
    export_tar = tarfile.open(file_name, "r:gz")
  File "/opt/CPsuite-R81.10/fw1/Python/lib/python3.7/tarfile.py", line 1591, in open
    return func(name, filemode, fileobj, **kwargs)
  File "/opt/CPsuite-R81.10/fw1/Python/lib/python3.7/tarfile.py", line 1637, in gzopen
    fileobj = GzipFile(name, mode + "b", compresslevel, fileobj)
  File "/opt/CPsuite-R81.10/fw1/Python/lib/python3.7/gzip.py", line 168, in __init__
    fileobj = self.myfileobj = builtins.open(filename, mode or 'rb')
FileNotFoundError: [Errno 2] No such file or directory: 'exported__access_layer__Network__2024_04_17_18_24.tar.gz'

I see in the background, that this file is deleted during import. But I do not understand the work flow of this tool.

What I recognized now during export (after I tried a second time) is that there are two exact same export statements for the "customer1 Network" Layer:

1. Change Settings
2. Run
99. Exit
2

Exporting Access Control layers

**Exporting Access Layer [Network]**

Retrieved 28 out of 28 rules (100%)

Processing rules and sections

Exporting Inline-Layer [customer1 Network]

**Exporting Access Layer [customer1 Network]**

Retrieved 50 out of 402 rules (12%)
. . .
. . .
Done exporting layer 'customer1 Network'.

and a little later I got (again):

Exporting access rules from layer [Network]

Exporting access sections from layer [Network]

Exporting placeholders for unexportable objects from layer [Network]

Exporting layer settings of layer [Network]

Done exporting layer 'Network'.


**Exporting Access Layer [customer1 Network]**

Retrieved 50 out of 402 rules (12%)

Retrieved 100 out of 402 rules (24%)

Just recognized another hint/strange thing about my "Export" file:
See the content of this TAR file from this export:

tar xvfz ../exported__package__customer1__2024_04_17_21_28.tar.gz 
**exported__access_layer__customer1 Network__2024_04_17_21_28.tar.gz**
exported__access_layer__Network__2024_04_17_21_28.tar.gz
**exported__access_layer__customer1 Network__2024_04_17_21_28.tar.gz**
exported__nat_layer__customer1__2024_04_17_21_28.tar.gz
03____add-host__2024_04_17_21_28.csv
03____add-host__2024_04_17_21_28.json
04____add-network__2024_04_17_21_28.csv
04____add-network__2024_04_17_21_28.json
. . .

Any ideas what is going wrong here ?

Thanks,
Martin

API hang

Dear API team,

We have another issue.
The API hung when a group object containing many objects (around 2000) is included in the rule.
There are about 12 such rules.

api response

If changing import package name by '-n' option, Manual NAT is not imported.

Hello,

If I do not use the origin package name, Manual NAT is not imported.

For example,
I exported package named "Standard".
and I want to import the package named "Standard-new"
The Security rule is imported but Manual NAT is not imported.

Manual NAT import in the package named "Standard" not "Standard-new".

Please, fix this.

Thank you.

problem while exporting to tar file

Done exporting layer 'ABC_Policy Security'.

Hi Eden!
I tried changing to a new device and installing a new Python environment, but it still shows these problems. Can you explain these problems and give any suggestions to fix them?
Thanks.

    Traceback (most recent call last):
      File "D:\ExportImportPolicyPackage-master\import_export_package.py", line 65, in <module>
        export_package(client, args)
      File "D:\ExportImportPolicyPackage-master\exporting\export_package.py", line 54, in export_package
      File "D:\ExportImportPolicyPackage-master\utils.py", line 289, in write_data
        writer.writerows(res)
      File "C:\Users\AppData\Local\Programs\Python39\Python39\lib\encodings\cp1252.py", line 19, in encode
        return codecs.charmap_encode(input,self.errors,encoding_table)[0]
    UnicodeEncodeError: 'charmap' codec can't encode character '\u1ec3' in position 87: character maps to <undefined>
    PS C:\Users\Desktop\ExportImportPolicyPackage-master (1)\ExportImportPolicyPackage-master>

Login to management server failed. lib::APIResponse

Hi Robert, many thanks for developing and supporting these scripts.

I have successfully exported from a mgmt server and now I would like to import on another mgmt server.

I'm getting the error below but I would say that the input data are correct (credentials, path, ...)

Login to management server failed. lib::APIResponse
{
"data": null,
"error_message": "APIResponse received a response which is not a valid JSON.
",
"res_obj": {},
"status_code": 403,
"success": false
}

Thanks for making time looking into this. api.elg file attached
api.zip

error on export

    Exporting Access Control layers

    Exporting Access Layer [P-memcf-asg-cl1 Security]

    Retrieved 50 out of 993 rules (5%)
    Retrieved 100 out of 993 rules (10%)
    Retrieved 150 out of 993 rules (15%)
    Retrieved 200 out of 993 rules (20%)
    Retrieved 250 out of 993 rules (25%)
    Retrieved 300 out of 993 rules (30%)
    Retrieved 350 out of 993 rules (35%)
    Retrieved 400 out of 993 rules (40%)
    Retrieved 450 out of 993 rules (45%)
    Retrieved 500 out of 993 rules (50%)
    Retrieved 550 out of 993 rules (55%)
    Retrieved 600 out of 993 rules (60%)
    Retrieved 650 out of 993 rules (65%)
    Retrieved 700 out of 993 rules (70%)
    Retrieved 750 out of 993 rules (75%)
    Retrieved 800 out of 993 rules (80%)
    Retrieved 850 out of 993 rules (85%)
    Retrieved 900 out of 993 rules (90%)
    Retrieved 950 out of 993 rules (95%)
    Retrieved 993 out of 993 rules (100%)

    Traceback (most recent call last):
      File "import_export_package.py", line 61, in <module>
        export_package(client, args)
      File "/var/ExportImportPolicy/exporting/export_package.py", line 44, in export_package
        = export_access_rulebase(show_package.data["name"], access_layer["name"], access_layer["uid"], client, timestamp, tar_file)
      File "/var/ExportImportPolicy/exporting/export_access_rulebase.py", line 16, in export_access_rulebase
        get_query_rulebase_data(client, "access-rulebase", {"name": layer, "uid": layer_uid, "package": package})
      File "/var/ExportImportPolicy/exporting/export_objects.py", line 115, in get_query_rulebase_data
        check_for_export_error(general_object, client)
      File "/var/ExportImportPolicy/utils.py", line 462, in check_for_export_error
        general_object["type"] not in singular_to_plural_dictionary[client.api_version]):
    KeyError: u'1.7.1'

error on exporting

Hi Eden!
After "Done exporting layer", some problems show up.
Can't you fix these?
Thanks

    Traceback (most recent call last):
      File "c:\ExportImportPolicyPackage-master\import_export_package.py", line 66, in <module>
        export_package(client, args)
      File "c:\ExportImportPolicyPackage-master\exporting\export_package.py", line 115, in export_package
        export_to_tar(data_dict, timestamp, tar_file, singular_to_plural_dictionary[client.api_version].keys(),
      File "c:\ExportImportPolicyPackage-master\utils.py", line 257, in export_to_tar
        write_data(data_dict[api_type], tar_file_csv, ".csv")
      File "c:\ExportImportPolicyPackage-master\utils.py", line 289, in write_data
        writer.writerows(res)
      File "C:\Exim\Python310\lib\encodings\cp1252.py", line 19, in encode
        return codecs.charmap_encode(input,self.errors,encoding_table)[0]
    UnicodeEncodeError: 'charmap' codec can't encode character '\u200b' in position 14321: character maps to <undefined>
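The multi-line comment report and the two `UnicodeEncodeError` reports above all concern how the CSV files are written. The following is an added example, not the tool's `write_data`: it writes every field quoted, in UTF-8 and with newline translation turned off, and reads it back with the `csv` module instead of splitting on line breaks. The rows are constructed, using the two characters named in the tracebacks.

```python
import csv
import io

FIELDS = ["name", "comments"]

# Constructed rows: an embedded newline, quotes and a comma, plus the two
# characters ('\u1ec3', '\u200b') that cp1252 could not encode above.
ROWS = [
    {"name": "host with space", "comments": 'line one\nline two; "quoted", comma'},
    {"name": "rule-vn", "comments": "Ki\u1ec3m tra"},
    {"name": "rule-zw", "comments": "zero\u200bwidth"},
]


def write_csv_bytes(rows, encoding="utf-8"):
    """Serialize rows to CSV bytes with an explicit encoding.

    newline="" stops Python from rewriting line endings, so a "\n" inside a
    quoted field stays exactly as it was in the object's comment.
    """
    raw = io.BytesIO()
    text = io.TextIOWrapper(raw, encoding=encoding, newline="")
    writer = csv.DictWriter(text, fieldnames=FIELDS, quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    text.flush()
    data = raw.getvalue()
    text.detach()
    return data


def read_csv_bytes(data, encoding="utf-8"):
    """Parse CSV bytes back into a list of dicts, one per record."""
    text = io.TextIOWrapper(io.BytesIO(data), encoding=encoding, newline="")
    return [dict(row) for row in csv.DictReader(text)]


def physical_line_count(data, encoding="utf-8"):
    """Number of text lines in the file, which can exceed the record count."""
    return len(data.decode(encoding).splitlines())


def encodes_with(rows, encoding):
    """True if every row can be written in the given encoding."""
    try:
        write_csv_bytes(rows, encoding)
        return True
    except UnicodeEncodeError:
        return False


if __name__ == "__main__":
    data = write_csv_bytes(ROWS)
    print("records:", len(read_csv_bytes(data)))
    print("physical lines:", physical_line_count(data))
    print("cp1252 can encode the rows:", encodes_with(ROWS, "cp1252"))
```

The file holds more physical lines than records because a quoted field may legitimately span lines, so any consumer has to use a CSV parser rather than count or split lines.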

Some issues

Hi,

I'm a Check Point Partner engineer.
I'm testing this tool, and I have an issue.

I'm going to compare the original rule and the new rule.
In some rules, the order of the objects is different in the source or destination.
And, it is difficult to compare them.
Is there a change in the order during export and import?

Some rules failed to import with the following error.
"Failed to import access-rule with name [ICD-20170601-1]. Error: [Errno 10053]"

  1. Some sections are created duplicated.
    In other words, the sections are created twice.

Would you check about my question and issue?

Regards,

importing objects with tags

When importing objects with tags, tags payload is converted to list instead of dict and causes error during import:

Adding services-udp
Unknown tag name for object [port-udp-8089]

relevant service definition in json file (fields except tags, name, port omitted for readability)

    {
        .....
        "port": "8089",
        "tags.0.type": "tag",
        "tags.0.name": "JuniperJunosOS",
        "tags.0.comments": "",
        "name": "port-udp-8089",
    }

The error is printed after this conditional statement:

    if tag_name is None or tag_name == "":
        debug_log("Unknown tag name for object [{0}] - {1}".format(payload["name"],payload), True, True)

I have verified what payload looks like for object in question and it is list of strings, instead of dict:

'tags': [u'black', u'JuniperJunosOS', u'tag']

For other similar structures (data with dots, like "aging") I see they are correctly converted to dict:

'aggressive-aging': {'use-default-timeout': u'true', 'enable': u'true', 'timeout': u'15', 'default-timeout': u'0'}
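A way to rebuild nested payloads from dotted keys so that numeric segments become list positions and `tags.0.*` ends up as one object per tag. This is an added example, not the tool's import code; the `aggressive-aging.*` keys in the sample are constructed, and passing tag names as a plain list to the API is an assumption.

```python
# Flattened service as in the report above, plus two constructed
# "aggressive-aging.*" keys to show a nested object next to a nested list.
FLAT_SERVICE = {
    "port": "8089",
    "tags.0.type": "tag",
    "tags.0.name": "JuniperJunosOS",
    "tags.0.comments": "",
    "name": "port-udp-8089",
    "aggressive-aging.enable": "true",
    "aggressive-aging.timeout": "15",
}


def unflatten(flat):
    """Turn {"a.0.b": v} into {"a": [{"b": v}]}.

    Every dotted segment is one nesting level; a level whose keys are all
    integers is converted to a list ordered by index.
    """
    root = {}
    for key, value in flat.items():
        *parents, leaf = key.split(".")
        node = root
        for part in parents:
            node = node.setdefault(part, {})
            if not isinstance(node, dict):
                raise ValueError("key %r collides with a scalar field" % key)
        if isinstance(node.get(leaf), dict):
            raise ValueError("key %r collides with a nested field" % key)
        node[leaf] = value
    return _to_lists(root)


def _to_lists(node):
    """Recursively replace index-keyed dicts with lists."""
    if not isinstance(node, dict):
        return node
    converted = {k: _to_lists(v) for k, v in node.items()}
    if converted and all(k.isdigit() for k in converted):
        return [converted[k] for k in sorted(converted, key=int)]
    return converted


def tag_names(payload):
    """Names of the tags in a payload, whether tags are objects or strings."""
    names = []
    for tag in payload.get("tags", []):
        name = tag.get("name") if isinstance(tag, dict) else tag
        if name:
            names.append(name)
    return names


if __name__ == "__main__":
    payload = unflatten(FLAT_SERVICE)
    print(payload["tags"])       # one dict per tag, fields kept together
    print(tag_names(payload))
```

Keeping each tag's fields together avoids the situation in the report, where type, name and comment values land in one flat list and the tag name can no longer be told apart from the other fields.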

Question about -h option.

Hi,

Our specific desktop is not applied option feature even though I add the -h option or others.
I attach screenshot.
What should I check on it?

screenshot

crash for exporting inline rules when slash , perhaps also other special characters

Hi

crash for exporting inline rules when slash in the name of the inline rule
( perhaps also other special characters )

Thank you for correction
Jean-michel

here example: inline rule "devpacc0018-bs/axi"
here some inputs

    Python .\ExportImportPolicyPackage-master\import_export_package.py -op export -n firewall00_policy -m xxx.yyy.zzz.2 -u userX -p mypassword -o firewall00_policy -ac true -tp true --nat true --https false

Exporting Access Layer [devpacc0018-axi]

Retrieved 3 out of 3 rules (100%)

Processing rules and sections
Exporting applications-sites from layer [devpacc0018-axi]
Exporting groups from layer [devpacc0018-axi]
Exporting networks from group [WP_Public_Net]
Exporting hosts from layer [devpacc0018-axi]
Exporting access rules from layer [devpacc0018-axi]
Exporting access sections from layer [devpacc0018-axi]
Exporting placeholders for unexportable objects from layer [devpacc0018-axi]
Exporting layer settings of layer [devpacc0018-axi]
Done exporting layer 'devpacc0018-axi'.

Exporting Inline-Layer [devpacc0018-bs/axi]
Exporting Access Layer [devpacc0018-bs/axi]

Retrieved 5 out of 5 rules (100%)

Processing rules and sections
Exporting applications-sites from layer [devpacc0018-bs/axi]
Exporting networks from layer [devpacc0018-bs/axi]
Exporting groups from layer [devpacc0018-bs/axi]
Exporting networks from group [WP_Public_Net]
Exporting hosts from layer [devpacc0018-bs/axi]
Exporting access rules from layer [devpacc0018-bs/axi]
Exporting access sections from layer [devpacc0018-bc/axi]
Exporting placeholders for unexportable objects from layer [devpacc0018-bs/axi]
Exporting layer settings of layer [devpacc0018-bs/axi]
Done exporting layer 'devpacc0018-bs/axi'.

    Traceback (most recent call last):
      File "D:\Automation\checkpointPoliciesDownload\ExportImportPolicyPackage-master\import_export_package.py", line 73, in <module>
        export_package(client, args)
      File "D:\Automation\checkpointPoliciesDownload\ExportImportPolicyPackage-master\exporting\export_package.py", line 44, in export_package
        = export_access_rulebase(show_package.data["name"], access_layer["name"], access_layer["uid"], client, timestamp, tar_file)
      File "D:\Automation\checkpointPoliciesDownload\ExportImportPolicyPackage-master\exporting\export_access_rulebase.py", line 46, in export_access_rulebase
        create_tar_file(access_layer, inner_data_dict,
      File "D:\Automation\checkpointPoliciesDownload\ExportImportPolicyPackage-master\utils.py", line 244, in create_tar_file
        with tarfile.open(layer_tar_name, "w:gz") as tar:
      File "C:\Program Files\Python39\lib\tarfile.py", line 1638, in open
        return func(name, filemode, fileobj, **kwargs)
      File "C:\Program Files\Python39\lib\tarfile.py", line 1684, in gzopen
        fileobj = GzipFile(name, mode + "b", compresslevel, fileobj)
      File "C:\Program Files\Python39\lib\gzip.py", line 173, in __init__
        fileobj = self.myfileobj = builtins.open(filename, mode or 'rb')
    FileNotFoundError: [Errno 2] No such file or directory: 'exported__access_layer__devpacc0018-bs/axi__2024_02_12_20_34.tar.gz'
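The layer name in the traceback above reaches `tarfile.open` as part of a file name, so the `/` in it is read as a directory separator. The following is an added example, not the tool's `create_tar_file`: it percent-encodes the layer name before building the archive name in the `exported__access_layer__<name>__<timestamp>.tar.gz` pattern seen on this page. The function names and the choice of percent-encoding are assumptions made for illustration.

```python
import io
import os
import tarfile
import tempfile
from urllib.parse import quote, unquote

PREFIX, SUFFIX = "exported__", ".tar.gz"


def layer_tar_name(layer_name, timestamp, kind="access_layer"):
    """Archive file name for a layer.

    Everything except letters, digits, "_.-~" and space is percent-encoded,
    which covers "/" and "\\" as well as the characters Windows rejects.
    The encoding is reversible, so two different layers never share a name.
    """
    encoded = quote(layer_name, safe=" ")
    return "{}{}__{}__{}{}".format(PREFIX, kind, encoded, timestamp, SUFFIX)


def parse_layer_tar_name(file_name):
    """Recover (kind, layer name, timestamp) from an archive file name."""
    if not (file_name.startswith(PREFIX) and file_name.endswith(SUFFIX)):
        raise ValueError("not a layer archive name: %r" % file_name)
    kind, rest = file_name[len(PREFIX):-len(SUFFIX)].split("__", 1)
    encoded, timestamp = rest.rsplit("__", 1)
    return kind, unquote(encoded), timestamp


def write_layer_archive(directory, layer_name, timestamp, files):
    """Create the layer archive inside `directory` and return its path.

    Mode "x:gz" refuses to replace an archive that already exists, so a layer
    exported twice in one run is reported instead of silently overwritten.
    """
    path = os.path.join(directory, layer_tar_name(layer_name, timestamp))
    if os.path.dirname(os.path.abspath(path)) != os.path.abspath(directory):
        raise ValueError("archive path escapes the export directory")
    with tarfile.open(path, "x:gz") as tar:
        for member_name, data in files.items():
            info = tarfile.TarInfo(member_name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return path


def demo():
    """Export the layer from the report twice into a temporary directory."""
    files = {"01____add-access-rule.json": b"[]"}   # constructed member
    with tempfile.TemporaryDirectory() as tmp:
        path = write_layer_archive(tmp, "devpacc0018-bs/axi", "2024_02_12_20_34", files)
        try:
            write_layer_archive(tmp, "devpacc0018-bs/axi", "2024_02_12_20_34", files)
            refused = False
        except FileExistsError:
            refused = True
        with tarfile.open(path, "r:gz") as tar:
            return os.path.basename(path), tar.getnames(), refused


if __name__ == "__main__":
    print(demo())
```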

Problem for the groups with same name

Hello,

There is a problem.

If the group to be imported and the group that exists have the same name, the rule adds the existing group, not the renamed group, when importing access-rule.

The groups have different members from each other.

Please fix this.

ERROR: Failed to handle asynchronous tasks as synchronous, tasks result is undefined

Policy Package Import failed to a Domain in R80.10 MDS - following is the error (in italics) happens after importing access-sections -

    Imported 80 out of 114 access-sections (70%)
    Imported 100 out of 114 access-sections (87%)
    Traceback (most recent call last):
      File "import_export_package.py", line 61, in <module>
        import_package(client, args)
      File "/Users/user/Desktop/cpmigration/ExportImportPolicyPackage-master/importing/import_package.py", line 52, in import_package
        layers_to_attach = import_objects(args.file, client, {})
      File "/Users/user/Desktop/cpmigration/ExportImportPolicyPackage-master/importing/import_objects.py", line 103, in import_objects
        import_objects(rulebase_object_file.name, client, changed_layer_names, layer_name)
      File "/Users/user/Desktop/cpmigration/ExportImportPolicyPackage-master/importing/import_objects.py", line 94, in import_objects
        changed_layer_names, api_call, num_objects, client)
      File "/Users/user/Desktop/cpmigration/ExportImportPolicyPackage-master/importing/import_objects.py", line 335, in add_object
        publish_reply = client.api_call("publish", wait_for_task=True)
      File "/Users/user/Library/Python/2.7/lib/python/site-packages/cpapi/mgmt_api.py", line 352, in api_call
        res = self.__wait_for_task(res.data["task-id"])
      File "/Users/user/Library/Python/2.7/lib/python/site-packages/cpapi/mgmt_api.py", line 510, in _wait_for_task
        task_result)
    cpapi.api_exceptions.APIException: ERROR: Failed to handle asynchronous tasks as synchronous, tasks result is undefined

Can't export log track

Can anyone explain why this can't export these track logs?

my policy before export
2022-02-23_11-17-36

my policy after import
2222

many thanks!

Identical filename for 01____add-access-rule* in Security and Application rulebase

Hi,

I have an issue with the following filenames. If I run your export-script, I get a policyexport.tar.gz, which contains three additional tar.gz-files:

  1. export__nat_layer__POLICY__2018_01_18_17_05.tar.gz
  2. exported__access_layer__POLICY Security*.tar.gz
  3. exported__access_layer__POLICY Application*.tar.gz

I don't have anything to complain about 1.
For 2. and 3., I have two issues:

  • a minor one, the naming is not very consistent. In my opinion, you should add __ after POLICY instead of the space (consistent to 1.)
  • if I extract both files (2., 3.), the filenames are identical:

        -rw-r----- 1 user group    873 Jan 18 17:22 01____add-access-rule__2018_01_18_17_05.json
        -rw-r----- 1 user group    507 Jan 18 17:22 01____add-access-rule__2018_01_18_17_05.csv

So basically, if I want to export both at the same time, the last extracted files will overwrite the first extracted ones.

Can you please slightly rename those files in the tarballs? Thanks!

best regards,
Peter

bug with option --force

Hi

bug with option --force crash
"len(self.options) no length for type None "

in:

    def display(self):
        Menu.menu_print(self.title, 1)
        for i in range(1, len(self.options)):

I solved adding
if self.options:

    def display(self):
        Menu.menu_print(self.title, 1)
        if self.options:
            for i in range(1, len(self.options)):

Export and Import Manual NAT

Can we export and import using this tool for Manual NAT?
I tried to export and import policy, but Manual NAT was missed in imported policy.

bulk import of new objects

hello it seems that it doesn't leverage bulk add-host, etc feature on higher version of API, it would improve overall speed of import process.

can't import rule with a group in Install-On

We have many rules with groups in the install on.
The script has properly imported the group with dummy objects in it.
However, it fails to import rules that use this group in "Install On"

Option for exporting non-user-created data does not work

It is not implemented in code, basically.

If I try to export policy with system-created services (like ssh, ldap etc.), they will not be added to the resulting tar.gz, which contradicts the description of default system behavior.

The problem is in "should_export" function in export_objects.py

    return "domain" in obj and obj["domain"]["domain-type"] in ["domain", "global domain"]

should be changed to

    return "domain" in obj and obj["domain"]["domain-type"] in ["domain", "global domain", "data domain"]

Also, this:

    parser.add_argument("--non-user-created", required=False, default="false", choices=["true", "false"],
                        help="Indicates whether to show only user created data.\nDefault: true")

Error importing Updatable-Objects - R81.10

    Traceback (most recent call last):
      File "import_export_package.py", line 67, in <module>
        import_package(client, args)
      File "/home/admin/ExportImportPolicyPackage-5.5/importing/import_package.py", line 56, in import_package
        layers_to_attach = import_objects(args.file, client, {}, package, None, args)
      File "/home/admin/ExportImportPolicyPackage-5.5/importing/import_objects.py", line 198, in import_objects
        changed_layer_names, api_call, num_objects, client, args, package)
      File "/home/admin/ExportImportPolicyPackage-5.5/importing/import_objects.py", line 413, in add_object
        debug_log("Failed to update updatable objects repository "%s"" % updatable_objects_repository_reply.error_message, True, True)
    AttributeError: 'APIResponse' object has no attribute 'error_message'

How to increase session timeout for API?

Hi,
We're using this tool.
There are so many objects in a group object in a rule.
So, it stops on the way to loading due to expired session timeout.
How to increase session timeout? As far as I know it is default 600.
Please refer the following screenshot.
screenshot

Regards,

Support for Smart1-cloud

Can not log into Smart1 Cloud for pushing policy / items to Smart1-Cloud. Suspect it's associated with different requirement to specify DNS name for management endpoint location and context id that is not captured / passed for login.

Cant import access-roles - error "Unrecognized parameter [remote-access-client]"

Using latest Version - V5.0 -

I am not able to import a policy with access roles -

Error

Failed to import access-role with name [VSEC-EXT-SUP-INTRANET]. Error: code: generic_err_invalid_parameter_name
message: Unrecognized parameter [remote-access-client]

It seems that the "add access role" API command (which I assume is used in the background) is using a wrong/incomplete parameter for the remote access client part.

parameter has to be "remote-access-clients" ( ... with an "s" at the end ) ?
(https://sc1.checkpoint.com/documents/latest/APIs/#cli/add-access-role~v1.8%20)

thanks
Martin

Update minimum requirements for this script

It's pretty clear that current versions of this tool (after 5.0) do not run on older systems.
Refer to the following thread: https://community.checkpoint.com/t5/Management/R81-10-Export-Import-policy-package/m-p/145368/highlight/true#M30311

I suggest the following (hopefully) small changes, mostly documentation related.

  • First, current versions should check if Python3 is used and print a useful error message if the version isn't v3.7 (or whatever the required minimum version is).
  • Instructions should be clear that Python3 is REQUIRED and how to obtain it for Check Point management (e.g. apply recent JHF on R80.40 and above)
  • Provide a link to the last version that runs correctly on Python2 for older management versions.

bad indent

    python import_export_package.py -h
    Traceback (most recent call last):
      File "import_export_package.py", line 9, in <module>
        from importing.import_package import import_package
      File "/home/admin/export_import/importing/import_package.py", line 6, in <module>
        from importing.import_objects import import_objects, add_tag_to_object_payload
      File "/home/admin/export_import/importing/import_objects.py", line 983
        elif field in ["inline-layer", "host", "exception-group-name", "rule-name", "action"]:
        ^

Issue importing Threat Prev Profile

I am aware of the issue already posted where a shared Threat Prevention Layer fails to import. I attempted to get around it by creating an unshared Threat Prevention Layer with the same profiles. When exporting, the Threat Profiles seem to export successfully, but getting the below error messages when trying to import. ("threat_profile_name" substituted)

Failed to import threat-profile with name [threat_profile_name]. Error: message: Invalid parameter for [overrides]. Invalid value
code: generic_err_invalid_parameter

Failed to import threat-rule. Error: message: Requested object [threat_profile_name] not found
code: generic_err_object_not_found

I'm not very Python/CPapi savvy or I might be able to correct this from the source code.

What is import error message?

Failed to import access-rule with name [ICO-20170201-530]. Error: EOF occurred in violation of protocol (_ssl.c:661)

Unable to export policy R81 - Policy not found

Process prior to issue:

Existing R80.20 VM:

  1. run a migrate export

Created new R80.20 VM:
2. imported the policy from Step 1 above.
3. Tested export of policy using import_export tool - success
3. Upgraded VM to R81 JHF T36
4. Attempted to export an existing package "DMZ-FW-POLICY":

[Expert@check_point_mng:0]# mgmt_cli -r true show packages
packages: 
- uid: "20c1a0d6-2136-4b68-a292-045efe5be989"
  name: "**_DMZ-FW-POLICY_**"
  type: "package"
  domain: 
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
- uid: "8c0e10a6-fad7-4238-ae58-6d70fe6d3150"
  name: "FW-2200-POLICY"
  type: "package"
  domain: 
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
- uid: "4ac80585-e138-43dd-8680-34a00b8cf262"
  name: "FW-4600-POLICY"
  type: "package"
  domain: 
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
- uid: "2214aa5e-264e-410f-92ac-3587cbce4b46"
  name: "Merged-Policy"
  type: "package"
  domain: 
    uid: "41e821a0-3720-11e3-aa6e-0800200c9fde"
    name: "SMC User"
    domain-type: "domain"
  icon: "Blades/Access"
  color: "black"
from: 1
to: 4
total: 4

[Expert@check_point_mng:0]# /opt/CPsuite-R81/fw1/Python/bin/python3.7 /home/admin/ExportImportPolicyPackage-master/import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
DMZ-FW-POLICY
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
2
The script will run with the following parameters:
Export Access-Control layers = True
Export NAT layers = True
Export Threat-Prevention layers = True
Export HTTPS Inspection layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
You currently do not have a record of this server's fingerprint.
Server's fingerprint: F6A5B69661ACA067CFE159FD6282D41137D9FBE3
Do you accept this fingerprint? [y/n] y
Fingerprint saved.

No package named 'DMZ-FW-POLICY' found. Cannot export.

  1. Attempted to export a different policy: "Merged Policy" however an error occurred after retrieving the Access Layer:

[Expert@check_point_mng:0]# /opt/CPsuite-R81/fw1/Python/bin/python3.7 /home/admin/ExportImportPolicyPackage-master/import_export_package.py

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
Please enter a Policy Package name to export:
Merged-Policy   
Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
2
The script will run with the following parameters:
Export Access-Control layers = True
Export NAT layers = True
Export Threat-Prevention layers = True
Export HTTPS Inspection layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
99. Back
2
Exporting Access Control layers

Exporting Access Layer [Merged-Policy Security]

Retrieved 50 out of 532 rules (9%)

Retrieved 100 out of 532 rules (18%)

Retrieved 150 out of 532 rules (28%)

Retrieved 200 out of 532 rules (37%)

Retrieved 250 out of 532 rules (46%)

Retrieved 300 out of 532 rules (56%)

Retrieved 350 out of 532 rules (65%)

Retrieved 400 out of 532 rules (75%)

Retrieved 450 out of 532 rules (84%)

Retrieved 500 out of 532 rules (93%)

Retrieved 532 out of 532 rules (100%)

Traceback (most recent call last):
  File "/home/admin/ExportImportPolicyPackage-master/import_export_package.py", line 61, in <module>
    export_package(client, args)
  File "/home/admin/ExportImportPolicyPackage-master/exporting/export_package.py", line 44, in export_package
    = export_access_rulebase(show_package.data["name"], access_layer["name"], access_layer["uid"], client, timestamp, tar_file)
  File "/home/admin/ExportImportPolicyPackage-master/exporting/export_access_rulebase.py", line 16, in export_access_rulebase
    get_query_rulebase_data(client, "access-rulebase", {"name": layer, "uid": layer_uid, "package": package})
  File "/home/admin/ExportImportPolicyPackage-master/exporting/export_objects.py", line 115, in get_query_rulebase_data
    check_for_export_error(general_object, client)
  File "/home/admin/ExportImportPolicyPackage-master/utils.py", line 465, in check_for_export_error
    general_object["type"] not in singular_to_plural_dictionary[client.api_version]):
KeyError: '1.7.1'
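
The traceback above ends in a `KeyError` because the API version the server reported (`'1.7.1'`) is not a key of a version-keyed table. The following is an added example, not the tool's own code or its maintainers' fix: one way to resolve an unlisted version to the nearest older known one, using a constructed table and hypothetical function names (`parse_version`, `resolve_version`, `plural_for`).

```python
import logging

log = logging.getLogger("export_example")

# Constructed stand-in for a table keyed by Management API version; the keys
# and contents are assumptions for this example, not the tool's real data.
SINGULAR_TO_PLURAL = {
    "1": {"host": "hosts"},
    "1.1": {"host": "hosts", "network": "networks"},
    "1.6.1": {"host": "hosts", "network": "networks", "group": "groups"},
    "1.7": {"host": "hosts", "network": "networks", "group": "groups",
            "access-rule": "access-rules"},
}


def parse_version(text):
    """Turn '1.7.1' into (1, 7, 1) so that '1.10' sorts after '1.9'."""
    parts = text.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError("not a dotted numeric version: %r" % text)
    numbers = [int(p) for p in parts]
    while len(numbers) > 1 and numbers[-1] == 0:  # treat '1.0' the same as '1'
        numbers.pop()
    return tuple(numbers)


def resolve_version(table, reported):
    """Return the table key to use for the version the server reported."""
    if reported in table:
        return reported
    wanted = parse_version(reported)
    older = [key for key in table if parse_version(key) <= wanted]
    if not older:
        raise LookupError("no table entry at or below API version %s" % reported)
    chosen = max(older, key=parse_version)
    # A fallback can miss object types added in the newer version, so make it
    # visible instead of exporting a possibly incomplete policy silently.
    log.warning("API version %s unknown, using table for %s", reported, chosen)
    return chosen


def plural_for(table, reported, object_type):
    """Look up the plural API name for object_type, or None if unknown."""
    return table[resolve_version(table, reported)].get(object_type)
```

Because a fallback table may lack object types introduced in the newer API version, an export produced this way should be compared against the source policy before it is imported elsewhere.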
