CheckPointSW/ExportImportPolicyPackage

Some issues

incubenet opened this issue · 17 comments

Hi,

I'm a CheckPoint Partner engineer.
I'm testing this tool, and I have an issue.

  1. I'm going to compare the original rule and the new rule.
    In some rules, the order of the objects is different in the source or destination.
    And it is difficult to compare them.
    Is the order changed during export and import?

  2. Some rules failed to import with the following error.
    "Failed to import access-rule with name [ICD-20170601-1]. Error: [Errno 10053]"

  3. Some sections are created duplicated.
    In other words, the sections are created twice.

Would you check my question and issues?

Regards,

Sure, we'll check your issues.
Can you please provide an example screenshot for issues 1 and 2? What do the rules look like?
Regarding issue 3, where is the duplicated section created - along with the original section or somewhere else?
One more thing - we need the output log file - import_export.log.
Thanks.

I'm sorry, I cannot see the attachments...

Hi,
issue 1 - strange, we do not change the order of objects. Our tests work correctly.
issue 2 - Errno 10053 (timeout) - network connection error, not related to the tool.
issue 3 - this is a bug - will be fixed ASAP.

I upload the attachment again.

original policy
after import policy
import_export.log

Please perform the following steps for investigating issue 1 -

  1. unpack the tar.gz file created during the export operation.

  2. inside, there is/are additional tar.gz file(s) named 'exported__access_layer__XXX.tar.gz'.

  3. select the file where XXX contains the name of the correct access layer (Network is the default) and unpack too.

  4. you should have 'XXX_add-access-rule_XXX.json' file. This file has all relevant rules information in JSON format.

  5. locate the rule with position 21, as in your screenshot ("position": 21).

  6. copy this rule information (between { ... }) and attach here for examination. Something like this -

    {
    "track.type": "None",
    "enabled": true,
    "track.per-connection": false,
    "content.0": "Any",
    "content-direction": "any",
    "track.alert": "none",
    "content-negate": false,
    "source.0": "host_1",
    "source.3": "N-mgmt-net-kista",
    "source-negate": false,
    "source.4": "net1",
    "source.2": "N-client-network",
    "track.accounting": false,
    "position": 1,
    "install-on.0": "Policy Targets",
    "comments": "",
    "custom-fields.field-1": "",
    "custom-fields.field-3": "",
    "custom-fields.field-2": "",
    "destination.8": "CPDShield",
    "destination-negate": false,
    "vpn.0": "Any",
    "destination.7": "network_10.11.0.0_24",
    "destination.6": "host_209.134.191.19",
    "destination.5": "Interface_LAN_subnets",
    "destination.4": "IPv6_Link_Local_Hosts",
    "destination.3": "DMZNet",
    "destination.2": "AuxiliaryNet",
    "destination.1": "ASA-CSL",
    "destination.0": "Internet",
    "service.2": "Backage",
    "service.3": "AT-Defender",
    "service.0": "AOL",
    "service.1": "Blubster",
    "service-negate": false,
    "track.per-session": false,
    "source.1": "host_2",
    "time.0": "Any",
    "action": "Accept",
    "action-settings.enable-identity-captive-portal": false
    },

Thanks.
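The unpacking steps above, as an added Python example (not part of the original comment and not the tool's own code): it walks the nested archives, returns the rule at a given position, and rebuilds each cell in numeric index order, since as plain strings `source.10` sorts before `source.2`. It assumes the JSON file is an array of flat rule objects like the sample above; the archive built by `sample_export` is constructed, and all function names are hypothetical.

```python
import io, json, re, tarfile

def cell(rule, field):
    """Values of a flattened cell ('source.0', 'source.1', ...) in numeric index order."""
    pat = re.compile(r"^%s\.(\d+)$" % re.escape(field))
    hits = [(int(m.group(1)), v) for k, v in rule.items() if (m := pat.match(k))]
    return [v for _, v in sorted(hits)]

def same_members(a, b, field):
    """True when two rules hold the same objects in a cell, whatever their order."""
    return sorted(cell(a, field)) == sorted(cell(b, field))

def find_rule(export_tgz, layer, position):
    """Outer tar.gz -> layer tar.gz -> add-access-rule JSON (assumed: list of flat dicts)."""
    with tarfile.open(fileobj=export_tgz, mode="r:gz") as outer:
        for m in outer.getmembers():
            if m.name.startswith("exported__access_layer__") and layer in m.name:
                inner_bytes = outer.extractfile(m).read()
                break
        else:
            raise LookupError("no archive for layer %r" % layer)
    with tarfile.open(fileobj=io.BytesIO(inner_bytes), mode="r:gz") as inner:
        for m in inner.getmembers():
            if "_add-access-rule_" in m.name and m.name.endswith(".json"):
                rules = json.load(inner.extractfile(m))
                return next(r for r in rules if r.get("position") == position)
    raise LookupError("no add-access-rule JSON in layer archive")

def _tgz(name, data):
    """Helper for the constructed sample: a one-member tar.gz as bytes."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as t:
        info = tarfile.TarInfo(name)
        info.size = len(data)
        t.addfile(info, io.BytesIO(data))
    return buf.getvalue()

def sample_export():
    """Constructed export: rule 20 with 11 sources, keys deliberately out of order."""
    rule = {"position": 20, "name": "sample-rule", "action": "Accept"}
    for i in (10, 9, 1, 0, 3, 2, 5, 4, 7, 6, 8):
        rule["source.%d" % i] = "host_%d" % i
    rules = json.dumps([{"position": 1, "source.0": "Any"}, rule]).encode()
    inner = _tgz("Network_add-access-rule_sample.json", rules)
    return io.BytesIO(_tgz("exported__access_layer__Network.tar.gz", inner))

if __name__ == "__main__":
    rule = find_rule(sample_export(), "Network", 20)
    print(cell(rule, "source"))
```

Running `find_rule` once against the export taken before the import and once against a fresh export taken after it, then calling `same_members` per cell, separates a pure ordering difference from a rule that actually gained or lost an object.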

Are you sure that it happens in Services column?
According to your screenshots I see the problem in Source column...
Anyway, can you please provide the info I asked for?
Thanks.

Fixed a bug related to rulebase sections duplication - issue 3.
Please check out the updated source, including the linked python library.
Waiting for your input for issue 1.

Dear API team,

The policy was modified, the rule 21 was changed to rule 20.
So, I provide information about the rule 20.

    "track.type": "Log", 
    "content-negate": false, 
    "source.10": "IH-57.170-VDI", 
    "track.per-connection": true, 
    "source.9": "IH-63.58-VDI", 
    "content.0": "Any", 
    "content-direction": "any", 
    "track.alert": "none", 
    "source.1": "IH-57.192-VDI", 
    "source.0": "IH-57.187-VDI", 
    "source.3": "IH-63.25-VDI", 
    "source.2": "IH-57.172-VDI", 
    "source.5": "IH-57.167-VDI", 
    "source.4": "IH-57.250-VDI", 
    "source.7": "IH-63.30-VDI", 
    "source.6": "IH-63.36-VDI", 
    "source-negate": false, 
    "track.accounting": false, 
    "position": 20, 
    "install-on.0": "Policy Targets", 
    "comments": "\ud14c\ub77c\uc2a4\ud2b8\ub9bc \ud3ec\ud2b8(5000) \uc624\ud508 2014.5.12 \ubc31\uc815\ud604\n14-GIB-94180 2014.5.8 \ubc31\uc815\ud604\n15-GIA-64258 2015.05.13 \uc774\uc9c4\uc544\n16-GIB-12218 2016.01.28 \ud669\ubcd1\ub9cc", 
    "custom-fields.field-1": "", 
    "custom-fields.field-3": "", 
    "custom-fields.field-2": "", 
    "destination-negate": false, 
    "vpn.0": "Any", 
    "enabled": true, 
    "time.0": "Any", 
    "destination.2": "CH-201.20.19.97-ocb97", 
    "destination.1": "CH-201.20.19.99-ocb99", 
    "destination.0": "CH-201.20.19.131-ocb13", 
    "service.0": "sybase5000", 
    "service.1": "MySQL", 
    "name": "ICD-20170201-19", 
    "source.8": "IH-63.49-VDI", 
    "service-negate": false, 
    "track.per-session": false, 
    "action": "Accept", 
    "action-settings.enable-identity-captive-portal": false

Regards,

Is there any update?

Hi,
As I mentioned above, issue 3 is fixed and delivered. You can download and use the new code.
Make sure that Python SDK is also downloaded (it is updated too).
We are still checking the problem in issue 1 and will inform you when ready.
Meanwhile, please verify that the sections duplication is solved.
Thanks.

#3 issue is fixed.
I'm waiting for #1 issue

Great. We will inform on issue 1 ASAP.

Hi,
After an intensive investigation we found the problem in issue 1. The problem occurs for rule cells with more than 10 items. The root cause for this problem was a CSV file generated during the export process (contained in the policy tar file).
We are now working on a fix, which hopefully will be delivered during next week.
Thank you for your patience.
APIs team.

A fix is committed.
Please download an updated source.
Thanks!