Check Point provides an official open source tool for exporting and importing Policy Packages.

I wrote a shell script so that this Policy Package export/import tool can be run directly on the management server (the Security Management Server).

It has been tested on R81.10 and R81.20 management servers and works without problems.

Confirm the management server's API source IP

If you do not plan to use the shell script below to run ExportImportPolicyPackage directly on the Security Management Server, you will need to check the allowed source IP for API calls. If you run my shell script directly on the server itself, selecting "Management server only" as the API source should be sufficient.

(Screenshot: API Src)

Export/Import Policy Package

SSH into the Security Management Server and switch to expert mode. Then paste the command line below and follow the menu prompts; that should be all that is needed.

Because the Check Point ExportImportPolicyPackage tool requires you to type a password, if your SSH client mishandles special characters the wrong password may be sent, producing a Login failed error.


/bin/bash <(curl_cli -sSL -k https://cp.birdlex.net/exportimport.sh)
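As an added example (this is not the page's exportimport.sh and not Check Point's tool): a small POSIX shell wrapper that, instead of piping the remote script straight into bash with TLS verification disabled (-k), first saves it to a temporary file with certificate checking on, compares its SHA-256 with a value you obtained separately, and only then runs it. The expected hash is a placeholder you must supply yourself; curl_cli is assumed to be Gaia's curl binary, as in the one-liner above (use plain curl elsewhere).

```shell
#!/bin/sh
# Added example, not the page's own script: download, verify SHA-256, then run.
# Assumptions: curl_cli is Gaia's curl; the expected hash is supplied by the caller
# (placeholder, obtain it out-of-band from the script author).

# Print the SHA-256 of a file (sha256sum on Linux/Gaia, shasum fallback elsewhere).
file_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# Return 0 when the file's SHA-256 equals the expected hash (case-insensitive), 1 otherwise.
verify_sha256() {
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    actual=$(file_sha256 "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Download the script to a file with TLS verification enabled; -f fails on HTTP errors.
fetch_script() {
    url="$1"
    out="$2"
    curl_cli -fsSL "$url" -o "$out"
}

# Fetch, verify, then run. On download failure or hash mismatch nothing is executed.
fetch_verify_run() {
    url="$1"
    expected="$2"
    tmp=$(mktemp /tmp/exportimport.XXXXXX) || return 1
    if ! fetch_script "$url" "$tmp"; then
        echo "download failed, nothing executed" >&2
        rm -f "$tmp"
        return 1
    fi
    if ! verify_sha256 "$tmp" "$expected"; then
        echo "SHA-256 mismatch, refusing to run $tmp" >&2
        rm -f "$tmp"
        return 1
    fi
    /bin/bash "$tmp"          # the tool's interactive menu appears here as usual
    status=$?
    rm -f "$tmp"
    return $status
}

# Usage: sh fetch_run.sh https://cp.birdlex.net/exportimport.sh <expected-sha256>
if [ "$#" -eq 2 ]; then
    fetch_verify_run "$1" "$2"
fi
```

The interactive menu behaves exactly as in the walkthrough below, because the downloaded script is still started with /bin/bash; the only difference is that a tampered or truncated download is refused before anything runs.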

Export a Policy Package

# 1. Choose import or export: enter 1 to import, 2 to export

Welcome to the Policy Package Import/Export Tool.
What would you like to do?
1. Import a package
2. Export a package
99. Exit
2
# 2. Enter the Policy Package name
# Note: the name is case sensitive

Please enter a Policy Package name to export:
Standard
# 3. Enter 1 to type the credentials manually

Please select a login method:
1. Enter user credentials manually
2. Login as Root
3. Use an existing session file
4. Use an existing session UID
99. Back
1
# 4. Confirm the settings are correct, then enter 2 to run

The script will run with the following parameters:
Export Access-Control layers = True
Export NAT layers = True
Export Threat-Prevention layers = True
Export HTTPS Inspection layers = True
Output-file name = None
Management Server IP = 127.0.0.1
Management Server Port = 443
Management Server Domain = None
1. Change Settings
2. Run
2
# 5. Enter the username and password

Please enter your username:
admin

Please enter your password:

The exported Policy Package file is saved under ~/script/ExportImportPolicyPackage-5.8.1/.
