Check Point Policy Migration
Migrating firewall policies to Check Point can follow two main paths. Check Point-to-Check Point migration typically uses the Migration Tool outlined in sk180923, which ensures a smooth transfer of configuration between versions or appliances. For migrations from other firewall vendors, Check Point offers the SmartMove tool described in sk115416, which automates the conversion of rules from platforms like Cisco ASA, Fortinet, and Palo Alto into Check Point format.
Between Check Point
First, download the two required files stated in the SK and copy them to the Management Server.
Here we put them in the ‘/home/admin/cp’ directory along with the exported policy files, then set the PYTHONPATH environment variable to point to the Python SDK:
export PYTHONPATH=$PYTHONPATH:/home/admin/cp/cp_mgmt_api_python_sdk-master/
Next, we run the tool with an additional parameter that makes it skip all existing objects, then select import and point it to the exported policy:
python3 ExportImportPolicyPackage-master/import_export_package.py --skip-duplicate-objects True
Next, all we need to change is the custom name for the imported package, then select run.
Now all the objects, policies, and NAT rules have been imported as a new policy package.
From Different Firewall
First, download the ‘Check Point SmartMove Tool’ file from the SK and place it on our Windows machine along with the exported policy.
Run the tool, select the source vendor, and point it to the exported policy.
After running the tool, we get a set of output files, some of which are reports of the conversion results.
This one shows all the successfully converted objects.
This one is for the NAT rules.
This one is for the policy rules.
And this one is also for the policy rules, but optimized in a way that Check Point considers more organized and tidy.
Next, copy xnet1_object.sh and xnet1_policy.sh to the management server, run dos2unix to convert them from DOS/Windows format to Unix format, and give them 777 permission:
dos2unix xnet1_object.sh xnet1_policy.sh
chmod 777 xnet1_object.sh xnet1_policy.sh
And finally, we run the scripts, starting with the object one.
And then the policy one.
In SmartConsole, we will see that the objects, NAT, and policy rules have been imported as a new policy package.
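The dos2unix, permission and run-order steps above can be wrapped in a pre-flight check. This is an added example, not part of SmartMove or the original post; it assumes GNU stat and grep on the management server, and the function names are hypothetical. It refuses a script that still has CR bytes or that is writable by group or other (which mode 777 is), so it expects chmod 700, and it runs the policy script only if the object script exits successfully.

```shell
#!/bin/sh
# Added example, not SmartMove code. Assumes GNU stat and grep.
# Function names are hypothetical.

# check_script FILE: return 0 only if FILE is ready to execute.
check_script() {
    f="$1"
    if [ ! -f "$f" ] || [ -L "$f" ]; then
        echo "FAIL $f: not a regular file" >&2; return 1
    fi
    # CR bytes mean the Windows line endings are still there.
    if grep -q "$(printf '\r')" "$f"; then
        echo "FAIL $f: CR bytes present, run dos2unix first" >&2; return 1
    fi
    # Octal 022 = write bits for group and other; 777 fails, 700 passes.
    mode=$(stat -c %a "$f")
    if [ $((0$mode & 022)) -ne 0 ]; then
        echo "FAIL $f: mode $mode is writable by group or other" >&2; return 1
    fi
    if [ ! -x "$f" ]; then
        echo "FAIL $f: execute bit missing" >&2; return 1
    fi
    echo "OK $f (mode $mode)"
}

# run_in_order OBJECT_SCRIPT POLICY_SCRIPT (paths containing a slash).
# Both scripts are checked before either one is executed.
run_in_order() {
    check_script "$1" && check_script "$2" || return 1
    "$1" || { echo "object script failed, policy script not run" >&2; return 1; }
    "$2"
}

# Stand-alone use: sh preflight.sh ./xnet1_object.sh ./xnet1_policy.sh
if [ "$#" -eq 2 ]; then
    run_in_order "$1" "$2"
fi
```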