Saving the Check Point source configuration file

Before starting the conversion wizard, save a copy of your Check Point configuration file to the computer where FortiConverter is installed.

To acquire the configuration, download the following files from the management system and make sure they are in text format. FortiConverter cannot read binary files.

Use the following command to find the files:

# find / -name "filename"

1. Both Checkpoint Smart Center & Gateways with version before R80.10

2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

4. Provider-1 to FortiGate conversion

5. Provider-1 to FortiManager conversion

1. Both Checkpoint Smart Center & Gateways with version before R80.10

  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
  • Route information (optional) – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • User and user groups file (optional) – "fwauth.NDB"
  • Identity role file (optional) – Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • ifconfig file (optional, for VLAN ID consistency) – Helps the converter to determine the user-set VLAN ID for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a", then copy and paste the output into a plain text file.

File paths:

| File | File name | Path |
| --- | --- | --- |
| Object definitions | objects_5_0.C (Check Point NG/NGX), objects.C (Check Point 4.x) | $FWDIR/conf |
| Policy and rule definitions | rulebases_5_0.fws, <package name>.W | $FWDIR/conf |
| User and user group file | fwauth.NDB | $FWDIR/conf/ or $FWDIR/database/ |
| Identity role file | identity_roles.C | $FWDIR/conf/ |
| Route information | NA | Save output of route print command from firewall |
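
The collection step for the pre-R80.10 layout above can be scripted. The following is an added example, not Fortinet or Check Point code: it copies the files named in the table from a conf directory, rejects any that are empty or contain NUL bytes (FortiConverter cannot take binary files), and writes a SHA-256 manifest so the copies can be verified after transfer. The function names, the staging directory and the availability of sha256sum are assumptions.

```shell
#!/bin/sh
# Added example: stage the Check Point source files listed on this page.
# Function names and the staging directory are hypothetical.

# is_text FILE: true when FILE is non-empty and contains no NUL bytes.
is_text() {
    [ -s "$1" ] || return 1
    total=$(($(wc -c < "$1")))
    clean=$(($(tr -d '\000' < "$1" | wc -c)))
    [ "$total" -eq "$clean" ]
}

# stage_cp_files CONF_DIR OUT_DIR
# Copies the expected files from CONF_DIR (normally $FWDIR/conf) into OUT_DIR
# and writes OUT_DIR/SHA256SUMS. Succeeds only when at least one object file
# and one policy file were staged and no file was rejected.
# The body runs in a subshell so the umask change stays local.
stage_cp_files() (
    conf_dir=$1; out_dir=$2
    have_objects=0; have_policy=0; rejected=0
    umask 077                      # staged copies hold policy and user data
    mkdir -p "$out_dir" || exit 2
    for src in "$conf_dir"/objects_5_0.C "$conf_dir"/objects.C \
               "$conf_dir"/rulebases_5_0.fws "$conf_dir"/*.W \
               "$conf_dir"/fwauth.NDB "$conf_dir"/identity_roles.C; do
        [ -f "$src" ] || continue  # optional file or unmatched glob
        name=${src##*/}
        if ! is_text "$src"; then
            echo "rejected (empty or binary): $name" >&2
            rejected=1
            continue
        fi
        cp "$src" "$out_dir/$name" || exit 2
        case $name in
            objects_5_0.C|objects.C) have_objects=1 ;;
            rulebases_5_0.fws|*.W)   have_policy=1 ;;
        esac
    done
    [ "$have_objects" -eq 1 ] || echo "no object definitions staged" >&2
    [ "$have_policy" -eq 1 ]  || echo "no policy rulebase staged" >&2
    # Manifest of the staged copies (assumes sha256sum is installed).
    ( cd "$out_dir" && for f in *; do
          [ "$f" = SHA256SUMS ] || sha256sum "$f"
      done > SHA256SUMS )
    [ "$have_objects" -eq 1 ] && [ "$have_policy" -eq 1 ] && [ "$rejected" -eq 0 ]
)

# Usage on the management server: stage_cp_files "$FWDIR/conf" ./cp-export
```

After copying the staging directory to the FortiConverter machine, `sha256sum -c SHA256SUMS` run inside it confirms the files arrived unchanged.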


2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

  • Policy and rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (see the screenshots below).
  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Route information (optional) – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • User and user groups file (optional) – "fwauth.NDB"
  • Identity role file (optional) – Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • ifconfig file (optional, for VLAN ID consistency) – Helps the converter to determine the user-set VLAN ID for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a", then copy and paste the output into a plain text file.

File paths:

| File | File name | Path |
| --- | --- | --- |
| Object definitions | objects_5_0.C (Check Point NG/NGX), objects.C (Check Point 4.x) | $FWDIR/conf |
| User and user group file | fwauth.NDB | $FWDIR/conf/ or $FWDIR/database/ |
| Identity role file | identity_roles.C | $FWDIR/conf/ |
| Route information | NA | Save output of route print command from firewall |

[Screenshot: Export Policy file (CSV format)]

[Screenshot: Export NAT file (CSV format)]

Note: Alternatively, you can download the policy and rule definitions file "rulebases_5_0.fws" from the following path if you want to cross-verify it against the CSV file: $FWDIR/conf/rulebases_5_0.fws

3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

  • Policy and rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (see the screenshots above).
  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Route information (optional) – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • User and user groups file (optional) – "fwauth.NDB"
  • Identity role file (optional) – Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • ifconfig file (optional, for VLAN ID consistency) – Helps the converter to determine the user-set VLAN ID for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a", then copy and paste the output into a plain text file.

File paths:

| File | File name | Path |
| --- | --- | --- |
| Object definitions | objects_5_0.C (Check Point NG/NGX) | /opt/CPR77CMP-R80/conf |
| Policy and rule definitions | rulebases_5_0.fws, <package name>.W | /opt/CPR77CMP-R80/conf |
| User and user group file | fwauth.NDB | /opt/CPR77CMP-R80/conf |
| Identity role file | identity_roles.C | /opt/CPR77CMP-R80/conf |
| Route information | NA | Save output of route print command from firewall |

Note: Alternatively, you can download the policy and rule definitions file "rulebases_5_0.fws" from the following path if you want to cross-verify it against the CSV file: /opt/CPR77CMP-R80/conf

4. Provider-1 to FortiGate conversion

Usually used when converting a single Check Point firewall to a FortiGate. In this case, choose the "Smartcenter" option when doing the conversion.

4.1 Both MDS/CMA & Gateways are on version before R80.10

When MDS is running with multiple CMA domains and a single CMA needs to be converted to FortiGate, refer to Section 1 to fetch the files.

4.2 Both MDS/CMA & Gateways are on version R80.10 Or later

When MDS is running with multiple CMA domains and a single CMA needs to be converted to FortiGate, refer to Section 2 to fetch the files.

4.3 MDS/CMA is on R80.10 but Gateways running below R80 such as R77

  • The policy and NAT CSV files can be fetched as described above, because the management server is running R80.
  • The paths for the object definitions and user files are listed in the table below.

File paths:

| File | File name | Path |
| --- | --- | --- |
| Object definitions | objects_5_0.C (Check Point NG/NGX) | /opt/CPmds-R80/customers/<CMA_Server>/CPR77CMP-R80/conf/ |
| Policy and rule definitions | rulebases_5_0.fws, <package name>.W | /opt/CPmds-R80/customers/<CMA_Server>/CPR77CMP-R80/conf/ |
| User and user group file | fwauth.NDB | /opt/CPmds-R80/customers/<CMA_Server>/CPR77CMP-R80/conf/ |
| Route information | NA | Save output of route print command from firewall |

Note: Alternatively, you can download the policy and rule definitions file "rulebases_5_0.fws" from the following path if you want to cross-verify it against the CSV file: /opt/CPmds-R80/customers/<CMA_Server>/CPR77CMP-R80/conf/

5. Provider-1 to FortiManager conversion

Usually used when converting multiple Check Point firewall configurations to FortiManager output. In this case, use the "Provider-1" option when doing the conversion.

  • MDS definitions – "mdss.C" This file contains the MDS hierarchy.
  • MDS object definitions – "objects_5_0.C" This file contains the definition of domains in each MDS.
  • Global object definitions – "objects_5_0.C" This file contains the definition of objects used in global policies.
  • Global policy rule bases – "rulebases_5_0.fws" This file contains the definition of global policies.
  • Global policy assignments – "customers.C"
  • CMA domain files – Every CMA needs a set of "objects_5_0.C", "rulebases_5_0.fws" and "fwauth.NDB"(optional) files as the input.

File paths:

| File | File name | Path |
| --- | --- | --- |
| MDS definitions | mdss.C | $MDSDIR/conf/mdsdb |
| MDS object definitions | objects_5_0.C | $MDSDIR/conf/mdsdb |
| Global object definitions | objects_5_0.C | $MDSDIR/conf/ |
| Global policy rule bases | rulebases_5_0.fws | $MDSDIR/conf/ |
| Global policy assignments | customers.C | $MDSDIR/conf/mdsdb |
| CMA object definitions | objects_5_0.C | Path format: "/opt/<mds name>/customers/<Domain mgmt. server name>/<CMA>/<fw name>/conf", e.g. "opt\CPmds-R76\customers\domain-1_Management_Server\CPsuite-R76\fw1\conf" |
| CMA policy rulebases | rulebases_5_0.fws | |

