Check Point Start options

This table lists the start settings, grouped by section. Each setting name is followed by its description.

Profile

Description

Enter a description of the configuration.

Output Options

Output Format

Select the output format appropriate for your target Fortinet device.

FOS Version

The configuration syntax differs slightly among FortiOS 6.2, 6.4, 7.0 and 7.2. Select the version that matches the FortiOS version running on the target device.
Smart Center and VSX Input

Before R80.10

Select this option if the configuration is from a SmartCenter device running a version earlier than R80.10.

R80.10 or later

Select this option if the configuration is from a SmartCenter device running R80.10 or later.

JSON Export

Select this option if the configuration is an archived JSON file exported from the Check Point "ShowPolicyPackage" tool.

Object Definition File (objects_5_0.C)

Select the object definition file. This file should include the definitions of firewalls, interfaces and firewall objects.

Policy Information File (Standard.W or rulebases_5_0.fws)

Select the policy information file. This file should include the policy information and the manual NAT rules in each policy package. It is only needed when "Before R80.10" is selected.

Policy File (CSV Format) (R80.10 or later)

Select the policy file in CSV format. This is only needed when "R80.10 or later" is selected.

NAT File (CSV Format) (R80.10 or later)

Select the NAT rule file in CSV format. This is only needed when "R80.10 or later" is selected.

[Optional] User & User Group File (fwauth.NDB)

Select the user and user group file.

[Optional] Identity Role File (identity_roles.C)

Select the identity role file. (SmartCenter only)

[Optional] ifconfig File (for VLAN ID consistency)

Select a text file containing the output of the Linux "ifconfig" command. If provided, the file helps FortiConverter determine the VLAN ID of each interface.

Provider-1 Input

MDS Definition File (mdss.c)

Select the MDS definition file. This file should include the MDS hierarchy.

MDS Object File (objects_5_0.c)

Select the MDS object definition file.

Global Policy Object File (objects_5_0.c)

Select the global object definition file. This file should include the definitions of global objects.

Global Policy Rulebase File (rulebases_5_0.fws)

Select the global policy information file. This file should include the policies and the manual NAT rules in each global policy package.

Global Policy Assignment (customer.C)

Select the global policy assignment file.

Target device (Optional)

Target device

Select the model of the target device, or select a device connected to FortiConverter.

Conversion Options

Discard unreferenced firewall objects

Discards firewall objects that no policy references. This option can be useful if your target device has table size limitations. You can view the unreferenced objects that FortiConverter removed on the Tuning page.

Automatically generate policy interfaces

Specifies whether FortiConverter generates policy interfaces using a Check Point route file (for example, a file you obtained using the netstat -nr command). You select the route file on the Policy package page. Check Point policies define rules for network-to-network communication, whereas FortiGate policies define rules for interface-to-interface communication. FortiConverter can use the Check Point route information to determine which interfaces a policy uses. If you disable this option, or route information is not available, FortiConverter uses the "any" interface. Review policies that fall back to "any", because they match the traffic on every interface rather than only on the intended ingress and egress interfaces. This option is disabled in Provider-1 conversion.
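The interface derivation described above, written out as an added example (this is not FortiConverter's code, and the route table is constructed in the Linux netstat -nr layout rather than taken from a real gateway): each policy address is resolved against the longest-prefix route, and a side whose members resolve to different interfaces, or that has no covering route, falls back to "any" just as the option does. The policy dictionary shape and the to_fortios rendering are assumptions for the example.

```python
import ipaddress

# Constructed "netstat -nr" output (Linux/Gaia layout), not taken from any real gateway.
NETSTAT_NR = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
10.10.0.0       0.0.0.0         255.255.0.0     U         0 0          0 eth1
10.10.20.0      10.10.0.254     255.255.255.0   UG        0 0          0 eth1
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth2.100
"""


def parse_netstat_nr(text):
    """Parse 'netstat -nr' lines into (network, interface), longest prefix first."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8:
            continue                       # banner or blank line
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[2]}", strict=False)
        except ValueError:
            continue                       # column header line
        routes.append((net, parts[-1]))
    routes.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return routes


ROUTES = parse_netstat_nr(NETSTAT_NR)


def iface_for(addr, routes):
    """Interface of the most specific route covering addr; 'any' if none covers it."""
    if addr.lower() in ("any", "all"):
        return "any"
    net = ipaddress.ip_network(addr, strict=False)
    for route, iface in routes:
        if route.version == net.version and net.subnet_of(route):
            return iface
    return "any"


def policy_interfaces(policy, routes):
    """Derive FortiGate srcintf/dstintf for a network-to-network Check Point rule.

    If the members of one side resolve to different interfaces, the rule cannot be
    expressed as a single interface pair, so that side falls back to "any".
    """
    src = {iface_for(a, routes) for a in policy["src"]}
    dst = {iface_for(a, routes) for a in policy["dst"]}
    return (src.pop() if len(src) == 1 else "any",
            dst.pop() if len(dst) == 1 else "any")


def to_fortios(policy, routes):
    """Render the interface pair as the opening lines of a FortiOS firewall policy entry (assumed layout)."""
    srcintf, dstintf = policy_interfaces(policy, routes)
    return "\n".join([
        f'    edit {policy["id"]}',
        f'        set srcintf "{srcintf}"',
        f'        set dstintf "{dstintf}"',
    ])
```

The sort by prefix length is what makes the 10.10.20.0/24 route win over 10.10.0.0/16 for a host in that subnet; without it the first matching line in the file would decide. Policies whose output contains "any" on either side are the ones to review by hand after conversion.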
Increase Address and Service Table Sizes for High-End Models

You can customize the maximum table sizes that FortiConverter uses when Adjust table sizes is selected. For more information, see Adjusting table sizes.

Route-based IPSec

Specifies whether route-based IPsec is used for this conversion.

Number of year-long schedules from day in month schedules

Specifies how many years of one-time schedules to generate. The wizard converts Check Point "day in month" schedules into equivalent one-time FortiGate schedules, one per matching day.
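As an added example of the expansion this setting controls (not FortiConverter's own code), the following generates one FortiOS one-time schedule per calendar day that a "day in month" schedule fires on, for the requested number of years. The naming convention, the 31-character name limit and the exact CLI keywords are assumptions to verify against the target FortiOS version; the sample schedule values are constructed.

```python
import calendar
from datetime import date

MAX_NAME = 31  # assumed schedule name length limit; verify on the target FortiOS version


def expand_day_in_month(name, days, start_hm, end_hm, first_year, years):
    """Expand a Check Point 'day in month' time object into FortiOS one-time schedules.

    days      : days of the month the source schedule fires on, e.g. [1, 15]
    start_hm  : daily start time "HH:MM"; end_hm : daily end time "HH:MM"
    Returns (schedule_name, start, end) tuples covering `years` calendar years
    from `first_year`. Days that do not exist in a month (the 31st of a 30-day
    month, 29 February outside leap years) are skipped rather than clamped, so
    the converted schedule never fires on a day the original did not.
    """
    out = []
    for year in range(first_year, first_year + years):
        for month in range(1, 13):
            last_day = calendar.monthrange(year, month)[1]
            for day in sorted(set(days)):
                if not 1 <= day <= last_day:
                    continue
                d = date(year, month, day)
                # Hypothetical naming convention; truncation can collide, so keep `name` short.
                sched_name = f"{name}_{d:%Y%m%d}"[:MAX_NAME]
                stamp = f"{d:%Y/%m/%d}"
                out.append((sched_name, f"{start_hm} {stamp}", f"{end_hm} {stamp}"))
    return out


def render_onetime(schedules):
    """Render the tuples as a 'config firewall schedule onetime' block (assumed CLI layout)."""
    lines = ["config firewall schedule onetime"]
    for sched_name, start, end in schedules:
        lines += [f'    edit "{sched_name}"',
                  f"        set start {start}",
                  f"        set end {end}",
                  "    next"]
    lines.append("end")
    return "\n".join(lines)
```

A schedule on the 31st yields only seven entries per year, and one on the 29th yields eleven or twelve depending on the leap year, which is why the converter needs a year count rather than a single template: the expansion has to be recomputed after the last generated year passes.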
Comment Options

Interface Comment

Specifies whether FortiConverter copies the interface comment from the source configuration to the mapped FortiGate interface.

Address Comment

Specifies whether FortiConverter copies the address comment from the source configuration to the converted FortiGate address.

Service Comment

Specifies whether FortiConverter copies the service comment from the source configuration to the converted FortiGate service.

Policy comment - Add policy package name and rule number

Includes the policy package name, policy rule number and NAT rule number in the comment of each output policy.

Policy comment - Preserve the original comment

Includes the original comment from the source file in the comment of the output policy.

Generate global objects in a separate file

FortiConverter can distinguish global objects in the configuration and write the converted global objects to a separate output file.

Remove self-traffic addresses and policies

Self-traffic policies (rules for traffic to or from the firewall itself) must be configured in Check Point, but they are not necessary in FortiOS. When this option is enabled, FortiConverter comments out self-traffic policies or removes self-traffic addresses from policies.

NAT Merge Options

Ignore firewall policies with all or any addresses when processing NAT rules

Specifies whether FortiConverter ignores firewall policies with an "all" or "any" address when it merges a NAT rule and a firewall policy to create a FortiGate NAT policy. FortiConverter creates new policies in the output configuration wherever a NAT rule and a firewall policy intersect. Because firewall policies that use "all" or "any" as the address intersect with many NAT rules, Fortinet recommends that you ignore them.

Enable Central NAT merge

Specifies whether FortiConverter converts NAT rules to FortiGate central NAT instead of policy-based NAT.

Enable identity match of NAT policy

Specifies whether FortiConverter converts or ignores identity NAT rules in the source configuration. The "range" and "network" address objects in a Check Point configuration can include hide NAT and static NAT. Check Point performs NAT only when a host in the IP range of the address object communicates with a host outside that range. To disable NAT for traffic whose source and destination are both inside the address range, Check Point generates an automatic rule called an "identity NAT rule". By default, FortiConverter excludes this type of rule from the conversion because it performs no NAT after conversion and only generates redundant policies. Enable this option to generate policies based on the identity NAT rules anyway.

Policy index start from 1 instead of 10000

When selected, the policy IDs of converted firewall policies start from 1 instead of 10000.

Split Address group From VPN Phase2 selector

If the remote side of a VPN is not a FortiGate but another vendor's device, using an address group in the VPN phase2 quick mode selector does not work. When this option is enabled, a VPN phase2 object whose selector is an address group is split into multiple phase2 objects, each with a single subnet or range in its selector.
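The split described above, as an added example (not FortiConverter's code): the local and remote group selectors are flattened to their leaf subnets and ranges, nested groups included, and one phase2-interface entry is emitted per local x remote pair so that each selector carries a single subnet or range. The address objects are constructed, the range notation "a-b" and the "_n" naming suffix are assumptions of the example, and the phase2-interface keywords should be verified against the target FortiOS version.

```python
import ipaddress
from itertools import product

# Constructed address objects; a member that names another group is flattened recursively.
ADDRESS_GROUPS = {
    "local_sites":  ["10.1.0.0/24", "10.2.0.0/24"],
    "partner_dc":   ["172.16.5.0/24", "172.16.9.10-172.16.9.20", "partner_mgmt"],
    "partner_mgmt": ["192.168.100.0/28"],
}


def flatten(selector, groups, path=()):
    """Expand a selector (group name, subnet or 'first-last' range) into leaf strings.

    `path` tracks the groups being expanded so a group that contains itself,
    directly or indirectly, is reported instead of recursing forever.
    """
    if selector not in groups:
        return [selector]
    if selector in path:
        raise ValueError(f"address group loop at {selector!r}")
    leaves = []
    for member in groups[selector]:
        leaves.extend(flatten(member, groups, path + (selector,)))
    return leaves


def selector_lines(side, leaf):
    """FortiOS phase2-interface keywords for one selector side ('src' or 'dst')."""
    if "-" in leaf:                                  # range member, "first-last" (assumed notation)
        first, last = leaf.split("-", 1)
        return [f"        set {side}-addr-type range",
                f"        set {side}-start-ip {first}",
                f"        set {side}-end-ip {last}"]
    net = ipaddress.ip_network(leaf, strict=False)  # subnet member, emitted as address + netmask
    return [f"        set {side}-addr-type subnet",
            f"        set {side}-subnet {net.network_address} {net.netmask}"]


def split_phase2(phase2_name, phase1_name, local, remote, groups):
    """Replace one phase2 with group selectors by one phase2 per local x remote leaf pair.

    Returns the list of pairs and the rendered CLI block.
    """
    pairs = list(product(flatten(local, groups), flatten(remote, groups)))
    blocks = []
    for n, (loc, rem) in enumerate(pairs, start=1):
        body = [f'    edit "{phase2_name}_{n}"', f'        set phase1name "{phase1_name}"']
        body += selector_lines("src", loc) + selector_lines("dst", rem) + ["    next"]
        blocks.append("\n".join(body))
    return pairs, "config vpn ipsec phase2-interface\n" + "\n".join(blocks) + "\nend"
```

The number of phase2 objects is the product of the two leaf counts, so a pair of large groups can produce many selectors; the peer must accept the same set of traffic selectors, which is the compatibility problem the option exists to solve.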

Get routing info from source configuration file

Reads the routing information from the source configuration file instead of from the netstat output.

Add prefix to the address objects which will trigger VIP/DNAT

Adds the "v-" prefix to the name of an address object that is referenced by a VIP.

NGFW policy-based mode

When selected, the conversion is performed in NGFW policy-based mode. "firewall policy" becomes "firewall security-policy", and "set application 00000" is generated in policies, which requires manual processing. There are also some other minor differences adapted for the NGFW policy-based CLI.

Enable merging of parent inner layer policy to child policies

When a policy's action is "inner layer" and a child policy in that layer has "any" as its source or destination address, the parent policy's address is applied to the child.

Disable arp-reply for all ippools and vips

Adds "set arp-reply disable" to all IP pool and VIP objects.

NAT Merge Depth

Hide NAT

Static NAT

Rule NAT

Specifies, for each type of NAT, whether FortiConverter merges it with the output firewall policies, and whether the merge matches on object names or object values.

  • Off – FortiConverter converts firewall policies only and does not perform NAT merge for this type of NAT. This is useful for a quick, initial conversion to discover any conversion issues.
  • Object Names – FortiConverter performs NAT merge based on matching address names in firewall policies and NAT rules.
  • Object Values – FortiConverter performs NAT merge based on matching address values in firewall policies and NAT rules. It produces the most accurate matching of NAT rules and policies, but in most cases it also generates more NAT policies.

Because a conversion that includes a large number of NAT rules can take FortiConverter several hours, Fortinet recommends that you turn off or limit NAT merge for the initial conversion. Resolve any issues with that conversion before you run it again with NAT merge enabled. For more information, including example matches, see NAT merge options.
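An added example of the intersection logic behind the NAT merge settings above, the "Ignore firewall policies with all or any addresses" option and the identity NAT rule handling (this is a model for illustration, not FortiConverter's implementation, and the address objects, policies and NAT rules are constructed). Matching by object names only finds rules that reuse the policy's exact objects; matching by values also finds the static NAT on web1 behind a policy written for dmz_net, at the cost of more merged policies, and a catch-all "any" policy intersects every rule, which is why the page recommends ignoring such policies. The identity rule, when included, merges into a policy that performs no translation.

```python
import ipaddress

# Constructed Check Point-style objects: name -> concrete networks (not from any real policy).
OBJECTS = {
    "web1":        ["10.1.1.10/32"],
    "dmz_net":     ["10.1.1.0/24"],
    "lan_net":     ["10.2.0.0/16"],
    "partner_net": ["198.51.100.0/24"],
    "internet":    ["0.0.0.0/0"],
    "any":         ["0.0.0.0/0"],
}

# Access rules: lists of address object names on each side.
POLICIES = [
    {"id": 1, "src": ["lan_net"],     "dst": ["internet"]},
    {"id": 2, "src": ["partner_net"], "dst": ["dmz_net"]},
    {"id": 3, "src": ["any"],         "dst": ["any"]},      # catch-all rule
]

# NAT rules. Rule 12 models the automatic "identity" rule Check Point adds for a
# network object with NAT so that lan_net-to-lan_net traffic is not translated.
NAT_RULES = [
    {"id": 10, "kind": "hide",   "orig_src": "lan_net",     "orig_dst": "internet", "identity": False},
    {"id": 11, "kind": "static", "orig_src": "partner_net", "orig_dst": "web1",     "identity": False},
    {"id": 12, "kind": "hide",   "orig_src": "lan_net",     "orig_dst": "lan_net",  "identity": True},
]


def _nets(name):
    return [ipaddress.ip_network(v) for v in OBJECTS[name]]


def _side_matches(policy_side, rule_obj, mode):
    """Does one side of a firewall policy intersect the NAT rule's original object?"""
    if "any" in policy_side:
        return True                                   # "any"/"all" intersects every rule
    if mode == "names":
        return rule_obj in policy_side
    return any(p.overlaps(r)                          # mode == "values": compare address ranges
               for name in policy_side for p in _nets(name) for r in _nets(rule_obj))


def nat_merge(policies, rules, depth, ignore_any=True, identity=False):
    """Return (policy_id, nat_rule_id) pairs, one per merged FortiGate NAT policy.

    depth maps each NAT kind ("hide", "static") to "off", "names" or "values".
    ignore_any drops policies with an "any" side before matching; identity
    includes the automatic identity NAT rules, which are otherwise skipped.
    """
    merged = []
    for rule in rules:
        mode = depth.get(rule["kind"], "off")
        if mode == "off" or (rule["identity"] and not identity):
            continue
        for policy in policies:
            if ignore_any and ("any" in policy["src"] or "any" in policy["dst"]):
                continue
            if (_side_matches(policy["src"], rule["orig_src"], mode)
                    and _side_matches(policy["dst"], rule["orig_dst"], mode)):
                merged.append((policy["id"], rule["id"]))
    return merged
```

Running this with all kinds set to "off" returns nothing, which is the quick first pass the page recommends; switching one kind at a time to "names" and then "values" shows how the count of merged policies grows, and is a cheap way to estimate the size of the full conversion before committing hours to it.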

Convert Static NATs into VIP/source NAT pairs

When this option is enabled (in policy NAT mode only), a static NAT rule is converted into a central SNAT rule and a unidirectional VIP object. Otherwise it is converted into a bidirectional VIP object.

Comment Options

Policy comment - Preserve UUID from the original rule

Appends the policy UUID from the Check Point source configuration to the policy comment, to make it easier to correlate source and converted policies.

Separate multiple comments into different lines

When a policy is merged from multiple firewall or NAT rules, the original comments of those rules are concatenated directly into the comment of the new policy. Enable this option to place each original comment on its own line inside the new comment.
