Saving the Check Point source configuration file from Smart Center
1. Both Checkpoint Smart Center & Gateways with version before R80.10
2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later
3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77
4. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool
1. Both Checkpoint Smart Center & Gateways with version before R80.10
- Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
- Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
- [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example,
"netstat -nr"
) on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform. - [Optional] User and user groups file – "fwauth.NDB"
- [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
- [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "
ifconfig -a
" then copy and paste the output into a plain text file. - [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command
"show configuration bootp"
then copy and paste the output into a plain text file.
File paths:
File |
File name |
Location |
Path or Command |
---|---|---|---|
Object definitions |
objects_5_0.C (Checkpoint NG/NGX) objects.C (Checkpoint 4.x_) |
SmartCenter |
—or—
|
Policy rulebases |
rulebase_5_0.fws <package name>.W |
SmartCenter |
|
User and User Group file |
fwauth.NDB |
SmartCenter |
—or—
|
Identity role file |
identity_roles.C |
Gateway |
|
Route |
NA |
Gateway |
|
ifconfig file |
NA |
Gateway |
|
DHCP relay file |
NA |
Gateway |
|
Uploader Icons used in tool:
2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later
- Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
- Rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (refer screenshot below)
- [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example,
"netstat -nr"
) on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform. - [Optional] User and user groups file –
"fwauth.NDB"
- [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
- [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "
ifconfig -a
" then copy and paste the output into a plain text file. - [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command
"show configuration bootp"
then copy and paste the output into a plain text file.
File Path:
File | File name |
Location |
Path or command |
---|---|---|---|
Object definitions | objects_5_0.C (Checkpoint NG/NGX) |
SmartCenter |
$FWDIR/conf
—or—
|
objects.C (Checkpoint 4.x_) |
|
||
Policy and NAT files |
NA |
SmartConsole GUI |
Refer to screenshots below |
User and User Group file | fwauth.NDB |
SmartCenter |
$FWDIR/conf/ —or— $FWDIR/database/ |
Identity Role file |
identity_roles.C |
SmartCenter |
|
Route | NA |
Gateway |
netstat -nr
|
ifconfig file |
NA |
Gateway |
|
DHCP relay file |
NA |
Gateway |
|
Export Policy file (CSV Format):
Export Nat file (CSV Format)
Uploader Icons used in tool:
Note: Alternately, you can chose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file $FWDIR/conf/rulebase_5_0.fws |
3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77
- Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
- Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
- [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
- [Optional] User and user groups file – "fwauth.NDB"
- [Optional] Identity role file - Helps FortiConverter t
- o identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
- [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "
ifconfig -a
" then copy and paste the output into a plain text file. - [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command
"show configuration bootp"
then copy and paste the output into a plain text file.
File Path:
File | File name |
Location |
Path or command |
---|---|---|---|
Object definitions | objects_5_0.C (Checkpoint NG/NGX) |
SmartCenter |
/opt/CPR77CMP-R80/conf
|
Policy rulebases | rulebase_5_0.fws <package name>.W |
SmartCenter
|
/opt/CPR77CMP-R80/conf
|
User and User Group file | fwauth.NDB |
SmartCenter |
/opt/CPR77CMP-R80/conf
|
Identity role file |
identity_roles.C |
SmartCenter |
|
Route | NA |
Gateway |
netstat -nr
|
ifconfig file |
NA |
Gateway |
|
DHCP relay file |
NA |
Gateway |
|
Note: Alternately, you can choose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file:
/opt/CPR77CMP-R80/conf
|
4. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool
WARNING: For Check Point R80-R80.30, please do not use the ShowPolicyPackage tool to export the JSON config. Although Check Point R80-R80.30 supports JSON export, there are some issues in the web API so it could not export complete configurations |
To setup “ShowPolicyPackage” tool:
- Please navigate to Check Point’s GitHub of "ShowPolicyPackage":
- Find the latest version (which is currently v2.0.6) and download the file "web_api_show_package-jar-with-dependencies.jar".
- Use a SCP tool you preferred to upload the file "web_api_show_package-jar-with-dependencies.jar" to the SmartCenter Server where Checkpoint R80 management is running.
Before running the tool, please read the file “README.md” in
https://github.com/CheckPointSW/ShowPolicyPackage to know more about how to run the tool, and please focus more on the section “Examples”.
To run “ShowPolicyPackage” tool:
- Please check if the Check Point API is running. Please follow the steps in this article to check the status or enable the API:
https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641
- Run the tool from CLI as "expert":
java -jar web_api_show_package-jar-with-dependencies.jar -v
This command shows the list of packages which can be exported.
- Run the command to export the selected package to JSON:
java -jar web_api_show_package-jar-with-dependencies.jar -k PACKAGE_NAME -d DOMAIN_NAME
("-d DOMAIN_NAME" is needed only when multiple domains exist.)
- A ".tar.gz" file would be generated, which contains the JSON config and can be used as the input of FortiConverter.