Saving the Check Point source configuration file from Smart Center

1. Both Checkpoint Smart Center & Gateways with version before R80.10

2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

4. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

1. Both Checkpoint Smart Center & Gateways with version before R80.10

  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
  • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • [Optional] User and user groups file – "fwauth.NDB"
  • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
  • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

File paths:

| File | File name | Location | Path or Command |
|---|---|---|---|
| Object definitions | objects_5_0.C (Check Point NG/NGX), objects.C (Check Point 4.x) | SmartCenter | $FWDIR/conf or $FWDIR/database/ |
| Policy rulebases | rulebases_5_0.fws, <package name>.W | SmartCenter | $FWDIR/conf |
| User and User Group file | fwauth.NDB | SmartCenter | $FWDIR/conf/ or $FWDIR/database/ |
| Identity role file | identity_roles.C | Gateway | $FWDIR/conf/ |
| Route | NA | Gateway | netstat -nr |
| ifconfig file | NA | Gateway | ifconfig -a |
| DHCP relay file | NA | Gateway | show configuration bootp |
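
One way to collect the SmartCenter files listed in the table above, as an added example that is not Fortinet or Check Point code. The function names `copy_first` and `stage_cp_config` and the `SHA256SUMS` manifest name are assumptions; the helper copies the required and optional files with owner-only permissions (they hold the firewall's objects, policy and user database) and writes a checksum manifest so the copies can be verified after transfer.

```shell
#!/bin/sh
# Added example: hypothetical helper, not part of FortiConverter or Check Point tooling.
# Assumes sha256sum is available on the host where it runs.

# copy_first "NAME1 NAME2" DIR...
# Copy the first candidate file name found in any DIR into $STAGE; return 1 if none exists.
copy_first() {
    _names=$1; shift
    for _name in $_names; do
        for _dir in "$@"; do
            if [ -f "$_dir/$_name" ]; then
                cp -- "$_dir/$_name" "$STAGE/$_name" && return 0
            fi
        done
    done
    return 1
}

# stage_cp_config STAGE_DIR [PACKAGE] [SRC_DIR...]
# Returns 0 when both required files were staged, 1 when one is missing, 2 on other errors.
stage_cp_config() {
    [ $# -ge 1 ] || { echo "usage: stage_cp_config STAGE_DIR [PACKAGE] [SRC_DIR...]" >&2; return 2; }
    STAGE=$1; shift
    _pkg=Standard                       # default package name, per the list above
    if [ $# -gt 0 ]; then _pkg=$1; shift; fi
    # Default search order follows the table: conf first, then database.
    [ $# -gt 0 ] || set -- "$FWDIR/conf" "$FWDIR/database"

    _rc=0
    _old_umask=$(umask); umask 077      # staged copies are readable by the owner only
    mkdir -p "$STAGE" || { umask "$_old_umask"; return 2; }

    # Required: object definitions and the policy rulebase.
    copy_first "objects_5_0.C objects.C" "$@"  || { echo "missing: object definitions" >&2; _rc=1; }
    copy_first "rulebases_5_0.fws $_pkg.W" "$@" || { echo "missing: policy rulebase" >&2; _rc=1; }
    # Optional: a missing file is reported but is not an error.
    copy_first "fwauth.NDB" "$@"       || echo "note: fwauth.NDB not found (optional)" >&2
    copy_first "identity_roles.C" "$@" || echo "note: identity_roles.C not found (optional)" >&2

    # Write the manifest only for a complete set, so a partial bundle is never mistaken for a good one.
    if [ "$_rc" -eq 0 ]; then
        ( cd "$STAGE" && rm -f SHA256SUMS && sha256sum -- * > SHA256SUMS ) || _rc=2
    fi
    umask "$_old_umask"
    return "$_rc"
}

# Example call on the SmartCenter (paths are placeholders):
#   stage_cp_config /var/tmp/fc_export Standard
```

After copying the staging directory to the FortiConverter host, `sha256sum -c SHA256SUMS` run inside it confirms the files arrived unchanged.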

Uploader Icons used in tool:

2. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (refer to the screenshots below).
  • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • [Optional] User and user groups file – "fwauth.NDB"
  • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
  • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

File Path:

| File | File name | Location | Path or command |
|---|---|---|---|
| Object definitions | objects_5_0.C (Check Point NG/NGX), objects.C (Check Point 4.x) | SmartCenter | $FWDIR/conf or $FWDIR/database/ |
| Policy and NAT files | NA | SmartConsole GUI | Refer to screenshots below |
| User and User Group file | fwauth.NDB | SmartCenter | $FWDIR/conf/ or $FWDIR/database/ |
| Identity Role file | identity_roles.C | SmartCenter | $FWDIR/conf/ |
| Route | NA | Gateway | netstat -nr |
| ifconfig file | NA | Gateway | ifconfig -a |
| DHCP relay file | NA | Gateway | show configuration bootp |

Export Policy file (CSV Format):

Export NAT file (CSV Format):

Uploader Icons used in tool:

Note: Alternatively, you can download the policy and rule definitions file "rulebases_5_0.fws" from the following path if you want to cross-verify it against the CSV files: $FWDIR/conf/rulebases_5_0.fws

3. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

  • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
  • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
  • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
  • [Optional] User and user groups file – "fwauth.NDB"
  • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
  • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
  • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

File Path:

| File | File name | Location | Path or command |
|---|---|---|---|
| Object definitions | objects_5_0.C (Check Point NG/NGX) | SmartCenter | /opt/CPR77CMP-R80/conf |
| Policy rulebases | rulebases_5_0.fws, <package name>.W | SmartCenter | /opt/CPR77CMP-R80/conf |
| User and User Group file | fwauth.NDB | SmartCenter | /opt/CPR77CMP-R80/conf |
| Identity role file | identity_roles.C | SmartCenter | /opt/CPR77CMP-R80/conf |
| Route | NA | Gateway | netstat -nr |
| ifconfig file | NA | Gateway | ifconfig -a |
| DHCP relay file | NA | Gateway | show configuration bootp |

Note: Alternatively, you can download the policy and rule definitions file "rulebases_5_0.fws" from the following path if you want to cross-verify it against the CSV file: /opt/CPR77CMP-R80/conf

4. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

WARNING: For Check Point R80-R80.30, do not use the ShowPolicyPackage tool to export the JSON config. Although Check Point R80-R80.30 supports JSON export, issues in the web API prevent it from exporting complete configurations.

To set up the "ShowPolicyPackage" tool:

  1. Navigate to the releases page of Check Point's "ShowPolicyPackage" GitHub repository:

    https://github.com/CheckPointSW/ShowPolicyPackage/releases

  2. Find the latest version (which is currently v2.0.6) and download the file "web_api_show_package-jar-with-dependencies.jar".
  3. Use your preferred SCP tool to upload the file "web_api_show_package-jar-with-dependencies.jar" to the SmartCenter Server where Check Point R80 management is running.

Before running the tool, read the file "README.md" in https://github.com/CheckPointSW/ShowPolicyPackage to learn how to run the tool, paying particular attention to the "Examples" section.

To run the "ShowPolicyPackage" tool:

  1. Check whether the Check Point API is running. Follow the steps in this article to check the status or enable the API:

    https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641

  2. Run the tool from CLI as "expert":

    java -jar web_api_show_package-jar-with-dependencies.jar -v

    This command shows the list of packages which can be exported.

  3. Run the command to export the selected package to JSON:

    java -jar web_api_show_package-jar-with-dependencies.jar -k PACKAGE_NAME -d DOMAIN_NAME

    ("-d DOMAIN_NAME" is needed only when multiple domains exist.)

  4. A ".tar.gz" file is generated. It contains the JSON config and can be used as the input to FortiConverter.
