Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Fortinet white logo
Fortinet docs logo DOCUMENT LIBRARY
Products Best Practices Hardware Guides Products A-Z
Summary
By Solution
By 4D Pillars
By Cloud
Secure Networking
Unified SASE
Security Operations
Secure SD-WAN
Secure Access Service Edge (SASE)
ZTNA
LAN Edge
Identity and Access Management
Next Generation Firewall
Public Cloud
Private Cloud
FortiCloud
Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
    • More >>
    Unified SASE
  • Single Vendor SASE
  • Cloud Network Security
  • Secure Endpoint Connectivity
  • Web Application / API Protection
    • More >>
    Security Operations
  • Security Operations Automation
  • Identity
  • Early Detection & Prevention
    • More >>
    Secure Networking
  • Hybrid Mesh Firewall
  • NOC Management
  • LAN
  • WAN
  • Communication & Surveillance
    • Unified SASE
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Cloud Network Security
  • Cloud-Native Security
  • Web Application / API Protection
    • Security Operations
  • Security Operations Automation
  • Endpoint
  • Data Protection
  • Identity
  • Email
  • Early Detection & Prevention
  • Expert Services
  • Edge Firewall
  • Orchestration & management
  • SD Branch
  • Application Delivery
  • Single Vendor SASE
  • Secure Endpoint Connectivity
  • Secure Private Access
  • Thin Edge
  • Identity
  • Application Gateway
  • Enterprise Asset Management
  • Endpoint Agent
  • Agentless Security Posture
  • Identity
  • Wireless
  • Switching
  • Identity
  • Privilege Acccess Management
  • Next Generation Firewall
  • Orchestration & management
  • Expert Services
  • All
  • All
  • Account Management
  • SAAS Management
  • SAAS Application Security
  • Managed Services
  • Platform as a service (PAAS)
  • Other SAAS Services
    • 4D Resources
    Solution Hubs
  • 4D Pillars
  • Cloud
  • Popular Solutions

    • Online Help

    7.0.5
    7.2.0
    7.0.6
    7.0.5
    7.0.4
    7.0.3
    7.0.2
    7.0.1
    7.0.0
    6.2.2
    6.2.1
    6.2.0
    6.0.3
    6.0.2
    6.0.1
    6.0.0

    Saving the Check Point source configuration file from Smart Center

    Saving the Check Point source configuration file from Smart Center

    1. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

    2. Both Checkpoint Smart Center & Gateways with version before R80.10

    3. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

    4. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

    1. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

    WARNING: For Check Point R80-R80.30, please do not use the ShowPolicyPackage tool to export the JSON config. Although Check Point R80-R80.30 supports JSON export, there are some issues in the web API so it could not export complete configurations

    To setup “ShowPolicyPackage” tool:

    1. Please navigate to Check Point’s GitHub of "ShowPolicyPackage":

      https://github.com/CheckPointSW/ShowPolicyPackage/releases

    2. Find the latest version (which is currently v2.0.6) and download the file "web_api_show_package-jar-with-dependencies.jar".
    3. Use a SCP tool you preferred to upload the file "web_api_show_package-jar-with-dependencies.jar" to the SmartCenter Server where Checkpoint R80 management is running.

    Before running the tool, please read the file “README.md” in

    https://github.com/CheckPointSW/ShowPolicyPackage to know more about how to run the tool, and please focus more on the section “Examples”.

    To run “ShowPolicyPackage” tool:

    1. Please check if the Check Point API is running. Please follow the steps in this article to check the status or enable the API:

      https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641

    2. Run the tool from CLI as "expert":

      java -jar web_api_show_package-jar-with-dependencies.jar -v

      This command shows the list of packages which can be exported.

    3. Run the command to export the selected package to JSON:

      java -jar web_api_show_package-jar-with-dependencies.jar -k PACKAGE_NAME -d DOMAIN_NAME

      ("-d DOMAIN_NAME" is needed only when multiple domains exist.)

    4. A ".tar.gz" file would be generated, which contains the JSON config and can be used as the input of FortiConverter.

    2. Both Checkpoint Smart Center & Gateways with version before R80.10

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file – "fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File paths:

    File

    File name

    Location

    Path or Command

    Object definitions

    objects_5_0.C (Checkpoint NG/NGX)

    objects.C (Checkpoint 4.x_)

    SmartCenter

    $FWDIR/conf

    —or—

    $FWDIR/database/

    Policy rulebases

    rulebase_5_0.fws

    <package name>.W

    SmartCenter

    $FWDIR/conf

    User and User Group file

    fwauth.NDB

    SmartCenter

    $FWDIR/conf/

    —or—

    $FWDIR/database/

    Identity role file

    identity_roles.C

    Gateway

    $FWDIR/conf/

    Route

    NA

    Gateway

    netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Uploader Icons used in tool:

    3. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (refer screenshot below). Before exporting, please display all the columns of the rule tables to ensure that all necessary information is exported.
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file"fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File Path:

    File File name

    Location

    		 Path or command
    Object definitions objects_5_0.C (Checkpoint NG/NGX)

    SmartCenter

    		 $FWDIR/conf

    —or—

    $FWDIR/database/

    objects.C (Checkpoint 4.x_)

    Policy and NAT files

    NA

    SmartConsole GUI

    Refer to screenshots below
    User and User Group file fwauth.NDB

    SmartCenter

    		 $FWDIR/conf/ —or— $FWDIR/database/

    Identity Role file

    identity_roles.C

    SmartCenter

    $FWDIR/conf/

    Route NA

    Gateway

    		 netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Export Policy file (CSV Format):

    Export Nat file (CSV Format)

    Uploader Icons used in tool:

    Note: Alternately, you can chose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file $FWDIR/conf/rulebase_5_0.fws

    4. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file – "fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter t
    • o identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File Path:

    File File name

    Location

    		 Path or command
    Object definitions objects_5_0.C (Checkpoint NG/NGX)

    SmartCenter

    		 /opt/CPR77CMP-R80/conf
    Policy rulebases rulebase_5_0.fws <package name>.W

    SmartCenter

    		 /opt/CPR77CMP-R80/conf
    User and User Group file fwauth.NDB

    SmartCenter

    		 /opt/CPR77CMP-R80/conf

    Identity role file

    identity_roles.C

    SmartCenter

    /opt/CPR77CMP-R80/conf

    Route NA

    Gateway

    		 netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Note: Alternately, you can choose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file: /opt/CPR77CMP-R80/conf

    [Optional] Policy and NAT Rule File with UUIDs

    This input file entry accepts an Excel worksheet which contains the UUID of firewall and NAT rules. The format of this file is as below:

    1. The Excel file can contain 2 sheets, one for firewall rules and one for NAT rules. The sheet which contains the keyword "NAT" in its name is the NAT rule table, and the other is the policy table.
    2. There can be multiple columns in the sheets, but FortiConverter needs to read 2 columns inside. The first one is "Rule #" which shows the rule number in Check Point and this number should be consistent with the rule number in the CSV files. The second one is "Rule Uid", which shows the UUID of the rules.
    3. The number and order of the rules are always the same as the rules in the CSV files so the tool can always correlate them based on the rule number instead of checking the content.

    Please see an example of the file below:

    Previous
    Next

    Saving the Check Point source configuration file from Smart Center

    Saving the Check Point source configuration file from Smart Center

    1. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

    2. Both Checkpoint Smart Center & Gateways with version before R80.10

    3. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

    4. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

    1. Exporting configuration file in JSON format using the "ShowPolicyPackage" tool

    WARNING: For Check Point R80-R80.30, please do not use the ShowPolicyPackage tool to export the JSON config. Although Check Point R80-R80.30 supports JSON export, there are some issues in the web API so it could not export complete configurations

    To setup “ShowPolicyPackage” tool:

    1. Please navigate to Check Point’s GitHub of "ShowPolicyPackage":

      https://github.com/CheckPointSW/ShowPolicyPackage/releases

    2. Find the latest version (which is currently v2.0.6) and download the file "web_api_show_package-jar-with-dependencies.jar".
    3. Use a SCP tool you preferred to upload the file "web_api_show_package-jar-with-dependencies.jar" to the SmartCenter Server where Checkpoint R80 management is running.

    Before running the tool, please read the file “README.md” in

    https://github.com/CheckPointSW/ShowPolicyPackage to know more about how to run the tool, and please focus more on the section “Examples”.

    To run “ShowPolicyPackage” tool:

    1. Please check if the Check Point API is running. Please follow the steps in this article to check the status or enable the API:

      https://community.checkpoint.com/t5/API-CLI-Discussion/Enabling-web-api/td-p/32641

    2. Run the tool from CLI as "expert":

      java -jar web_api_show_package-jar-with-dependencies.jar -v

      This command shows the list of packages which can be exported.

    3. Run the command to export the selected package to JSON:

      java -jar web_api_show_package-jar-with-dependencies.jar -k PACKAGE_NAME -d DOMAIN_NAME

      ("-d DOMAIN_NAME" is needed only when multiple domains exist.)

    4. A ".tar.gz" file would be generated, which contains the JSON config and can be used as the input of FortiConverter.

    2. Both Checkpoint Smart Center & Gateways with version before R80.10

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file – "fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File paths:

    File

    File name

    Location

    Path or Command

    Object definitions

    objects_5_0.C (Checkpoint NG/NGX)

    objects.C (Checkpoint 4.x_)

    SmartCenter

    $FWDIR/conf

    —or—

    $FWDIR/database/

    Policy rulebases

    rulebase_5_0.fws

    <package name>.W

    SmartCenter

    $FWDIR/conf

    User and User Group file

    fwauth.NDB

    SmartCenter

    $FWDIR/conf/

    —or—

    $FWDIR/database/

    Identity role file

    identity_roles.C

    Gateway

    $FWDIR/conf/

    Route

    NA

    Gateway

    netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Uploader Icons used in tool:

    3. Both Checkpoint Smart Center & Gateways are in version R80.10 & Later

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Rule definitions – "*.csv". The Policy and NAT CSV files can be exported from the Smart Console (refer screenshot below). Before exporting, please display all the columns of the rule tables to ensure that all necessary information is exported.
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file"fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter to identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File Path:

    File File name

    Location

    		 Path or command
    Object definitions objects_5_0.C (Checkpoint NG/NGX)

    SmartCenter

    		 $FWDIR/conf

    —or—

    $FWDIR/database/

    objects.C (Checkpoint 4.x_)

    Policy and NAT files

    NA

    SmartConsole GUI

    Refer to screenshots below
    User and User Group file fwauth.NDB

    SmartCenter

    		 $FWDIR/conf/ —or— $FWDIR/database/

    Identity Role file

    identity_roles.C

    SmartCenter

    $FWDIR/conf/

    Route NA

    Gateway

    		 netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Export Policy file (CSV Format):

    Export Nat file (CSV Format)

    Uploader Icons used in tool:

    Note: Alternately, you can chose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file $FWDIR/conf/rulebase_5_0.fws

    4. Smart Center is on R80.10 and later but Gateways are below R80 such as R77

    • Object definitions – "objects_5_0.C" (Check Point NG/NGX) or "objects.C" (Check Point 4.x) contains the firewall's object definitions.
    • Policy rulebases – "*.w" or "rulebases_5_0.fws". The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
    • [Optional] Route information – Helps FortiConverter to correctly interpret the network topology being converted. To get this data, enter the route print command (for example, "netstat -nr") on the firewall node and then copy and paste the output into a plain text file. Codes in the output indicate if the route is a directly connected interface, a host route, a network route, and so on. The output varies by the platform.
    • [Optional] User and user groups file – "fwauth.NDB"
    • [Optional] Identity role file - Helps FortiConverter t
    • o identify the identity role names referenced in Check Point policies and set them as policy user groups. However, FortiConverter cannot convert the identity roles themselves into FortiGate objects. Users should configure them manually using FSSO in FortiGate.
    • [Optional] ifconfig File (For vlan id consistency) – This file can help the converter to determine the user-set vlan-id for interfaces, if the information is provided. To get this data, enter the command "ifconfig -a" then copy and paste the output into a plain text file.
    • [Optional] DHCP relay file – This file contains the DHCP relay information of interfaces. To get this data, enter the command "show configuration bootp" then copy and paste the output into a plain text file.

    File Path:

    File File name

    Location

    		 Path or command
    Object definitions objects_5_0.C (Checkpoint NG/NGX)

    SmartCenter

    		 /opt/CPR77CMP-R80/conf
    Policy rulebases rulebase_5_0.fws <package name>.W

    SmartCenter

    		 /opt/CPR77CMP-R80/conf
    User and User Group file fwauth.NDB

    SmartCenter

    		 /opt/CPR77CMP-R80/conf

    Identity role file

    identity_roles.C

    SmartCenter

    /opt/CPR77CMP-R80/conf

    Route NA

    Gateway

    		 netstat -nr

    ifconfig file

    NA

    Gateway

    ifconfig -a

    DHCP relay file

    NA

    Gateway

    show configuration bootp

    Note: Alternately, you can choose to download Policy and rule definitions file "rulebases_5_0.fws" from following path if you are interested to cross verify it with CSV file: /opt/CPR77CMP-R80/conf

    [Optional] Policy and NAT Rule File with UUIDs

    This input file entry accepts an Excel worksheet which contains the UUID of firewall and NAT rules. The format of this file is as below:

    1. The Excel file can contain 2 sheets, one for firewall rules and one for NAT rules. The sheet which contains the keyword "NAT" in its name is the NAT rule table, and the other is the policy table.
    2. There can be multiple columns in the sheets, but FortiConverter needs to read 2 columns inside. The first one is "Rule #" which shows the rule number in Check Point and this number should be consistent with the rule number in the CSV files. The second one is "Rule Uid", which shows the UUID of the rules.
    3. The number and order of the rules are always the same as the rules in the CSV files so the tool can always correlate them based on the rule number instead of checking the content.

    Please see an example of the file below:

    Previous
    Next