06-01-2018 08:44 AM - edited 12-11-2020 01:39 AM
With the new version of Checkpoint Smartcenter R80, the way to obtain the rules has changed.
To export the configuration from a Checkpoint R80 we need to download a tool from Checkpoint's GitHub. Make sure you download the latest version of the tool, since the one that comes installed on your SmartCenter is usually old and may contain bugs.
So first open your preferred web browser and go to:
Check for the latest release. At the time this post was updated, the latest version was 2.0.6. To download it, click the file named: web_api_show_package-jar-with-dependencies.jar
After downloading the file, you have to upload it to your SmartCenter server where Checkpoint R80 management is running.
Use your preferred SCP tool to do it.
Please read the README.md file shown at https://github.com/CheckPointSW/ShowPolicyPackage to understand how to run the downloaded file properly, paying special attention to the Examples.
Before you run the command, verify that the Checkpoint API is running; otherwise this tool will fail to execute. Please read this if you don't know how to enable or verify that your API is up and running.
Now you can RUN the tool from CLI as EXPERT
java -jar web_api_show_package-jar-with-dependencies.jar -v
The output from that command will let you know what Packages are available to export
The last command we have to run is the following, where PACKAGE_NAME is the name you chose from the output of the previous command. In a MULTI-DOMAIN environment, specify the DOMAIN_NAME too (-d is OPTIONAL):
java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>
This will create a new tgz file, which you will use as is to import on the Expedition import page.
Exporting Routing and interfaces
From the Firewall CLI, you can run the following:
netstat -nr > routes.txt
With all this information, we can go to Expedition, Create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.
References: Checkpoint Website article about the show package tool
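A wrapper for the export step, added here as an example (it is not part of the original post or of Checkpoint's tool): it runs the command above, treats the "Script stopped running due to severe error!" console line as a failure, and checks the archive before it is uploaded to Expedition. The function names are hypothetical, and the expectation that a good archive contains index.json and at least one *_objects.json file is an assumption based on the files the tool writes.

```shell
#!/bin/bash
# Added example: wrapper around the ShowPolicyPackage export step.
# Function names are hypothetical; the jar name, the -k/-d flags and the two
# console strings matched below are the ones shown on this page.
JAR=web_api_show_package-jar-with-dependencies.jar

# check_console LOG: fail if the tool printed its severe-error line.
check_console() {
    if grep -q 'Script stopped running due to severe error' "$1"; then
        echo "export failed: tool reported a severe error" >&2
        return 1
    fi
}

# check_archive FILE: the archive must be readable and (assumption) hold
# index.json plus at least one *_objects.json, as a good export does.
check_archive() {
    ca_list=$(tar -tzf "$1" 2>/dev/null) || { echo "unreadable: $1" >&2; return 2; }
    printf '%s\n' "$ca_list" | grep -Eq '(^|/)index\.json$' \
        || { echo "index.json missing" >&2; return 3; }
    printf '%s\n' "$ca_list" | grep -Eq '_objects\.json$' \
        || { echo "no *_objects.json found" >&2; return 4; }
}

# export_package PACKAGE [DOMAIN]: run the tool, then validate the result.
export_package() {
    ep_log=$(mktemp) || return 1
    if [ -n "$2" ]; then
        java -jar "$JAR" -k "$1" -d "$2" 2>&1 | tee "$ep_log" >&2
    else
        java -jar "$JAR" -k "$1" 2>&1 | tee "$ep_log" >&2
    fi
    ep_file=$(sed -n 's/^Result file location: //p' "$ep_log" | tail -n 1)
    if ! check_console "$ep_log"; then rm -f "$ep_log"; return 1; fi
    rm -f "$ep_log"
    check_archive "$ep_file" || return $?
    chmod 600 "$ep_file"   # the archive holds the full rulebase and objects
    echo "$ep_file"        # path to upload to Expedition
}
```

Source the file in expert mode from the directory that holds the jar, then call export_package with the package name and, in a multi-domain environment, the domain name.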
Hi @armingojak Rule Hitcount info is only for PAN-OS configuration with log connector configuration not for checkpoint configuration.
Do the gateway and Management server need to be on R80.X?
For this export method, the checkpoint management server needs to be on R80 and above. If the version is below R80, there is a different way to export the checkpoint config; please refer to the instructions listed in the Expedition tool by navigating to Import -> Checkpoint
Is there an actual example of what to expect or what to do? After I extract the Checkpoint tgz I have a list of files. One in html and one in json.
Directory of C:\Users\Steve\Desktop\migration\show_package-2022-02-15_13-56-35
02/28/2022 11:52 AM <DIR> .
02/28/2022 11:52 AM <DIR> ..
02/15/2022 01:57 PM 136,124 fwinternal_071417 Application-Management server.html
02/15/2022 01:57 PM 58,501 fwinternal_071417 Application-Management server.json
02/15/2022 01:57 PM 394,514 fwinternal_071417 NAT-Management server.html
02/15/2022 01:57 PM 309,528 fwinternal_071417 NAT-Management server.json
02/15/2022 01:56 PM 605,852 fwinternal_071417 Security-Management server.html
02/15/2022 01:56 PM 535,288 fwinternal_071417 Security-Management server.json
02/15/2022 01:57 PM 143,359 fwinternal_071417 Threat Prevention-Management server.html
02/15/2022 01:57 PM 53,668 fwinternal_071417 Threat Prevention-Management server.json
02/15/2022 01:57 PM 24,263 fwinternal_071417_gateway_objects.html
02/15/2022 01:57 PM 15,725 fwinternal_071417_gateway_objects.json
02/15/2022 01:57 PM 1,755,183 fwinternal_071417_objects.html
02/15/2022 01:57 PM 1,746,651 fwinternal_071417_objects.json
02/15/2022 01:57 PM 10,608 index.html
02/15/2022 01:57 PM 2,054 index.json
02/15/2022 01:57 PM 160,319 IPS-Management server.html
02/15/2022 01:57 PM 70,742 IPS-Management server.json
02/15/2022 01:57 PM 32,723 show_package-2022-02-15_13-56-35.elg
18 File(s) 6,055,102 bytes
2 Dir(s) 439,113,048,064 bytes free
Instructions on Expedition say:
Your package from Checkpoint should be a tar file and you should also have a route file, you will need to upload both files into expedition. If you need assistance with how to export a tar file from checkpoint you can use the following link ( https://panos.pan.dev/docs/expedition/expedition_export ) Once that is uploaded to actually import it into expedition you should reference that route file from the drop down part of the import section, then you can click import and it will perform the parse process.
Hi @SteveKrall , please refer to the instructions under "Import"->"Checkpoint" ->"R80.x or higher" as shown in the below image, you will upload your show_package-2022-02-15_13-56-35.tgz file and route file at the same time.
Thanks for this helpful community.
I am trying to migrate from Checkpoint R80.40 to PA460s via Expedition.
When I try to generate the show policy package on CheckPoint I get the following error:-
# java -jar web_api_show_package-jar-with-dependencies.jar
Script stopped running due to severe error!
Result file location: show_package-2022-05-13_12-46-56.tar.gz
Hi @Terry_Chan This tool is developed by checkpoint, please refer to the website below for details: