Migrating Checkpoint R80 [UPDATED on December 2020]

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Please sign in to see details of an important advisory in our Customer Advisories area.
Audit
Last Reviewed: 08-10-2023 06:22 AM
Audited By: kiwi
L7 Applicator
89% helpful (8/9)

With the new version of Checkpoint Smartcenter R80, the way to obtain the rules has changed. 

 

Exporting Configuration

 

To export the configuration from a Checkpoint R80 we are gonna need to download a tool from the Checkpoint's Github. We want to be sure we download latest version of the tool since the one it comes installed in your SmartCenter usually is old and may contain bugs.

 

So first open your preferred web browser and go to:

 

https://github.com/CheckPointSW/ShowPolicyPackage/releases

 

Check the latest, at the moment of updating this post latest version was 2.0.6, so in order to download it we have to click on the file named: web_api_show_package-jar-with-dependencies.jar

 

https://github.com/CheckPointSW/ShowPolicyPackage/releases/download/V2.0.6/web_api_show_package-jar-with-dependencies.jar

 

After download the file you have to UPLOAD it to your SmartCenter Server where Checkpoint R80 management is running.

Use your SCP preferred tool to do it.

 

Please read the README.md file shown in https://github.com/CheckPointSW/ShowPolicyPackage to understand how to run the downloaded file properly, pay special attention to the Examples

 

Before you run the command verify the Checkpoint API is running otherwise this tool will fail to execute. Please read this if you don' t know how to enable/verify if your API is UP and Running

 

Now you can RUN the tool from CLI as EXPERT

 

java -jar web_api_show_package-jar-with-dependencies.jar -v

 

The output from that command will let you know what Packages are available to export

 

Last command we have to run is the following where PACKAGE_NAME is the name you have chosen from the previous command and in case you are in a MULTI-DOMAIN environment specify the DOMAIN_NAME too (-d is OPTIONAL):

 

 java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>

 

This will create a new tgz file which you will use as is to import into Expedition Importation page.

 

Exporting Routing and interfaces

 

From the Firewall CLI, you can run the following:

 

netstat -nr > routes.txt

 

With all this information, we can go to Expedition, Create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.

 

  1. Assign a name to your configuration such as "MyInternetGW"
  2. Select the tgz file and attache it to the proper input
  3. Select the routes.txt for the routes
  4. Click UPLOAD

 

References: Checkpoint Website article about the show package tool

 

 

Rate this article:
Comments
L6 Presenter

Hi @armingojak Rule Hitcount info is only for PAN-OS configuration with log connector configuration not for checkpoint configuration. 

Does the gateway and Management server need to be on R80.X? 

L6 Presenter

For this export method , the checkpoint management server needs to be on R80 and above .  If the version is below R80 , there is different way to export checkpoint config , please refer to the instructions listed in the expedition tool by navigate to Import -> Checkpoint

L2 Linker

Is there an actual example of what to expect or what to do?  After I extract the thr Checkpoint tgz I have a list of files.  One in html and one in json.

 

Directory of C:\Users\Steve\Desktop\migration\show_package-2022-02-15_13-56-35

02/28/2022 11:52 AM <DIR> .
02/28/2022 11:52 AM <DIR> ..
02/15/2022 01:57 PM 136,124 fwinternal_071417 Application-Management server.html
02/15/2022 01:57 PM 58,501 fwinternal_071417 Application-Management server.json
02/15/2022 01:57 PM 394,514 fwinternal_071417 NAT-Management server.html
02/15/2022 01:57 PM 309,528 fwinternal_071417 NAT-Management server.json
02/15/2022 01:56 PM 605,852 fwinternal_071417 Security-Management server.html
02/15/2022 01:56 PM 535,288 fwinternal_071417 Security-Management server.json
02/15/2022 01:57 PM 143,359 fwinternal_071417 Threat Prevention-Management server.html
02/15/2022 01:57 PM 53,668 fwinternal_071417 Threat Prevention-Management server.json
02/15/2022 01:57 PM 24,263 fwinternal_071417_gateway_objects.html
02/15/2022 01:57 PM 15,725 fwinternal_071417_gateway_objects.json
02/15/2022 01:57 PM 1,755,183 fwinternal_071417_objects.html
02/15/2022 01:57 PM 1,746,651 fwinternal_071417_objects.json
02/15/2022 01:57 PM 10,608 index.html
02/15/2022 01:57 PM 2,054 index.json
02/15/2022 01:57 PM 160,319 IPS-Management server.html
02/15/2022 01:57 PM 70,742 IPS-Management server.json
02/15/2022 01:57 PM 32,723 show_package-2022-02-15_13-56-35.elg
18 File(s) 6,055,102 bytes
2 Dir(s) 439,113,048,064 bytes free

 

Instructions on Expedition say:

L4 Transporter

Hello @SteveKrall 

 

Your package from Checkpoint should be a tar file and you should also have a route file, you will need to upload both files into expedition. If you need assistance with how to export a tar file from checkpoint you can use the following link ( https://panos.pan.dev/docs/expedition/expedition_export ) Once that is uploaded to actually import it into expedition you should reference that route file from the drop down part of the import section, then you can click import and it will perform the parse process.

L6 Presenter

Hi @SteveKrall , please refer to the instructions under "Import"->"Checkpoint" ->"R80.x or higher" as shown in the below image, you will upload your show_package-2022-02-15_13-56-35.tgz file and route file at the same time. 

 

Screen Shot 2022-02-28 at 12.04.14 PM.png

L0 Member

Hi all,

 

Thanks for this helpful community.

 

I am trying to migrate from Checkpoint R80.40 to PA460s via Expedition.

 

When I try to generate the show policy package on CheckPoint I get the following error:-

 

# java -jar web_api_show_package-jar-with-dependencies.jar
Script stopped running due to severe error!
Result file location: show_package-2022-05-13_12-46-56.tar.gz

 

Any ideas/suggestions?

 

Thanks.

L6 Presenter

Hi @Terry_Chan This tool is developed by checkpoint, please refer below website for details:

https://github.com/CheckPointSW/ShowPolicyPackage

 

 

L1 Bithead

i ran the commands correctly and i see it's show_package-2023-10-03_10-09-57.tar.gz and not a tgz file 

when i run 

tar xvzf show_package-2023-10-03_10-09-57.tar.gz it only shows this file 

 

[Expert@CPMgmt:0]# tar xvzf show_package-2023-10-03_10-09-57.tar.gz
show_package-2023-10-03_10-09-57.elg

 

what's up with this?

L1 Bithead

Attempting to Export Configuration from Smart Console: 

Smart-1 Server

R81.20 HT 26

Many Clusters / Several Policies

Expedition Version 2 - latest vesrion 1.2.74 Ubuntu version 20.x.x

loaded the web_api_show_package-jar-with-dependencies.jar into /opt/CPsuite-R81.20/fw1/scripts

ran it on the CP MGMT server in Expert mode

show_package-2023-10-03_09-51-15.tar.gz was created but it's only 1kb

un packed it by change the name to tgz and looked at the files

no JASON no HTML file just a log file elg. 

 

what am i doing wrong? what steps have i missed? looking for some guidance. thank you.

L6 Presenter

@cjthorse82, tar.gz is the correct format .  but should be larger than 1kb. Please review the instructions on exporting checkpoint config using showpackage tool, you might need to specify specific package name or domain name in the command. 

 

https://github.com/CheckPointSW/ShowPolicyPackage

 

 

 

L1 Bithead

@lychiang thank you very much! I specified the package name and it exported! and now I'm cooking! thank you have a great day. 

 

used it like this: 

 

java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME>

 

put it into expedition2 and it's working. 

  • 103622 Views
  • 62 comments
  • 3 Likes
Register or Sign-in
Contributors
Article Dashboard
Version history
Last Updated:
‎12-11-2020 01:39 AM
Updated by: