Expedition Articles

With the new version of Checkpoint Smartcenter R80, the way to obtain the rules has changed.    Exporting Security Rules   After you login to your SmartCenter, you have to run the following command to know what policies are avaialble for exportation:   mgmt_cli show access-layers - uid: "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxx" name: "Internet Security" type: "access-layer" domain: uid: "xxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" name: "SMC User" domain-type: "domain"   In this case, "Internet Security" is my Rulebase to export for migration. Based on what we have seen from the Checkpoint API, in case we have more than 400 rules, we have to use an offload to generate exportations in chunks of 400 rules, which means if we have 650 security rules, we will have to do this:   mgmt_cli show access-rulebase offset 0 limit 400 name "Internet Security" details-level "full" use-object-dictionary true --format json > RuleSet_0_400.json mgmt_cli show access-rulebase offset 401 limit 650 name "Internet Security" details-level "full" use-object-dictionary true --format json > RuleSet_401_650.json   After we created all the json files, we will need to create a new file, and we will name it "order" to put inside the filenames in the order they need to be read, like in this example:   Edit "order" file   RuleSet_0_400.json RuleSet_401_650.json   After that, we have to ZIP it. To do it right, all these three files need to be under the same folder, and from within the folder, we can run the command from the CLI:   zip Rules.zip *   This will create a new Rules.zip only contaning the three files without any other folder inside. It's important to remember when you create the ZIP file to avoid having any folder inside the ZIP file—just the json and "order" files.   If the Security rules are less than 400, we have to just export to a single json file. There is no need to ZIP it then.    Exporting Nat Rules   For Nat rules, we have found the limitation is for 500 Nat Rules per export, so we can apply the samething we did with the Security Rules. For example, we are going to sat we have 600 Nat Rules.   Notice the name of the Ruleset, in this case, is Internet without Security at the end. You have to check from the SmartCenter to see the Nat ruleset Name.   mgmt_cli show nat-rulebase offset 0 limit 500 package "Internet" details-level "full" use-object-dictionary true --format json > NATRuleSet_0_500.json mgmt_cli show nat-rulebase offset 501 limit 600 package "Internet" details-level "full" use-object-dictionary true --format json > NATRuleSet_501_600.json   After we created all the json files, we will need to create a new file, and we will name it "order" to put inside the filenames in the order they need to be read, like in this example:   Edit "order" file   NATRuleSet_0_500.json NATRuleSet_501_600.json   After that, we have to ZIP it. To do it right, all these three files need to be under the same folder, and from within the folder, we can run the command from the CLI:   zip NatRules.zip *   If the Nat rules are less than 500, we have to just export to a single json file. There is no need to ZIP it then.   Exporting Routing and interfaces   From the Firewall CLI, you can run the following:   netstat -nr > routes.txt   Export the routes.txt to where you store the NatRules.zip and Rules.zip   With all this information, we can go to Expedition, Create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.   Assign a name to your configuration such as "MyInternetGW" Select the Rules.zip for Security Rules Select the NatRules.zip for Nat rules Select the routes.txt for the routes Click UPLOAD