This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
AmitS
Participant
‎2025-11-19 02:45 AM
Jump to solution

Move only object file from one SMS to another

Hello Team,

We are having one SMS which manages multiple security gateways. Now we have planned to separate one of the gateways cluster from this old SMS to a newer SMS server creating a segregated setup.

Now this new setup has limited polices ~100 count, but has multiple object groups & each object group has approx. 100+ objects (IP, Network) within. Policies we can create manually as those are limited & simple L3_L4 policies.

My query is how can we just migrate these objects from old SMS to new SMS server. 

Since the old SMS server is managing multiple setups cluster, doing a migrate export & import to new one will bring the unwanted objects as well, which we don't want & creating these required objects/groups in new SMS server is very time consuming activity & if we miss any object then it would be critical & difficult to track.

Can you guys suggest if you faced similar challenges & how can we achieve this.

I was thinking of moving the object file from old server to new but this would also bring the unwanted objects.

 

Labels
0 Kudos
4 Solutions

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-19 03:15 AM
Jump to solution

Something like this should help: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

CCSM R77/R80/ELITE

View solution in original post

0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-11-19 03:16 AM
Jump to solution

The Management API can help.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-group~v1.9.1%20

 

This will give you an idea of how it works and then you can go from there.

Use a SmartConsole admin account. fwadmin is an example admin account.

Expert mode on the management server CLI:

mgmt_cli login user "fwadmin" > api-sid.txt

mgmt_cli -s api-sid.txt show groups

 mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json

 mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.'

mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.members[] | .name'

 

The commands log the admin into the API, saving the login result details to the text file. That includes the Session ID.

Then the authenticated session is used to run API commands: show groups and show group

Then jq is used to start to filter the output.

 

Eventually you will get output that can be used in an API command to create new objects and groups on the new management server

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-group~v1.9.1%20 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-objects-batch~v1.9.1%20

https://sc1.checkpoint.com/documents/latest/APIs/index.html#tips_best_practices~v1.9.1%20 

[Expert@management:0]# mgmt_cli add host --batch API-objects.csv

 

Check Point shares this too:

https://github.com/CheckPointSW/ExportImportPolicyPackage

 

View solution in original post

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-19 03:52 AM
Jump to solution

I would confirm with TAC as well, but what Chris and Don provided definitely makes sense.

You can also verify all the options by going to https://mgmt_ip/api_docs

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
‎2025-11-20 07:45 AM
Jump to solution

migrate_server also brings a lot of other things (like the ICA) you may not want to bring across.
The Python tool referenced by @Chris_Atkinson will get a few more things as well.
This tool is a bit more focused for the task at hand: https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d... 

View solution in original post

0 Kudos
4 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2025-11-19 03:15 AM
Jump to solution

Something like this should help: https://community.checkpoint.com/t5/API-CLI-Discussion/Python-tool-for-exporting-importing-a-policy-...

CCSM R77/R80/ELITE
0 Kudos
Don_Paterson
MVP Gold
MVP Gold
‎2025-11-19 03:16 AM
Jump to solution

The Management API can help.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-group~v1.9.1%20

 

This will give you an idea of how it works and then you can go from there.

Use a SmartConsole admin account. fwadmin is an example admin account.

Expert mode on the management server CLI:

mgmt_cli login user "fwadmin" > api-sid.txt

mgmt_cli -s api-sid.txt show groups

 mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json

 mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.'

mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.members[] | .name'

 

The commands log the admin into the API, saving the login result details to the text file. That includes the Session ID.

Then the authenticated session is used to run API commands: show groups and show group

Then jq is used to start to filter the output.

 

Eventually you will get output that can be used in an API command to create new objects and groups on the new management server

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-group~v1.9.1%20 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-objects-batch~v1.9.1%20

https://sc1.checkpoint.com/documents/latest/APIs/index.html#tips_best_practices~v1.9.1%20 

[Expert@management:0]# mgmt_cli add host --batch API-objects.csv

 

Check Point shares this too:

https://github.com/CheckPointSW/ExportImportPolicyPackage

 

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2025-11-19 03:52 AM
Jump to solution

I would confirm with TAC as well, but what Chris and Don provided definitely makes sense.

You can also verify all the options by going to https://mgmt_ip/api_docs

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2025-11-20 07:45 AM
Jump to solution

migrate_server also brings a lot of other things (like the ICA) you may not want to bring across.
The Python tool referenced by @Chris_Atkinson will get a few more things as well.
This tool is a bit more focused for the task at hand: https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d... 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events