cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Extract a policy from 77.30 and move it to 80.10

I'm looking for a way to extract a policy from 77.30 and move it to 80.10 mgmt. There were some solutions posted on different occasions but none is correct.

- confwiz is for older versions

- python tool is for 80.10

Before opening a ticket with CheckPoint, I would like to know if somebody was successful.

Many thanks for your feedback.

Catalin

0 Kudos
14 Replies

Re: extract a policy from 77.30 and move it to 80.10

you can use upgrade tool for migrate a single cma and then import to r80.10 with cma migrate , this at least work 100% with mds non sure about smartcenter but it should work in the same way

Re: extract a policy from 77.30 and move it to 80.10

It is also possible to simply upgrade the R77.30 to R80.10 keeping the policy...

Re: extract a policy from 77.30 and move it to 80.10

Unfortunately upgrade is not an option.

0 Kudos

Re: extract a policy from 77.30 and move it to 80.10

I was thinking about 'upgrade export ' but hopping about something better, thanks.

0 Kudos
Vladimir
Jade

Re: extract a policy from 77.30 and move it to 80.10

"migrate export" is the correct tool for the job. What is it that you find difficult or problematic with it?

I'd suggest running a pre-upgrade verifier first to see if there are any issues with the process. If there are, migrate export to the same version, restore in VM environment, make necessary adjustments to remove issues mentioned by verifier and re-run the migrate export with the 80.10 version of tools. 

0 Kudos

Re: extract a policy from 77.30 and move it to 80.10

The issue is that I have to export only one policy from 77.30 and migrate to 80.10. The others will stay on 77.30 for now. Taking only the relevant policy and the DB used by that policy, this is problematic. Maybe the manual way is a better option!? Recreating the objects and the rules, if there are not so many. Just asking if somebody had to do the same.

0 Kudos
Vladimir
Jade

Re: extract a policy from 77.30 and move it to 80.10

Thanks for the explanation.

Unfortunately, I do not believe that there is a way to do that in 77.30 to R80.XX moves without intermediate steps I have described above.

You'd have to create an intermediate VM, delete the rest of the Policy Packages on it and migrate export the one remaining.

0 Kudos

Re: extract a policy from 77.30 and move it to 80.10

Hi Vladimir,

indeed 'migrate export/import' was the tool. Then I cleaned the policy and DB and ran the migrations tools to 80.10 on 77.30 VM. After some time, importing was done on 80.10 VM. As you mentioned already, without intermediary steps, I don't see how else we can do it. Thanks!

Vladimir
Jade

Re: extract a policy from 77.30 and move it to 80.10

You are wSmiley Happylcome!

Admin
Admin

Re: extract a policy from 77.30 and move it to 80.10

There is no "simple" solution to this problem as the configuration databases and formats used are very different.

In addition to the other options mentioned here, you might be able to do something like:

  • Use odump/ofiller to dump the relevant data from R77.30 into CSV files
  • Write scripts to parse these CSV files into the appropriate mgmt_cli commands to create the policies in R80.x

No matter which approach you take, some assembly will be required.

0 Kudos
Vladimir
Jade

Re: extract a policy from 77.30 and move it to 80.10

It'd be nice to have an option to "export policy package" in SmartConsole in R80.XX, instead of relying on scripts with their own dependencies and possibilities of errors and omissions.

0 Kudos
Admin
Admin

Re: extract a policy from 77.30 and move it to 80.10

Interestingly enough, you can export the rules as a CSV file right from SmartConsole in R80.x:

However, there is no way to import this CSV file again, or all the objects it refers to, which would be required for the CSV file to be useful.

A useful policy package export would have to include not only the rules but the objects in it.

Agree this is an area for improvement.

0 Kudos
Vladimir
Jade

Re: extract a policy from 77.30 and move it to 80.10

BTW: the CSV export does cheesy job: the group members are not included in it.

Old Web visualization tool was actually much better, since we've could wrestle Excel to extract useful data from it.

Re: extract a policy from 77.30 and move it to 80.10

Thank you Vladimir and Dameon for your input. CheckPoint doesn't support any solution to extract 77.30 policy and migrate it to 80.10. In the end I was able to import successfully only the objects (via script) and I was recreating the groups manually. Because that specific policy I had to migrate was small, in the end I did it manually.

0 Kudos