cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Employee++
Employee++

Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Currently, the only way to move the policy and its associated objects from the R80.10 SMC to R80.10 CMA is to use Management API based tool - ExportImportPolicyPackage.

You can also migrate from one R80.10 CMA to another R80.10 CMA, as long as the source CMA has not assigned a global policy.

Follow the instructions to download, instal and use the tool.

Use a "-h" command line switch to see all available usage options.

It is supported both on Windows and Linux machines, with Python version 2.7.9 (or 2.7.14) installed.

The tool is an open source, so you are welcome to contribute your ideas and improvements.

We also have an active thread here on CheckMates - https://community.checkpoint.com/docs/DOC-1938.

It’s recommended to test the migration first in lab and to follow the below disclaimer for checking if this option is feasible or not due to too many problematic objects in the Management server database.

Notice: There are some types of objects that the script might not be able to export. In such a case, an appropriate dummy object will be exported instead, and a message will be logged into the log files to notify you of this. In the Check Point SmartConsole you can easily replace each of these objects by searching "export_error" in the search field, see where each object is used, create the necessary object manually, then replace it.

Robert.

8 Replies

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Is this supported to be used in Multi-Domain as well??  Meaning CMA to CMA.

-Juan

0 Kudos
Employee++
Employee++

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Of course, I've mentioned it in the text.

Robert.

0 Kudos

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Does anyone know if the ExportImportPoliceyPackage tool will support global policies as well? Check Point has been providing global policies for very long time, but several restrictions tend to drive users away from global polices so far. I would expect to see similar tools which support global policy package export regardless of having a global policy assigned or not. It would be already good enough when the existing global and local policies could be exported  and merged as a local policy.

0 Kudos
Employee++
Employee++

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Hi,

The ExportImportPoliceyPackage tool does support exporting a global policy package from a global domain.

As you said, currently it does not support exporting a policy from a CMA that has assigned a global policy.

This limitation is only temporary and requires major source code change to support it.

BTW, the source code of this tool is public on GitHub, so anyone can change it.

Robert.

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Hi, If you unassign the Global Policy from the CMA, can you then export the policies and import them to another CMA under R80.10?

0 Kudos
Highlighted

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

Yes. Using the ExportImportPolicyPackage you can export packages and import them to another CMA

0 Kudos

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

What I found while using this tool is that I had a bunch of groups that were not properly populated when i went to import into my new CMA - just fyi to do a sanity check on your migrated data before moving into production.

0 Kudos

Re: Migrating Policy from R80.10 SmartCenter to R80.10 CMA? Meet your best friend

I wanted to provide this in case anyone else runs into it.  I migrated from R80.10 to R80.30 and ran into a bunch of object collisions.  While this was somewhat expected, and the renames happened correctly, the original objects it collided with were no longer visible in smartconsole when searching.   The interesting thing is that when you went into the groups these objects were originally in they showed up in there, they were just did not show up in normal SmartConsole Objects Explorer view.  To correct this had to go into GUIDBedit and modify the field "cdm_auto_calculated" from "true" to false and save.  Once this was done had to close out of SmartConsole and then log back in again.

Hoping to save someone the same headache I just went through.