Thank you @G_W_Albrecht for your answer, I have already a case with TAC but it take a lot of time.

Do you know where I can found the logs related to the migration ?

Thank you again

No - you could look into the script itself.

We have a problem with both tables.def and implied_rules.def.

I built a new Management server in Azure and replaced these two files, that fixed the error for tables.def but we still have the same problem with implied_rules.def.

I have downloaded the install .tgz from checkpoint so will extract the file from there and see if that lets me get past this error.

It seem the --ignore_warnings flag needs to be inside the script as if you append it to the end of command it is simply ignored.

I do have a TAC case open under our management server for this error but as it is a migration and not a break fix I am having difficulty getting help from TAC, I am also waiting for the paperwork to go through for our support on Smart-1 cloud which is further complicating the issue.

Thanks

I add the line:

echo "--ignore_warnings" > migrate_flags

towards the end of the script after echo: "-force-upgrade-flow" > migrate flags

This allowed the script to complete, not sure if this is a recommended method?

I will try import the file to the Infinity Portal and see if everything works that side.

I think you don't have an other solution, and you will not have an issue to ignore the .def files because after the migration you open a case to remplace the default .def with yours , and all will be ok.

@Ian_Cresswell Well, you can use "--ignore_warnings" but the issue is that it will ignore all warnings and not only warnings about .def files. 
So if you want to use it I recommend first to run it without this flag and see if you getting warnings about .def only and then to run it with "--ignore_warnings". However, personally I prefer the @M_Soler solution i.e. to replace .def files with the default .def files. This way migration will not hang on .def and you will still get other warnings.

Thats 100% true, I used it myself few times and it does work with that flag on, but definitely does not address the real issue as to why it fails in the first place.

Best regards,

Andy

I did try that, I replaced the implied_rules.def with the file I extracted from Check_Point_R81.10_T335_Fresh_Install_and_Upgrade.tar but still got the same error regarding this file.

I had a similar problem with table.def but that was resolved once I replaced that file.

Not sure what else to do, do you have a suggestion where else I could get a copy of implied_rules.def?

I did not see any other errors or warnings in the Upgrade Report

I can get you clean file from that version if you like, but no clue if it would work.

Let me know.

Andy

Yes please Andy, would appreciate that.

I am on R81.10 with the latest hotfix applied.

OF COURSE mate, happy to try help you! Can you please message me directly with your email and I can send you the file securely?

Andy

K, just sent it, its encrypted email, not sure if it may ask you to create an account, but if it gets too complicated, I gave you my direct email as well, so shoot me a message and we can connect offline. Im sure it wont take more than 2 IT dudes to send a file 🤣🤣

Andy

I got it , thanks Andy.

Will try with this file and let you know how it goes.

Lets do remote later if you are allowed to.Im very persistent guy, I dont give up easily on things, so Im fairly confident we can figure it out...this is in case file I gave you does not work.

Cheers mate.

Andy

Hi Andy

Unfortunately I got the same error Inspect files have been modified:/opt/CPsuite-R81.10/fw1/lib/implied_rules.def

I first simply replaced the file and when that didn't work I did a cpstop, replaced the file, ran cpstart and then ran the script again, same error.

I can do a remote session, just let me know when you are available, I am free the rest of the day today.

Dont worry, we will figure this out...I have some Fortinet stuff to do, but should be good any time between 12 and 2.30 pm. Im in EST, what about you? If its same time zone, we can do say 1-2 pm est?

Andy

I am in the GMT time zone, I am available up until 2pm EST, if you can make it earlier that be easier for me but I can make myself available until 2pm EST, you are helping me after all....

Just sent you direct email, Im fairly sure I can do it earlier.

Andy

Ok, my Fortinet thing was delayed till later this week, so Im free now. Please send the invite or I can create zoom meeting.

Andy

Thanks for your time earlier Andy, as you can see no matter what we do it always complains about the implied_rules.def file, even after I replaced it with a clean file from the checkpoint install files.

With the [echo "-force-upgrade-flow" "--ignore_warnings" >> migrate_flags] it does allow the migration tool to complete and creates the import file.

I have imported this to the infinity portal and everything looks fine, except, CME.

CME is enabled but there is nothing listed under the CME Management Name and when I try add an account under the Accounts (Controllers) section, it allows me to enter the details but when I click on Add it has a little think and then reverts to a blank page and never adds the account.

Does anyone have any idea on how to configure CME in the Infinity Portal?

Im very glad we spoke Ian, as it also got me thinking about CME part you showed me. As I mentioned to you over zoom, I also checked portal of a customer we support, as they have whole CP suite and in S1C portal, I dont see anything under CME tab, same as what you have.

I could be totally mistaken about this, but I was under impression that CME was only relevant in Azure vmss environment.

https://sc1.checkpoint.com/documents/IaaS/WebAdminGuides/EN/CP_CME/Content/Topics-CME/Overview.htm

By the way, did you see screenshot I emailed you about those custom inspect files?

Best,

Andy

Hi Andy

The gateways I am trying to link up with CME are vmss gateways in Azure, they are in our database on the on Prem Management server.

I saw your attachment about the custom inspect files, at the moment my Infinity Portal looks the same, my worry is if any changes were made to my environment that affected the implied_rules.def file they would not be present in the infinity portal. Not sure if Checkpoint is able to import my implied_rules.def file to ensure it matches what I have on Prem?

I know some folks in TAC have backend access to S1C environments, so if you give them tenant ID, they can log in and check, for sure. I see what you mean about vmss gateways, totally makes sense in that case.

Andy