Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Catalin_Ciubot1
Participant

Extract a policy from 77.30 and move it to 80.10

I'm looking for a way to extract a policy from 77.30 and move it to 80.10 mgmt. There were some solutions posted on different occasions but none is correct.

- confwiz is for older versions

- python tool is for 80.10

Before opening a ticket with CheckPoint, I would like to know if somebody was successful.

Many thanks for your feedback.

Catalin

0 Kudos
14 Replies
Marco_Valenti
Advisor

you can use upgrade tool for migrate a single cma and then import to r80.10 with cma migrate , this at least work 100% with mds non sure about smartcenter but it should work in the same way

G_W_Albrecht
Legend
Legend

It is also possible to simply upgrade the R77.30 to R80.10 keeping the policy...

Catalin_Ciubot1
Participant

Unfortunately upgrade is not an option.

0 Kudos
Catalin_Ciubot1
Participant

I was thinking about 'upgrade export ' but hopping about something better, thanks.

0 Kudos
Vladimir
Champion
Champion

"migrate export" is the correct tool for the job. What is it that you find difficult or problematic with it?

I'd suggest running a pre-upgrade verifier first to see if there are any issues with the process. If there are, migrate export to the same version, restore in VM environment, make necessary adjustments to remove issues mentioned by verifier and re-run the migrate export with the 80.10 version of tools. 

0 Kudos
Catalin_Ciubot1
Participant

The issue is that I have to export only one policy from 77.30 and migrate to 80.10. The others will stay on 77.30 for now. Taking only the relevant policy and the DB used by that policy, this is problematic. Maybe the manual way is a better option!? Recreating the objects and the rules, if there are not so many. Just asking if somebody had to do the same.

0 Kudos
Vladimir
Champion
Champion

Thanks for the explanation.

Unfortunately, I do not believe that there is a way to do that in 77.30 to R80.XX moves without intermediate steps I have described above.

You'd have to create an intermediate VM, delete the rest of the Policy Packages on it and migrate export the one remaining.

0 Kudos
Catalin_Ciubot1
Participant

Hi Vladimir,

indeed 'migrate export/import' was the tool. Then I cleaned the policy and DB and ran the migrations tools to 80.10 on 77.30 VM. After some time, importing was done on 80.10 VM. As you mentioned already, without intermediary steps, I don't see how else we can do it. Thanks!

Vladimir
Champion
Champion

You are w:)lcome!

PhoneBoy
Admin
Admin

There is no "simple" solution to this problem as the configuration databases and formats used are very different.

In addition to the other options mentioned here, you might be able to do something like:

  • Use odump/ofiller to dump the relevant data from R77.30 into CSV files
  • Write scripts to parse these CSV files into the appropriate mgmt_cli commands to create the policies in R80.x

No matter which approach you take, some assembly will be required.

0 Kudos
Vladimir
Champion
Champion

It'd be nice to have an option to "export policy package" in SmartConsole in R80.XX, instead of relying on scripts with their own dependencies and possibilities of errors and omissions.

0 Kudos
PhoneBoy
Admin
Admin

Interestingly enough, you can export the rules as a CSV file right from SmartConsole in R80.x:

However, there is no way to import this CSV file again, or all the objects it refers to, which would be required for the CSV file to be useful.

A useful policy package export would have to include not only the rules but the objects in it.

Agree this is an area for improvement.

0 Kudos
Vladimir
Champion
Champion

BTW: the CSV export does cheesy job: the group members are not included in it.

Old Web visualization tool was actually much better, since we've could wrestle Excel to extract useful data from it.

Catalin_Ciubot1
Participant

Thank you Vladimir and Dameon for your input. CheckPoint doesn't support any solution to extract 77.30 policy and migrate it to 80.10. In the end I was able to import successfully only the objects (via script) and I was recreating the groups manually. Because that specific policy I had to migrate was small, in the end I did it manually.

0 Kudos