AmitS
Participant

Move only object file from one SMS to another

Hello Team,

We are having one SMS which manages multiple security gateways. Now we have planned to separate one of the gateways cluster from this old SMS to a newer SMS server creating a segregated setup.

Now this new setup has limited policies ~100 count, but has multiple object groups & each object group has approx. 100+ objects (IP, Network) within. Policies we can create manually as those are limited & simple L3_L4 policies.

My query is how can we just migrate these objects from old SMS to new SMS server. 

Since the old SMS server is managing multiple setups cluster, doing a migrate export & import to new one will bring the unwanted objects as well, which we don't want & creating these required objects/groups in new SMS server is very time consuming activity & if we miss any object then it would be critical & difficult to track.

Can you guys suggest if you faced similar challenges & how can we achieve this.

I was thinking of moving the object file from old server to new but this would also bring the unwanted objects.

 

0 Kudos
4 Solutions

Accepted Solutions
Chris_Atkinson
MVP Platinum CHKP
0 Kudos
Don_Paterson
MVP Gold

The Management API can help.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/show-group~v1.9.1%20

 

This will give you an idea of how it works and then you can go from there.

Use a SmartConsole admin account. fwadmin is an example admin account.

Expert mode on the management server CLI:

mgmt_cli login user "fwadmin" > api-sid.txt

mgmt_cli -s api-sid.txt show groups

mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json

mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.'

mgmt_cli -s api-sid.txt show group name <one-of-your-groups> --format json | jq -r '.members[] | .name'

 

The commands log the admin into the API, saving the login result details to the text file. That includes the Session ID.

Then the authenticated session is used to run API commands: show groups and show group.

Then jq is used to start to filter the output.

 

Eventually you will get output that can be used in an API command to create new objects and groups on the new management server.

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-group~v1.9.1%20 

https://sc1.checkpoint.com/documents/latest/APIs/index.html#cli/add-objects-batch~v1.9.1%20

https://sc1.checkpoint.com/documents/latest/APIs/index.html#tips_best_practices~v1.9.1%20 

[Expert@management:0]# mgmt_cli add host --batch API-objects.csv

 

Check Point shares this too:

https://github.com/CheckPointSW/ExportImportPolicyPackage


0 Kudos
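Added example, not part of the post above and not Check Point code: one way to turn the JSON from `show group` into the CSV files that `mgmt_cli ... --batch` reads, while listing every member it could not convert so that nothing is dropped silently. It assumes the group was exported with `details-level full` so members carry their addresses; the sample JSON, object names and output file names are constructed for illustration.

```python
import csv
import io
import json

# Constructed sample of `show group name "Branch_Servers" details-level full --format json`
# (trimmed to the fields used here; names and addresses are made up).
SAMPLE_GROUP_JSON = """
{
  "name": "Branch_Servers", "type": "group",
  "members": [
    {"name": "srv-web-01", "type": "host", "ipv4-address": "10.20.1.10"},
    {"name": "net-branch-lan", "type": "network", "subnet4": "10.20.0.0", "mask-length4": 24},
    {"name": "Legacy_Group", "type": "group"},
    {"name": "srv-web-01", "type": "host", "ipv4-address": "10.20.1.10"}
  ]
}
"""

# Per object type: (CSV header for the add command, member fields to read).
COLUMNS = {
    "host": (["name", "ip-address"], ["name", "ipv4-address"]),
    "network": (["name", "subnet", "mask-length"], ["name", "subnet4", "mask-length4"]),
}

def to_csv(header, rows):
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(header)
    writer.writerows(rows)
    return buf.getvalue()

def group_to_batches(group):
    """Return (csv_by_type, membership_csv, skipped) for one exported group."""
    rows, seen, skipped = {t: [] for t in COLUMNS}, set(), []
    for m in group["members"]:
        fields = COLUMNS.get(m["type"], (None, []))[1]
        if not fields or any(f not in m for f in fields):
            skipped.append((m["name"], m["type"]))  # unsupported type or missing address
        elif m["name"] not in seen:  # drop duplicate members
            seen.add(m["name"])
            rows[m["type"]].append([m[f] for f in fields])
    csv_by_type = {t: to_csv(COLUMNS[t][0], r) for t, r in rows.items() if r}
    membership = to_csv(["name", "members.add"], [[group["name"], n] for n in sorted(seen)])
    return csv_by_type, membership, skipped

if __name__ == "__main__":
    batches, membership, skipped = group_to_batches(json.loads(SAMPLE_GROUP_JSON))
    for obj_type, text in batches.items():
        print(f"# add {obj_type} --batch {obj_type}s.csv\n{text}")
    print(f"# set group --batch members.csv\n{membership}")
    print("Not migrated automatically:", skipped)
```

On the new server, import the object CSVs first, create the empty group with `add group`, then apply the membership CSV with `set group --batch`. Anything in the skipped list (nested groups, ranges, members exported without addresses) has to be handled separately before the rulebase is built.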
the_rock
MVP Platinum

I would confirm with TAC as well, but what Chris and Don provided definitely makes sense.

You can also verify all the options by going to https://mgmt_ip/api_docs

Best,
Andy


0 Kudos
PhoneBoy
Admin

migrate_server also brings a lot of other things (like the ICA) you may not want to bring across.
The Python tool referenced by @Chris_Atkinson will get a few more things as well.
This tool is a bit more focused for the task at hand: https://community.checkpoint.com/t5/API-CLI-Discussion/CLI-API-Example-for-exporting-importing-and-d... 


0 Kudos