I believe that this approach will create a couple of issues, because the destination CMA is on the same MDS as the source one. If you migrate without any changes, then IP address of the CMA will stay the same together with all certificates. Also, I believe that there will be some difficulties with rule UIDs.

Nadezda Zuka‌

Do you plan to delete the source domain?

Do you need to copy only objects and rules of one policy package?

Do you have VSX gateways?

Do you have some more tricky and difficult configurations in the policy, than just for example firewall rules, NAT, VPN?

I'm thinking about cp_merge tool - sk33751. It is officially not supported with MDS/CMA, but you can export objects and rules from a CMA for sure. Then you can import it to a virtual machine, do some tricks with it and then try cp_merge again for new domain or import "migrate export" from the virtual machine.

Aleksei, the IP will not remain the same for the CMA, as you export and import into a new CMA with a different IP.

It will keep all SIC's and indeed the certificate will remain the same and this will cause some issues, you will have a duplicate certificates in the MDS. I know there was a way to reset this certificate but you will loose all SIC with that as well.

I can recall we did a similar thing about 10 years ago, we needed to split a Domain into 2, a customers company split up and a couple of gateways went left an the other went right, each already had a different policy so it was easy to just export and import as a new domain, but we never noticed the underwater issues with the certificates, that became apparent a couple of years later. I do not know what the problem was we ran into, but I do know it is more than just cosmetic.

Thank you for answers!

Yes, we have VSX, so source and target firewalls are virtual systems on the same VSX cluster.

It is only objects and rules need to be copied, no specific configuration - just firewall and NAT rules.

The situation is as following: customer is changing its name, and as we have not found any easy way to rename domain name and management server, as well VS name (which seems to be impossible at all, as per CheckPoint support answer). So we are going to create a new domain with new management server (other IP address), and of course new VS.

I was searching a fast way to migrate the policy from one domain into another, and then in service window, we will delete old VS interfaces and enable those on new VS in new domain.

You can still do the Migrate export and import the new domain, however, before importing you need to create a file to allow the import, then when done you need to delete the VS from the domain completely. this can be done with the aid of GUI-DBedit, but will require you to be very careful into knowing what you are doing. Ie make sure the master VSX Domain is locked while you're making the changes by having a dashboard open in read-write, same for the original domain. 

Then you can attempt to delete the VS network objects and the vs-slot entries.

I always prefer to have a valid rollback plan.. so deleting original VS just after policy import-export doesn't seem acceptable..

Well, I expected some kind of official Check Point solution for this, so if there is no such, manual copy-pasting policy could be the way to go.. but I am wondering, why there is no easy way of exporting policy and importing to other domain, or why we cannot rename domain from GUI...

Nadezda, you keep the ORIGINAL Domain up and running until you are ready to move over to the new VS, as you said you will create a new VS in the new Domain to do the actual migration.

once you have imported the Domain you first need to clear all references for the original VS, that is still managed by the original Domain and replace this with the new VS.