In R80 and above, Check Point has introduced a management API that offers a whole new realm of possibilities for managing policies. It also rendered obsolete many of the traditional tools (such as cp_merge) that we might have considered for this type of work. The availability of the API has introduced a number of options for using scripts or third-party tools to manage and migrate your firewall policy.
Suppose that you have two Check Point management servers that you want to merge. One is running R80 and the other is running R77.30. You want to eventually end up with a single management server, but don’t want to have to manually copy everything over. What do you do?
That was the same question I faced a short time ago. I recently needed to perform this type of migration, combining the policies of two management servers in order to migrate the management of our office firewall cluster from a legacy management server to one running R80 in AWS. This gave me a great opportunity to learn how to use the R80 API.
While researching the best way to accomplish the migration, I came across a tool released by the Check Point APIs Team called ExportImportPolicyPackage. This is a Python script that leverages the R80.10 API to create a tar.gz file that can be imported into another management server.
The first challenge
This tool requires R80.10 across the board. The source management server was running R77.30 and the destination one was running R80 in AWS. In order to use the R80.10-compatible tool, I needed to upgrade everything to R80.10 first. To avoid manipulating production systems, I did all this work in VMs in our lab.
The R77.30 management upgrade was relatively straightforward: use the R80.10 migration tools for Pre-R80 Gaia versions (Check_Point_R80.10_migration_tools_PreR80.Gaia.tgz) to run an upgrade_export of the policy on the R77.30 management server, build a VM with a clean install of R80.10, and import the migrated policy. Easy.
The R80 to R80.10 upgrade for the destination management server was a bit more interesting. I was originally thinking I could just do an in-place HFA upgrade to R80.10, but since this server was running in AWS, that method isn’t supported (sk118717). If you try to run the HFA upgrade, it looks like this:
(Full disclosure – I really wanted to see what would happen if I deleted /etc/in-aws, but I didn’t want to end up with an unsupported configuration for our production environment).
To make this more interesting/annoying, there are not currently any published migration tools for migrating an R80 management server to R80.10. The R80.10 migration tools in the first column only work on R80.10 systems, and the Pre-R80 migration tools only work on R77.30 and older (not on R80; I tried). I asked for some advice on what to use, and the SecurePlatform/Linux package was suggested, but that only works on R77.30 and older as well.