Please refer to the individual vendor sections for instructions on how to export the configuration. For quick vendor navigation, use the table of contents to the right.
Export Configuration from GUI:
The configuration can be exported directly from the FortiGate firewalls.
1. Using the Web UI
• Go to Admin -> Configuration -> Backup, then select whether to back up to your local PC or to a USB disk.
• If VDOMs are enabled, select VDOM configuration (VDOM Config) and then select the VDOM name that you want to migrate from the list.
2. Using the CLI
execute backup config management-station <comment>
Use the same command to back up a VDOM configuration by first entering the commands:
config vdom
edit <vdom_name>
The configuration is exported as a “.conf” file and is readable using a text editor such as Notepad.
1. Export the configuration file
Juniper SRX (Junos) configuration files are similar to PAN-OS configuration files in that they can be exported in either Set or XML format. Expedition needs the Juniper configuration file in XML format to perform the migration. Export the configuration from the Juniper device in XML format by running the following command from the SRX CLI:
show config | display xml | no-more
2. Modify the configuration file
If you are importing into Expedition 2.0, you can import the original XML configuration directly and do not need to go through this step.
The file has to start with the XML tag <configuration> without attributes and end with the closing </configuration> tag. Failure to remove the unneeded attributes is the leading cause of failure during the import into Expedition. The first line of the XML file should look like the following:
The last line of the XML file should end with </configuration> and is shown below:
The configuration is exported as a .xml file and is readable using an XML editor.
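Step 2 above as a script, for Expedition versions that need it: it trims a saved capture down to the <configuration> element and strips the attributes from its opening tag. This is an added example, not part of the original guide or of Expedition; the function name clean_junos_xml and the sample capture are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Opening tag with or without attributes, but not e.g. <configuration-foo>.
OPEN_TAG = re.compile(r"<configuration(?:\s[^>]*)?>")
CLOSE_TAG = "</configuration>"


def clean_junos_xml(raw: str) -> str:
    """Return the <configuration> element with a bare opening tag.

    Drops everything before the first opening tag and after the last closing
    tag (CLI prompts, an <rpc-reply> wrapper), then checks well-formedness.
    """
    start = OPEN_TAG.search(raw)
    end = raw.rfind(CLOSE_TAG)  # last match, so nested <configuration> nodes survive
    if start is None or end < start.end():
        raise ValueError("no complete <configuration> element found")
    cleaned = "<configuration>" + raw[start.end():end] + CLOSE_TAG + "\n"
    # Parse inside a throwaway wrapper that declares the junos: prefix, in case
    # inner elements still carry junos:* attributes. Raises ET.ParseError on a
    # truncated or otherwise malformed capture.
    ET.fromstring('<check xmlns:junos="urn:check-only">' + cleaned + "</check>")
    return cleaned


# Constructed sample of a terminal capture; not taken from a real device.
SAMPLE = """user@srx> show config | display xml | no-more
<rpc-reply xmlns:junos="http://xml.juniper.net/junos/12.1X46/junos">
    <configuration junos:commit-seconds="1500000000" junos:commit-user="admin">
        <version>12.1X46-D40.2</version>
        <system>
            <host-name>srx-lab</host-name>
            <archival><configuration><transfer-on-commit/></configuration></archival>
        </system>
    </configuration>
    <cli><banner></banner></cli>
</rpc-reply>
user@srx>
"""

if __name__ == "__main__":
    print(clean_junos_xml(SAMPLE), end="")
```

A ParseError from this function usually means the terminal capture was cut off before the closing tag, so re-export rather than hand-editing the file.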
To Backup or Save a Config File
1. Using the WebUI:
Select Configuration -> Update -> Config File
In the Download Configuration from Device section, select Save to File. Then, in the File Download dialog box, click Save. Navigate to the location where you want to save the configuration file (cfg.txt), then click Save.
2. Using the CLI:
Save the output of the following commands:
set console page 0
get config
If ScreenOS is managed by NSM, the rule descriptions are only visible in NSM, not directly on the firewall.
- Obtain the newest Checkpoint ShowPolicy package via Checkpoint ShowPolicy Package
- Use the following commands to create an SCP user on the Checkpoint Security Management Server. The SCP user will be used to transfer the Checkpoint configuration from the Checkpoint management server to your local machine.
add user scpuser uid 2600 homedir /home/scpuser
set user scpuser realname Scpuser
add rba role scpRole domain-type System readwrite-features expert
add rba user scpuser roles scpRole
set user scpuser gid 100 shell /usr/bin/scponly
set user scpuser password
save config
- Go into expert mode to run the “java -jar web_api_show_package-jar-with-dependencies.jar -option” command. Please refer to the Checkpoint ShowPolicy Package for the command options.
• Running the tool on a Checkpoint Security Management server:
java -jar web_api_show_package-jar-with-dependencies.jar
• Running the tool on a Checkpoint Security Management server for a specific policy package:
java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME>
• Running the tool on a Checkpoint Multi-Domain Server for specific domain and a specific policy package:
java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>
This tool is already installed on CheckPoint Security Management servers running version R80 with Jumbo-HF and above.
The Check Point Management Server also has a wrapper script so the tool can be run as
$MDS_FWDIR/scripts/web_api_show_package.sh which in turn executes
java -jar $MDS_FWDIR/api/samples/lib/web_api_show_package-jar-with-dependencies.jar
If you already have the tool on the CheckPoint Security Management Server, you can follow the steps below to export the configuration:
Running the tool on a Security Management server for a specific policy package:
$MDS_FWDIR/scripts/web_api_show_package.sh -k <PACKAGE NAME>
Running the tool on a Multi-Domain Server for specific domain and a specific policy package:
$MDS_FWDIR/scripts/web_api_show_package.sh -k <PACKAGE NAME> -d <DOMAIN NAME>
Use of CMA Name is not supported. Only use the Domain name or the CMA IP.
Finally, after doing all this, you should be able to transfer the output over SCP. Please note that this is all arbitrary, depending on what you have set up and where you would like to save it.
The configuration is exported as a .tar.gz file.
show route all
The route file is needed for Expedition to do zone calculations.
For both Checkpoint Management servers and Gateways with a version lower than R80.x, the required files are listed below.
Please refer to the corresponding section based on your Checkpoint management tool:
Obtain the following configuration files from '$FWDIR/conf':
- Objects – objects_5_0.C (Check Point NG/NGX) or objects.C (Check Point 4.x) contains the firewall's object definitions.
- Policy rulebases – *.W or rulebases_5_0.fws. The file name is "<package name>.W" (default "Standard.W") or "rulebases_5_0.fws".
- Route file – please refer to step 4 of the previous section.
Global Policies and Objects
The files necessary to migrate the global policies and objects are located in the opt/<cpversion>/conf directory of the MDS. Although these files are synchronized between MDS systems in a multi-MDS environment, it is suggested to pull them from the master MDS, which is authoritative for the database.
- From expert mode CLI on the Provider-1 server, cd to “$MDSDIR/conf”
- Export the Objects_5_0.C, Rulebases_5_0.fws, and Policy.W files
CMA Policies and Objects
Individual CMA object databases are contained in unique subdirectories underneath the “customers” directory on the MDS:
If the customer is using CMA redundancy, it is suggested to pull the files from the “primary” CMA. To retrieve the files required by the migration tool:
- From the MDS/Provider-1 CLI, switch “context” to the relevant CMA
- Navigate to the /conf directory within that CMA
- Export the Objects_5_0.C, Rulebases_5_0.fws and Policy.W files
- Route file – please refer to step 4 of the previous section.
Issue the following commands in the CLI:
terminal pager 0
more system:running-config / show running
If the device is running in multi-context mode, you will need to issue the commands below to get into each of the contexts before you issue the two commands above:
changeto context <name>
changeto system
The configuration is exported as a .txt file and is readable using any text editor.
Issue the following commands in the CLI:
no cli pager session
show current-config
The configuration is exported as a .txt file; the .EXP format is not supported.
Add all your Sidewinder rules into a single file and upload it, or use Copy from Clipboard. Depending on the version, some of these commands will fail, but others will retrieve the same information with the new command.
cf interface q > config_sidewinder.txt
cf service q >> config_sidewinder.txt
cf servicegroup q >> config_sidewinder.txt
cf policy q >> config_sidewinder.txt
cf route q >> config_sidewinder.txt
cf ipaddr q >> config_sidewinder.txt
cf iprange q >> config_sidewinder.txt
cf subnet q >> config_sidewinder.txt
cf netmap q >> config_sidewinder.txt
cf domain q >> config_sidewinder.txt
cf static q >> config_sidewinder.txt
cf netgroup q >> config_sidewinder.txt
cf application q >> config_sidewinder.txt
cf appgroup q >> config_sidewinder.txt
cf host q >> config_sidewinder.txt
Please follow the below instructions to export the StoneSoft configuration:
- Select Menu > File > Export > Export All Elements.
- Select an option: Enter a file name for the export file. Click Browse to select the location where you want to create the file.
- Click Export.