
Step-by-Step Checkpoint to Palo Alto Migration Guide

  • Mar 19

Updated: Apr 8



1. Pre-Migration Planning

✅ Understand the Environment

  • Identify the Checkpoint firewall model, software version, and licensing.

  • Note the number of policies, NAT rules, objects, VPN settings, and security profiles.

  • List all interface configurations and IP addressing schemes.

  • Check if there are any application-layer protections enabled on Checkpoint.

✅ Backup Existing Checkpoint Configuration


Use SmartConsole to export the full configuration:

# Run from CLI to take a backup
backup -f checkpoint_backup.tgz





2. Export Checkpoint Configuration for Migration


Export policies and objects using Check Point SmartDashboard or CLI:

# Export using CPInfo tool
cpinfo -o checkpoint_config.txt





  • Alternatively, generate an HTML report of policies using Web Visualization Tool (WVT) to help with manual review.

Export Using SmartDashboard (Web Visualization Tool - WVT)

Steps:

  1. Open Check Point SmartDashboard.

  2. Go to File > Export.

  3. Select "Web Visualization Tool (WVT)" to export policies in HTML format.

  4. Save the output file: checkpoint_rules.html.



For objects export:

mgmt_cli -r true show objects --format json > objects.json
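Before handing objects.json to a conversion tool, confirm that it holds every object: show objects returns results one page at a time (50 objects by default) and reports from, to and total counters. The check below is an added example, not part of the original guide; the sample JSON and the MANUAL_TYPES list are constructed assumptions.

```python
import json
from collections import Counter

# Constructed sample shaped like one page of `show objects` output
# (paging counters plus objects); not taken from a real management server.
SAMPLE = json.dumps({
    "from": 1, "to": 4, "total": 212,
    "objects": [
        {"uid": "u1", "name": "web-srv-01", "type": "host"},
        {"uid": "u2", "name": "dmz-net", "type": "network"},
        {"uid": "u3", "name": "web-farm", "type": "group"},
        {"uid": "u4", "name": "branch-star", "type": "vpn-community-star"},
    ],
})

# Assumption for this example: object types to rebuild by hand, since the
# guide notes VPN settings do not migrate automatically.
MANUAL_TYPES = {"vpn-community-star", "vpn-community-meshed"}

def audit_export(text):
    """Summarise an objects.json export and flag a truncated one."""
    data = json.loads(text)
    objs = data.get("objects", [])
    total = data.get("total", len(objs))
    return {
        "exported": len(objs),
        "total": total,
        "missing": max(total - len(objs), 0),
        "complete": len(objs) >= total,
        "by_type": dict(Counter(o.get("type", "unknown") for o in objs)),
        "manual": sorted(o["name"] for o in objs
                         if o.get("type") in MANUAL_TYPES),
    }

if __name__ == "__main__":
    report = audit_export(SAMPLE)
    print(report)
    if not report["complete"]:
        print(f"export is missing {report['missing']} objects; "
              "re-run with limit/offset paging until to == total")
```

The per-type counts also give the baseline to compare against after conversion.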





3. Convert Configuration Using Palo Alto Expedition Tool

Palo Alto provides Expedition, a migration tool to convert Checkpoint configurations.

✅ Install and Set Up Expedition

  1. Download Expedition from Palo Alto's site.

  2. Install it on Ubuntu 20.04+ or a VM.

  3. Access it via a web browser: https://<Expedition_IP>.


✅ Import Checkpoint Configurations

  • Open Expedition and go to Import > Checkpoint.

  • Upload rules.json, objects.json, and NAT policies.



  • Map Checkpoint policies to Palo Alto structures:

    • Security Rules → Palo Alto Security Policies

    • NAT Rules → Palo Alto NAT Policies

    • Address Objects → Palo Alto Address Groups

    • Services → Palo Alto Application & Service Objects






  • Resolve unsupported elements manually (e.g., inline layers, global objects).


✅ Validate and Optimize Rules

  • Remove duplicate or unused rules.

  • Convert legacy services to App-ID-based rules in Palo Alto.

  • Reorder rules for best performance and security.
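One way to find the duplicate and shadowed rules mentioned above before reordering anything, as an added example that is not part of the original guide. It assumes a simplified rule model (one source, one destination and one service per rule, first match wins); the rule names and addresses are constructed.

```python
import ipaddress

# Constructed, already-converted rulebase in evaluation order (first match wins).
FIELDS = ("name", "src", "dst", "svc", "action")
RULES = [dict(zip(FIELDS, row)) for row in [
    ("allow-web",     "0.0.0.0/0",       "172.16.5.0/24",  "tcp/443", "allow"),
    ("block-scanner", "198.51.100.7/32", "172.16.5.20/32", "tcp/443", "deny"),
    ("allow-web-dup", "0.0.0.0/0",       "172.16.5.0/24",  "tcp/443", "allow"),
    ("allow-dns",     "192.168.1.0/24",  "0.0.0.0/0",      "udp/53",  "allow"),
]]

def _within(inner, outer):
    return ipaddress.ip_network(inner).subnet_of(ipaddress.ip_network(outer))

def covers(early, late):
    """True if every packet matching `late` already matches `early`."""
    return (_within(late["src"], early["src"])
            and _within(late["dst"], early["dst"])
            and early["svc"] in ("any", late["svc"]))

def review(rules):
    """Return (rule, earlier_rule, kind) for rules that can never match."""
    findings = []
    for i, late in enumerate(rules):
        for early in rules[:i]:
            if not covers(early, late):
                continue
            if early["action"] != late["action"]:
                kind = "shadowed-conflict"   # e.g. a deny that never fires
            elif covers(late, early):
                kind = "duplicate"
            else:
                kind = "shadowed"
            findings.append((late["name"], early["name"], kind))
            break
    return findings

if __name__ == "__main__":
    for finding in review(RULES):
        print(finding)
```

A shadowed-conflict finding is the one to resolve first: the later rule's intent (here a deny) is silently overridden by the earlier allow.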





4. Manually Review & Adjust Configuration

Some settings may require manual adjustments:

🔹 Security Policies & Zones

  • Palo Alto uses zones, unlike Checkpoint. Assign correct zones for each rule.

  • Example Zone Mapping:

    • Checkpoint Inside Network → Palo Alto Trust Zone

    • Checkpoint DMZ → Palo Alto DMZ Zone

    • Checkpoint Internet → Palo Alto Untrust Zone



🔹 NAT Rules

  • Ensure bidirectional NAT is correctly configured.

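Example manual NAT rule in Palo Alto (PAN-OS configure mode). For destination NAT, the rule's destination zone is the zone of the pre-NAT address (untrust here); the security policy rule that permits the traffic then uses the post-NAT zone (trust):

set rulebase nat rules WebServer_NAT from untrust to untrust source any destination 203.0.113.100 service service-http destination-translation translated-address 192.168.1.10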


🔹 Application & Service Mappings

  • Palo Alto uses App-ID instead of traditional ports.

  • Replace service-based rules with App-ID-based security policies.

🔹 VPN Migration

  • Checkpoint VPN settings do not migrate automatically.

  • Reconfigure VPN tunnels manually:

    • IPsec Phase 1 & 2 settings

    • VPN gateways and authentication

    • Pre-shared keys and IKE settings







5. Import Configuration into Palo Alto Firewall

✅ Upload Converted Configuration

  • In Palo Alto Web UI, go to Device > Setup > Import Config.

  • Upload the converted XML file from Expedition.

  • Click Load and Validate Configuration.

  • Resolve any validation errors before proceeding.





6. Testing & Validation

✅ Lab Testing (Before Deployment)

  • Use a Test Firewall before applying to production.

  • Perform connectivity tests:

    • Ping between internal hosts.

    • Test internet access and NAT.

    • Validate application filtering and App-ID rules.

    • Verify VPN tunnel establishment.

✅ User Acceptance Testing (UAT)

  • Engage stakeholders to test business-critical applications.

  • Check for false positives in security policies.

  • Adjust policies if needed.

✅ Monitor Logs & Traffic

  • Go to Monitor > Traffic Logs and analyze rule hits.





Use CLI to check logs:

show session all
show counter global filter severity error







7. Deployment & Go-Live

✅ Schedule Maintenance Window

  • Backup the existing configuration on both Checkpoint and Palo Alto.

  • Apply new configuration to the Palo Alto firewall.

  • Monitor for any unexpected behavior.

✅ Post-Migration Validation

  • Confirm all security rules are enforced correctly.

  • Review Palo Alto Threat Logs for any missed threats.

  • Optimize policies for better performance.





Summary of Migration Steps



| Step | Description |
|---|---|
| 1. Plan Migration | Take backups, analyze existing Checkpoint configurations |
| 2. Export Configurations | Export Checkpoint policies and objects via CLI/API |
| 3. Convert to Palo Alto Format | Use Expedition to map rules, zones, and NAT |
| 4. Manual Adjustments | Reconfigure VPN, App-ID, and logging settings |
| 5. Import to Palo Alto | Load the converted configuration into Palo Alto |
| 6. Testing & Validation | Conduct lab tests, UAT, and monitor logs |
| 7. Deploy to Production | Apply configuration, monitor, and optimize |


🔐 If You Are Importing from Checkpoint R80.10 or Higher, Follow the Steps Below to Prepare the Configuration for Expedition Tool


✅ Steps to Import Checkpoint R80.10+ Configuration into Expedition Tool

1. Download the Required .jar File

Download the web_api_show_package-jar-with-dependencies.jar file from the official CheckPoint GitHub repository:



2. Upload the .jar File to the CheckPoint Management Server

Use an SCP tool like WinSCP or the scp command to transfer the downloaded .jar file to your CheckPoint Management Server.


3. Run the Command as Expert User

After uploading, log in as Expert user and run the following command on the Management Server:




java -jar web_api_show_package-jar-with-dependencies.jar -v

This will list all available policy packages and configurations.

4. List and Choose the Package to Export

Review the list of packages displayed in the output and identify the package name you want to export.

5. Run the Export Command

Execute the following command to export the selected package:

Step 2: Edit the interface, zone, and VR according to your new setup.



6. Select the Exported File

Once the export completes, locate the generated .tgz file. This file contains the full access rules and configuration details.


7. (Optional) Create a Route File

If you need to include route information, generate it by running the following commands on the firewall:


netstat -nr



or

show route all




Save the output into a .txt file for later upload.
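The route table is what ties an address to an interface, and therefore to a zone, which is why it helps with the zone assignment described in section 4. The sketch below is an added example, not part of the original guide or of Expedition; the netstat output, the interface-to-zone plan and the rules are constructed assumptions.

```python
import ipaddress

# Constructed `netstat -nr` output (illustrative, not from a real gateway).
ROUTES_TXT = """\
Destination     Gateway         Genmask         Flags MSS Window irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG    0   0      0    eth0
203.0.113.0     0.0.0.0         255.255.255.0   U     0   0      0    eth0
192.168.1.0     0.0.0.0         255.255.255.0   U     0   0      0    eth1
10.20.0.0       192.168.1.254   255.255.0.0     UG    0   0      0    eth1
172.16.5.0      0.0.0.0         255.255.255.0   U     0   0      0    eth2
"""
# Hypothetical interface-to-zone plan using the zone names from this guide.
IFACE_ZONE = {"eth0": "untrust", "eth1": "trust", "eth2": "dmz"}

def parse_routes(text):
    """Return [(network, interface)] from netstat -nr style lines."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 8 and f[0][0].isdigit():   # skip header lines
            routes.append((ipaddress.ip_network(f"{f[0]}/{f[2]}"), f[-1]))
    return routes

def zones_for(addr, routes):
    """Zones an address object touches: its longest-prefix route plus
    any more specific routes that fall inside it."""
    net = ipaddress.ip_network(addr, strict=False)
    covering = [(r.prefixlen, i) for r, i in routes if net.subnet_of(r)]
    ifaces = {i for r, i in routes if r != net and r.subnet_of(net)}
    if covering:
        ifaces.add(max(covering)[1])
    return sorted({IFACE_ZONE[i] for i in ifaces})

# Constructed zone-less rules as they would come out of a Check Point export.
RULES = [
    {"name": "web-in",    "src": "0.0.0.0/0",      "dst": "172.16.5.20"},
    {"name": "lan-out",   "src": "192.168.1.0/24", "dst": "8.8.8.8"},
    {"name": "legacy-10", "src": "10.0.0.0/8",     "dst": "172.16.5.0/24"},
]

def assign_zones(rules, routes):
    """Add from/to zone lists; more than one zone means review or split."""
    return [{**r, "from": zones_for(r["src"], routes),
                  "to": zones_for(r["dst"], routes)} for r in rules]

if __name__ == "__main__":
    for r in assign_zones(RULES, parse_routes(ROUTES_TXT)):
        print(r["name"], r["from"], "->", r["to"])
```

Rules such as legacy-10, whose source object spans more than one zone, are the ones to review by hand after conversion.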


8. Upload the Exported Files to Expedition

  • In the Expedition UI, select the .tgz file using the Browse button.

  • Also upload the route file if required.

  • Click Upload to import the configuration for further processing.



