Showing results for 
Search instead for 
Did you mean: 


Checkpoint to ASA migration

Hello Experts,

I tried the command mentioned in step 2 on WVT at the mentioned link:

However it generated only one output file for security policies.

How do I get other files like communities, index , nat-policy netwok-object and services.


What sort of support forum Cisco is running where no one responds !!!!!!!!!!!!


Hi Sarabjeet,

As per i could see from the tool, you need to collect data as mentioned in Config's gathering steps.

CheckPoint Firewall Data Collection Steps
  1. Download the Web Visualization Tool (WVT) from the website of CheckPoint appropriate for your version of CheckPoint Firewall
  2. Run the command (EXACTLY IN THE SAME FORMAT) from the workstation authorized to access the SmartCenter Server
    "cpdb2web -s <smartcentername/ip> -u <adminusername> -p <adminpassword> -o <outputfolder> -m <gatewayname>"
    where gatewayname is the name of the gateway whose policies are to be converted.
    In Provider-1, use the virtual IP address associated with the CMA in place of the SmartCenter IP.
    The output of this command will be a set of XML files
  3. Now collect the interfaces and routing information. Login to the gateway whose policies are to be converted. Change to the Expert Mode. Run the commands"ifconfig -a" and "netstat -rnv" in order and save the output in a text file named "networking.txt" in the folder created above. In case of Provider-1, this is slightly different, here is the example
  4. Alternatively, for the above step, if you cannot provide the networking.txt file due to some reasons like say you want to do manual modifications to interfaces & routes, or say if your CheckPoint platform is not generating the compatible networking.txt file, then in that case, you can manually create a file named as"routes.txt".
    The sample format of the routes.txt file is provided here
  5. Now Create a ZIP file out of this Config file (For Windows Users: Select the File, Right-Click, 'Send to → Compressed Zip Folder')
  • Note 1 - A Firewall configuration will not get converted if the default route is not found. Add a temporary dummy default route for the conversion purpose, if needed.
  • Note 2 - To summarize, the input ZIP file should have the following 8 files in total. Ensure that there are no other files or folders in the ZIP file.
    1. communities.xml
    2. index.xml
    3. NAT_Policy.xml
    4. network_objects.xml
    5. Security_Policy.xml
    6. services.xml
    7. users.xml
    8. networking.txt OR routes.txt
  • Note 3 - The name of the Security Policy and NAT Policy files should be "Security_Policy.xml" and "NAT_Policy.xml" respectively. Manually rename them if this is not the case.
  • Note 4 - In case if there are multiple Security and NAT Policy files, keep only the ones which is to be converted and rename them with the above-mentioned names.

i think it is more of things related to checkpoint tool.  Please try the below steps.

Hope it helps.


Akshay Rastogi

Remember to rate helpful posts.


This is a community forum supported primarily by the freely given volunteer time of your networking peers. There is no guaranteed response.

Even the Cisco folks contributing here are doing so on a bast effort basis above and beyond their "day jobs".

If you require guaranteed service level support, then Cisco offers a whole range of paid support options, primarily via the Smartnet support contract vehicles.

Content for Community-Ad