Problems with Firepower Migration tool and Checkpoint

Andymong
Level 1

Has anyone actually managed to get this working? I've been going at it for 3 months now. Non-VSX, R81.x or R80.40, Mac, Windows: neither the offline method nor the online methods work, and both produce cryptic error messages at the end. Accounts, access/expert passwords, etc. have been validated multiple times. Building the zip file according to the documentation also does not seem to go through. Tool versions 3.0.1-7373 and 3.0.2-7393 won't even start up on Windows 10, so I have been working with V3.0-7165 mostly. But I also tried 3.0.2 on Mac.

My Check Point Management is already on R81.10 though (only R80 is supported).

This is one of the errors I'm getting (simple, I know; should it be .tar instead of .tar.gz?):

2022-09-26 15:30:27,057 [INFO | connect_cp.py] > /opt/CPsuite-R81.10/fw1/bin/upgrade_tools/show_package-2022-09-26_15-30-10.tar.gz

2022-09-26 15:30:27,231 [ERROR | cp_device_connection.py] > Bad file format

2022-09-26 15:30:27,233 [ERROR | connect_cp.py] > Unable to download .tar file.

1 Reply

Miyauchi1021
Level 1

It's been quite a while, but I recently encountered the same issue again, so I'm leaving a note here for future reference.

This is now clearly documented in the FMT documentation, and the root cause is listed as "Incorrect Credentials."
https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CP/migrating-check-point-firewall-to-threat-defense-with-migration-tool/m_troubleshooting_migration_issues.html#:~:text=The%20credentials%20used%20must%20have%20a...

Most likely, the default "admin" user on the Check Point management server has /etc/cli.sh set as its shell (User Management > Users > Shell).
However, due to some cosmic law of the universe, it appears that the user used for configuration extraction with FMT must have /bin/bash as their shell.

Please create a user with /bin/bash as the login shell in both the Check Point GUI (Gaia) and SmartConsole, and run FMT using that user. This should resolve the error.
(Note: in order to log in via SmartConsole, a valid license must be applied to the Check Point management server.)
From the following page, prepare a user with /bin/bash according to whether your environment distributes Check Point's Management and Gateway or not.
https://www.cisco.com/c/en/us/td/docs/security/firepower/migration-tool/migration-guide-CP/migrating-check-point-firewall-to-threat-defense-with-migration-tool/m-check-point-to-threat-defense-migration-workflow.html#Cisco_Task.dita_40d2f703-599e-4df7...

I don't quite understand why only Check Point has to use FMT for config extraction, or why FMT is supposed to have administrative access to the system it is running on.
Anyway, this is the solution.

Hope this helps!
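
A pre-flight check for the condition described in the reply above, added here as an example and not part of either forum post or of Cisco's or Check Point's own tooling: before running FMT, confirm that the account it will log in with has /bin/bash as its login shell rather than /etc/cli.sh, so the failure is caught up front instead of surfacing later as "Bad file format". The script reads the standard passwd-format line (seventh colon-separated field is the shell); it assumes getent or /etc/passwd is available on the management server, and the user names and sample lines below are constructed.

```shell
#!/bin/sh
# Added example (not from the forum thread). Checks that the Check Point
# account FMT will use has /bin/bash as its login shell, since the reply above
# reports that accounts whose shell is /etc/cli.sh (Gaia clish) make FMT's
# configuration extraction fail. The account itself is created in Gaia and
# SmartConsole as the reply describes; this script only verifies the result.

# Return the login shell of a passwd-format line (7th colon-separated field).
shell_of_passwd_line() {
    printf '%s\n' "$1" | cut -d: -f7
}

# Succeed (exit 0) only when the login shell of the given passwd line is /bin/bash.
fmt_shell_ok() {
    [ "$(shell_of_passwd_line "$1")" = "/bin/bash" ]
}

# Look up a local user (assumes getent or /etc/passwd exists on the host),
# run the check, and print a verdict. Exit codes: 0 ok, 1 wrong shell, 2 not found.
check_fmt_user() {
    user="$1"
    line=$(getent passwd "$user" 2>/dev/null || grep "^$user:" /etc/passwd 2>/dev/null)
    if [ -z "$line" ]; then
        echo "user $user not found"
        return 2
    fi
    if fmt_shell_ok "$line"; then
        echo "OK: $user uses /bin/bash"
        return 0
    fi
    echo "FAIL: $user uses $(shell_of_passwd_line "$line"); FMT needs /bin/bash"
    return 1
}

# Constructed sample passwd lines for offline demonstration (not real accounts):
# the default admin with the clish shell, and a dedicated FMT user with bash.
SAMPLE_ADMIN='admin:x:0:0::/home/admin:/etc/cli.sh'
SAMPLE_FMT='fmtuser:x:0:0::/home/fmtuser:/bin/bash'
```

Run it on the management server as `check_fmt_user fmtuser` (after sourcing the file) and only start the FMT extraction when it reports OK; on a workstation without the account, the two constructed lines show the pass and fail cases.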
