Support Center > Search Results > SecureKnowledge Details
Using cp_merge utility Technical Level

Table of Contents

  • Introduction
  • Limitations
  • Procedure: Export on source Security Management server
  • Procedure: Import on target Security Management Server
  • Notes
  • Related solution


The cp_merge tool is a merge utility that provides two major functionalities:

  1. Export and import of Security policy packages.

  2. Merging of objects from a given file into the Security Management server database.

Important: in R80 and later, the cp_merge tool is obsolete and does not work. Refer to Check Point CheckMates Community for an alternative tools such as the one described in this article for exporting/importing a policy package.


  • Merge of VSX objects is not supported!
  • The cp_merge utility is not supported on Multi-Domain Management servers. This would also extend to the CMAs / Domain Management Servers contained within them.

    Although limited in the code, this operation can be performed by Check Point Professional Services. For further assistance, contact

  • Merge of Application Control and URL Filtering policies is not supported.

  • The import might fail if Security Gateway / Cluster objects are used within any policy package, or as a policy installation targets (administrator can temporarily remove the Security Gateway / Cluster objects from the policies and turned off policy installation targets).


Procedure: Export on source Security Management server

  1. Close all SmartConsole GUI clients.

  2. Create a temporary directory on the source Security Management server.

  3. Run the following from this directory:
    • To see what are the installed policy packages, run:

      [Expert@HostName]# cp_merge list_policy

    • Export all the policy packages by running:

      [Expert@HostName]# cp_merge export_policy

      Note: The policy packages will appear in the directory.

    • Copy the '$FWDIR/conf/objects_5_0.C' file to that directory:

      [Expert@HostName]# cp $FWDIR/conf/objects_5_0.C </path_to/directory_name>


Procedure: Import on target Security Management server

  1. Go to the target (merging) machine and create a temporary import directory, for example /home/admin/import.

  2. Transfer all files that were exported from the source machine to the import directory.

  3. Run the following from the import directory:

    • To merge the object files, run:

      [Expert@HostName]# cp_merge merge_objects

    • To import Security policy, run:

      [Expert@HostName]# cp_merge import_policy -f <policy_name>.pol -n <new_policy_name>

      Each Security policy should be installed separately and named accordingly.
      Repeat the previous step until all Security policies will be installed.
    • R65 is also available - be certain you are in Expert Mode to run command.



  • SmartConsole clients may interfere with the cp_merge utility and prevent it from changing the repository. Therefore, all SmartConsole GUI clients must be closed.

  • To use cp_merge, both Managements Servers (source and target) must have the same Check Point version installed.

  • The import operation fails if the policy uses objects that were deleted after the policy was exported.

  • Security policy package names are case-sensitive.

  • The Security policy package import is performed one policy package at a time.

  • When running cp_merge and connecting to the database, the user credentials must have GUI permissions (a SmartDashboard administrator has to be chosen and not a WebUI user).

  • The merge operation uses the object name as a key. Objects with the same names in both the source and destination databases will not be merged, even if other properties (like IP address) are different. It is up to the administrator to resolve any issues with name collisions (this is best done by editing the source or destination databases before export / import).

  • cp_merge does not overwrite ANY duplicated entry - it will not enter any duplicate entry that already exists. (An entry is considered to be a duplicate if both the name and IP address are identical, no other values will be considered (NAT settings, object color etc.)).


Applies To:
  • This solution replaces sk22285, sk34814, sk24354, sk56880

Give us Feedback
Please rate this document