Migrate a Port-Based Policy to PAN-OS Using Expedition
Migrate a like-for-like legacy firewall configuration to a PAN-OS device, including migrating the legacy security policy.
Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo Alto Networks next-generation firewall or Panorama as the first phase in your migration to application-based Security policy. Expedition is a great tool for performing bulk operations on multiple objects in a configuration. Expedition supports importing legacy configurations from most major firewall vendors.
Palo Alto Networks technical support (TAC) does not provide support for Expedition.
For Expedition migration workflow details, refer to the Expedition User Guide, which also includes information about how to import objects into a configuration using CSV files and how to import an Iron-Skillet Day 1 configuration.
For managing Expedition, refer to the Expedition Admin Guide, which also includes some user interface information, and to the Expedition Hardening Guide, which provides advice on how to protect the Expedition VM.
Before you begin a migration, ensure you meet the following prerequisites:
- Download Expedition to a management device that supports running a VM.
- SSH and/or SSL (HTTPS) connectivity to the Palo Alto Networks Panorama and/or firewalls to which you’re migrating. SSH access is for the CLI; SSL access is for the web interface and for pushing API commands.
- Operational access to the Palo Alto Networks Panorama and/or firewalls to which you’re migrating so you can push the like-for-like configuration to the PAN-OS device(s).
Professional Services has a wealth of migration experience. You can engage Professional Services’ expertise to help you move a configuration from your legacy devices to Palo Alto Networks next-generation firewalls.
- Review the legacy firewall configuration. Understand the goals of the legacy rulebase and document the items you need to know for the migration. For example, on a Juniper SRX device, note which interfaces are disabled; on a Cisco ASA device, verify whether traffic is permitted between interfaces with the same security level, verify the state of the IPSec tunnels, and gather the pre-shared keys.
- Import the legacy configuration into Expedition and make any required modifications to the configuration.
- Create a new Project in Expedition.
- Import the migrated source (legacy) configuration into the Project and inspect it. Check the file format, confirm that all required files are included, and check the Expedition logs and events to ensure the configuration file loaded correctly. If necessary, modify the source file to fix the issues, then check again. Iterate until all issues are fixed.
- Import a PAN-OS configuration into the Project to be the Base configuration for the migration. Get the latest Content Updates, then import the Base configuration from an existing PAN-OS device, either the device’s configuration file or the factory default PAN-OS configuration file. The configuration file must match the PAN-OS version you plan to run; for example, to use PAN-OS 9.0, import a 9.0 PAN-OS configuration file.
- Clean up the migrated configuration to prepare to merge it with the Base PAN-OS configuration.
- Remove or replace invalid service objects. PAN-OS service objects describe only TCP and UDP ports, and Expedition migrates TCP and UDP service objects automatically. Search for services that are not TCP or UDP, such as ping and ICMP, which some legacy devices model as services rather than applications. Replace them with App-ID so that the firewall identifies them as applications and can see, inspect, and control the traffic.
- To simplify the configuration and reduce its size, remove or replace other invalid objects and unused objects, and merge duplicate objects.
- Find and remove disabled rules so they don’t clutter the configuration.
- Rename interfaces to match the PAN-OS device interfaces. The interface names imported from the legacy device typically don’t match PAN-OS naming conventions (for example, ethernet1/1).
- When you import the legacy configuration, Expedition automatically assigns zone names. Rename zones so that their names describe the purpose they will fulfill when you migrate the configuration to the PAN-OS device, and ensure zones are mapped correctly to interfaces. In addition, check the virtual router for static routes. If many static routes exist, use Expedition to migrate the routes to PAN-OS. If there are only a few static routes, note them and then create them manually after migrating the configuration.
- Merge the migrated configuration with the PAN-OS Base configuration by dragging and dropping objects from the migrated configuration into the Base configuration.
- Check the merged configuration for duplicate objects the merge may have created and remove or merge them.
- Before you export the merged configuration to the PAN-OS device, clear the ARP cache on the switches and routers connected to the PAN-OS device and on the PAN-OS device itself, so that no device keeps stale entries that still point at the legacy firewall. On PAN-OS devices, use the CLI command clear arp all. (If necessary, you can clear the ARP cache on a per-interface basis using the CLI command clear arp <interface>.)
- Export the merged configuration to the PAN-OS device and load the merged configuration. The method you use depends on how you want to migrate the merged configuration:
- For a new installation on a PAN-OS device, use Generate XML & Set Output, import the XML file (configuration) on the PAN-OS device, and then load it.
- For an existing PAN-OS installation, or if you want to migrate the configuration one piece at a time, use Generate XML & Set Output, import the XML file (configuration), and then use the CLI command load config partial to select the specific portion of the configuration to load. You need SSH access to use the CLI on a PAN-OS device.
- If the PAN-OS device is connected to Expedition, you can also use API calls to send portions of or the whole configuration to the device.
- After you export the merged configuration to a PAN-OS device and load the configuration, use Policy Optimizer to convert the port-based policy to application-based policy.
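The cleanup checks in the steps above (duplicate and unused objects, disabled rules, service objects that are not TCP/UDP) and the piecewise load can be rehearsed against the XML that Expedition exports before anything is pushed to the firewall. The following Python script is an added example and is not part of Expedition or PAN-OS; the sample configuration is constructed, and the vsys name (vsys1), the exported file name (merged.xml) and the list of nodes to load are assumptions.

```python
"""Pre-load checks on a merged PAN-OS XML configuration (added example, not
Expedition or PAN-OS code). Reports what the cleanup steps look for and emits
the `load config partial` lines for a piecewise load. Assumes one vsys named
vsys1 and an imported file called merged.xml."""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Path of a vsys below /config; PAN-OS names the device localhost.localdomain.
VSYS_PATH = "devices/entry[@name='localhost.localdomain']/vsys/entry[@name='{vsys}']"

# Constructed sample shaped like a PAN-OS 9.0 export. The duplicate address
# (web-srv / WEB_SERVER), the unreferenced old-proxy, the disabled rule and the
# ICMP "service" are deliberate so that every check below finds something.
SAMPLE_XML = """<config version="9.0.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="WEB_SERVER"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
    <entry name="old-proxy"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
  </address>
  <service>
    <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
    <entry name="icmp-svc"><protocol><icmp/></protocol></entry>
  </service>
  <rulebase><security><rules>
    <entry name="allow-web">
      <from><member>untrust</member></from><to><member>dmz</member></to>
      <source><member>any</member></source><destination><member>web-srv</member></destination>
      <service><member>tcp-8443</member></service><application><member>any</member></application>
      <action>allow</action>
    </entry>
    <entry name="legacy-ftp">
      <from><member>trust</member></from><to><member>dmz</member></to>
      <source><member>any</member></source><destination><member>db-srv</member></destination>
      <service><member>service-http</member></service><application><member>any</member></application>
      <action>allow</action><disabled>yes</disabled>
    </entry>
  </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def load_vsys(xml_text, vsys="vsys1"):
    """Return the <entry> element of the named vsys, or raise if it is absent."""
    node = ET.fromstring(xml_text).find("./" + VSYS_PATH.format(vsys=vsys))
    if node is None:
        raise ValueError(f"vsys {vsys!r} not found; check the device and vsys names")
    return node


def _members(element, path):
    return {m.text.strip() for m in element.findall(path) if m.text}


def duplicate_addresses(vsys):
    """Address objects that carry the same value under different names."""
    by_value = defaultdict(list)
    for entry in vsys.findall("./address/entry"):
        for child in entry:
            if child.tag in ("ip-netmask", "ip-range", "fqdn"):
                by_value[(child.tag, (child.text or "").strip())].append(entry.get("name"))
    return {value: sorted(names) for value, names in by_value.items() if len(names) > 1}


def disabled_rules(vsys):
    """Security rules marked <disabled>yes</disabled>; remove them before the load."""
    return sorted(rule.get("name") for rule in vsys.findall("./rulebase/security/rules/entry")
                  if (rule.findtext("disabled") or "").strip() == "yes")


def unused_addresses(vsys):
    """Address objects that no security rule or static address-group references.
    A disabled rule still counts as a reference, so re-run after deleting those."""
    referenced = set()
    for rule in vsys.findall("./rulebase/security/rules/entry"):
        referenced |= _members(rule, "./source/member") | _members(rule, "./destination/member")
    for group in vsys.findall("./address-group/entry"):
        referenced |= _members(group, "./static/member")
    return sorted({e.get("name") for e in vsys.findall("./address/entry")} - referenced)


def invalid_services(vsys):
    """Service objects whose protocol is not tcp or udp. PAN-OS has no other
    service protocols, so these must become App-ID (ping, icmp, ...) instead."""
    bad = []
    for entry in vsys.findall("./service/entry"):
        protocols = {child.tag for child in entry.findall("./protocol/*")}
        if not protocols or not protocols <= {"tcp", "udp"}:
            bad.append((entry.get("name"), sorted(protocols)))
    return bad


def audit_config(xml_text, vsys="vsys1"):
    v = load_vsys(xml_text, vsys)
    return {"duplicate_addresses": duplicate_addresses(v), "disabled_rules": disabled_rules(v),
            "unused_addresses": unused_addresses(v), "invalid_services": invalid_services(v)}


def partial_load_commands(filename, vsys="vsys1", nodes=("address", "service", "rulebase/security")):
    """CLI lines that load one node at a time from a file already imported to the
    device. mode merge keeps what is on the device; replace overwrites the node."""
    base = "/config/" + VSYS_PATH.format(vsys=vsys)
    return [f"load config partial mode merge from-xpath {base}/{n} to-xpath {base}/{n} from {filename}"
            for n in nodes]


if __name__ == "__main__":
    for check, result in audit_config(SAMPLE_XML).items():
        print(f"{check}: {result}")
    print("\n".join(partial_load_commands("merged.xml")))
```

Run it against the real export (read the file instead of SAMPLE_XML) after the Expedition merge and before the import; an empty result for every check is the state you want before loading. The generated commands are typed at the PAN-OS CLI over SSH once the XML file has been imported to the device, and they load objects before the rulebase so that the rules can resolve their references.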