Migrate a Port-Based Policy to PAN-OS Using Expedition
Migrate a like-for-like legacy firewall configuration
to a PAN-OS device, including migrating the legacy security policy.
Use Expedition to import a
legacy rulebase, clean it up, and achieve a like-for-like migration
to a Palo Alto Networks next-generation firewall or a Panorama appliance
as the first phase in your migration to an application-based Security
policy. Expedition is a great tool for performing bulk operations
on multiple objects in a configuration and supports importing legacy
configurations from most major firewall vendors.
This topic summarizes the Expedition workflow. The Live community provides
support for Expedition, including how to obtain the tool and detailed documentation about how
to use it.
Palo Alto Networks technical support (TAC)
does not provide support for Expedition.
For migration workflow details, refer to the Expedition User Guide, which
also describes how to import objects into a configuration using
CSV files and how to import a Day 1 Iron-Skillet configuration.
For information about managing Expedition, refer to the Expedition Admin Guide, which
also includes some user interface information, and to the Expedition
Hardening Guide, which provides advice on how to protect the Expedition
Before you begin a migration, ensure you meet the following
Download Expedition to a management
device that supports running a VM.
SSH and/or SSL connectivity to the Palo Alto Networks Panorama
and firewalls to which you’re migrating. SSH access is for connectivity
to the CLI and SSL access is for connectivity to the web interface
and to push API commands.
Operational access to the Palo Alto Networks Panorama and
firewalls to which you’re migrating so you can push the like-for-like
configuration to the PAN-OS appliance.
Professional Services has a wealth
of migration experience. You can engage the Professional Services
team to help you move a configuration from your legacy devices to
Palo Alto Networks next-generation firewalls and Panorama appliances.
Review the legacy firewall configuration.
Understand the goals of the legacy rulebase. Document items
you need to know for the migration, such as disabled interfaces
on a Juniper SRX device or verifying that traffic is allowed between
interfaces with the same security levels, verifying the state of
IPSec tunnels, and gathering pre-shared keys on a Cisco ASA device.
Import the legacy configuration into Expedition and make
any required modifications to the configuration.
Create a new
Import the migrated source (legacy) configuration into
and inspect it.
Check the file format, whether all required files are included,
and the Expedition logs and events to ensure the migrated configuration
file loaded correctly. If necessary, modify the migrated source
file to fix the issues and then check again. Repeat this step until
all issues are fixed.
Import a PAN-OS configuration into the
be the Base configuration for the migration.
Get the latest content updates and then
import the Base configuration from an existing PAN-OS appliance,
either the existing configuration file or the factory default PAN-OS
The configuration file should match
the PAN-OS version you want to use. For example, to run PAN-OS 9.0,
import a PAN-OS 9.0 configuration file.
Clean up the migrated configuration to prepare to merge
it with the Base PAN-OS configuration.
Remove or replace invalid service objects. PAN-OS recognizes
only TCP and UDP service ports, and Expedition automatically migrates TCP
and UDP service objects to applications. Search for non-IP-based
applications and services, such as ping and ICMP, which some legacy
devices see as services rather than applications. Replace them with
App-ID to classify them as applications and gain visibility into,
inspect, and control the traffic.
To simplify the configuration and reduce its size, remove
or replace other invalid objects and unused objects and merge duplicate
Find and remove disabled rules so they don’t clutter the
Rename interfaces to match the interfaces on the PAN-OS appliance. The
interface names imported from the legacy device typically don’t
match PAN-OS naming conventions.
When you import the legacy configuration, Expedition automatically assigns zone names. Rename zones
so that their names describe the purpose they will fulfill when
you migrate the configuration to the PAN-OS appliance and ensure
zones are mapped correctly to interfaces.
In addition, check
the virtual router for static routes. If many static routes exist,
use Expedition to migrate the routes to the PAN-OS configuration.
If there are only a few static routes, note them and then create
them manually after you migrate the configuration.
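The cleanup items above (service objects that are not TCP/UDP, disabled rules, and duplicate address objects) can be audited with a script before you start moving objects in Expedition. This is an added example, not Expedition code or code from the page; it runs over a constructed PAN-OS-style XML fragment and the XPath layout it assumes is the standard vsys layout:

```python
# Audit a PAN-OS-style XML configuration for the cleanup items above.
# Added example; SAMPLE_CONFIG is constructed, not taken from a real device.
import xml.etree.ElementTree as ET

SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
   <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
   <entry name="srv_web_old"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
   <entry name="db-srv"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
  </address>
  <service>
   <entry name="tcp-8443"><protocol><tcp><port>8443</port></tcp></protocol></entry>
   <entry name="legacy-ping"><protocol><icmp/></protocol></entry>
  </service>
  <rulebase><security><rules>
   <entry name="allow-web"><disabled>no</disabled></entry>
   <entry name="old-rule"><disabled>yes</disabled></entry>
   <entry name="allow-db"/>
  </rules></security></rulebase>
 </entry></vsys></entry></devices>
</config>"""

VSYS = "./devices/entry/vsys/entry"  # assumed standard PAN-OS vsys path


def audit_config(xml_text):
    root = ET.fromstring(xml_text)
    findings = {"non_tcp_udp_services": [], "disabled_rules": [],
                "duplicate_addresses": {}}
    for vsys in root.findall(VSYS):
        # PAN-OS service objects carry only tcp or udp; anything else
        # (ICMP, ping, ...) should be replaced by an App-ID in the rule.
        for svc in vsys.findall("./service/entry"):
            proto = svc.find("protocol")
            kinds = [child.tag for child in proto] if proto is not None else []
            if not kinds or any(k not in ("tcp", "udp") for k in kinds):
                findings["non_tcp_udp_services"].append(svc.get("name"))
        # Disabled rules only clutter the migrated rulebase.
        for rule in vsys.findall("./rulebase/security/rules/entry"):
            if rule.findtext("disabled") == "yes":
                findings["disabled_rules"].append(rule.get("name"))
        # Address objects with the same value are merge candidates.
        by_value = {}
        for addr in vsys.findall("./address/entry"):
            value = (addr.findtext("ip-netmask") or addr.findtext("ip-range")
                     or addr.findtext("fqdn"))
            by_value.setdefault(value, []).append(addr.get("name"))
        findings["duplicate_addresses"].update(
            {v: names for v, names in by_value.items() if len(names) > 1})
    return findings


if __name__ == "__main__":
    for key, value in audit_config(SAMPLE_CONFIG).items():
        print(f"{key}: {value}")
```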
Merge the migrated configuration with the PAN-OS Base
configuration by dragging and dropping objects from the migrated
configuration into the Base configuration.
Check the merged configuration for duplicate objects
that the merge may have created and remove or merge them.
Before you export the merged configuration to the PAN-OS
appliance, clear the ARP cache on switches and routers connected
to the PAN-OS appliance and on the PAN-OS appliance to update their
On PAN-OS devices, use the clear arp all command. (If necessary, you can
clear the ARP cache on a per-interface basis with clear arp <interface>.)
Export the merged configuration to the PAN-OS appliance
and load the merged configuration.
The method you use depends on how you want to migrate the
For a new installation on a
Generate XML & Set Output
import the XML file (configuration), and then load it onto the PAN-OS
For an existing PAN-OS installation or if you want to migrate
the configuration one part at a time instead of all at one time,
XML & Set Output
, import the XML file (configuration),
and then use the
load config partial
command to select a specific portion of the configuration to load.
You need SSH access to use the CLI on a PAN-OS appliance.
If the PAN-OS appliance is connected to Expedition, you can
also use API calls to send portions of or the entire configuration
to the appliance.