Migrate a Port-Based Policy to PAN-OS Using Expedition
Migrate a like-for-like legacy firewall configuration to a PAN-OS device, including migrating the legacy security policy.
Use Expedition to import a legacy rulebase, clean it up, and achieve a like-for-like migration to a Palo Alto Networks next-generation firewall or a Panorama appliance as the first phase in your migration to an application-based Security policy. Expedition is a great tool for performing bulk operations on multiple objects in a configuration and supports importing legacy configurations from most major firewall vendors.
For Expedition migration workflow details, refer to the Expedition User Guide, which also includes information about how to import objects into a configuration using CSV files and how to import a Day 1 Iron-Skillet configuration.
For managing Expedition, refer to the Expedition Admin Guide, which also includes some user interface information, and to the Expedition Hardening Guide, which provides advice on how to protect the Expedition VM.
Before you begin a migration, ensure you meet the following prerequisites:
- Download Expedition to a management device that supports running a VM.
- SSH and/or SSL connectivity to the Palo Alto Networks Panorama and firewalls to which you’re migrating. SSH access is for connectivity to the CLI and SSL access is for connectivity to the web interface and to push API commands.
- Operational access to the Palo Alto Networks Panorama and firewalls to which you’re migrating so you can push the like-for-like configuration to the PAN-OS applicance.
Professional Services has a wealth of migration experience. You can engage the Professional Services team to help you move a configuration from your legacy devices to Palo Alto Networks next-generation firewalls and Panorama appliances.
- Review the legacy firewall configuration.Understand the goals of the legacy rulebase. Document items you need to know for the migration, such as disabled interfaces on a Juniper SRX device or verifying that traffic is allowed between interfaces with the same security levels, verifying the state of IPSec tunnels, and gathering pre-shared keys on a Cisco ASA device.
- Import the legacy configuration into Expedition and make any required modifications to the configuration.
- Create a newProjectin Expedition.
- Import the migrated source (legacy) configuration into theProjectand inspect it.Check the file format, whether all required files are included, and the Expedition logs and events to ensure the migrated configuration file loaded correctly. If necessary, modify the migrated source file to fix the issues and then check again. Repeat this step until all issues are fixed.
- Import a PAN-OS configuration into theProjectto be the Base configuration for the migration.Get the latest content updates and then import the Base configuration from an existing PAN-OS appliance, either the existing configuration file or the factory default PAN-OS configuration file.The configuration file should match the PAN-OS version you want to use. For example, to run PAN-OS 9.0, import a PAN-OS 9.0 configuration file.
- Clean up the migrated configuration to prepare to merge it with the Base PAN-OS configuration.
- Remove or replace invalid service objects. PAN-OS recognizes only TCP and UDP service ports, and Expedition automatically migrates TCP and UDP service objects to applications. Search for non-IP-based applications and services, such as ping and ICMP, which some legacy devices see as services rather than applications. Replace them with App-ID to classify them as applications and gain visibility into, inspect, and control the traffic.
- To simplify the configuration and reduce its size, remove or replace other invalid objects and unused objects and merge duplicate objects.
- Find and remove disabled rules so they don’t clutter the configuration.
- Rename interfaces to match the interfaces on the PAN-OS appliance. The interface names imported from the legacy device typically don’t match PAN-OS naming conventions.
- When you import the legacy configuration, Expedition automatically assigns zone names. Rename zones so that their names describe the purpose they will fulfill when you migrate the configuration to the PAN-OS appliance and ensure zones are mapped correctly to interfaces.In addition, check the virtual router for static routes. If many static routes exist, use Expedition to migrate the routes to the PAN-OS configuration. If there are only a few static routes, note them and then create them manually after you migrate the configuration.
- Merge the migrated configuration with the PAN-OS Base configuration by dragging and dropping objects from the migrated configuration into the Base configuration.
- Check the merged configuration for duplicate objects that the merge may have created and remove or merge them.
- Before you export the merged configuration to the PAN-OS appliance, clear the ARP cache on switches and routers connected to the PAN-OS appliance and on the PAN-OS appliance to update their ARP tables.On PAN-OS devices, use theclear arp allCLI command. (If necessary, you can clear the ARP cache on a per-interface basis using theclear arp <interface>CLI command.)
- Export the merged configuration to the PAN-OS appliance and load the merged configuration.The method you use depends on how you want to migrate the merged configuration:
- For a new installation on a PAN-OS appliance,Generate XML & Set Output, import the XML file (configuration), and then load it onto the PAN-OS appliance.
- For an existing PAN-OS installation or if you want to migrate the configuration one part at a time instead of all at one time,Generate XML & Set Output, import the XML file (configuration), and then use theload config partialCLI command to select a specific portion of the configuration to load. You need SSH access to use the CLI on a PAN-OS appliance.
- If the PAN-OS appliance is connected to Expedition, you can also use API calls to send portions of or the entire configuration to the appliance.
- After you export the merged configuration to a PAN-OS appliance and load the configuration, use Policy Optimizer to convert the port-based policy to application-based policy.
Recommended For You
Recommended videos not found.