Migration from Cisco ASA to PAN: Outbound rules

Tim_Adelmann — Tue, 18 Oct 2022 11:26:26 GMT

Hey everyone,

I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.

Unfortunately the customer is not only using the "normal" inbound rules on ASA but also outbound rules.

ASA rule processing is a bit different from PAN:

Packet arrives from source (maybe 10.1.1.1) on interface 1/1 -> Packet is send through inbound rules of ingress interface -> Routing etc. -> Packet is send through outbound rules of egress interface -> Packet is send to the destination (maybe 10.2.2.2) on interface 1/2.

It could be that there is a inbound rule on interface 1/1 like that:

Source 10.1.1.1

Destination any

Service any

Action allow

On interface 1/2 there could be an outbound rule like:

Source 10.1.1.1

Destination 10.2.2.2

Service tcp-22

Action allow

And sometimes it is the other way around (inbound rule more specific than outbound rule).

In some rare cases there are exact matches (same rule on one interface inbound and another one outbound).

Expedition handles all inbound and outbound rules as security policies and writes them all into the PAN ruleset in a top-down-way.

This results in a ruleset that is different from the one on the ASA.

In the example above, if the inbound rule is matched first, the destination 10.1.1.1 would be allowed to communicate everywhere on the PAN.
But on the ASA the traffic would go the outbound rules later on and would eventually be blocked based on that.

Is there any way in Expedition to match the incoming and outgoing rules together in order to create rules for the PAN that would result in the same security level like the ASA ruleset with both type of rules?

Any hint is highly appreciated.

Thanks,
Tim

topic Migration from Cisco ASA to PAN: Outbound rules in Expedition Discussions

Migration from Cisco ASA to PAN: Outbound rules