topic User ID and Expedition in Expedition Discussions

User ID and Expedition

micharr — Thu, 16 Feb 2023 19:12:42 GMT

I am doing a migration from ASA. All seems to be ok in Expedition so far. However the Objects < User ID tab is blank and mentions something about API. There is also a Plugins < User ID section which is also blank.

The ASA config has lots of user id dependencies built into the rules/policies. I have not been able to find any documentation that goes deep enough into the current version of Expedition to be worthwhile and nothing out there that I have found talks about the User ID function within Expedition.

The customer is concerned that the policies aren't migrating over with a 1:1 ruleset using User ID against their Active Directory environment like the rules did on their ASA. In the end we will have over 10k rules so going back into panorama and adding the user id component to every rule is not an option.

We have taken the step of adding all of the AD Groups in the Group Mappings section of the Panorama that are referenced in the ASA config.

Can anyone help provide a "how to" on migrations from ASA to PAN when the ASA rules already have and must keep the User ID variable in them?

Re: User ID and Expedition

lychiang — Thu, 16 Feb 2023 21:49:30 GMT

Hi @micharr User-ID migration from ciscoasa is not supported by Expedition. Please see supported objects :

https://live.paloaltonetworks.com/t5/expedition-articles/expedition-supported-3rd-party-vendor-matrix/ta-p/336922

Re: User ID and Expedition

PktBlocker — Thu, 31 Oct 2024 13:55:09 GMT

I am working on a palo fw to panorama migration which includes user id. I can see the user ids in the policies of expedition but i cant seem to find where the group mappings are. Is user id not fullly supported on expedition?

Re: User ID and Expedition

lychiang — Thu, 31 Oct 2024 15:39:09 GMT

Hi @PktBlocker for Palo Alto Networks Firewall migration to panorama, you do not need to use Expedition, You can refer below for detailed, if you ran into any issues, you can open a TAC case, TAC should be able to help you out.

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewall-to-panorama-management/migrate-a-firewall-to-panorama-management

Re: User ID and Expedition

PktBlocker — Thu, 31 Oct 2024 15:51:55 GMT

Hi @lychiang a few reason iam going to use expedition verses direct on the panorama.

1: I dont want to manage these particular firewalls, there will be a different set that the policies will go on.

2: This is an acquisition so we usually just pull the policies/nats/routes and integrate them into our panorama templates and security profiles but in this cause they were heavy on the user id feature.

Is this not the best way to do this when migrating a palo to palo?