topic Re: Cisco Firepower Migraton for Palo Alto in Expedition Discussions

Cisco Firepower Migraton for Palo Alto

Muzammel — Wed, 13 Jan 2021 11:44:46 GMT

Dear All,

We want to migrate Cisco fire power 4000 series to Palo Alto NGFW. Could you please let me know the best way to do this migration?

Thanks in advance!

Best Regards,

Muzammel Haque

Re: Cisco Firepower Migraton for Palo Alto

Abdul-Fattah — Wed, 13 Jan 2021 14:15:32 GMT

Hello,

you can use Palo Alto migration tool Expedition for details:

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

Re: Cisco Firepower Migraton for Palo Alto

Muzammel — Wed, 13 Jan 2021 15:07:03 GMT

Hi Abdul-Fattah,

Thank you for your prompt suggestions. I have downloaded following file

- ExpeditionVM-1.1.10.ova and

- Expedition.tgz

Do I need both the files or ExpeditionVM-1.1.10ova is enough. May I request you for any doc's?

Thanks & Regards,

Muzammel Haque

Re: Cisco Firepower Migraton for Palo Alto

azuniga — Wed, 13 Jan 2021 15:51:07 GMT

Hello,

For installation there is a video created on the expedition forums demonstrating how to perform this function, you can watch the video here ( https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool ), also there are guides listed from that link as well.

As for the Cisco FirewPower migration the expedition tool will not migrate over the layer 7 policies but only the layer 3/4 policies so you will need to export the configuration with the asa format for conversion.

Re: Cisco Firepower Migraton for Palo Alto

Muzammel — Thu, 14 Jan 2021 05:41:45 GMT

Hi,

Thanks for your reply. Someone told me there is a separate tools for migrating Cisco Fire Power to Palo Alto, but I am not sure. Is there any specific migration tools for fire power?

Best Regards,

Muzammel Haque

Re: Cisco Firepower Migraton for Palo Alto

azuniga — Thu, 14 Jan 2021 16:16:32 GMT

For layer 7 migration policies we offer no tool. But for cisco ASA configurations the expedition tool will work fine.

Re: Cisco Firepower Migraton for Palo Alto

HemanthV — Fri, 22 Jan 2021 17:19:26 GMT

i am also planning to migrate cisco firepower 2130 to palo alto 5500 series firewall

when i download the migration tool in the ubuntu as per suggested document

we are getting apache2 ubuntu default page

can anyone help us how to solve this issue

Re: Cisco Firepower Migraton for Palo Alto

azuniga — Fri, 22 Jan 2021 18:30:42 GMT

Hello @HemanthV

I believe I answered this on another thread, we will use that one for your answer.

Re: Cisco Firepower Migraton for Palo Alto

Jorgen_Lanesskog — Mon, 05 Feb 2024 16:44:23 GMT

jorlan72/FirePalo: FirePalo helps you convert rules and objects from Cisco FirePower to Palo Alto (github.com)

FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto

(See the "Sceenshots from the application.docx")

Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.

This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.

Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto APP-ID's

FirePalo also lets you export sections of the configuration to edit in preferred editor and than import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.

Easily select if this is a standalone or Panorama configuration to be created (so that device group get included in the configuration).

FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing an unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then doing a new commit).

When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.

Re: Cisco Firepower Migraton for Palo Alto

TomYoung — Thu, 08 Feb 2024 19:15:18 GMT

I have done a couple of FTD to PANW migrations. Expedition works very well for the CLI. I developed a Python script to log into the FMC API and collect the ACP config. (I also collected the objects, but they may all be in the CLI already.) I then created Expedition CSV files to import into Expedition on top of the CLI config. It works well!

Expedition currently does not support the import of URLs in security policy rules via CSV.

The FTD CLI config is just like the ASA except the security policy. You can delete those except the ones created for IPsec tunnels. As with all ASA migrations, you need to fix (1) dynamic routes, and (2) IKE Phase 1 algorithms. Usually adding static routes for RFC1918 to the inside fixes the routes so Expedition will apply the correct destination zones. In one case, I converted the dynamic route table text to CLI commands and imported, and it worked fine. With regard to IPsec, the command "show vpn-sessiondb detailed l2l" will show you the algorithms in use so that you can manually configure them in Expedition.

Thanks,

Tom

Re: Cisco Firepower Migraton for Palo Alto

TomYoung — Fri, 09 Feb 2024 00:36:01 GMT

Very cool tool!