https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578852#M4967 <P>We currently use Panorama to manage multiple firewalls across our organization.</P> <P>&nbsp;</P> <P>We have a Edge ASA Cluster we are needing to migrate over to an existing pair of Palo Alto Firewalls, managed by Panorama.&nbsp;&nbsp;</P> <P>I would like to only migrate over the Objects, Security Policies, and NAT rules, From the Cisco ASA config to the Panorama.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have imported my ASA config into Expedition, is it okay to delete the network interfaces, zones, etc that were imported with the ASA config? and only focus on the objects, security policies, and nat rules?</P> <P>&nbsp;</P> <P>Is the Best Practice way of merging the ASA objects, Security policies, and NAT rules to our Panorama, by using the Load Partial Config commands in the cli of the panorama?</P> Thu, 29 Feb 2024 14:54:41 GMT JRichardson2 2024-02-29T14:54:41Z https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578852#M4967 <P>We currently use Panorama to manage multiple firewalls across our organization.</P> <P>&nbsp;</P> <P>We have a Edge ASA Cluster we are needing to migrate over to an existing pair of Palo Alto Firewalls, managed by Panorama.&nbsp;&nbsp;</P> <P>I would like to only migrate over the Objects, Security Policies, and NAT rules, From the Cisco ASA config to the Panorama.&nbsp;&nbsp;</P> <P>&nbsp;</P> <P>I have imported my ASA config into Expedition, is it okay to delete the network interfaces, zones, etc that were imported with the ASA config? and only focus on the objects, security policies, and nat rules?</P> <P>&nbsp;</P> <P>Is the Best Practice way of merging the ASA objects, Security policies, and NAT rules to our Panorama, by using the Load Partial Config commands in the cli of the panorama?</P> Thu, 29 Feb 2024 14:54:41 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578852#M4967 JRichardson2 2024-02-29T14:54:41Z https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578860#M4968 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133189">@JRichardson2</a>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>Thank you for reaching out.</P> <P>&nbsp;</P> <P>In Expedition, you can manage Objects and Policies, which should be sufficient. However, please note that if your rules reference specific "zones", these zones must be declared in your device (Panorama). Otherwise, you will not be able to push or commit your configuration. The same applies to tags and other objects used in your Objects or Policies.</P> <P>&nbsp;</P> <P>To ensure best practices, please follow these guidelines:</P> <UL> <LI> <P>For network-related information such as interfaces and zones, use the "set" command on the CLI.</P> </LI> <LI> <P>For objects such as tags, addresses, address groups, services, service groups, applications, routes, security rules, and NAT rules, use the "load partial mode merge" command on the CLI.</P> </LI> </UL> <P>If you have any further questions, feel free to ask.</P> <P>&nbsp;</P> <P>Thank you!</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> <P>&nbsp;</P> Thu, 29 Feb 2024 16:19:53 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578860#M4968 dpuigdomenec 2024-02-29T16:19:53Z https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578884#M4969 <P>Yes, the Zones on my Panorama managed firewalls are different than what was imported into Expedition from my ASA config.</P> <P>For clarification, I will need to change the Zones on my Expedition ASA config to match that of what I will be applying them to on the Palo Alto config?</P> <P>&nbsp;</P> <P>For example.</P> <P>ASA Config in Expedition</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="JRichardson2_0-1709232748634.png" style="width: 400px;"><img src="https://live.paloaltonetworks.com/t5/image/serverpage/image-id/57957i353BAFB4D79F7A23/image-size/medium/is-moderation-mode/true?v=v2&amp;px=400" role="button" title="JRichardson2_0-1709232748634.png" alt="JRichardson2_0-1709232748634.png" /></span></P> <P>On my Palo Alto managed firewalls, the zone name I will be applying these rules to is named "WEB_DMZ" for the dmz side, and "Outside" for the outside side.&nbsp; Will it error out being that the Cisco outside interface is a lowercase o vs the Palo Alto side is a Capital O.?&nbsp; Thanks.</P> Thu, 29 Feb 2024 18:55:15 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/578884#M4969 JRichardson2 2024-02-29T18:55:15Z https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/579041#M4970 <P>Hi&nbsp;<a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/133189">@JRichardson2</a>&nbsp;</P> <P>I recommend that the security rules and NAT rules contain the correct names of your zones before pushing them to your device.</P> <P>You can do that by renaming your zones or by doing a bulk change on your security rules updating the field zone to and zone from.</P> <P>Let me know if I can help in anything else,</P> <P>Best regards,</P> <P>David</P> <P>&nbsp;</P> Fri, 01 Mar 2024 16:46:33 GMT https://live.paloaltonetworks.com/t5/expedition-discussions/cisco-asa-to-panorama-partial-configuration-question/m-p/579041#M4970 dpuigdomenec 2024-03-01T16:46:33Z