topic Re: ASA migration to PA in General Topics

ASA migration to PA

Bkrishnamoorthy — Thu, 23 Mar 2023 13:30:27 GMT

Hi Team,

We want to migrate our firewalls from cisco ASA to Palo Alto. Instead of performing hot cutover, we are thinking the other option by connecting them inline to existing firewalls so that it will just monitor all policy and etc, which will help us to fix any of the configurations so that we can remove the existing firewalls without any major issue. Please suggest a way to deploy or share if there is any documentation relate to it.

Re: ASA migration to PA

Raido_Rattameister — Thu, 23 Mar 2023 14:40:57 GMT

If you want to put Palos inline then it's interfaces need to be in virtual-wire mode for that period.

It allows to capture traffic and reverse engineer what policies need to be configured but it is way easier to migrate like-to-like to be sure everything is working after migration and then tune policies as needed.

Re: ASA migration to PA

OtakarKlier — Thu, 23 Mar 2023 15:12:11 GMT

Hello,

If the PAN's are running newer code, etc, they will learn and suggest applications to the policies as you input them.

Regards,

Re: ASA migration to PA

Bkrishnamoorthy — Thu, 23 Mar 2023 16:12:39 GMT

Yes @Raido_Rattameister Intially i thought the same of doing like-to-like migration, but we won't have any user for UAT during maintenance window, only they will be available in the next morning. Since we have some hundred of policies, if many are impacted it would be a nightmare. In order avoid that i looking for virrual wire option, is there migration document available?

Re: ASA migration to PA

Bkrishnamoorthy — Thu, 23 Mar 2023 16:13:35 GMT

Hi @OtakarKlier It's a PA 5420 model and so we would run a latest code.

Re: ASA migration to PA

OtakarKlier — Thu, 23 Mar 2023 16:22:03 GMT

Hello,

I also want to point out that there is the 'Expedition' tool for migrating configurations from another platform to Palo Alto. I have not used it before, however others have stated that it worked fairly well. Also I would suggesting on leaning on your sales engineer to help out, etc.

https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

Regards,

Re: ASA migration to PA

Raido_Rattameister — Thu, 23 Mar 2023 16:50:44 GMT

Expedition is very nice tool but depending of ASA config it needs manual review and not everything is migrated over.

Unless customer is ok to fix any upcoming issues morning after migration I would definitely expect customer side UAT testing right after failover.

Re: ASA migration to PA

Bkrishnamoorthy — Fri, 05 May 2023 12:51:24 GMT

Is there any sample configuration to set it up for inline , so that i can review the polices and fix them.

Re: ASA migration to PA

OtakarKlier — Fri, 05 May 2023 14:37:26 GMT

Hello,

So the inline method, you will want to do the following:

Create a virtual wire, vwire, ie port 1 and 2
1. 1 will be from the PAN to the ASA and 2 will be from the PAN to the internal switch
Create a Allow ALL policy between the two zones
1. Then make sure to keep that Allow ALL policy at the bottom, eg last policy
2. Create any policies for the traffic that are specific above the policy so that it will get hit first.

Hope that makes sense.

Re: ASA migration to PA

Bkrishnamoorthy — Fri, 05 May 2023 14:56:18 GMT

@OtakarKlier Thanks for your input.