topic Converting Cisco ASA Access Lists to PAN in General Topics

Converting Cisco ASA Access Lists to PAN

palomed — Mon, 24 Apr 2017 22:14:23 GMT

Is there an easy way to convert a Cisco ACL to PAN format. Right now I have a 70 line ACL and it looks like each ACL will require 14 set commands. At this point I'm thinking it might be easier to just enter the 70 ACLs into the PAN via the GUI.

Any other thoughts on how to speed the operation? thanks!

set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust
set rulebase security rules Beaglerun-L2L-VPN to corp-vpn
set rulebase security rules Beaglerun-L2L-VPN source RFC-1918
set rulebase security rules Beaglerun-L2L-VPN destination any
set rulebase security rules Beaglerun-L2L-VPN source-user any
set rulebase security rules Beaglerun-L2L-VPN category any
set rulebase security rules Beaglerun-L2L-VPN application [ ssh ssh-tunnel]
set rulebase security rules Beaglerun-L2L-VPN service application-default
set rulebase security rules Beaglerun-L2L-VPN hip-profiles any
set rulebase security rules Beaglerun-L2L-VPN action allow
set rulebase security rules Beaglerun-L2L-VPN profile-setting group Corp-Default-SecPro-Block-nourl
set rulebase security rules Beaglerun-L2L-VPN log-start yes
set rulebase security rules Beaglerun-L2L-VPN log-setting QradarSyslogForwarder
set rulebase security rules Beaglerun-L2L-VPN disabled no

Re: Converting Cisco ASA Access Lists to PAN

TranceforLife — Mon, 24 Apr 2017 22:30:19 GMT

Not sure if MigrationTool can be of any help. To me, it is a policy-like look

Re: Converting Cisco ASA Access Lists to PAN

palomed — Mon, 24 Apr 2017 22:42:45 GMT

Do you have a link to the migration tool?

Re: Converting Cisco ASA Access Lists to PAN

bradk14 — Mon, 24 Apr 2017 23:35:56 GMT

an ASA 70 line ACL probably means no more than 15 policies in PA. Personally I would just convert them myself manually in the GUI (and have).

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

also I don't believe all those commands, like setting source user to any is necessary.

also it's generally considered good practice to only log at session end. logging at session start is usually done only for troubleshooting purposes (you can reference the session browser prior to the session's termination)

Re: Converting Cisco ASA Access Lists to PAN

BPry — Tue, 25 Apr 2017 14:35:29 GMT

@palomed,

I just wanted to make sure that you knew you could actually combine all of those set commands into just one command. It would look like the following:

set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust to corp-vpn source RFC-1918 destination any application [ ssh ssh-tunnel ] service application-default action allow disabled no log-start yes log-setting QradarSyslogForwarder profile-setting group Corp-Default-SecPro-Block-nourl

Just a few notes:

-log-start being yes with no log-end setting is uncommon. Are you sure you didn't want to log-end yes and leave log-start as no, that would be the most common.

- A lot of these commands are kind of unnessassary. For example category, hip-profiles, and disabled no could all easily be left out as that is the assumed settings on a new security rule.

- Any set command can be combined but keep in mind that there is not an 'add' command so if you wish to add an application you will need to make sure your set command includes all applications you actually wish to have on the security policy.