Palo Alto Expedition Tool - Fortigate Configuration Migration

ecesureshkumar — Mon, 29 Jul 2019 13:40:11 GMT

Dear Team, Need to know how to migrate the Fortigate configuration file to Palo Alto Expedition Tool. Please share if any documentation specific to Fortigate to Palo Alto Migration.

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration

OtakarKlier — Mon, 29 Jul 2019 15:32:17 GMT

Hello,

Depending on the amount of policies in the Forti device, I always preferred to build everything from scratch. That way everything is already layer 7 and inspected.

https://docs.paloaltonetworks.com/best-practices/9-0/best-practices-for-migrating-to-application-based-policy/best-practices-for-migrating-to-application-based-policy/migrate-a-port-based-policy-to-pan-os-using-expedition.html

Regards,

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration

BatD — Mon, 29 Jul 2019 16:21:45 GMT

@ecesureshkumar I am not aware of Fortigate-specific documentation, but the Expedtion guides are here:

https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration

TomYoung — Mon, 20 Sep 2021 19:37:28 GMT

Hi @ecesureshkumar ,

There is a newer Expedition user guide here -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157. It is really good. There are a few things I would like to highlight:

The 1st PAN-OS configuration imported becomes your base config. It doesn't matter at which step you load it. I prefer to load the Day 1 Configuration on the new firewall, export it and import it into Expedition. In that way, you will have many best practices configured.
With regard to cleaning up objects, do the groups first. Then click the green button in the lower right, and more unused member objects may show up.
If the config is grayed-out or doesn't show, make sure you select the correct drop downs in the bottom right. Most of the time, you will be working with vsys1.
Clicking on the dashboard numbers will automatically enable a filter. Clear filters in the top right. You can also select predefined filters from right-click.
Right-click and select Search and Replace to show you where in the config file and object is used. After Search and Replace comes up, you have to check the box next to the object.
If the config has ICMP in the security policy, importing the Palo Alto > Snippets > Custom Applications creates ICMP App-IDs.
I like to export the XML and load on the firewall. It will replace the entire config. You could also use the API or load config partial.
With regard to @OtakarKlier 's comment. Expedition can sometimes cause commit errors because of XML syntax errors. I always load these on a lab firewall first to fix the issues before the customer firewall. However, for large configurations, Expedition saves me a LOT of time cleaning unused, duplicate, and invalid objects. The resulting config is SO much better. I prefer using it then doing the config from scratch.
The majority of the commit errors are self-explanatory. A very few times (both associated with IPsec) I got commit failures with no warning. This article was useful -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG. You can always delete the offending config piece.

That's enough for now. I love the tool. If you have issues, send an email to fwmigrate@paloaltonetworks.com.

Thanks,

Tom

topic Palo Alto Expedition Tool - Fortigate Configuration Migration in General Topics

Palo Alto Expedition Tool - Fortigate Configuration Migration

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration

Re: Palo Alto Expedition Tool - Fortigate Configuration Migration