Expedition was conceived to reduce the time and effort a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added support within Expedition not only to run a BPA analysis but also to remediate some of the failed checks (all related to Device Config), and now integration with the IronSkillet project: https://github.com/PaloAltoNetworks/iron-skillet
Generate the XML configuration by running this command from the SRX CLI:
show configuration | display xml | no-more
Before you import a Juniper SRX configuration into Expedition, there are some manual checks you can do to verify the migration will work.
The configuration must start with the <configuration> tag only: replace everything before the tag, and any attributes inside it, with just <configuration>.
The configuration must end with </configuration>; any other text after it must be removed.
Here's an example of how an SRX config should look after you edit it:
<configuration> .... .... </configuration>
As an integrity check, it is good practice to open the XML file in the Firefox browser: if something is breaking the XML integrity, Firefox will tell you which line contains the invalid character. You must replace the invalid character before uploading the file to Expedition.
This is an example of a wrong configuration. It seems someone created the file but saved it with wrong line breaks in it, so Firefox complains about the format.
If we edit the file, we see this at line 911 of the config file:
<pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</asc ii-text> </pre-shared-key>
To fix this example, we have to remove the line break after </asc so that it reads:
<pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</ascii-text> </pre-shared-key>
Fix all the problems before importing into Expedition.
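The checks above, as an added example that is not part of Expedition or Junos: a Python script that trims the export down to <configuration> ... </configuration> automatically (the <rpc-reply> wrapper, trailing CLI banner and opening-tag attributes are assumptions about what "show configuration | display xml" emits; the sample files are constructed) and reports the line and column of the first XML error, the same information Firefox gives you.

```python
# Added example, not Expedition or Junos code: automates the manual pre-import checks.
import re
import sys
import xml.etree.ElementTree as ET

OPEN_TAG_RE = re.compile(r"<configuration\b[^>]*>")  # matches the tag even with Junos attributes

def normalize_srx_xml(text: str) -> str:
    """Keep only <configuration> ... </configuration>: drops anything before the tag (wrapper,
    CLI prompt), anything after the closing tag, and any attributes on the opening tag."""
    m = OPEN_TAG_RE.search(text)
    end = text.rfind("</configuration>")
    if m is None or end < m.end():
        return text.strip()  # nothing to trim; check_srx_xml() will report what is missing
    return "<configuration>" + text[m.end():end] + "</configuration>"

def check_srx_xml(text: str) -> list[str]:
    """Return the problems found; an empty list means the file looks importable."""
    problems = []
    if not text.startswith("<configuration>"):
        problems.append("file must start with exactly <configuration>")
    if not text.endswith("</configuration>"):
        problems.append("file must end with </configuration>")
    try:
        ET.fromstring(text)
    except ET.ParseError as exc:
        line, col = exc.position
        # A stray line break inside a tag (the </asc ii-text> case) ends up here, as does an
        # element still carrying a junos: attribute once the wrapper declaring the prefix is gone.
        problems.append(f"XML not well-formed at line {line}, column {col}: {exc}")
    return problems

# Constructed samples (assumed export shape, not real devices); BROKEN mirrors line 911 above.
WRAPPED = """<rpc-reply xmlns:junos="http://xml.juniper.net/junos/XX.X/junos">
<configuration junos:commit-seconds="1500000000" junos:commit-user="admin">
 <system><host-name>srx-lab</host-name></system>
</configuration>
<cli><banner>admin@srx-lab&gt;</banner></cli></rpc-reply>
"""
BROKEN = """<configuration>
 <security><ike><policy>
    <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</asc
ii-text> </pre-shared-key>
 </policy></ike></security>
</configuration>"""

if __name__ == "__main__":  # usage: python check_srx.py exported.xml
    text = open(sys.argv[1], "rb").read().decode("utf-8")  # UnicodeDecodeError here = invalid byte
    print("\n".join(check_srx_xml(normalize_srx_xml(text)) or ["no problems found"]))
```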
Hope this helps.
Sometimes we need to reduce the number of objects to be migrated, or just want to optimize, and there is one technique that can help us reduce objects.
It is common, when we have used Expedition to migrate a configuration from Cisco or Fortinet, to end up with address objects named H-X.X.X.X or N-X.X.X.X-XX, or even named with just an IP address; they were created as address objects and count as objects. There is one function inside Expedition to convert them into IP addresses, so that they are used only on rules as hard-coded IP addresses or IP ranges in the Source or Destination of the rules. They will not be used as address objects anymore.
This has pros and cons, but if our goal is to reduce the number of address objects, this can help us.
Go to OBJECTS -> ADDRESS, right-click on one address and select the predefined filter called "Name is IP address". This will search for the addresses whose name is an IP address.
We can add more filters to this process: select the Filter Options and add all the addresses whose name starts with H-, for example, the objects that start with N-, and the objects that start with RANGE-, keeping the focus only on Address.
After Run SQL, select the addresses you want to transform into IP addresses, right-click over one of the selected addresses and select the option "Transform" -> "Object To IpAddress". All those objects will automatically be renamed with the IP or range address (netmasks are added as well when they are not /32) and marked internally as "dummy" objects; those objects will not be considered when generating the XML or API calls.
Before transforming them into IP addresses, you can check whether they are part of any group by going to TOOLS and SEARCH & REPLACE.