I am running the Expedition Tool on our Cisco ASA firewalls and the tool is stating that most of our IP Address, IP Address Group and Service objects are invalid. When I go over these invalid objects, they are all part of our VPN filters on our VPN tunnels. Is there any way for the Tool to recognize that these are ACL rules in the ASA and that they are not invalid?
Before going deep into the troubleshooting, can you verify, if you edit the file with "vi", that there are no weird characters at the beginning of each line, like CTRL+M? Thanks. And check that the format of the config has not been altered, e.g. when an object is defined it begins at the very left position and the properties inside it are one space to the right, and so on... Regards
This is the configuration directly from the firewall (the .cfg file) and nothing would have been altered. The Expedition Tool does not seem to understand VPN filter rules, which is just killing us. We have hundreds of rules to convert over, and we just cannot get this Tool to help us, so we are having to do this manually, which is just a horrid task! If there is anything you can help us with, it would be appreciated!
Please share the config file with us via email to fwmigrate at paloaltonetworks dot com, or open a case with support and share the case number with us. Thanks
I understood what happened.
You have to add as many access-groups to the config as filters you want to import into Expedition.
Search for access-group and, after the current access-groups, add a new entry or entries:
access-group AWS_Prod_VPC_Filter in interface XXX-rsvpn-untrust-599
Assuming AWS_Prod_VPC_Filter is the ACL name and XXX-rsvpn-untrust-599 is the Interface where the traffic will come IN.
Then import the config on a new Project.
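The workaround above is mechanical enough to script: find every ACL that a group-policy references with `vpn-filter value`, and append an `access-group <acl> in interface <iface>` line for each one that is not already bound, right after the existing access-group lines. The script below is an added example, not the Expedition tool's code or anything from this thread; the config fragment is constructed, and the interface name passed in is the one the asker used.

```python
import re
from typing import List, Set

# Constructed sample of an ASA config fragment (not from the thread's firewall).
SAMPLE_CFG = """\
access-list AWS_Prod_VPC_Filter extended permit tcp 10.1.0.0 255.255.0.0 any eq 443
access-list AWS_SharedServices_Prod_VPC_Filter extended permit ip 10.2.0.0 255.255.0.0 any
access-list OUTSIDE_IN extended permit tcp any host 203.0.113.10 eq 443
access-group OUTSIDE_IN in interface outside
group-policy GP_AWS_PROD attributes
 vpn-filter value AWS_Prod_VPC_Filter
group-policy GP_SHARED attributes
 vpn-filter value AWS_SharedServices_Prod_VPC_Filter
group-policy GP_LEGACY attributes
 vpn-filter value OLD_FILTER
"""

VPN_FILTER_RE = re.compile(r"^\s*vpn-filter value (\S+)\s*$")
ACCESS_GROUP_RE = re.compile(r"^access-group (\S+) (?:in|out) interface \S+\s*$")
ACL_DEF_RE = re.compile(r"^access-list (\S+) ")

def vpn_filter_acls(cfg: str) -> List[str]:
    """ACL names referenced by 'vpn-filter value', first-seen order, no duplicates."""
    out: List[str] = []
    for line in cfg.splitlines():
        m = VPN_FILTER_RE.match(line)
        if m and m.group(1) not in out:
            out.append(m.group(1))
    return out

def names_matching(cfg: str, pattern: "re.Pattern[str]") -> Set[str]:
    """First capture group of every config line the pattern matches."""
    return {m.group(1) for m in map(pattern.match, cfg.splitlines()) if m}

def missing_acls(cfg: str) -> List[str]:
    """VPN-filter ACLs that no access-list line defines; binding them adds no rules."""
    defined = names_matching(cfg, ACL_DEF_RE)
    return [a for a in vpn_filter_acls(cfg) if a not in defined]

def access_group_lines(cfg: str, interface: str) -> List[str]:
    """One binding per VPN-filter ACL that is defined and not yet in any access-group."""
    bound = names_matching(cfg, ACCESS_GROUP_RE)
    defined = names_matching(cfg, ACL_DEF_RE)
    return [f"access-group {a} in interface {interface}"
            for a in vpn_filter_acls(cfg) if a in defined and a not in bound]

def patch_config(cfg: str, interface: str) -> str:
    """Insert the new bindings directly after the last existing access-group line."""
    lines = cfg.splitlines()
    last = max((i for i, l in enumerate(lines) if ACCESS_GROUP_RE.match(l)),
               default=len(lines) - 1)
    lines[last + 1:last + 1] = access_group_lines(cfg, interface)
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    print(patch_config(SAMPLE_CFG, "IVDC-rsvpn-untrust-599"))
    print("vpn-filter ACLs with no access-list definition:", missing_acls(SAMPLE_CFG))
```

Run it against the real .cfg and import the patched copy into a new project; ACLs listed as missing are worth checking by hand, since Expedition cannot produce rules for an access-list that is not in the file.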
Before I added the access-group to the config file, I was only getting 20 security rules from the Expedition tool. After I added the lines below, I still only get 20 security rules.
access-group AWS_Prod_VPC_Filter in interface IVDC-rsvpn-untrust-599
access-group AWS_SharedServices_Prod_VPC_Filter in interface IVDC-rsvpn-untrust-599
In addition, there are no interfaces for the access-lists in the configuration. The traffic goes through the tunnel interface of the Cisco ASA firewall, which goes through the ASIC and is not a defined interface like on a Palo Alto firewall. Is it possible I am still doing something wrong here with the configuration?
Ok, I got it to work. The access-group does work; I just needed to go into the policies section and do a discovery again manually. The security rules went from 20 to 89 now. So I am on the right track now.