Configuration Migration


L0 Member

Hello to all and sorry if this has been posted before. We are new to Palo Alto Networks Firewall. We are in the process of procuring and installing our first PAN device. With that in mind we do have quite a bit of experience with Cisco ASA FW but none currently with PAN FW. With that in mind we don't know how much time would be involved with migrating the configuration of the ASA FW to PAN FW and what to expect. I have downloaded and tried to use the migration tool but I was lost trying to figure it out. We have tested PAN FW and we were pleased with it. We know training is needed as well. Looking for some help here. Thanks in advance.

8 REPLIES 8

L6 Presenter

Difficult question. I like the migration tool a lot and I would use it in any case.

But if your existing configuration isn't big and complex and you think you will migrate it without tools quicker than mastering the migration tool, then do it manually.

I believe with time you will find both PA and migration tool interfaces easy to use.

Community Team Member

Hi @amedley,

I agree with @santonic ... in addition, there's a dedicated migration tool page that has its own discussion board and articles:

https://live.paloaltonetworks.com/t5/Migration-Tool/ct-p/migration_tool

Cheers,

-Kim.


Cyber Elite

Hello,

I once too was in the same boat as yourself. Since then I have migrated many times from one vendor to a PAN. I honestly have never used the migration tool but heard it's a great product that I'm sure your SE would be willing to help you with. The reason I always chose to do it manually was for two main reasons. First I would gain a lot of familiarity with the PAN and second it enabled me to clean up any old configs/objects/rules that were no longer required. It was always tedious and using a spreadsheet helped out a lot but in the end it was always worth going to the PAN with a fresh config.

Once again I would say lean on your SE a lot, that is one reason they are there :).

Regards,

Cyber Elite

Personally I always rebuild the config with the Palo in mind; as good as the migration tool is there is no guarantee that it's going to move everything over correctly. Migrating ASA configs either works really well or it causes the object remarks and some objects altogether to not really move over all that well. I think this is more to do with how much of a mess ASDM makes of the configuration, so if you lean on ASDM heavily over the CLI I would recommend a rebuild over a migration.

That being said I've had this stance for a while and have not used the current migration tool, so all of the issues that I've run into may be 'out of date' and not actually pose any issue anymore. 

L0 Member

Thank you to all that responded; the comments here will help!

I've never personally used the migration tool but I have done the UTD for it (which specifically migrates from ASA to PA), but I have manually migrated ASAs to PA and my advice is since the two approaches are worlds apart, you need to really understand the PA philosophy if you want to do it manually. And in my case, I love the PA approach so much that I rather enjoyed the manual migration process. The biggest difference, aside from AppID, is you can easily combine several ASA rules into a single PA security policy.

Regardless of your method, there are some things the migration tool doesn't do such as IPSEC tunnel migration and virtually anything else that requires a password that's normally hidden by the show run command (which is what you input into the migration tool).

@bradk14,

I love how many rules you can combine on the PA that need to be separate access rules on the ASA. I've taken 900+ access rules on an ASA and gotten it down to 300-400 rules on the PA.

L0 Member

Hi, I was reading your post. I'm trying to find the UTD migration tool course guide. I have access to the CloudShare environment but I can't find the guide. Can you share it with me, or tell me where to download it?

regards

Jorge cortez
