How to Migrate from NetScreen/Juniper Services for Security Policies


PAN-OS has two predefined services, service-http and service-https.

To migrate security policies that reference NetScreen/Juniper's predefined services, copy and paste the following commands into the PAN-OS CLI in configuration mode; the resulting service objects can then be referenced in the security policy configuration.

Note: Some service names differ slightly from the NetScreen/Juniper names because of the characters PAN-OS allows in object names.

set service AOL protocol tcp port 5190-5194
set service APPLE-ICHAT-SNATMAP protocol udp port 5678
set service BGP protocol tcp port 179
set service CHARGEN protocol udp port 19
set service DHCP-Relay protocol udp port 67
set service DISCARD protocol udp port 9
set service DNS protocol udp port 53
set service ECHO protocol udp port 7
set service FINGER protocol tcp port 79
set service FTP protocol tcp port 21
set service GNUTELLA protocol udp port 6346-6347
set service GOPHER protocol tcp port 70
set service GTP protocol tcp port 3386
set service H323 protocol tcp port 1720
set service HTTP-EXT protocol tcp port 8000-8001
set service IDENT protocol tcp port 113
set service IKE protocol udp port 500
set service IKE-NAT protocol udp port 500
set service IMAP protocol tcp port 143
set service InternetLocatorService protocol tcp port 389
set service IRC protocol tcp port 6660-6669
set service L2TP protocol udp port 1701
set service LDAP protocol tcp port 389
set service LPR protocol tcp port 515
set service MAIL protocol tcp port 25
set service MGCP-CA protocol udp port 2727
set service MGCP-UA protocol udp port 2427
set service MS-RPC-EPM protocol udp port 135
set service MS-SQL protocol tcp port 1433
set service MSN protocol tcp port 1863
set service NBDS protocol udp port 138
set service NBNAME protocol udp port 137
set service NetMeeting protocol tcp port 1720
set service NFS protocol udp port 111
set service NNTP protocol tcp port 119
set service NS_Global protocol tcp port 15397
set service NS_Global_Pro protocol tcp port 15397
set service NSM protocol udp port 69
set service NTP protocol udp port 123
set service PC-Anywhere protocol udp port 5632
set service POP3 protocol tcp port 110
set service PPTP protocol tcp port 1723
set service RADIUS protocol udp port 1812-1813
set service Real_Media protocol tcp port 7070
set service REXEC protocol tcp port 512
set service RIP protocol udp port 520
set service RLOGIN protocol tcp port 513
set service RSH protocol tcp port 514
set service RTSP protocol tcp port 554
set service SCCP protocol tcp port 2000
set service SIP protocol udp port 5060
set service SMB protocol tcp port 139
set service SMTP protocol tcp port 25
set service SNMP protocol udp port 161
set service SQL_Monitor protocol udp port 1434
set service SQLNet_V1 protocol tcp port 1525
set service SQLNet_V2 protocol tcp port 1521
set service SSH protocol tcp port 22
set service SUN-RPC-PORTMAPPER protocol udp port 111
set service SYSLOG protocol udp port 514
set service TALK protocol udp port 517-518
set service TCP-ANY protocol tcp port 0-65535
set service TELNET protocol tcp port 23
set service TFTP protocol udp port 69
set service UDP-ANY protocol udp port 0-65535
set service UUCP protocol udp port 540
set service VDO_Live protocol tcp port 7000-7010
set service VNC protocol tcp port 5800
set service WAIS protocol tcp port 210
set service WHOIS protocol tcp port 43
set service WINFRAME protocol tcp port 1494
set service X-WINDOWS protocol tcp port 6000-6063
set service YMSG protocol tcp port 5050

For the following NetScreen/Juniper services, use an App-ID instead of a service object on the Palo Alto Networks device:

Service Name (JNPR)          App-ID Name (PAN)
ICMP Address Mask            icmp_address_mask (custom)
ICMP Dest Unreachable        icmp_destination_unreachable (custom)
ICMP Fragment Needed         icmp_destination_unreachable (custom)
ICMP Fragment Reassembly     icmp_destination_unreachable (custom)
ICMP Host Unreachable        icmp_destination_unreachable (custom)
ICMP Parameter Problem       icmp_destination_unreachable (custom)
ICMP Port Unreachable        icmp_destination_unreachable (custom)
ICMP Protocol Unreach        icmp_destination_unreachable (custom)
ICMP Redirect                icmp_redirect (custom)
ICMP Redirect Host           icmp_redirect (custom)
ICMP Redirect TOS & Host     icmp_redirect (custom)
ICMP Redirect TOS & Net      icmp_redirect (custom)
ICMP Source Quench           icmp_source_quench (custom)
ICMP Source Route Fail       icmp_destination_unreachable (custom)
ICMP Time Exceeded           icmp_time_exceeded (custom)
ICMP-ANY                     icmp_any (custom)
ICMP-INFO                    icmp_info (custom)
ICMP-TIMESTAMP               icmp_timestamp (custom)

To create the custom App-IDs listed above, copy and paste the following commands into the CLI in configuration mode:

set application icmp_source_quench category networking
set application icmp_source_quench subcategory ip-protocol
set application icmp_source_quench technology network-protocol
set application icmp_source_quench risk 1
set application icmp_source_quench consume-big-bandwidth no
set application icmp_source_quench able-to-transfer-file no
set application icmp_source_quench used-by-malware no
set application icmp_source_quench evasive-behavior no
set application icmp_source_quench has-known-vulnerability no
set application icmp_source_quench pervasive-use no
set application icmp_source_quench prone-to-misuse no
set application icmp_source_quench tunnel-applications no
set application icmp_source_quench tunnel-other-application no
set application icmp_source_quench data-ident no
set application icmp_source_quench virus-ident no
set application icmp_source_quench file-type-ident no
set application icmp_source_quench spyware-ident no
set application icmp_source_quench default ident-by-icmp-type 4
set application icmp_any category networking
set application icmp_any subcategory ip-protocol
set application icmp_any technology network-protocol
set application icmp_any risk 1
set application icmp_any consume-big-bandwidth no
set application icmp_any able-to-transfer-file no
set application icmp_any used-by-malware no
set application icmp_any evasive-behavior no
set application icmp_any has-known-vulnerability no
set application icmp_any pervasive-use no
set application icmp_any prone-to-misuse no
set application icmp_any tunnel-applications no
set application icmp_any tunnel-other-application no
set application icmp_any data-ident no
set application icmp_any virus-ident no
set application icmp_any file-type-ident no
set application icmp_any spyware-ident no
set application icmp_any default ident-by-ip-protocol 1
set application icmp_timestamp category networking
set application icmp_timestamp subcategory ip-protocol
set application icmp_timestamp technology network-protocol
set application icmp_timestamp risk 1
set application icmp_timestamp consume-big-bandwidth no
set application icmp_timestamp able-to-transfer-file no
set application icmp_timestamp used-by-malware no
set application icmp_timestamp evasive-behavior no
set application icmp_timestamp has-known-vulnerability no
set application icmp_timestamp pervasive-use no
set application icmp_timestamp prone-to-misuse no
set application icmp_timestamp tunnel-applications no
set application icmp_timestamp tunnel-other-application no
set application icmp_timestamp data-ident no
set application icmp_timestamp virus-ident no
set application icmp_timestamp file-type-ident no
set application icmp_timestamp spyware-ident no
set application icmp_timestamp default ident-by-icmp-type 13
set application icmp_info category networking
set application icmp_info subcategory ip-protocol
set application icmp_info technology network-protocol
set application icmp_info risk 1
set application icmp_info consume-big-bandwidth no
set application icmp_info able-to-transfer-file no
set application icmp_info used-by-malware no
set application icmp_info evasive-behavior no
set application icmp_info has-known-vulnerability no
set application icmp_info pervasive-use no
set application icmp_info prone-to-misuse no
set application icmp_info tunnel-applications no
set application icmp_info tunnel-other-application no
set application icmp_info data-ident no
set application icmp_info virus-ident no
set application icmp_info file-type-ident no
set application icmp_info spyware-ident no
set application icmp_info default ident-by-icmp-type 15
set application icmp_address_mask category networking
set application icmp_address_mask subcategory ip-protocol
set application icmp_address_mask technology network-protocol
set application icmp_address_mask risk 1
set application icmp_address_mask consume-big-bandwidth no
set application icmp_address_mask able-to-transfer-file no
set application icmp_address_mask used-by-malware no
set application icmp_address_mask evasive-behavior no
set application icmp_address_mask has-known-vulnerability no
set application icmp_address_mask pervasive-use no
set application icmp_address_mask prone-to-misuse no
set application icmp_address_mask tunnel-applications no
set application icmp_address_mask tunnel-other-application no
set application icmp_address_mask data-ident no
set application icmp_address_mask virus-ident no
set application icmp_address_mask file-type-ident no
set application icmp_address_mask spyware-ident no
set application icmp_address_mask default ident-by-icmp-type 17
set application icmp_redirect category networking
set application icmp_redirect subcategory ip-protocol
set application icmp_redirect technology network-protocol
set application icmp_redirect risk 1
set application icmp_redirect consume-big-bandwidth no
set application icmp_redirect able-to-transfer-file no
set application icmp_redirect used-by-malware no
set application icmp_redirect evasive-behavior no
set application icmp_redirect has-known-vulnerability no
set application icmp_redirect pervasive-use no
set application icmp_redirect prone-to-misuse no
set application icmp_redirect tunnel-applications no
set application icmp_redirect tunnel-other-application no
set application icmp_redirect data-ident no
set application icmp_redirect virus-ident no
set application icmp_redirect file-type-ident no
set application icmp_redirect spyware-ident no
set application icmp_redirect default ident-by-icmp-type 5
set application icmp_destination_unreachable category networking
set application icmp_destination_unreachable subcategory ip-protocol
set application icmp_destination_unreachable technology network-protocol
set application icmp_destination_unreachable risk 1
set application icmp_destination_unreachable consume-big-bandwidth no
set application icmp_destination_unreachable able-to-transfer-file no
set application icmp_destination_unreachable used-by-malware no
set application icmp_destination_unreachable evasive-behavior no
set application icmp_destination_unreachable has-known-vulnerability no
set application icmp_destination_unreachable pervasive-use no
set application icmp_destination_unreachable prone-to-misuse no
set application icmp_destination_unreachable tunnel-applications no
set application icmp_destination_unreachable tunnel-other-application no
set application icmp_destination_unreachable data-ident no
set application icmp_destination_unreachable virus-ident no
set application icmp_destination_unreachable file-type-ident no
set application icmp_destination_unreachable spyware-ident no
set application icmp_destination_unreachable default ident-by-icmp-type 3
set application icmp_time_exceeded category networking
set application icmp_time_exceeded subcategory ip-protocol
set application icmp_time_exceeded technology network-protocol
set application icmp_time_exceeded risk 1
set application icmp_time_exceeded consume-big-bandwidth no
set application icmp_time_exceeded able-to-transfer-file no
set application icmp_time_exceeded used-by-malware no
set application icmp_time_exceeded evasive-behavior no
set application icmp_time_exceeded has-known-vulnerability no
set application icmp_time_exceeded pervasive-use no
set application icmp_time_exceeded prone-to-misuse no
set application icmp_time_exceeded tunnel-applications no
set application icmp_time_exceeded tunnel-other-application no
set application icmp_time_exceeded data-ident no
set application icmp_time_exceeded virus-ident no
set application icmp_time_exceeded file-type-ident no
set application icmp_time_exceeded spyware-ident no
set application icmp_time_exceeded default ident-by-icmp-type 11

owner: kmiwa


FYI, for all those who are using this, the list above for the services only matches the first line in the predefined list from NetScreen, so it will not be a complete migration. For example, SNMP should be both udp/tcp 161 and udp/tcp 162 to be a strict migration from NetScreen instead of just the listed:

set service SNMP protocol udp port 161

Good luck!
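As an added example (not part of the article or of the comments above), a small Python converter that reads ScreenOS service definitions and emits PAN-OS `set service` commands, keeping every entry of a multi-line service rather than only its first line, as the comment above recommends, and splitting a mixed tcp/udp service into one object per protocol plus a service group. It assumes the ScreenOS line form `set service "name" protocol|+ <proto> src-port ... dst-port lo-hi`, the PAN-OS object-name character rule and the `set service-group ... members [ ... ]` syntax shown; the sample input is constructed.

```python
import re

# Constructed ScreenOS sample (not from the page); assumes ScreenOS writes the
# first entry of a service with "protocol" and further entries with "+".
SCREENOS_SAMPLE = """
set service "SNMP" protocol udp src-port 0-65535 dst-port 161-161
set service "SNMP" + udp src-port 0-65535 dst-port 162-162
set service "SNMP" + tcp src-port 0-65535 dst-port 161-161
set service "SNMP" + tcp src-port 0-65535 dst-port 162-162
set service "Real Media/RTSP" protocol tcp src-port 0-65535 dst-port 7070-7070
set service "Real Media/RTSP" + tcp src-port 0-65535 dst-port 554-554
"""
LINE_RE = re.compile(r'^set service "(?P<name>[^"]+)" (?:protocol|\+) '
                     r'(?P<proto>tcp|udp) src-port \S+ dst-port (?P<lo>\d+)-(?P<hi>\d+)$')

def pan_name(name):
    # Assumed PAN-OS name rule: keep letters, digits, '.', '_' and '-'; anything
    # else (spaces, '&', '/') becomes '_', matching the page's Real Media -> Real_Media.
    return re.sub(r"[^A-Za-z0-9._-]", "_", name)[:63]

def parse_screenos(text):
    """Return {name: {proto: [port-spec, ...]}} with every entry of a service
    kept, not only its first line."""
    services = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            lo, hi = m["lo"], m["hi"]
            spec = lo if lo == hi else f"{lo}-{hi}"
            services.setdefault(m["name"], {}).setdefault(m["proto"], []).append(spec)
    return services

def to_panos(services):
    """Emit PAN-OS 'set service' commands. A service covering both tcp and udp
    becomes one object per protocol plus a service-group under the original
    (sanitised) name, so policies can keep referring to that one name."""
    cmds = []
    for name, protos in services.items():
        base = pan_name(name)
        if len(protos) == 1:
            proto, ports = next(iter(protos.items()))
            cmds.append(f"set service {base} protocol {proto} port {','.join(ports)}")
            continue
        members = []
        for proto, ports in protos.items():
            members.append(f"{base}-{proto}")
            cmds.append(f"set service {base}-{proto} protocol {proto} port {','.join(ports)}")
        cmds.append(f"set service-group {base} members [ {' '.join(members)} ]")
    return cmds
```

Review the emitted port lists before committing: a ScreenOS service that hid a 0-65535 destination range becomes an equally broad PAN-OS object, which is the point where policy tightening (or an App-ID rule) is worth considering.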

I'm trying to find out if there is any demo video or UTD on the MT that goes over the migration of NetScreen policies?