Migration Tool Best Practices

Printer Friendly Page

Migration Tool 3.0 Best Practices

Always load both the Legacy configuration file, and target device or base configuration file in the Tool, and select the platform from the drop-down on the top right of this screen. Then select your target, or intended target platform (device or VM). The system will display the “Recommended Platform” on the bottom right +25% capacity, with a comparison to your candidate configuration. The extra 25% adds some cushion in your projects for future objects. Consider a capacity size depending on your project and customer needs.

Clone all Rules

Try to clone all rules before the APP-ID migration process starts, and apply the APP-ID migration above yours or your customer’s rules. This will ensure your customers have a smooth transition. With the rules containing the APP-ID adoption above the legacy L3/L4 rules you will ensure that your customer is protected by the Next Generation Firewall.

If any changes are made to the connected device you must select it from the Device Tab in order to reload its configuration file and objects.

Check for new Updates from the Updates Tab frequently. The Migration Tool 3 is a live project that is under continuous improvement, and we strive to improve in all aspects of the tool.

Cisco ASA Migrations

The Migration Tool 3.0 is capable to migrate from Cisco IOS 8.3 and higher at this moment. While trying to migrate from older versions you may have some issues especially with NAT rules.

The work around that is to export the config to a PAN-OS XML format, and import this format into the new MT3.0 where you may continue to work on all the new features.


A good practice, if not an obligation for us, would be to adopt the APP-ID concept into all our migration projects. The reason is simple. We are a Next-generation firewall platform and by NOT using App-IDs we are doing a disservice to the customers that will have rule bases migrated over as simple L3/L4 rules with no L7 protection.

There is a complete guide on how to Migrate App-ID on the MT3.0 User Guide Chapter 4.

Two phases in the Migration Process

Always try at least to have all Migrations in 2 Phases:

  • 1st using the devices already in place at the customer site (when available) in TAP or VWire mode, capture all traffic log for at least 15 days prior to the cutover.
  • 2nd use the MT3.0 and configure a Connector to the new device (PAN-OS) and:
  • Separate the unknown to known traffic from the logs.
  • Identify the unknown traffic with the customer and create new APP-ID signatures (even if port base at this point) for unknown but approved traffic.
  • Restrict unknown/not approved by the client traffic in the Security Policies
  • Clone each policy containing known traffic already identified by the MT3.0  with their proper APP-IDs. These policies should be placed above the legacy (port base) policies on the targeted device.
  • Offer a review 20 days after the cutover to the customer in order to securely remove the L3/L4 rules from the security policies and have a full, or at least 85% L7 security policy applied to each customer.
Tags (1)

Where can we find the MT 2.5 version to do this work around? I looked around every Palo support site to find it but there is no visible download.

Ask Questions Get Answers Join the Live Community
Version history
Revision #:
1 of 1
Last update:
‎03-26-2015 10:13 AM
Updated by: