My Experience Using the Migration Tool 3.0 for an APP-ID Migration from Panorama Log

L1 Bithead

I did an APP-ID migration from Panorama using the Migration Tool 3.0.

Here are the details of my setup:

1. All policies configured/pushed through Panorama DG, the firewall did not have a local policy.

2. All log were forwarded to Panorama and Panorama can see the traffic logs.

3. The firewall is a PA-7050 and Panorama is M-100.

Here are some caveats I learned:

  • Make sure you are using the latest version of the Migration Tool 3.0. The older version still had some issues reading logs from Panorama, the latest is best.
  • In the log connector section and for the connected device chose the actual firewall, not Panorama.
  • The log source should be Panaroma.
  • If possible, the machine running Migration Tool 3.0 should have local connectivity to Panorama to reduce the latency.
  • In my previous experiences with the tool I was using VPN to connect Panorama, which caused the tool to get stuck during the APP-ID migration process.
  • Start the log period with small intervals to make sure it works first, then switch to a longer time frame such as 30 days.

Please let me know if you have any questions about my experience using the tool!



L7 Applicator

Thanks for sharing the outline.  Very helpful.