Unlocking App-ID in Firewall Migrations Q & A with Justin


Justin, a Partner, shared his experience with the Migration Tool. Check out the Q&A below and ask any questions you may have!


Could you tell us about your recent experience using the MT 3.0?

Most recently we used the tool to move configurations from Palo Alto Networks firewalls into a Panorama Management platform.

Which functionalities of the tool are most useful to you?

I think the tool in general is incredibly useful. It's not a 100% surefire thing, but it helps me and the team migrate existing policies, and the App-ID adoption is critically important. It quickly becomes apparent when doing a migration with the tool that we can oftentimes slim down the existing rule base by an order of magnitude, especially using App-ID based rules. I believe it's critically important to ensure the rule base conversion includes App-ID and that customers/end users don't get into the habit of just converting their port/protocol rules over to Palo Alto Networks firewalls in the same manner.

Have you done a migration from Palo Alto Networks firewalls to Panorama?

Absolutely. This was probably the easiest migration to perform with the tool, and the ability to selectively add objects where needed to get the Panorama configuration needed for conversion was awesome. The first time we performed a conversion to Panorama, we got it on the first shot, which was great.

You have used previous versions of the tool.  How has this version made your job easier?

The latest version of the tool is light-years ahead of what the previous versions were. The usability and feature sets in the latest release make life much easier, and conversion, while still sometimes a complex engagement, seems to go much smoother with all the added options in the 3.0 release. The ability to drag and drop objects, etc., makes things much easier, and the fixes and tweaks to ensure policies migrate smoother are awesome. I've used the migration tool since its earlier releases, and most recently the 3.0 release prior to public release. In the past we've done large migrations from NetScreen and ASA configurations over to Palo Alto Networks firewalls.

Any recommendations or tips for others using the tool?

The biggest thing I always share is, again, this is not meant to be 100% fool-proof. The MT3.0 will get you about 70-80% of the way there, but still requires manual intervention to ensure rules were converted properly, and that the right App-ID is in place, etc. Make sure you're actually converting rules over to App-ID specific rules, in place of port/protocol, to really get the value out of the Palo Alto Networks solutions. If you're not comfortable with rule conversions, or the tool, spend time in the lab playing with the features and output, and don't hesitate to reach out to a professional to help you as well.