Difficulty migrating from Sidewinder

L1 Bithead

Difficulty migrating from Sidewinder

I'm having difficulty importing a sidewinder configuration into Migration Tool 3.0

After import, I see zones and objects, but no security rules, and "Monitor Logs and Reports" is blank.  Only message in /debug is a single line warning about a certificate.

Here's two examples of the rules as exported from Sidewinder (McAfee 7.1):

policy add table=rule name='allow all tcp 23' rulegroup=Administration pos=3 \

    action=allow appdefense=defaultgroup audit=standard authenticator= \

    authgroups='*' dest='*' dest_burbs='*' disable=no inspection_level=none \

    ipsresponse= nat_addr=host:localhost nat_mode=normal redir= redir_port= \

    service=service:Allow_TCP_23 sign_category_grp= source='*' \

    source_burbs='*' timeperiod='*' ts_enable=no \

    ts_reputation=suspicious_unverified_threshold description='' \

    last_changed_by='mortk on Mon Nov 14 11:44:34 2011'

and

policy add table=rule name=Block_Network_Printers rulegroup='' pos=13 \

    action=drop appdefense=group:Protect_computers audit=standard \

    authenticator= authgroups='*' dest='*' dest_burbs=burb:external \

    disable=no inspection_level=comprehensive ipsresponse= \

    nat_addr=host:localhost nat_mode=normal redir= redir_port= \

    service='servicegroup:Internet Services' sign_category_grp= \

    source=netgroup:Network_Printers source_burbs=burb:internal \

    timeperiod='*' ts_enable=no ts_reputation=suspicious_unverified_threshold \

    description='Block network printers' \

    last_changed_by='johnd on Fri Mar 21 15:14:10 2014'

Tags (2)
L7 Applicator

Re: Difficulty migrating from Sidewinder

Hi,

Yes we are aware, our team is working to finalise this part. Please be patience this is a priority for us to have this ready as soon as we can.

L7 Applicator

Re: Difficulty migrating from Sidewinder

Hi k.kadow ,

Please upgrade to the release date 13th may 2015 00 and try it again. Please let us know how it works, all your feedback and help is much appreciated!

L1 Bithead

Re: Difficulty migrating from Sidewinder

Making good progress with the new release.

I did notice the commands Palo Alto suggests do not include netgroups? (Tool doesn't ask for the output of "cf netgroup query" ).


For my source device, all Interfaces are populated with names, but not Interface IPs or descriptions.  Also, disabled interfaces (enabled=no) are treated as if they were enabled.   This isn't a big deal, easy to adjust manually.


Lastly, the commands suggested generates an error on a Sidewinder firewalls with only static routes and no routing protocol, "cf route q" fails.  I added the output of "cf static q" and the static routes did come in, again without descriptions/names.


L7 Applicator

Re: Difficulty migrating from Sidewinder

Hi K.Kadow,

Thanks for the update, If you want to help us to improve the process could you send us the commands used and the config to fwmigrate@paloaltonetworks.com to review why we are reading correctly in order to fix it as soon as we can?

Thanks for your cooperation !

L1 Bithead

Re: Difficulty migrating from Sidewinder

i am havimg a similar issue but with the netmaps and interfaces secondary IPs.

 

when i try to migrate the interface, only the first ip gets migrated. usually the first ip gets migrated and the others does not show up.

 

The netmap issue is that i dont see any natting rule created after migration. not sure if i am missing something but when i only try to upload the netmaps from the sidewinder nothing happen on the tool.

 

other than that poicy, route, interfaces, zones, addresses and address group all worked really well.

 

L7 Applicator

Re: Difficulty migrating from Sidewinder

Hi,

 

NAT in Sidewinder is not supported. Can you share an example of the piece of code that shows the secondary ip address? You can change the Ip address by X.X.X.X :) Thx

L1 Bithead

Re: Difficulty migrating from Sidewinder

sorry for the late reply

this is an example of a seconday IP addresses 

interface add entrytype=interface name=em1 hwdevice=em1 enabled=yes \
burb=internal \
addresses=1.1.1.1/24,2.2.2.2/24,3.3.3.3/24 \
qos_profile='' mtu=1500 description='description'

 

its all seperated by comma and no space between the comma and the next ip

 

fort he NAT i thought it was supported because the tool actually tell you how to get the config for the NAT

 

cf netmap q >> config_sidewinder.txt

 

this is an example of a netmap or NAT

 

netmap add \
name='your name here' \
members=ipaddr:your ip members:second IP member \ (those are your IPADDR
description='your description here' \
last_changed_by='admin on Mon Apr 22 10:54:27 2013'

Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the Live Community as a whole!

The Live Community thanks you for your participation!