Migrate ScreenOS device using Migration Tool 3

L3 Networker

Hello,

I have several migration projects involving the migration of ScreenOS FW devices. I'm using Migration Tool v3 to help me achieve the configuration migration.

I'm often facing the following issue:

When I import the ScreenOS config file and then generate the output file for the PAN-OS device, there are a lot of address object names that are renamed by replacing the underscore "_" character with a blank space " " character.

As an example, I have this in the source ScreenOS config file:

set policy id 244 name "NYON to MPT CZ with SSG5" from "VPN-SITES" to "Trust"  "LAN-MPTCZ" "LAN-Nyon" "ANY" permit log count
set policy id 244
set dst-address "LAN_WIFI"
exit

It is migrated like this in the MT output files:

set rulebase security rules "Rule ID 244" option disable-server-response-inspection no
set rulebase security rules "Rule ID 244" from VPN-SITES
set rulebase security rules "Rule ID 244" to Trust
set rulebase security rules "Rule ID 244" source "LAN MPTCZ"
set rulebase security rules "Rule ID 244" destination [ "LAN Nyon" LAN_WIFI ]
set rulebase security rules "Rule ID 244" source-user any
set rulebase security rules "Rule ID 244" application any
set rulebase security rules "Rule ID 244" service any
set rulebase security rules "Rule ID 244" hip-profiles any
set rulebase security rules "Rule ID 244" category any
set rulebase security rules "Rule ID 244" action allow
set rulebase security rules "Rule ID 244" log-end yes
set rulebase security rules "Rule ID 244" disabled no
set rulebase security rules "Rule ID 244" negate-source no
set rulebase security rules "Rule ID 244" negate-destination no
set rulebase security rules "Rule ID 244" profile-setting profiles
set rulebase security rules "Rule ID 244" tag

As you can see, the objects "LAN-MPTCZ" and "LAN-Nyon" are renamed "LAN MPTCZ" and "LAN Nyon", which obviously leads to many errors when trying to push the configuration:

[edit]
TSadmin@PA3020_M(active)# set rulebase security rules "Rule ID 244" from VPN-SITES

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" to Trust

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" source "LAN MPTCZ"

Server error :  source 'LAN MPTCZ' is not an allowed keyword
 source LAN MPTCZ is an invalid ipv4/v6 address
 source 'LAN MPTCZ' is not a valid reference
 source LAN MPTCZ range separator('-') not found
[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" destination [ "LAN Nyon" LAN_WIFI ]

Server error :  destination 'LAN Nyon' is not an allowed keyword
 destination LAN Nyon is an invalid ipv4/v6 address
 destination 'LAN Nyon' is not a valid reference
 destination LAN Nyon range separator('-') not found
[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" source-user any

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" application any

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" service any

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" hip-profiles any

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" category any

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" action allow

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" log-end yes

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" disabled no

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" negate-source no

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" negate-destination no

[edit]
@PA3020_M(active)# set rulebase security rules "Rule ID 244" profile-setting profiles

And this also happens for other characters, I guess...

Is this a bug, or is there any trick or workaround to avoid this kind of error?

I feel I'm going to end up with no more hair on my head dealing with such time-consuming issues...

Regards,

Laurent

L3 Networker

Re: Migrate ScreenOS device using Migration Tool 3

I just noticed that it is not the underscore "_" character that is replaced, but the dash "-" character, my mistake.

I would add that renaming hundreds of object names manually is not an acceptable answer for me. Even using tools like Notepad++'s replace feature combined with regex matching, or even grep, is a tricky job, since the blank space character is of course everywhere in the config output file!

Regards,

Laurent
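A workaround for the renaming problem described in the two posts above, added here as an example; it is not part of the thread and not a feature of the Migration Tool. Rather than searching the output for blank spaces, it harvests the real object names from the ScreenOS config and, for every quoted name (or XML `<member>`) in the MT output that contains a space, looks it up with spaces mapped back to dashes. Only names that resolve to exactly one ScreenOS object are rewritten, so rule names such as "Rule ID 244" and objects genuinely named with a space are left alone, and collisions are reported for manual review instead of being guessed. The ScreenOS address lines, the MT output lines beyond the three names quoted in the thread, and the `DMZ A`/`DMZ-A` pair are constructed for the example; the `set address` / `set group address` syntax assumed by `OBJECT_RE` is the standard ScreenOS form but should be checked against your own config, and other object types (services, groups of groups) can be added to that regex the same way.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample inputs for the example (only the object names come from the thread).
# In practice SCREENOS_CONFIG is the file fed to the Migration Tool and MT_SET_OUTPUT the file it produced.
SCREENOS_CONFIG = """\
set address "Trust" "LAN-MPTCZ" 10.10.1.0 255.255.255.0
set address "Trust" "LAN-Nyon" 10.10.2.0 255.255.255.0
set address "Trust" "LAN_WIFI" 10.10.3.0 255.255.255.0
set address "Trust" "CH-BACKUP-3" 192.0.2.3 255.255.255.255
set address "DMZ" "DMZ A" 192.0.2.16 255.255.255.240
set address "DMZ" "DMZ-A" 192.0.2.32 255.255.255.240
set group address "Trust" "GRP-LAN" add "LAN-MPTCZ"
"""

MT_SET_OUTPUT = """\
set rulebase security rules "Rule ID 244" source "LAN MPTCZ"
set rulebase security rules "Rule ID 244" destination [ "LAN Nyon" LAN_WIFI ]
set rulebase security rules "Rule ID 286" source "CH-BACKUP 3"
set rulebase security rules "Rule ID 286" destination any
set rulebase security rules "Rule ID 300" source "DMZ A"
"""

# Object definitions harvested from the ScreenOS config: address and address-group names
# (assumed standard ScreenOS syntax: set [group] address "<zone>" "<name>" ...).
OBJECT_RE = re.compile(r'^set (?:group )?address "[^"]*" "([^"]+)"', re.M)

# Where object names appear in the two Migration Tool output formats.
PATTERNS = {
    "set": re.compile(r'"([^"]+)"'),
    "xml": re.compile(r"<member>([^<]+)</member>"),
}

AMBIGUOUS = object()  # sentinel: two different ScreenOS names collapse to the same key


def canonical(name: str) -> str:
    """Key under which a mangled name ("LAN Nyon") and the original ("LAN-Nyon") compare equal."""
    return name.replace(" ", "-")


def load_screenos_names(cfg: str) -> Dict[str, object]:
    """Map canonical key -> original ScreenOS object name, or AMBIGUOUS on collision."""
    table: Dict[str, object] = {}
    for m in OBJECT_RE.finditer(cfg):
        name = m.group(1)
        key = canonical(name)
        if key in table and table[key] != name:
            table[key] = AMBIGUOUS
        else:
            table[key] = name
    return table


def restore_names(text: str, table: Dict[str, object], fmt: str = "set") -> Tuple[str, List[Tuple[str, str]], List[str]]:
    """Rewrite mangled object names in MT output.

    Returns (rewritten text, [(mangled, restored), ...], [tokens left alone because ambiguous]).
    """
    changes: List[Tuple[str, str]] = []
    skipped: List[str] = []

    def fix(m):
        token = m.group(1)
        if " " not in token:
            return m.group(0)  # nothing was mangled here
        real = table.get(canonical(token))
        if real is None or real == token:
            return m.group(0)  # not an address object (e.g. a rule name), or genuinely contains a space
        if real is AMBIGUOUS:
            skipped.append(token)
            return m.group(0)  # several ScreenOS objects could be meant: leave it for a human
        changes.append((token, real))
        return m.group(0).replace(token, real)

    return PATTERNS[fmt].sub(fix, text), changes, skipped


if __name__ == "__main__":
    names = load_screenos_names(SCREENOS_CONFIG)
    fixed, changed, ambiguous = restore_names(MT_SET_OUTPUT, names)
    print(fixed)
    for old, new in changed:
        print(f'restored "{old}" -> "{new}"')
    for tok in ambiguous:
        print(f'left "{tok}" unchanged: several ScreenOS objects map to it, fix by hand')
```

To use it on real files, read the ScreenOS export into `SCREENOS_CONFIG` and the MT set-command or XML file into the text passed to `restore_names` (with `fmt="xml"` for the XML output). Before committing, check that the address objects in the MT output actually carry the dashed names; the "is not a valid reference" errors in the thread indicate that they do, since the rules fail to resolve the space-separated variants. Anything listed as ambiguous should be resolved by hand against the ScreenOS policy that references it.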

L3 Networker

Re: Migrate ScreenOS device using Migration Tool 3

What is really weird is that sometimes some characters are preserved and others are not within the same object:

Look at the following source config:

set policy id 286 from "Trust" to "Untrust"  "CH-BACKUP-3" "Any" "ANY" nat src permit log
set policy id 286 disable
set policy id 286
exit

And then the output config:

set rulebase security rules "Rule ID 286" option disable-server-response-inspection no
set rulebase security rules "Rule ID 286" from Trust
set rulebase security rules "Rule ID 286" to Untrust
set rulebase security rules "Rule ID 286" source "CH-BACKUP 3"
set rulebase security rules "Rule ID 286" destination any
set rulebase security rules "Rule ID 286" source-user any
set rulebase security rules "Rule ID 286" application any
set rulebase security rules "Rule ID 286" service any
set rulebase security rules "Rule ID 286" hip-profiles any
set rulebase security rules "Rule ID 286" category any
set rulebase security rules "Rule ID 286" action allow
set rulebase security rules "Rule ID 286" log-end yes
set rulebase security rules "Rule ID 286" disabled yes
set rulebase security rules "Rule ID 286" negate-source no
set rulebase security rules "Rule ID 286" negate-destination no
set rulebase security rules "Rule ID 286" profile-setting profiles

You can notice that the first dash "-" character in the object "CH-BACKUP-3" is kept, but not the second one...

Laurent

L7 Applicator

Re: Migrate ScreenOS device using Migration Tool 3

Hi,

Let us check to see if we can reproduce it. Have you checked whether the XML config has the same issue, or is it just the SET commands? Thanks

L3 Networker

Re: Migrate ScreenOS device using Migration Tool 3

Hi,

Thanks for your quick answer.

Yes, it is the same in the XML output file:

<entry name="Rule ID 244">
                  <option>
                    <disable-server-response-inspection>no</disable-server-response-inspection>
                  </option>
                  <from>
                    <member>VPN-SITES</member>
                  </from>
                  <to>
                    <member>Trust</member>
                  </to>
                  <source>
                    <member>LAN MPTCZ</member>
                  </source>
                  <destination>
                    <member>LAN Nyon</member>
                    <member>LAN_WIFI</member>
                  </destination>
                  <source-user>
                    <member>any</member>
                  </source-user>
                  <application>
                    <member>any</member>
                  </application>
                  <service>
                    <member>any</member>
                  </service>
                  <hip-profiles>
                    <member>any</member>
                  </hip-profiles>
                  <category>
                    <member>any</member>
                  </category>
                  <action>allow</action>
                  <log-end>yes</log-end>
                  <disabled>no</disabled>
                  <negate-source>no</negate-source>
                  <negate-destination>no</negate-destination>
                  <profile-setting>
                    <profiles/>
                  </profile-setting>
                  <tag/>
                </entry>

Regards,

Laurent

L7 Applicator

Re: Migrate ScreenOS device using Migration Tool 3

Can you share the config with us? Maybe we can move forward. If yes, please send it to fwmigrate@paloaltonetworks.com

Thanks

L7 Applicator

Re: Migrate ScreenOS device using Migration Tool 3

We cannot reproduce it at this time with the configs we have. Can you confirm you are working with MT higher than 3.3.x? Latest is 3.3.7.

L3 Networker

Re: Migrate ScreenOS device using Migration Tool 3

Hi,

I cannot share the configuration since it is from one of our customers.

Version
3.0
Last Revision: March 26th 2015 02

So maybe I will try to use a more recent release.

Thanks for the advice,

Laurent

L7 Applicator

Re: Migrate ScreenOS device using Migration Tool 3

Hi, just wondering whether you were able to import the config with the latest migration tool?
