Expedition Articles


Featured Article
Here you can find details about the Expedition Migration Tool Agreement.  
02-01-2021 03:25 PM
Expedition supports migrating the sections listed below from each vendor's configuration to a PAN-OS configuration.

** This is the list of tested vendor OS versions; versions not listed here need further validation.
*** Juniper VPN configuration conversion will be supported in Expedition 2.x.

Table 1: Expedition supports converting 3rd-party vendor config sections (Updated on 2020/07/7)
Note: The table will be updated when new support is added.

| Vendor | Supported Vendor OS** | Global Address Object | Address Objects | Address Group Objects | Service Objects | Service Group Objects | Security Policy | NAT Policy | Network Interface (L3 only) | Routing (Static Routes Only) | VPN |
|---|---|---|---|---|---|---|---|---|---|---|---|
| Checkpoint | R75, R77 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| | > R80 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Cisco | ASA 9.0, 9.1, 9.6, 8.2, 8.4 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ |
| | FirePower [only in ASA syntax] | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Fortinet | Fortigate 4.0, 5.0, 6.0 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| IBM | XGS 5.1 | | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
| Juniper | All Netscreen Firewalls (ScreenOS) | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ *** |
| | Junos 11.4, 12.1, 12.3 | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ *** |
| Forcepoint | Sidewinder | | ✔ | ✔ | ✔ | ✔ | ✔ | | ✔ | ✔ | |
| | Stonesoft | | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
01-05-2021 11:55 AM
With the new version of Checkpoint SmartCenter R80, the way to obtain the rules has changed.

Exporting Configuration

To export the configuration from a Checkpoint R80 you need to download a tool from Checkpoint's GitHub. Make sure you download the latest version of the tool, since the one that comes installed in your SmartCenter is usually old and may contain bugs.

First open your preferred web browser and go to:

https://github.com/CheckPointSW/ShowPolicyPackage/releases

Check for the latest release. At the moment of updating this post the latest version was 2.0.6, so to download it click on the file named web_api_show_package-jar-with-dependencies.jar:

https://github.com/CheckPointSW/ShowPolicyPackage/releases/download/V2.0.6/web_api_show_package-jar-with-dependencies.jar

After downloading the file, upload it to the SmartCenter server where Checkpoint R80 management is running. Use your preferred SCP tool to do it.

Please read the README.md file shown in https://github.com/CheckPointSW/ShowPolicyPackage to understand how to run the downloaded file properly, paying special attention to the Examples.

Before you run the command, verify that the Checkpoint API is running; otherwise this tool will fail to execute. Please read this if you don't know how to enable/verify if your API is UP and running.

Now you can run the tool from the CLI as EXPERT:

    java -jar web_api_show_package-jar-with-dependencies.jar -v

The output from that command will let you know which packages are available to export.

The last command to run is the following, where PACKAGE NAME is the name you have chosen from the output of the previous command. In a MULTI-DOMAIN environment, specify the DOMAIN NAME too (-d is OPTIONAL):

    java -jar web_api_show_package-jar-with-dependencies.jar -k <PACKAGE NAME> -d <DOMAIN NAME>

This will create a new tgz file, which you will use as is on the Expedition import page.

Exporting Routing and Interfaces

From the firewall CLI, run the following:

    netstat -nr > routes.txt

With all this information, go to Expedition, create a new Project, enter the Project, and go to IMPORT > CHECKPOINT > VERSION R80.

1. Assign a name to your configuration, such as "MyInternetGW".
2. Select the tgz file and attach it to the proper input.
3. Select routes.txt for the routes.
4. Click UPLOAD.

References: Checkpoint website article about the show package tool
12-11-2020 01:39 AM
Here are all the documents related to Expedition use and administration:

- Hardening Expedition – Follow to secure your instance.
- Admin Guide – Describes the Admin section and provides advice on how to configure and set it up properly.
- User Guide v1.1 (will be improved)
- Log Analysis Feature Guide – (APP-ID Adoption, Rule Enrichment, and Machine Learning features)
11-18-2020 03:51 PM
Symptoms

When importing either a PAN-OS configuration or a 3rd-party vendor configuration, the import progress bar gets stuck in the middle without throwing any errors.

Diagnosis

All migrations in Expedition 1 leave traces for debugging in the error file located in /tmp/error. Below we present an example of an error that could be reported on a migration:

In this specific case, the migration parser could not complete because of the limit on the amount of RAM the migration process is allowed to use (Allowed memory size of 4GB exhausted).

Solution

Fortunately, this RAM limit is simple to handle. In your Expedition web UI, go to "Settings" -> "CUSTOM PARAMS" and increase the allowed RAM ("PARSER_max_execution_memory") to a larger value without exceeding your VM RAM. If you have 16G RAM in your Expedition VM, you could change the value up to "16G", as shown in the screenshot below. Notice that in most cases your configuration won't be so large that it becomes necessary to allocate such a large amount of "Allowed RAM". For most scenarios, 4GB should be enough, so try allocating 6GB or 8GB until your migration can be completed.
10-29-2020 06:21 AM
Expedition – The Glue Between IronSkillet and Best Practices

Expedition was conceived to reduce the time and effort a security admin needs to improve and optimize their Palo Alto Networks configurations. Following that effort, we have added, within Expedition, support not only to run a BPA analysis but also to remediate some of the failed checks (all related to Device Config), and now integration with the IronSkillet project: https://github.com/PaloAltoNetworks/iron-skillet
05-26-2020 03:13 PM
Access Expedition GUI Using Google Chrome with Certificate Error

Symptoms

You can't access the Expedition GUI using Google Chrome. The error message 'NET::ERR_CERT_COMMON_NAME_INVALID' is displayed, as in the screenshot below, and you are not able to proceed to the website.

Please note: It is best practice not to proceed to a site that fails with a certificate error. Proceed only when a self-signed certificate is used in Expedition and you have confirmed it is safe to proceed to the site.

(Screenshot: View of Chrome Error - NET::ERR_CERT_COMMON_NAME_INVALID)

Diagnosis

For Google Chrome 58 and later, only the subjectAlternativeName extension, not commonName, is used to match the domain name and website certificate. If the certificate doesn't have the correct subjectAlternativeName extension, users get a NET::ERR_CERT_COMMON_NAME_INVALID error letting them know that the connection isn't private, and Chrome will not provide an option to proceed to the URL.

Please see the article for more details: https://support.google.com/chrome/a/answer/7391219?hl=en

Solution

Perform the steps below to re-install the self-signed certificate with subjectAltName in Expedition:

1. SSH to Expedition.
2. cd to /tmp.
3. Modify req.conf by issuing the command below:

    $ sudo vi req.conf

4. Copy and paste the section below into req.conf, and modify the attributes in the file to match your organization:

........................................................................................
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no

[req_distinguished_name]
# Replace this with your country name
C = US
# Replace this with your state name
ST = VA
# Replace this with your city name
L = SomeCity
# Replace this with your company name
O = MyCompany
# Replace this with your organization name
OU = MyDivision
# Replace this IP with your Expedition IP
CN = 192.168.44.131

[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
# Replace this IP with your Expedition IP
DNS.1 = 192.168.44.131
DNS.2 = company.com
DNS.3 = company.net
# An IP address in the URL is matched against IP entries, so list the Expedition IP here as well
IP.1 = 192.168.44.131
........................................................................................

5. Save the changes with ESC :wq!
6. Issue the commands below in order (the key is generated without -config, which genrsa does not accept in current OpenSSL releases):

    $ sudo openssl genrsa -out server.key 3072
    $ sudo openssl req -new -x509 -key server.key -sha256 -out certificate.pem -days 730 -config req.conf
    $ sudo cp server.key /etc/ssl/certs/
    $ sudo cp certificate.pem /etc/ssl/certs/

7. Modify default-ssl.conf by issuing the command below:

    $ sudo vi /etc/apache2/sites-enabled/default-ssl.conf

8. Find the two lines below in default-ssl.conf:

    SSLCertificateFile   /etc/ssl/certs/ssl-cert-snakeoil.pem
    SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

   and replace the paths with:

    SSLCertificateFile   /etc/ssl/certs/certificate.pem
    SSLCertificateKeyFile /etc/ssl/certs/server.key

9. Save the changes with ESC :wq
10. Restart Apache by issuing the command below:

    $ sudo systemctl restart apache2

11. Try to access the Expedition GUI again. Google Chrome should now present you an option under "Advanced" to proceed to the URL.
05-15-2020 06:23 AM
ABOUT

Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The purpose of this tool is to help reduce the time and effort of migrating a configuration from a supported vendor to Palo Alto Networks. By using Expedition (Migration Tool), everyone can convert a configuration from Checkpoint, Cisco, or any other vendor to PAN-OS, which gives you more time to improve the results. Expedition (Migration Tool) 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.

NOTE: Expedition is supported by the community as best effort. The Palo Alto Networks TAC does not provide support, so please post your questions in the community by clicking "Ask Questions" below.

Expedition Installation: This video provides a quick tutorial on installing Expedition on Ubuntu Server 16.04.

Links: Get the Expedition Installer, Get the Legacy Expedition OVA, Get the Legacy Expedition VM, Ask Questions, Get the Guides, Tutorial Videos
Retired Member 04-07-2020 03:51 PM
Be the first to discover the new dynamic log connector functionality and learn about App-ID Adoption and the new Device Monitor...
11-22-2019 01:48 PM
Explore the Expedition Dashboard

(Screenshot: Expedition Dashboard)

There are two parts related to the VM stats: one shows the stats for the local VM running the GUI, and ML Health, in case it is running on another VM, shows the stats from the remote Expedition VM.

That means you can set up two Expedition VMs and use one for the GUI and another, with more CPU and RAM, to run the data analysis and machine learning. If this is your case, go to SETTINGS -> M. Learning, set the IP address where your Expedition with more resources is running, and click on SAVE.

The Task Manager must always be UP. It controls all the backend jobs requested from the GUI, such as retrieving contents from a device using the API keys.

Expedition comes with a self-check list that shows you whether something in the system can be improved and whether dependencies or required functions are working properly or missing.

Next to the logo you can find the version and the release date, plus the version of the Best Practices Assessment Tool that is running.
10-07-2019 09:07 AM
What is Expedition?

Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The main purpose of this tool was to help reduce the time and effort needed to migrate a configuration from one of the supported vendors to Palo Alto Networks.

By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to PAN-OS, which gives you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well.

With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from other vendors to PAN-OS, but because we want to ensure the outcome is the best possible. This is why we added a Machine Learning module that can help you generate new security policies based on real log traffic, and introduced the Best Practices Assessment Tool to check that the configuration complies with the Best Practices recommended by our security experts.

With all these huge improvements, we expect that the next time you use Expedition the journey to excellence will be easier.

NOTE: Expedition is supported by the community as best effort. The Palo Alto Networks TAC does not provide support, so please post your questions in the community.

Go to: Expedition landing page on LIVEcommunity
10-07-2019 09:02 AM
This document describes the advantages of using Regions objects when importing the Rule Enrichment policy recommendations.
10-07-2019 08:57 AM
(DO NOT EDIT resolv.conf)

If needed, statically configure a DNS server for the Expedition server by editing the dns-nameservers entry in the /etc/network/interfaces file.

Editing resolv.conf is not reliable, as any edits will be overwritten on reboot of the Expedition server.

    expedition@Expedition:/etc/network$ sudo vi interfaces

Configured to use DHCP

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    source /etc/network/interfaces.d/*

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto ens33
    iface ens33 inet dhcp
    dns-nameservers 8.8.8.8 4.2.2.2

Configured with a static IP

    # This file describes the network interfaces available on your system
    # and how to activate them. For more information, see interfaces(5).

    source /etc/network/interfaces.d/*

    # The loopback network interface
    auto lo
    iface lo inet loopback

    # The primary network interface
    auto ens33
    iface ens33 inet static
        address 192.168.252.136
        netmask 255.255.255.0
        gateway 192.168.252.2
        dns-nameservers 8.8.8.8 4.2.2.2
10-07-2019 08:50 AM
Please review the attached document for SHA256 hash of the Expedition OVA.  
10-07-2019 08:48 AM
This document describes how to enable and configure the new feature in update version 1.1.20 to enable the scheduling of log processing for the Machine Learning feature.
10-07-2019 08:43 AM
Expedition uses PHP to perform the backend actions. Some of those require interactions with MariaDB databases and use mysqli as a driver to connect to these databases.

To ensure that connections to the database stay alive, we want to modify one of the PHP system parameters so that connections to the database are re-established once they are lost.

Open a terminal to Expedition and edit the following files:

1. php.ini for Apache

Edit the php.ini file for Apache with the following command:

    sudo nano /etc/php/7.0/apache2/php.ini

Change (you can use the Search feature with ^W)

    mysqli.reconnect = Off

to

    mysqli.reconnect = On

Write the changes with ^O and exit nano with ^X.

2. php.ini for CLI

Edit the php.ini file for the CLI with the following command:

    sudo nano /etc/php/7.0/cli/php.ini

Change (you can use the Search feature with ^W)

    mysqli.reconnect = Off

to

    mysqli.reconnect = On

Write the changes with ^O and exit nano with ^X.

3. Apply the changes

Once the changes are done, apply them with:

    sudo service apache2 restart
10-07-2019 08:40 AM
The attached document has been used as a lab guide to configure the machine learning in your environment.    Replace the VM and Expedition details using your configuration and traffic logs to start using machine learning to show how App-ID can be employed to reduce the attack surface of your security policies.
10-07-2019 08:35 AM
Generate the XML configuration by running this command from the CLI:

    show configuration | display xml | no-more

Before you import a Juniper SRX configuration into Expedition, there are some manual checks you can do to verify that the migration will work.

- The configuration must start with only the <configuration> tag. Replace everything before or inside that tag with just <configuration>.
- The configuration must end with </configuration>. Any other text after it must be removed.

Here's an example of how an SRX config should look after you edit it:

    <configuration>
    ....
    ....
    </configuration>

For integrity validation, it is good practice to open the XML file in the Firefox browser, because if something is breaking the XML integrity Firefox will tell you which line has an invalid character. You must replace the invalid character before uploading the file to Expedition.

This is an example of a wrong configuration. It seems someone created the file but stored it with wrong line breaks in it, so Firefox will complain about the format.

If we edit the file, we can see this at line 911 of the config file:

    <pre-shared-key>
    <ascii-text>$9$4xxxxxxxxxxxx</asc
    ii-text>
    </pre-shared-key>

To fix this example, we have to remove the line break after </asc so that it reads:

    <pre-shared-key>
    <ascii-text>$9$4xxxxxxxxxxxx</ascii-text>
    </pre-shared-key>

Fix all the problems before importing into Expedition.

Hope this helps.
10-07-2019 08:31 AM
Expedition comes with a built-in messaging queue system.

This mechanism allows it to prepare tasks and send them to the queue. With this, jobs can run internally without you having to wait on the same page until the job is finished.

The first thing you have to do when you enter Expedition is check whether the process is UP or DOWN, and click on START in case it is DOWN. While it is DOWN, jobs will not be executed until it is UP again.

(Screenshot: Dashboard)

Some of the tasks relying on the TASK MANAGER are:

- Download contents from Devices
- Auto-Zone Function
- Retrieve dynamic reports from firewalls for App-ID and User-ID adoption
- Machine Learning

Debug: If you want to see the output generated by the jobs running from the queue, you can see the content here:

    tail -f /home/userSpace/panReadOrders.log
10-07-2019 08:29 AM
There are many ways to replace Zones in your Rules, but there is one that really makes a difference.

The idea in this example is to replace the Zone called VPN-Didac with Untrust. The approach is to filter by the Zone, see where this zone is used, and then do the replace.

1. From within the Project, navigate to Network and then click on Zones.
2. Right-click on the Zone you want to replace (point the mouse over the name), in our case VPN-Didac, and select Add to filter.
3. This creates a new filter. Activate it by dragging and dropping it under the ACTIVE folder, then click the APPLY FILTER button.
4. Navigate to TOOLS and then Search and Replace. In the left panel, where the output from the filters is listed, select the Zone you want to replace. Expedition will then search for the groups or policies in which it has been used.
5. In our example, click on Security Policies, select all the rules where this zone was seen, and add them to Replace. Do the same with the NAT Policies shown. After that, click on REPLACE.
6. From the REPLACE view, keeping all the elements selected, choose "Zones" from the combo called Replace by, and then from the next combo, called "To", select the zone that should replace the one you searched for.
7. Click on Replace All and check in the Rules that the change was effectively done.

Done!
10-07-2019 08:22 AM
Question

Can I export my project to another Expedition instance?

Answer

Yes you can!

Export a Project:

Warning: Only Expedition Super-Users can Import and Export Projects.

1. Log in to your Expedition.
2. Go to the Projects tab.
3. Select the project you want to export and click on Settings. (Screenshot: Projects View)
4. Go to the Import/Export sub-tab.
5. Click on the Export button.
6. Click on Save. (Screenshot: Import Export View)

Import a Project:

1. Create a new Project.
2. Click on Settings of the project.
3. Go to the Import/Export sub-tab.
4. From the Import fieldset, click on Browse to select the project to import.
5. Click on Save.

Warning: In case the project already exists, its content will be replaced by the new one; whatever was in the project will be replaced with the new content.

The log connectors will be removed from the project because they reference devices that may not exist where you are importing the project.

(Screenshot: Import Export View)
10-07-2019 08:19 AM
There are times when you have already started a project and then need to import the configuration from a device you have not created yet.

1. From the Expedition Dashboard, go to Devices and add the new device.
2. After generating the keys and importing the contents, go to the Projects view.
3. Select your project and click on Settings.
4. Go to Devices.
5. Select the firewall you want to bring into your project.
6. Click on the arrow that points to the right.
7. Click on Save.

(Screenshot: Project's Settings View)

Now when you enter your project and navigate to the Import tab, you will see the device to be imported.
10-07-2019 08:13 AM
In Expedition, there are many different ways to set up a filter. Let's start from the beginning.

Case A) Project Dashboard

(Screenshot: Project Dashboard)

When you click on one of the counters in PROJECT STATISTICS, Expedition will set a filter and jump to the selected object. If you click on the Duplicated counter for services, the corresponding filter is applied and you are taken to the Services view.

(Screenshot: Filter Window)

Case B) Predefined Filters

In any objects view, a right-click shows an advanced menu. One of the options is called predefined filters; open the list and select the one you want in order to create and apply the filter automatically.

(Screenshot: Right-click over one service)

Each type of object can have its own predefined filters, but usually they are common between them.

Case C) Custom Filters

Click on Filters from the Objects or Policies view to get access to the Filter assistant.

(Screenshot: Access to Filter Assistant)

A new window will show up. From here we can create our custom filter:

- Scope: Where this filter will apply. The more objects you add to the scope, the fewer fields they have in common to search by. For example, if you select address and addressgroups as the scope, you can search only by name, tag and description because those are the fields in common; if you select only address, all the fields related to address can be used to search, like ipaddress, cidr, etc.
- Field: The field we want to use to filter.
- Operator: It can be equal, or contains, etc.
- What to search: Text we want to search for in the selected field.

To CREATE the filter, click on the plus button.

(Screenshot: Creating custom filter)

To apply the new filter, select the filter from AVAILABLE, DROP it into the ACTIVE folder, and click on APPLY FILTER.

(Screenshot: Edit Custom Filter)

From the Objects and Policies views, you can see if there is any active filter and clear them all.

Remember, when creating a custom filter, first add it to the available filters and then drop it into ACTIVE to apply the filter.
10-07-2019 08:11 AM
Expedition comes with a framework to manage Role-Based Access Control. This will help you add users with different levels of privileges.

1) Expedition User Roles:

   a) Super User: This Role allows the user to manage everything on Expedition.
   b) Admin: This Role allows the user to create projects and devices, but the user cannot change system settings or add new users.
   c) User: This Role allows the user only to enter Expedition and see the projects and devices to which access has been granted.

(Screenshot: View of adding a new user to Expedition)

2) Project User Roles:

When a project is created by an Expedition Super-User or Admin, it can be edited by clicking on Settings.

(Screenshot: View of Expedition Project Settings)

From the Settings window, we can add Expedition users to the Project. Inside the Project, we have different Roles:

   a) admin: This Role can change the Project Settings and modify all the content within it.
   b) user: This Role can edit the project contents but cannot change the project settings to add more devices or users to the project.
   c) viewer: This Role is for read-only purposes. It doesn't have any privileges to change anything inside the project or manage the project settings.

(Screenshot: View of Edit Project panos to add Expedition users)

As an example, you can create a new Expedition user with Role (User) and attach this user to one Project as (admin). In this case the user will be able to manage only the project and its content, but will be unable to add more projects, devices or users to Expedition.

Hope this helps to clarify how to assign Roles.
09-27-2019 11:32 AM
Symptoms

Sometimes you need to add the same Security Profile, Log Forwarding Profile or even a TAG to a large number of Security Policies. When the number of rules is really high, the MULTIEDIT function can sometimes be SLOW. How can I perform BULK changes for common problems really FAST?

Diagnosis

Solution

With version 1.0.107, we introduced a new way to perform BULK CHANGES really fast.

From POLICIES, you can right-click or click on the TOP RIGHT menu button for Options.

(Screenshot: View of Security Policies Bulk Changes)

Here you will find all the available options for BULK CHANGES. When you select an option, you will have to choose whether to apply the change to all the Rules or just the selected ones. The changes will be made immediately.
09-27-2019 11:23 AM
Expedition offers local user authentication and external user authentication via LDAP and Radius servers.

In this example, we will illustrate how to configure external authentication via a Windows Active Directory server.

Settings in LDAP Server

We have created a server under the domain sctc.domain.local, defined a group called "developers" and added a user "didac gil" with logon name "didacgil9".

In the figure, we can notice that users authenticate with the suffix "@sctc.domain.local". We will have to take this value into account to provide the correct settings in Expedition and complete the user authentication.

(Screenshot: View of Active Directory Users and Computers, highlighting @sctc.domain.local in a user account)

Defining LDAP Server in Expedition

In Expedition, we will first define the LDAP authentication server. Only Superusers have rights for server registration or modification. We have two different approaches for user authentication.

Approach 1. User needs to enter full logon name

Define a server providing the desired server's name, the server's address and port, server type (Windows or Linux), Search DN parameters and SSL and/or TLS usage.

In our case, our server responds at sctc.domain.local port 389 and we have named it LDAP_approach1. The users that will use this server for authentication belong to the developers group, therefore we have provided the following Search DN: "CN=developers,DC=sctc,DC=domain,DC=local". Contact your Active Directory administrator to verify your correct Search DN parameters.

(Screenshot: View of Approach 1 to Add New LDAP Server using the address sctc.domain.local)

After saving, we will test the server settings by clicking on the diagnostics icon. We will be required to enter an existing user's credentials.

(Screenshot: View of LDAP Test Connection)

Feedback will be provided with the results of the connection.

Through this approach, users will have to provide their full account name for authentication. In our case, didacgil9@sctc.domain.local will be the user account name required for a valid authentication.

Approach 2. Server specifies the user suffix

In this case, we will facilitate the user's logon by providing the suffix already in the server settings. This way, a user will only have to write their account name "didacgil9".

(Screenshot: View of Approach 2 to Add New LDAP Server using the address sctc.domain.local)

Notice that with this approach, all users must share the same suffix in order to be able to validate their credentials.
09-27-2019 11:13 AM
  Expedition TechNote: CSV Import Guide: This document provides examples and descriptions on how to import configurations using the "Import CSV" option available in Expedition. There are many use cases to utilize the CSV import feature with one of the main use cases being used to migrate 3rd party firewall configurations that Expedition currently does not have a native configuration parser for.   Updated May 15, 2019
09-27-2019 10:48 AM
    Expedition (updated to version 1.1.11) User Guide Version 1.2 What is Expedition?   Expedition is the fourth evolution of the Palo Alto Networks Migration Tool. The original main purpose of this tool was to help reduce the time and effort to migrate a configuration from one of the supported vendors to Palo Alto Networks. By using the Migration Tool, everyone can convert a configuration from Checkpoint or Cisco or any other vendor to a PAN-OS and give you more time to improve the results. Migration Tool 3 added some functionalities to allow our customers to enforce security policies based on App-ID and User-ID as well. With Expedition, we have gone one step further, not only because we want to continue helping to facilitate the transition of a security policy from others vendors to PAN-OS but we want to ensure the outcome makes use of the most advanced features of the platform to get you closer to the best of the possible configurations. For this reason, we added a Machine Learning module, which can help you to generate new security policies based on real log traffic, and we have introduced the Best Practices Assessment Tool, which checks whether the configuration complies with the Best Practices recommended by our security experts. With all these huge improvements, we expect the next time you use Expedition the journey to excellence will be easier.   Login   Login From the Web Interface   Web Interface Login   This is only referencing the access via web interface Username admin Password paloalto   SECURITY WARNING: We encourage you to change the username and password after your first login.   Changing default credentials   As a best practice, we recommend that you change the default credentials as soon as possible (DP – upon first log in)   Web Interface Login   After you log in via the web browser, follow these instructions to change the password for the “admin” user.   
A new window to change the password will be shown: Type the current password Type NEW password Re-type NEW password Click on Save Remember the password length has to be at least 10 characters long.       Let’s Migrate   Expedition can help you migrate pieces of configuration from other security vendors and import them into a Palo Alto Networks configuration. The goal is to reduce time and mistakes. Expedition results always need to be reviewed by a professional with knowledge of the vendor that has been migrated and with Palo Alto Networks technologies as well.   There is no easy button that magically converts a configuration from any vendor to Palo Alto Networks without applying the right methodologies and using qualified people.   Migration Workflow   The migration workflow applies to all the vendors we support: Import a Configuration (from a supported vendor) Export Unused Objects Report Remove Unused Clean Invalid Objects Rename, Remap Interfaces to PAN-OS Naming Convention Import a Base Configuration (Palo Alto Networks configuration from the device that you are migrating to) Move Objects From the Configuration Migrated to the Base Configuration. Merge Remove Duplicates (if any) Generate the Output (XML, SET Commands, API Calls) First step will be always creating a Project, then enter the project by double-click on it.   Importing a configuration into the project     Expedition can read from different sources. For more specific insights on each vendor, go to the Appendix at the end of this document. Here we will describe the common procedure to migrate any configuration.   Navigate to the Import Tab and select from what vendor you want to migrate. After the configuration has been imported to Expedition, check for invalid objects and clean them before you move forward.   Project Dashboard   As a good starting point, it’s recommended to take a look at the Project Statistics panel. We can search here for invalid, unused, and duplicate objects. 
We can go straight to reviewing the invalid services by clicking on the number shown under the invalid column for the Services Row. That will move the view to Services, which is located under Objects, and will apply a predefined filter to show only the Invalid Services.

Remove Unused Objects

Before looking at how to fix those invalid services, it’s important to remove what was imported but is not used in any security or NAT policy. Let's call these unused objects. To remove the unused objects, navigate to the Objects Tab and look at the bottom right bar.

At the very end, you will find three buttons. The green button recalculates which objects are defined as used or not used. Use it after changes have been made to the configuration, so Expedition can recalculate the used objects. The red button removes the unused objects from the configuration. The third button, with the "X" on it, exports a report with all the unused objects.

We recommend exporting the Excel file to track which objects will be removed from the configuration when you click on the red button, and it’s good to keep it for your migration records.

After exporting the Excel file, click the red button to remove all the unused objects, and recheck your dashboard to see if you reduced the number of fixes you have to make.

Fixing Invalid Services

Every time you import a configuration from a vendor other than Palo Alto Networks, it's common to have what we call invalid services. We consider invalid all services that were based on IP protocols other than TCP or UDP. For example, you can find ICMP-related services, IPSec or GRE.

After we have removed the Unused Objects, only the used ones are kept for remediation. For an invalid service whose original was not TCP or UDP, the only way to fix it is to change it to an App-ID from Palo Alto Networks.
To update the App-IDs, just right-click on the invalid service and click Search and Replace from the advanced menu.

This will open up the Tools Tab and show you the Search & Replace Tab. The view is divided into two panels: the left panel shows the output of the applied filters and the right panel shows where the selected items from the left panel are used.

Replace Services by App-ID

Select the service to be replaced. In our example, we select the Group where ICMP was a member and click the Replace button located on the bottom bar.

Click Security Policy (1), then select the rule where the service is used and click Replace again.

If you want to see the rule(s) that use this object, just double-click on the rule and you will be redirected to the Policy Tab, where a filter by that rule will be applied.

After review, move back to the Tools Tab, click the Search & Replace Tab, and click on Replace. In this example, we are replacing a service by an App-ID, so select Replace by “Applications”, then “ICMP”, and click Replace All.

There are a couple of options enabled by default:

- Split rules when needed: When replacing services by App-ID, Expedition checks whether the rule where the invalid service is in use has more services defined. If it does, the rule is cloned to allow the new App-ID, all the other services are removed from the cloned rule, and the invalid service is removed from the original rule. By doing this, we don’t mix services with apps in the same rule, which could change the original behavior of the rule.
- Remove Service from Group: If the invalid service was a member of a group, it is removed from the group after the replace.

This procedure can be used in many other ways. For example, if we want to filter by a service or address and remove that object from the configuration, just select the object from the Search Results panel, then add to Replace from where it was being used.
To replace, select Replace by combo “Remove.” That will remove the object from where it was used. If you have an address-group or service-group and you want to replace it by its members instead, do the same but select “Members” in the Replace by combo, then click Replace All.

After replacing the invalid objects, you can repeat the step for removing the unused objects, since they will not be used anymore.

Remapping Interface Names

When Expedition imports configurations from other vendors, it keeps the original interface names to make the validation process easier after the import. The problem is that the naming usually doesn’t match what Palo Alto Networks expects, so we have to rename the interfaces to ensure the changes will be captured by our Palo Alto Networks configuration.

For example, we import a configuration from Cisco, and the interface names are “Ethernet1/1”, which is very similar to the Palo Alto Networks naming convention but, in our case, must be all in lowercase.

To convert it to the proper naming convention, select the Ethernet1/1 that is the parent of more sub-interfaces (vlan tags) and click on Remap Interface Name, located on the bottom left-side bar. From there, select Slot 1 and ethernet1/1.

After you click the Remap button, the Expedition tool will replace the name of the interface in the whole configuration, including any references to it and any subinterfaces.

You will have to repeat the process for all the interfaces that you want to migrate.

Import Your Base Configuration

What is the Base Configuration?

The Base Configuration is a device-specific configuration that is usually taken from the Palo Alto Networks device that you are migrating to. The base configuration should be used, as the name suggests, as a base and should be merged with the third-party vendor configuration that you have imported and manipulated.
The result of the merge should be a working and migrated Palo Alto Networks configuration.

The first PAN-OS configuration imported into the project will be assigned as the Base Configuration. The Base Configuration is the one used when exporting the configuration out of Expedition, whether by generating an XML file or API calls. Any changes made to the Base Configuration will be applied to the output.

To import a Base Configuration, click the Import Tab from the PALO ALTO Tab and enter a link to your XML file that you previously exported from your PAN-OS device, or just double-click on one of the devices added to the project (if any) to import the config from the snapshot stored in Expedition.

After that, you can check from the Export Tab that the config has been set as Base Config by seeing if it has been placed in the right panel.

From there, you can select which objects you want to move from the left panel to the Base Configuration (right panel) by using drag and drop.

If you want to move the objects from the left panel and convert them to shared objects, drop them into the Shared vsys/DG. After the merge, they will be transformed into shared objects, and all the references to them will point to the new shared objects (from policies, groups, etc).

Merge Objects to your Base Configuration

All migrated objects should be visible on the left panel under the Export Tab. The right panel should have the Base Configuration that you previously imported. You just need to drag and drop the migrated objects and policies from the left to the right. You can move certain parts of the migrated configuration to the final configuration, or all of them.

Please make sure you place the objects and policies into the desired vsys configuration.

Repeat the same procedure with the Zones, Interfaces, Virtual Router(s) and drop them into the correct vsys.
The final step is to merge the migrated configuration and your base configuration to create your final configuration. To do this, click the MERGE button.

After this action, all the selected objects will be transferred from one configuration to the Base Configuration. If you want to see how it looks, go to the Objects Tab and change the selected configuration and the vsys to the Base Configuration from the bottom bar. This will filter and show you the objects and rules on the Base Configuration.

After you have created the final configuration, you have two options to deploy it. One option is a manual XML file export that can be deployed on the Palo Alto Networks device to which you are migrating, and the other option is to use API calls to send parts of the configuration or the whole configuration to the device, if that Palo Alto Networks device is already connected to Expedition.

Find Duplicates After the Merge and Removing Them

It is recommended that you run another check for duplicates and remove or merge them after a configuration migration. A common scenario is to have duplicates amongst objects, services, and/or interfaces.

The dashboard within the project tells you how many duplicated objects you have in your current configuration. You can click on the duplicate object count to go to the object view, and Expedition will apply the predefined filter by duplicate and by name.

Next, we check the duplicated services to demonstrate the workflow to follow to get rid of them.

The object in pink is a Shared object, which means you have selected the vsys equal to all from the bottom bar. This will do a search across all the vsys/DG to find objects seen more than once. In our example, we want to keep the object that already exists as Shared and make all the references within the vsys/DG point to the Shared object only after the merge; finally, the duplicated object outside Shared will be removed.
First, select the duplicated objects you want to keep, then right-click and select Merge Options and “Set as Primary.” That will tell Expedition to keep the one we set as Primary after merging the duplicated objects.

When the object has been set as Primary, you will notice a new icon appear.

Now you can apply the Merge type. In our case, we will use Merge by Name and Value to ensure that only identical duplicated objects are merged. Right-click and select “Merge”, then click “By Name & Value.” This will be applied to the selected objects or, if you didn’t select any, to all the results from the filter applied.

You can change the filter and add a predefined filter to show only the services duplicated by name, and then apply the merge by the same concept, by name only as well.

All this can be done with the right-click “Select predefined filter.”

Generating the Output

When you are finished cleaning your configuration, it’s time to get the results, export them from Expedition and import them into your Palo Alto Networks device (Firewall or Panorama).

Navigate to the Export Tab.

Under the Mapping Tab, there is a button on the left of the bottom bar titled “Generate XML & SET Output.” When you press this button, Expedition generates an XML configuration file and, based on that configuration (and using a script called Pan-Python made by Kevin Steves https://github.com/kevinsteves/pan-python), it generates the Set commands as well. After the generation, a new window with the download links will appear. Click the Downloads button to get access to that window as well.

You can generate API Calls to be sent to your devices, provided you created the devices beforehand and added them to the project you are working on. In that case, you will need to go to the tab titled “API Output Manager.”

Here, you have several options. We will start by covering Atomic and Subatomic.
With Atomic, a single API call adds, for instance, all the addresses to a specific vsys/DG. If you select Subatomic, you will get one API call per element. If you have 500 addresses, you will get 500 API calls, one for each address. With Atomic, you will get just one API call containing the 500 addresses.

Step One: Click on “Atomic” or “Subatomic” and click the “Step 1” button to create all the API calls. After that, the ID of each API call tells you the order in which you have to send the API calls. Yes, order matters. If you don’t select any, all API calls will be sent in the proper order.

Step Two: Click the “Step 2” button, select the DEVICE where you want to send the API calls, and send them all.

After the API call is sent, you will get the response from the device itself. If it was successful, you will see it in the output.

Appendix A: Import

Importing CSV files

From within a project, it's possible to import CSV files containing objects that you want to add to your current configuration.

Requirements

You must have a configuration previously loaded in order to import something else on top of it by using CSV files.

How the CSV file must be created:

- The character used to split columns is the semicolon “;”
- The character used to split members inside a column is the comma “,”

Process

1. Select the object type you want to import. Example: Static Routes
2. Select the CSV file from your laptop
3. Map your columns to the predefined fields from the right panel
4. Select where to import the new data loaded from the CSV and mapped. In this example, routes are part of Templates and need to be imported into a Virtual-Router. Plus, select the virtual-system where your VR is located. Then click Import Data.

Order matters! If you want to import Service Groups, you need to first import the services used in those Groups or the import will not be successful.
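A pre-flight check for the CSV files described above, as an added example that is not part of the original guide or of Expedition: it parses the semicolon/comma layout, rejects a file that uses the wrong column separator, lists services on protocols other than TCP or UDP, and reports group members that are not defined yet. The column names, the sample rows and the rule that a group may reference an earlier group are assumptions made for this example.

```python
import csv
import io

COLUMN_SEP = ";"  # the guide: columns are split by the semicolon
MEMBER_SEP = ","  # the guide: members inside a column are split by the comma

# Constructed sample files; the column names are assumptions for this example.
SERVICES_CSV = """name;protocol;port
svc-http;tcp;80
svc-https;tcp;443
svc-dns;udp;53
svc-ping;icmp;
"""
GROUPS_CSV = """name;members
grp-web;svc-http, svc-https
grp-infra;svc-dns,svc-ntp
grp-all;grp-web,svc-ping
"""


def read_rows(text, required):
    """Parse semicolon-separated text; fail early on a wrong column separator."""
    reader = csv.DictReader(io.StringIO(text), delimiter=COLUMN_SEP)
    header = reader.fieldnames or []
    missing = [col for col in required if col not in header]
    if missing:
        raise ValueError(f"missing columns {missing}, header was {header}: "
                         f"columns must be separated by {COLUMN_SEP!r}")
    # Short rows yield None for absent cells; normalise every cell to a string.
    return [{col: (row.get(col) or "").strip() for col in required}
            for row in reader]


def split_members(cell):
    """Split a member cell on commas, dropping blanks and stray spaces."""
    return [m.strip() for m in cell.split(MEMBER_SEP) if m.strip()]


def preflight(services_text, groups_text):
    """Report invalid services and group members that are not yet defined."""
    services = read_rows(services_text, ["name", "protocol", "port"])
    groups = read_rows(groups_text, ["name", "members"])
    known = {svc["name"] for svc in services}
    # The guide calls services on protocols other than TCP or UDP invalid.
    invalid = [svc["name"] for svc in services
               if svc["protocol"].lower() not in ("tcp", "udp")]
    unresolved = []
    for group in groups:
        for member in split_members(group["members"]):
            if member not in known:
                unresolved.append((group["name"], member))
        known.add(group["name"])  # assumption: later groups may nest this one
    return {"invalid_services": invalid, "unresolved_members": unresolved}


if __name__ == "__main__":
    for key, value in preflight(SERVICES_CSV, GROUPS_CSV).items():
        print(f"{key}: {value}")
```

An empty `unresolved_members` list means the services file can be imported first and the groups file second without a missing reference.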
Importing an IronSkillet Day1 Configuration

IronSkillet is a project made by Palo Alto Networks to create a configuration that is already configured with some of the best practices recommended by our security experts. If you need to add a Base Configuration into Expedition to use as a base to migrate something else, this is now very simple with the integration built into Expedition.

Process

Create a project and click to get in. After you enter the project, go to IMPORT. Then click the tab titled "Iron-Skillet."

From here, you can configure some parameters before the configuration is created. You can modify the parameters by hand, or, if you have an IronSkillet configuration file, you can load it to automatically fill the fields.

- Select the Configuration Type (Firewall or Panorama). This determines the type of configuration that is generated.
- PAN-OS Version. You can select the version of the configuration you need, but it must be 8.0 or 8.1 or X.X
- If you have an IronSkillet configuration, you can click LOAD FROM CLIPBOARD, paste the content from the file and then click SAVE. That will automatically fill the fields configured. Example: https://raw.githubusercontent.com/PaloAltoNetworks/iron-skillet/panos_v8.0/my_configs/sample-mgmt-dhcp/my_variables.py

After the changes are made, click on GENERATE CONFIG AND IMPORT. This will create a Palo Alto Networks configuration file based on your selection (Firewall or Panorama) and the selected version, with all the changes made in the parameters applied to it. After IronSkillet generates the new configuration, Expedition will encrypt it and automatically import it into the Project. If this is the first Palo Alto Networks configuration loaded in the Project, Expedition will set it as the Base Configuration.

Revision History

Date | Revision | Comment
June 22, 2018 | A | First release of this document.
October 16, 2018 | B | Added Appendix A
April 1, 2019 | C | Updated Screenshots
August 27, 2019 | D | Created LIVEcommunity Article and Editorial Revisions
Retired Member ‎08-29-2019 11:51 AM
Hello Expedition Community,

The process to install and deploy Expedition has been changed by offering an installable script that can be used to deploy onto your own instance of Ubuntu 16.04 LTS.

Cloud and On-Prem Ready

The changes in the Expedition installation provide greater flexibility, allowing users to deploy Expedition on-prem onto their local hypervisor or onto a cloud compute resource in AWS, Azure, and Google Cloud. The attached document describes the OS requirements (Ubuntu 16.04) and recommended compute resources.

Download and read the attached Expedition installer guide. To get started with your Expedition installation, download the Expedition installer script: https://conversionupdates.paloaltonetworks.com/expeditionInstaller.tgz

Additional Information

Download and follow the use case examples in the available Expedition Admin Guide and Technotes: https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619

Ask questions in the Expedition Community: https://live.paloaltonetworks.com/t5/Expedition-Discussions/bd-p/ExpeditionDiscussions
‎07-11-2019 10:44 AM
Expedition TechNote: Managing Service Objects – This document will describe how to optimize the services and services group objects.
‎07-09-2019 02:22 PM