Expedition Articles
cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements
Featured Article
Generate the XML configuration by running this command from the CLI   show configuration | display xml | no-more   Before you import a Juniper SRX into Expedition, there are some manual checks we can do to verify the migration will work.   The configuration must start only with <configuration> tag, you have to replace everything before or inside that tag by only <configuration> The configuration must end with </configuration> any other text after it must be removed         Here's an example on how a SRX config should look when you edit:   <configuration> .... .... </configuration>   For integrity validation is a good practice try to open the XML file from FIREFOX browser becasue if something is breaking the XML integretity FIREFOX will notice to you which line has an invalid character. You must replace the invalid character before upload it to Expedition This is an example of wrong configuration. It seems someone created the file but stored with wrong jumps on it, so Firefox will complain about the format.        If we edit the file, we can see this at line 911 of the config file:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</asc ii-text> </pre-shared-key>    To fix this example, we have to remove the break line after </asc to:   <pre-shared-key> <ascii-text>$9$4xxxxxxxxxxxx</ascii-text> </pre-shared-key>  Fix all the problems before importing into Expedition.   Hope this helps.
View full article
Some times we need to reduce the amount of Objects to be migrated or just for optimization and there is one technique that can help us to reduce objects   Its common when we have used Expedition to migrate a configuration from CISCO or FORTINET to have address objects named as H-X.X.X.X or N-X.X.X.X-XX or even if the name was just an IP Address, but they were created as Address Object and count as Object. There is one function inside Expedition to convert them as IP Address that will be only Used on Rules as IP Address or IP Ranges hard-coded as Source or Destination on Rules. So they will not be used as Address Objects anymore.   This has pros and cons but if our Goal is reduce the amount of Address Objects this can help us.   Search from OBJECTS -> ADDRESS with right-click in one Address select the Predefined Filter called "Name is IP address". This will search the Address where the name is an IP Address.         We can add more filters to this process, Select the Filters Options and add all the Address where the name starts with H- for example, and the objects that starts with N- and the objects that starts with RANGE-, put the focus only on Address.         After Run SQL select the Address you want to transform to an IP Address and right-click with your mouse over one of the selected Address and select the option "Transform" -> "Object To IpAddress" and automatically all those objects will be renamed with the IP or Range Address (netmasks will be added as well in case are not /32) and will be marked internally as "dummy" objects, those objects will not be considered at the time to generate the XML or API Calls.       You can check before to transform them as IP Address if they are part of any group by going to TOOLS and SEARCH & REPLACE.                 
View full article
  • 54 Posts
  • 273 Subscriptions
Customer Advisories

Your security posture is important to us. If you’re a Palo Alto Networks customer, be sure to login to see the latest critical announcements and updates in our Customer Advisories area.

Learn how to subscribe to and receive email notifications here.

Listen to PANCast

PANCast is a Palo Alto Networks podcast that provides actionable insights to customers, helping you maximize your investment while improving your cybersecurity posture.

Top Contributors