Can we do the migration from ASA to Palo-Alto in bits and pieces? We have interfaces, zones and routes already configured on Palo-Alto. We want to migrate only objects, object-groups, service-groups and policies from ASA to Palo-Alto, so that this ASA configuration gets added to the existing Palo-Alto configuration.
Hi @ali426 ,
Yes, you should be able to achieve what you need. I would suggest you use the Palo Alto configuration migration tool Expedition - https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool
Check the Live community for some guides - https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
What I would suggest you do is:
- Export ASA running configuration as well as the running config of the target Palo Alto FW.
- Create new project in Expedition and import both configurations
- You will use the PAN FW config as base config, from which you can keep all the settings you want
- Expedition will do the heavy lifting of converting all the objects and all rules
Note: I would encourage you to review the converted rules and fine-tune them before exporting to PAN FW.
- Using the PAN FW config used as base config, merge the objects and security and nat rules from ASA config.
The process of merging and generating the final config for import to PAN FW could be a bit confusing if you haven't used Expedition, but I would recommend you check the Live community, and Palo Alto's official YouTube channel also has an entire playlist for what you want to achieve - https://www.youtube.com/watch?v=-gbQ-YcgoPs&list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-&ab_channel=PaloA...
@ali426 if you're still at it, the way @aleksandar.astardzhiev described will work perfectly. Do pay attention if you are migrating from ASA in several steps, for example multiple ASA contexts into the same PAN firewall config: duplicate services and nested service groups might cause you a headache. Get in touch if you need help.
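The duplicate-service and nested-group problem raised in the last reply can be checked on the exported ASA configs before they are imported into Expedition. The Python below is an added example, not part of the thread and not Expedition code; the function names and the two sample contexts are constructed for illustration.

```python
import re

# "object service NAME" or "object-group service NAME [tcp|udp|tcp-udp]"
HEADER = re.compile(r"^(object service|object-group service)\s+(\S+)(?:\s+(\S+))?\s*$")

def parse_services(config_text):  # -> {name: set of header kind + member lines}
    defs, current = {}, None
    for raw in config_text.splitlines():
        m = HEADER.match(raw)
        if m:
            current = m.group(2)
            # keep the header type/protocol so "tcp" vs "udp" groups compare unequal
            defs[current] = {f"{m.group(1)} {m.group(3) or ''}".strip()}
        elif current and raw.startswith(" "):
            if not raw.strip().startswith("description"):
                defs[current].add(raw.strip())
        else:
            current = None  # left the object block
    return defs

def find_conflicts(contexts):  # names reused across contexts with different content
    seen = {}
    for ctx, text in contexts.items():
        for name, body in parse_services(text).items():
            seen.setdefault(name, {})[ctx] = frozenset(body)
    return {n: sorted(c) for n, c in seen.items() if len(set(c.values())) > 1}

def nesting_depth(defs, name, path=()):  # 1 = flat group, +1 per group-object level
    if name in path:
        raise ValueError(f"group-object loop at {name}")
    kids = [l.split()[1] for l in defs[name] if l.startswith("group-object ")]
    return 1 + max((nesting_depth(defs, k, path + (name,)) for k in kids if k in defs), default=0)

# Constructed sample contexts, not taken from a real firewall
CTX_A = """\
object service APP-HTTPS
 service tcp destination eq 443
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
object-group service DMZ-SVC tcp
 group-object WEB-PORTS
"""
CTX_B = """\
object service APP-HTTPS
 service tcp destination eq 8443
object-group service WEB-PORTS tcp
 description web
 port-object eq 443
 port-object eq 80
"""
```

Calling `find_conflicts({"ctx-a": CTX_A, "ctx-b": CTX_B})` reports only names whose definitions differ between contexts; identical duplicates (ignoring descriptions and member order) are safe to merge and are not listed.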