
Base Configuration Definition


L2 Linker

Migrating a Fortinet config and I just finished remapping interfaces.  I saw a previous thread on Base Configuration but it was unresolved.  Wondering what the "base configuration" is defined as.  Is it the same as "factory reset"?   If I'm migrating from a FGT1000C to a PAN3060 do I factory reset a 3060 and import that into Expedition?

 

Shout out to PaloAlto to make Expedition a supported application with a more intuitive User Guide.  PAN should want customers to be successful when they are migrating away from their competition.

8 REPLIES 8

L3 Networker

I don't want to get into the details of Expedition and its history so I'll skip that.


In regard to your base config file, take the new 3060, remove all VWIRE references, then save the config and export it as a base file XML.  Note, it should be the version you want to use, i.e. 6, 7 or 8.

 

When you are done with all your migration manipulations in Expedition, then you need to set the Base config.  This is where you go and import the base config and then merge the changes into the base config.  You can also attach to the new 3060 and add it to Expedition as a "Device".  Once that is done successfully, you can use the "Device" as your base config.


Hope that helps.

Bob
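
A pre-import check for the step described in the reply above, as an added example that is not part of the thread or of Expedition: it lists any virtual wire elements still present in an exported base XML and compares the file's version with the intended one. The function names, the sample XML (constructed here to mimic an exported config) and the assumption that leftovers appear as elements named `virtual-wire` are all illustrative.

```python
import xml.etree.ElementTree as ET

# Constructed sample that mimics the layout of an exported firewall config;
# it is not taken from a real device.
SAMPLE_BASE = """<config version="8.0.0">
  <devices><entry name="localhost.localdomain">
    <network>
      <interface><ethernet>
        <entry name="ethernet1/1"><virtual-wire/></entry>
        <entry name="ethernet1/3"><layer3/></entry>
      </ethernet></interface>
      <virtual-wire>
        <entry name="default-vwire">
          <interface1>ethernet1/1</interface1>
          <interface2>ethernet1/2</interface2>
        </entry>
      </virtual-wire>
    </network>
    <vsys><entry name="vsys1"><zone>
      <entry name="trust"><network><virtual-wire>
        <member>ethernet1/1</member>
      </virtual-wire></network></entry>
    </zone></entry></vsys>
  </entry></devices>
</config>"""

def find_vwire_refs(xml_text, tag="virtual-wire"):
    """Return the path of every element named `tag` (assumed vwire marker)."""
    hits = []
    def walk(elem, path):
        name = elem.get("name")
        here = f"{path}/{elem.tag}[{name}]" if name else f"{path}/{elem.tag}"
        if elem.tag == tag:
            hits.append(here)
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(xml_text), "")
    return hits

def check_base(xml_text, wanted_major):
    """Summarise whether the file is usable as a base: version and leftovers."""
    version = ET.fromstring(xml_text).get("version", "")
    return {"version": version,
            "version_ok": version.split(".")[0] == str(wanted_major),
            "vwire_refs": find_vwire_refs(xml_text)}

if __name__ == "__main__":
    report = check_base(SAMPLE_BASE, wanted_major=8)
    print(report["version"], "ok" if report["version_ok"] else "MISMATCH")
    print("\n".join(report["vwire_refs"]) or "no virtual wire elements left")
```

An empty `vwire_refs` list and `version_ok` being true mean the file matches what the reply asks for before it is imported as the base.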

L5 Sessionator

The base configuration is the PanOS XML configuration file you intend to merge your migrated configuration into. 

 

The reason there is no default base configuration installed is due to the assumption that there can be a number of different options where your migrated configuration will be merged into. Some examples are described below. 

 

The base configuration can come from many sources depending on your migration target:

 

1) New migration base configuration, with no Panorama in the configuration path. The base configuration in this case is most likely the XML configuration from the hardware or VM firewall you intend to merge the migrated configurations into. You do not have to perform a factory default of the configuration. For new deployments it's recommended to first stage the firewall (HW or VM) by installing the licenses for the subscriptions then updating the app/threat/url/wildfire/globalprotect databases prior to generating a base configuration. One can walk through the configuration to remove any unwanted configurations, but it is common to add additional configs such as mgmt IP, DNS, NTP and other settings in the configurations prior to saving a configuration snapshot then using it as your base configuration. 

 

2) New migration, no panorama, but the migrated configurations will be merged into an existing firewall. The target here was to collapse multiple firewalls into a single Palo Alto firewall. This migration is commonly performed in phases (migrate and deploy FW config #1, then schedule the migration and deployment of FW config #2, ...). The base configuration used in this case will be the running configuration exported from the firewall that is in production. 

 

3) New migration, Panorama will be used to manage the security policies and objects but not the networking (i.e. no Panorama templates). This configuration will have 2 base configurations. Base config #1 will be your Panorama configuration, the migrated security policies and objects (Address/services - associated groups) and other supporting configs (tags, log forwarding and threat profiles - from Iron skillet or existing from Panorama) will be merged into the appropriate Panorama device group. As the networking configuration will be managed on the firewall config locally, base config #2 will be from the firewall which can use the steps from #1 or #2 above.

 

4) New migration, Panorama will manage security policies and objects and networking. For this case your base configuration will be your Panorama configuration and the migrated configurations will be merged into the appropriate Panorama device-group or template. 

 

These are some examples of the needs and use cases behind the use of the base-config. Hope this helps, and more documentation is coming up for Expedition. 

So, factory reset a 3060, remove VWire configs and then do a Named Configuration Backup?  Import that into Expedition?

I'm using Panorama to manage all settings/config for the 3060.  How do I export a config from the Panorama which will be used to import to Expedition?

Yes exactly.  Once you are done with your migration, you will use this as the blank base config.  Your work will be merged into it.


Check out page 11 of the Expedition user's guide.

 

https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619

 

 


 

 

First import the blank FW into Pano.  Then export the Pano file into Expedition and pick your FW that you want to use as your base image.

There are multiple options available when talking about "Export".   Are we talking about Named Configuration Snapshot, Configuration Version or Device State when we say "Export"?

 

As a side note, I'm going to import the device into Panorama when the conversion is done so none of the conversion process will involve Panorama.
