Migrating a Fortinet config and I just finished remapping interfaces. I saw a previous thread on Base Configuration but it was unresolved. Wondering what the "base configuration" is defined as. Is it the same as "factory reset"? If I'm migrating from a FGT1000C to a PAN3060 do I factory reset a 3060 and import that into Expedition?
Shout out to PaloAlto to make Expedition a supported application with a more intuitive User Guide. PAN should want customers to be successful when they are migrating away from their competition.
I don't want to get into the details of Expedition and its history so I'll skip that.
In regard to your base config file, take the new 3060, remove all VWIRE references, then save the config and export it as a base file XML. Note, it should be the version you want to use , i.e. 6, 7 or 8.
When you are done with all your migration manipulations in Expedition, then you need to set the Base config. This is where you go and import the base config and then merge the changes into the base config. You can also attach to the new 3060 and add it to Expedition as a "Device". Once that is done successfully, you can use the "Device" as your base config.
Hope that helps.
The base configuration is the PanOS XML configuration file you intend to merge your migrated configuration into.
The reason there is no default base configuration installed is due to the assumption that there can be a number of different options where your migrated configuration will be merged into. Some examples are described below.
The base configuration can come from many sources depending on your migration target:
1) New migration base configuration, with no Panorama in the configuration path. The base configuration in this case is most likely the XML configuration from the hardware of VM firewall you intend to merge the migrated configurations into. You do not have to perform a factory default of the configuration. For new deployments its recommended to first stage the firewall (HW or VM) by installing the licenses for the subscriptions then updating the app/threat/url/wildfire/globalprotect databases prior to generating a base configuration. One can walk through the configuration to remove any unwanted configurations, but it is common to add additional configs such as mgmt IP, DNS, NTP and other settings in the configurations prior to saving a configuration snapshot then using it as your base confioguration.
2) New migration, no panorama, but the migrated configurations will be merged into an existing firewall. The target here was to collapse multiple firewalls into a single Palo Alto firewall. This migration is commonly performed in phases (migrate and deploy FW config #1, then schedule the migration and deployment of FW config #2, ...). The base configuration used in this case will be the running configuration exported from the firewall that is in production.
3) New migration, Panorama will be used to manage the security policies and objects but not the networking (i.e. no Panorama templates). This configuration will have 2 base configurations. Base config #1 will be your Panorama configuration, the migrated security policies and objects (Address/services - associated groups) and other supporting configs (tags, log forwarding and threat profiles - from Iron skillet or existing from Panorama) will be merged into the appropriate Panorama device group. As the networking configuration will be managed on the firewall config locally, base config #2 will be from the firewall which can use the steps from #1 or #2 above.
4) New migration, Panorama will manage security policies and objects and networking. For this case your base configuration will be your Panorama configuration and the migrated configurations will be merged into the appropriate Panorama device-group or template.
There are some example of the needs and use cases behind the use of the base-config. Hope this helps, and more documentation is coming up for Expedition.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!