Can Expedition migrate Cisco Fire Power to Palo Alto?


L3 Networker

Hi,

 

Can Expedition migrate Cisco Fire Power to Palo Alto?

 

Thanks

8 REPLIES

L5 Sessionator

To some extent they are supported.

Give it a try and let us know if you find something that should be addressed.

I'm sort of reviving an old thread, but here it goes anyway:
can Expedition migrate a FTD configuration to PA?

I've exported the FTD config from the LINA mode by entering the command:

system support diagnostic-cli

and then I exported the configuration with the command:

show running-config

This prints out a config file that has very similar syntax to ASA but not totally the same. And after I've imported this config file to Expedition I can see some stats but no policies.
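A pre-migration inventory of an ASA-style export like the one described in the post above, as an added example that is not part of the original thread or of Expedition: it counts objects and access-list entries by type so the totals can be compared with what a migration tool reports after import. The sample config is constructed, and the "advanced" keyword with "rule-id" suffixes is assumed to be how the poster's FTD LINA output differs from classic ASA "extended" entries.

```python
import re
from collections import Counter

# Constructed sample modelled on ASA-style syntax; not taken from a real device.
SAMPLE_CONFIG = """\
hostname ftd-sample
object network WEB-SRV
 host 192.0.2.10
object network LAN
 subnet 10.10.0.0 255.255.255.0
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
access-list OUTSIDE_IN extended permit tcp any object WEB-SRV eq 443
access-list CSM_FW_ACL_ remark rule-id 268434433: L7 RULE: Allow-Web
access-list CSM_FW_ACL_ advanced permit tcp object LAN any object-group WEB-PORTS rule-id 268434433
access-list CSM_FW_ACL_ advanced deny ip any any rule-id 268434434
"""

# One access-control entry: ACL name, entry type, action, remainder of the line.
ACE_RE = re.compile(r"^access-list\s+(\S+)\s+(extended|advanced|standard)\s+(\S+)\s+(.*)$")
RULE_ID_RE = re.compile(r"\brule-id\s+(\d+)")

def inventory(config_text):
    """Count L3-4 objects and ACEs in an ASA-style running-config dump."""
    counts, acls, rule_ids = Counter(), {}, set()
    for line in config_text.splitlines():
        if line.startswith("object network "):
            counts["network_objects"] += 1
        elif line.startswith("object service "):
            counts["service_objects"] += 1
        elif line.startswith("object-group "):
            counts["object_groups"] += 1
        else:
            m = ACE_RE.match(line)
            if not m:
                continue  # remarks, indented sub-commands, unrelated config
            name, kind, action, rest = m.groups()
            counts["ace_" + kind] += 1
            acls.setdefault(name, []).append((kind, action, rest))
            rid = RULE_ID_RE.search(rest)
            if rid:
                rule_ids.add(int(rid.group(1)))
    return {"counts": dict(counts), "acls": acls, "rule_ids": sorted(rule_ids)}

if __name__ == "__main__":
    result = inventory(SAMPLE_CONFIG)
    print(result["counts"], result["rule_ids"])
```

If the tool's post-import policy count is zero while this inventory shows entries, the gap is in how the entries were parsed rather than in the export itself.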

Hello @tkosec 

 

Expedition will not be able to perform a migration of Firepower, but if you can export the configuration from the ASA you can migrate from there. Because Firepower runs layer 7 in a separate unit we are unable to do that migration. So Expedition will only do the migration for layers 3-4 and you will need to do the layer 7 migration within the PAN.

Hi, Azuniga,

 

thanks for your reply.

It would be totally OK if I could just migrate the L3-4 configuration, and the commands that I've used do export the FTD's configuration in a type that's the most similar to the old vanilla ASA. But, since it is an FTD configuration, it is a bit different and that's probably why I can't get it to go.

It would be great if more comprehensive support for FTD migration (even if just on the L3-4 level) would be added to Expedition sometime in the future.


@tkosec wrote:

Hi, Azuniga,

 

thanks for your reply.

It would be totally OK if I could just migrate the L3-4 configuration, and the commands that I've used do export the FTD's configuration in a type that's the most similar to the old vanilla ASA. But, since it is an FTD configuration, it is a bit different and that's probably why I can't get it to go.

It would be great if more comprehensive support for FTD migration (even if just on the L3-4 level) would be added to Expedition sometime in the future.


Expedition will not be able to perform a migration of Firepower, but if you can export the configuration from the ASA you can migrate from there. Because Firepower runs layer 7 in a separate unit we are unable to do that migration.

Hi there,

 

Has there been any progress regarding this? Is it now possible to do a Firepower migration, including L7, using the Expedition tool?

 

Ta.

 

Ho

Hello @HonoAl 

 

No, at this time Expedition does not support layer 7 policies from Cisco Firepower.

L1 Bithead

FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto

(See the "Sceenshots from the application.docx")

Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.

This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.

Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto App-IDs.

FirePalo also lets you export sections of the configuration to edit in your preferred editor and then import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.

Easily select if this is a standalone or Panorama configuration to be created (so that the device group gets included in the configuration).

FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing a unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then do a new commit).

When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.
jorlan72/FirePalo: FirePalo helps you convert rules and objects from Cisco FirePower to Palo Alto (g...
