09-20-2019 07:56 PM
09-23-2019 12:37 AM
To some extend they are supported.
Give it a try and let us know if you find something that should be addressed.
08-25-2020 01:56 AM
I'm sort of reving an old thread, but here it goes anyway:
can Expedition migrate a FTD configuration to PA?
I've exported the FTD config from the LINA mode by entering the command:
system support diagnostic-cli and then I exported the configuration with the command:
show running-config.
This prints out a config file that has very similar syntax to ASA but not totally the same. And after I've imported this config file to Expedition I can see some stats but no policies.
08-25-2020 08:29 AM
Hello @tkosec
Expedition will not be able to perform a migration of firepower, but if you can export the configuration from the ASA you can migrate from there. Because firepower runs layer 7 in a separate unit we are unable to do that migration. So expedition will only do the migration for layers 3-4 and you will need to do the layer 7 migration within the PAN.
08-25-2020 10:22 AM
Hi, Azuniga,
thanks for your reply.
It would be totally OK if I could just migrate the L3-4 configuration, and the commands that I've used do export the FTD's configuration in a type that's the most similar to the old vanilla ASA. But, since it is an FTD configuration, it is a bit different and that's probably why I can't get it to go.
It would be great if more comprehensive support for FTD migration (even if just on the L3-4 level) would be added to Expedition sometime in the future.
09-28-2020 10:01 PM
@tkosec wrote:
Hi, Azuniga,
thanks for your reply.
It would be totally OK if I could just migrate the L3-4 configuration, and the commands that I've used do export the FTD's configuration in a type that's the most similar to the old vanilla ASA. But, since it is an FTD configuration, it is a bit different and that's probably why I can't get it to go.
It would be great if more comprehensive support for FTD migration (even if just on the L3-4 level) would be added to Expedition sometime in the future.
Expedition will not be able to perform a migration of firepower, but if you can export the configuration from the ASA you can migrate from there. Because firepower runs layer 7 in a separate unit we are unable to do that migration.
11-30-2020 12:49 AM
Hi there,
Has there been any progress regarding this? Is it now possible to do a Firepower migration, including L7, using the Expedition tool?
Ta.
Ho
02-05-2024 08:45 AM
FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto
(See the "Sceenshots from the application.docx")
Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.
This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.
Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto APP-ID's
FirePalo also lets you export sections of the configuration to edit in preferred editor and than import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.
Easily select if this is a standalone or Panorama configuration to be created (so that device group get included in the configuration).
FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing an unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then doing a new commit).
When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.
jorlan72/FirePalo: FirePalo helps you convert rules and objects from Cisco FirePower to Palo Alto (g...
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
