- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
01-13-2021 03:44 AM
Dear All,
We want to migrate Cisco fire power 4000 series to Palo Alto NGFW. Could you please let me know the best way to do this migration?
Thanks in advance!
Best Regards,
Muzammel Haque
01-13-2021 06:15 AM
Hello,
you can use Palo Alto migration tool Expedition for details:
https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool
01-13-2021 07:07 AM
Hi Abdul-Fattah,
Thank you for your prompt suggestions. I have downloaded following file
- ExpeditionVM-1.1.10.ova and
- Expedition.tgz
Do I need both the files or ExpeditionVM-1.1.10ova is enough. May I request you for any doc's?
Thanks & Regards,
Muzammel Haque
01-13-2021 07:51 AM
Hello,
For installation there is a video created on the expedition forums demonstrating how to perform this function, you can watch the video here ( https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool ), also there are guides listed from that link as well.
As for the Cisco FirewPower migration the expedition tool will not migrate over the layer 7 policies but only the layer 3/4 policies so you will need to export the configuration with the asa format for conversion.
01-13-2021 09:41 PM
Hi,
Thanks for your reply. Someone told me there is a separate tools for migrating Cisco Fire Power to Palo Alto, but I am not sure. Is there any specific migration tools for fire power?
Best Regards,
Muzammel Haque
01-14-2021 08:16 AM
For layer 7 migration policies we offer no tool. But for cisco ASA configurations the expedition tool will work fine.
01-22-2021 09:19 AM
Hi
i am also planning to migrate cisco firepower 2130 to palo alto 5500 series firewall
when i download the migration tool in the ubuntu as per suggested document
we are getting apache2 ubuntu default page
can anyone help us how to solve this issue
02-05-2024 04:09 AM - edited 02-05-2024 08:44 AM
FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto
(See the "Sceenshots from the application.docx")
Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.
This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.
Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto APP-ID's
FirePalo also lets you export sections of the configuration to edit in preferred editor and than import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.
Easily select if this is a standalone or Panorama configuration to be created (so that device group get included in the configuration).
FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing an unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then doing a new commit).
When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.
02-08-2024 11:15 AM
I have done a couple of FTD to PANW migrations. Expedition works very well for the CLI. I developed a Python script to log into the FMC API and collect the ACP config. (I also collected the objects, but they may all be in the CLI already.) I then created Expedition CSV files to import into Expedition on top of the CLI config. It works well!
Expedition currently does not support the import of URLs in security policy rules via CSV.
The FTD CLI config is just like the ASA except the security policy. You can delete those except the ones created for IPsec tunnels. As with all ASA migrations, you need to fix (1) dynamic routes, and (2) IKE Phase 1 algorithms. Usually adding static routes for RFC1918 to the inside fixes the routes so Expedition will apply the correct destination zones. In one case, I converted the dynamic route table text to CLI commands and imported, and it worked fine. With regard to IPsec, the command "show vpn-sessiondb detailed l2l" will show you the algorithms in use so that you can manually configure them in Expedition.
Thanks,
Tom
02-08-2024 04:36 PM
Very cool tool!
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!