Cisco Firepower Migraton for Palo Alto

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cisco Firepower Migraton for Palo Alto

L1 Bithead

Dear All,

We want to migrate Cisco fire power 4000 series to Palo Alto NGFW. Could you please let me know the best way to do this migration?

Thanks in advance!

 

Best Regards,

Muzammel Haque 

10 REPLIES 10

L4 Transporter

Hello,

you can use Palo Alto migration tool Expedition for details: 

https://www.paloaltonetworks.com/products/secure-the-network/next-generation-firewall/migration-tool

Hi Abdul-Fattah,

Thank you for your prompt suggestions. I have downloaded following file 

- ExpeditionVM-1.1.10.ova and 

- Expedition.tgz

 

Do I need both the files or ExpeditionVM-1.1.10ova is enough. May I request you for any doc's?

 

Thanks & Regards,

Muzammel Haque

 

Hello,

 

For installation there is a video created on the expedition forums demonstrating how to perform this function, you can watch the video here ( https://live.paloaltonetworks.com/t5/expedition-migration-tool/ct-p/migration_tool ), also there are guides listed from that link as well.

 

As for the Cisco FirewPower migration the expedition tool will not migrate over the layer 7 policies but only the layer 3/4 policies so you will need to export the configuration with the asa format for conversion.

Hi,

Thanks for your reply. Someone told me there is a separate tools for migrating Cisco Fire Power to Palo Alto, but I am not sure. Is there any specific migration tools for fire power?

 

Best Regards,

Muzammel Haque

For layer 7 migration policies we offer no tool. But for cisco ASA configurations the expedition tool will work fine.

Hi 

i am also planning to migrate cisco firepower 2130 to palo alto 5500 series firewall 

when i download the migration tool in the ubuntu as per suggested document 

we are getting apache2 ubuntu default page 

can anyone help us how to solve this issue 

Hello @HemanthV 

 

I believe I answered this on another thread, we will use that one for your answer.

L1 Bithead

jorlan72/FirePalo: FirePalo helps you convert rules and objects from Cisco FirePower to Palo Alto (g...

FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto

(See the "Sceenshots from the application.docx")

Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.

This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.

Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto APP-ID's

FirePalo also lets you export sections of the configuration to edit in preferred editor and than import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.

Easily select if this is a standalone or Panorama configuration to be created (so that device group get included in the configuration).

FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing an unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then doing a new commit).

When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.

Cyber Elite
Cyber Elite

I have done a couple of FTD to PANW migrations.  Expedition works very well for the CLI.  I developed a Python script to log into the FMC API and collect the ACP config.  (I also collected the objects, but they may all be in the CLI already.)  I then created Expedition CSV files to import into Expedition on top of the CLI config.  It works well!

 

Expedition currently does not support the import of URLs in security policy rules via CSV.

 

The FTD CLI config is just like the ASA except the security policy.  You can delete those except the ones created for IPsec tunnels.  As with all ASA migrations, you need to fix (1) dynamic routes, and (2) IKE Phase 1 algorithms.  Usually adding static routes for RFC1918 to the inside fixes the routes so Expedition will apply the correct destination zones.  In one case, I converted the dynamic route table text to CLI commands and imported, and it worked fine.  With regard to IPsec, the command "show vpn-sessiondb detailed l2l" will show you the algorithms in use so that you can manually configure them in Expedition.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.

Very cool tool!

Help the community: Like helpful comments and mark solutions.
  • 10259 Views
  • 10 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!