Cisco FTD/FMC Migration

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Cisco FTD/FMC Migration

L0 Member

We had serval Cisco Firepower FTD firewalls managed from FMC that needed to be migrated to Palo Alto. We tried several methods before we finaly landed on to extract the config from FMC via API and import it in to Expedition.

So we had an consultant to make som Python scripts to extract the config and convert it to CSV files for import into Expedition.

This was realy a game changer. You can check out the scrips at GitHub; Ericrulec/Cisco-to-PaloAlto-Migration: Python scripts for migrating from Cisco FMC to PaloAlto throu...

If you have any question, just contact me or the developer.

1 accepted solution

Accepted Solutions

L0 Member

Make sure that your csv files are not containing any 'exel formatting' and that EOL are set to CR, LF or CR/LF.

I use Notepad ++ for editing.

View solution in original post

2 REPLIES 2

L0 Member

Make sure that your csv files are not containing any 'exel formatting' and that EOL are set to CR, LF or CR/LF.

I use Notepad ++ for editing.

L1 Bithead

FirePalo/README.md at main · jorlan72/FirePalo (github.com)

FirePalo

FirePalo (Windows GUI) helps you convert rules and objects from Cisco FirePower to Palo Alto

(See the "Sceenshots from the application.docx")

Run "show access-control-config" from the FTD device and save output to a textfile. Open the textfile in FirePalo.exe and it will create editable objects. Finally, "commit" the changes and create a configuration in SET format that can be pasted into a Palo Alto device or Panorama.

This version will not convert device configuration like interfaces, routing or NAT. Some manual work needed for User-ID, URL Categories and Application filters.

Download the PaloAppID.txt file and place it with the FirePalo.exe. It contains all the Palo Alto APP-ID's

FirePalo also lets you export sections of the configuration to edit in preferred editor and than import the result back (great for search and replace). In addition you can easily lowercase or uppercase sections (or the entire configuration) and cut object names automatically to supported length. Further, you can convert services to applications (as not all services from FTD are supported as a service). Finally, you can add tags for objects, so that all rules using a certain object get the tag set.

Easily select if this is a standalone or Panorama configuration to be created (so that device group get included in the configuration).

FirePalo takes the output from the FTD and first turns it into a treeview. It then takes all the items in the treeview and creates objects you can edit, providing an unique ID for each object. This binds everything to the correct rules and all edits will be in place when you finally turn the objects into a treeview again ("commit"). You can then look through the result as a treeview and make more changes if needed (and then doing a new commit).

When everything looks good, you can generate the final configuration in SET format and paste it into the Palo Alto device or Panorama CLI.

  • 1 accepted solution
  • 2835 Views
  • 2 replies
  • 2 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!