expedition palo alto device requirement


L1 Bithead

Hello,

Does using the Expedition tool require having a Palo Alto device, or can I just export the config as a file and install it on the device later?

 

 


L1 Bithead

Hi,

 

You don't need a device for using Expedition. As you mentioned, you can import a config that you previously exported.

Please note that having a device also integrated in Expedition brings a lot of QoL improvements. For instance, you can push changes directly to that device etc.

 

I hope that helps.

 

Regards!

Hello,

 

Thanks for your response. Just to make things clear, I have a multi-context ASA I want to migrate to Palo Alto.

I installed the Expedition VM and uploaded the ASA configuration. Now, I want to export the configuration to Palo Alto, but I currently don't have access to the PA firewalls. Can you provide me with the steps or documentation to get the configuration as a file to later restore it on the PA firewalls?

 

thanks in advance

L1 Bithead

Here is a youtube series that covers an ASA case: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-

 

If you follow these steps, in the very last section, in the "Export" section you can download the XML file that you can import to your PA Firewall.

 

I hope this helps.

So according to the videos I need a base configuration. Where can I get that?

Hi @hattia 

 

The base config should be the one you get from your PA device.

If you don't have access to it, you can create a dummy empty configuration using the Iron-Skilled option.

 

Steps:

 

- Login to Expedition

- Go to Project and select your project

- Go to Import and select Palo Alto

- Go to Iron-Skilled, fill in the required information and click on Generate and Import

 

The result will be an empty configuration you can use to play and drag and drop your migrated objects.

 

Hope this helps,

 

Best regards,

 

David 

hello @dpuigdomenec,

 

Thank you for your response, but I'm struggling with the migration of a multi-context ASA, since the method you mentioned seems to only create a single vsys. Is there a way to have multiple vsys? And what configuration should be put into the shared part of the PA config, is it the system context of the ASA?

 

Thank You

Hey @hattia 

Do you have access to your PAN-OS device, and can you export an empty multi-vsys config from there? You could use this as your base configuration.

 

In the meantime, I will check internally how to achieve it alternatively.

Hi @hattia 

Currently Expedition1 / Expedition2 only generates one vsys when importing an ASA file, so splitting that into different vsys in Expedition could be complicated. Also, you will need to have the vsys/DG defined in the base configuration on your device first. Expedition does not allow you to define a new vsys/DG.

When importing an ASA config we use the “access-group access_list_name in interface interface_name” to only import those rules referenced by the access_list_name and put them on vsys1. One way that came to my mind is to do different imports, with only the desired access-group active for each vsys.
The result will be as many source files on Expedition as vsys you need to migrate, so you can use drag and drop from each source to the desired vsys and later do the merge.
Remember to go to Dashboard and fix duplicates, and to check the network, as it could have duplicated interfaces, vr…
 
Hope this helps,
 
David
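
One way to prepare the per-vsys source files described in the reply above, as an added example (not code from Expedition or from the thread). The interface-to-vsys mapping, the sample ASA lines and the function names are constructed assumptions; the script only labels each file with its target vsys and reports any `access-group` binding left out of every file, so no rule set is dropped silently.

```python
import re

# ASA binding line, as quoted in the reply: access-group <acl> in interface <ifname>
# (also accepts the "out" direction and the "global" form)
ACCESS_GROUP = re.compile(
    r"^access-group\s+(?P<acl>\S+)\s+"
    r"(?:(?:in|out)\s+interface\s+(?P<ifname>\S+)|global)\s*$")

def active_bindings(config_text):
    """ACL names that still have an active access-group line."""
    hits = (ACCESS_GROUP.match(l.strip()) for l in config_text.splitlines())
    return [m.group("acl") for m in hits if m]

def split_by_vsys(asa_config, interface_to_vsys):
    """Return ({vsys: config_text}, unmapped_binding_lines).

    Each variant keeps every source line except access-group bindings that
    belong to another vsys, which become '!' comment lines.
    """
    lines = asa_config.splitlines()
    bindings = {}  # line index -> target vsys (None when the interface is unmapped)
    for idx, line in enumerate(lines):
        m = ACCESS_GROUP.match(line.strip())
        if m:
            bindings[idx] = interface_to_vsys.get(m.group("ifname") or "global")
    unmapped = [lines[i].strip() for i, v in bindings.items() if v is None]
    variants = {}
    for vsys in sorted({v for v in bindings.values() if v}):
        out = [("! disabled for this import: " + line.strip())
               if idx in bindings and bindings[idx] != vsys else line
               for idx, line in enumerate(lines)]
        variants[vsys] = "\n".join(out) + "\n"
    return variants, unmapped

# Constructed sample input, not taken from a real device.
SAMPLE = """\
access-list OUTSIDE_IN extended permit tcp any host 192.0.2.10 eq 443
access-list DMZ_IN extended permit udp any any eq 53
access-list MGMT_IN extended permit tcp any any eq 22
access-group OUTSIDE_IN in interface outside
access-group DMZ_IN in interface dmz
access-group MGMT_IN in interface mgmt
"""
MAPPING = {"outside": "vsys1", "dmz": "vsys2"}  # hypothetical mapping

if __name__ == "__main__":
    variants, unmapped = split_by_vsys(SAMPLE, MAPPING)
    for vsys, text in variants.items():
        print(vsys, "->", active_bindings(text))
    print("bindings not assigned to any vsys:", unmapped)
```

Review the unmapped list before importing: an ACL bound to an interface that no vsys claims would otherwise be absent from every migrated rule base.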