Expedition Tool To Migrate vsys

L0 Member

Greetings,

Can Expedition tool migrate from PAN A that has 2 Vsys to PAN B with 1 Vsys?

 


Accepted Solutions
L4 Transporter

Re: Expedition Tool To Migrate vsys

Yes, collapsing a multi-vsys into a single vsys configuration is a use case for Expedition.

 

Think of Expedition as a PanOS configuration editor. After importing the 2 configurations you can then use Expedition to move objects from one configuration to the other. In your use case you will want to set the single VSYS config as your base configuration (where you are moving configurations to).

 

Prior to starting, the recommendation is to have a design in mind. For example, when you collapse the multi-vsys config into a single vsys, you will want to consider design options to include:

- If both vsys are layer-3, will you be collapsing to a single VR or use multi-VRs in the single vsys config?

- Will you be consolidating VLANs onto a single trunk?

- Will some interfaces be combined into the same zones?

There are many other design considerations, but it's recommended to have a design goal prior to starting.
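
An added example (not part of the original post, and not Expedition's own code): a pre-migration check over an exported multi-vsys config that lists zone names present in more than one vsys, whose interfaces would end up in the same zone after a collapse, and, going slightly beyond the thread, address objects that share a name but differ in value. The XML is a constructed sample following the PAN-OS config layout; `collapse_report` and `VALUE_TAGS` are hypothetical names.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in PAN-OS config layout (not taken from the thread).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
  <zone>
    <entry name="inside"><network><layer3><member>ethernet1/1</member></layer3></network></entry>
    <entry name="dmz"><network><layer3><member>ethernet1/2</member></layer3></network></entry>
  </zone>
  <address>
    <entry name="web-srv"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
    <entry name="dns"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
  </address>
</entry>
<entry name="vsys2">
  <zone><entry name="inside"><network><layer3><member>ethernet1/5</member></layer3></network></entry></zone>
  <address>
    <entry name="web-srv"><ip-netmask>10.2.1.10/32</ip-netmask></entry>
    <entry name="dns"><ip-netmask>10.1.1.53/32</ip-netmask></entry>
  </address>
</entry>
</vsys></entry></devices></config>"""

VALUE_TAGS = ("ip-netmask", "ip-range", "fqdn")  # address value elements

def collapse_report(xml_text):
    """Return (shared_zones, address_conflicts) for a planned vsys collapse."""
    root = ET.fromstring(xml_text)
    zones = defaultdict(dict)   # zone name -> {vsys: [interfaces]}
    addrs = defaultdict(dict)   # address name -> {vsys: (type, value)}
    for vsys in root.findall("./devices/entry/vsys/entry"):
        vname = vsys.get("name")
        for z in vsys.findall("./zone/entry"):
            zones[z.get("name")][vname] = [m.text for m in z.findall("./network/*/member")]
        for a in vsys.findall("./address/entry"):
            val = next(((c.tag, c.text) for c in a if c.tag in VALUE_TAGS), None)
            addrs[a.get("name")][vname] = val
    # Same zone name in several vsys: their interfaces would share one zone.
    shared = {n: v for n, v in zones.items() if len(v) > 1}
    # Same object name, different value: one definition would be overwritten.
    conflicts = {n: v for n, v in addrs.items() if len(set(v.values())) > 1}
    return shared, conflicts

if __name__ == "__main__":
    shared, conflicts = collapse_report(SAMPLE_CONFIG)
    print("zones shared across vsys:", shared)
    print("address name conflicts:", conflicts)
```

Any zone reported as shared needs a design decision before the merge: rename it per source vsys, or accept that policy written for that zone will now match traffic from both sets of interfaces.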



All Replies
L0 Member

Re: Expedition Tool To Migrate vsys

Thanks SJanita.

You do have valid points. 

L0 Member

Re: Expedition Tool To Migrate vsys

Hi,

In my case, I'm going to be using Expedition to do 2 migrations:

- First migration: (2) separate Cisco ASA firewalls into (1) multi-VSYS PA-7050 managed by Panorama. For this migration, I'd assume that the tasks would be (after licensing, upgrading Panorama & the 7050 of course): (1) get a best practice config onto the PA-7050 with multi-vsys checked off (in Device > Setup) with the 2 VSYSs defined, (2) connect the 7050 to Panorama, (3) connect Panorama to my Expedition project, (4) migrate ASA 5585 #1 over to its VSYS (via "API Output Manager" in Expedition--1 entity at a time--addresses 1st etc. just to be careful, see what fails etc.), (5) repeat for ASA 5585 #2 into its VSYS

- 2nd migration is tricky--this is (1) single ASA 5585 in multi-context mode (Cisco's version of multi-vsys, where there is a base firewall config with "contexts" off of that, each context is a virtual firewall). For this migration, I'd assume that the tasks would be (after licensing, etc.): (1) get a best practice config (with the contents of the "base" ASA config into that manually) onto the PA-7050 with multi-vsys checked off (in Device > Setup) with the 2 VSYSs defined, (2) connect the 7050 to Panorama, connect Panorama to my Expedition project, (3) migrate ASA 5585 Context #1 over to its VSYS (via "API Output Manager" in Expedition--1 entity at a time--addresses 1st etc. just to be careful, see what fails etc.), (5) repeat for ASA 5585 Context #2 into its VSYS

 

Thoughts?  Any tech notes you can share?  Thanks

L2 Linker

Re: Expedition Tool To Migrate vsys

Migrating several 5585 myself. I am not sure how the multi context would resolve into Expedition. Would think that you would build a vsys to match each context in the Palo Altos themselves as a baseline if that is the model you wish to continue. I would recommend getting your Expedition stood up, import the 5585 and see how it looks inside there to see how the multi context are handled.

Some things can't be built net new in Expedition so you might have to skeleton build your interfaces, vsys, zones and other things that you find yourself needing in the Palo. If you have a Pan as mentioned in your description, you can build this in your template and push just to the pan then import that to Expedition as your baseline before you try to merge your rules with the base config.

It has taken me a lot of tries and abandoned projects to get close to what we might want. Been at it for about 3 months now. Expedition can be forgiving so save snap points before you merge configs so you can roll back. I generally have to start over when it gets too messy.

Expedition doesn't seem to do everything I want or expected, but it gives you a good idea and a starting point.

Just see how your current environment translates into Expedition and plan from there. Hope this gave you a direction.

 

 
