10-18-2022 04:26 AM
Hey everyone,
I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.
Unfortunately the customer is not only using the "normal" inbound rules on ASA but also outbound rules.
ASA rule processing is a bit different from PAN:
Packet arrives from source (maybe 10.1.1.1) on interface 1/1 -> Packet is sent through inbound rules of ingress interface -> Routing etc. -> Packet is sent through outbound rules of egress interface -> Packet is sent to the destination (maybe 10.2.2.2) on interface 1/2.
It could be that there is an inbound rule on interface 1/1 like that:
Source 10.1.1.1
Destination any
Service any
Action allow
On interface 1/2 there could be an outbound rule like:
Source 10.1.1.1
Destination 10.2.2.2
Service tcp-22
Action allow
And sometimes it is the other way around (inbound rule more specific than outbound rule).
In some rare cases there are exact matches (same rule on one interface inbound and another one outbound).
Expedition handles all inbound and outbound rules as security policies and writes them all into the PAN ruleset in a top-down-way.
This results in a ruleset that is different from the one on the ASA.
In the example above, if the inbound rule is matched first, the destination 10.1.1.1 would be allowed to communicate everywhere on the PAN.
But on the ASA the traffic would go through the outbound rules later on and would eventually be blocked based on that.
Is there any way in Expedition to match the incoming and outgoing rules together in order to create rules for the PAN that would result in the same security level as the ASA ruleset with both types of rules?
Any hint is highly appreciated.
Thanks,
Tim
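An added illustration of the pairing the post is asking about (example code, not Expedition's logic and not from the poster): on the ASA a flow from 1/1 to 1/2 passes only if an inbound rule on 1/1 AND an outbound rule on 1/2 both allow it, so each effective rule is the intersection of one inbound/outbound pair. The model is deliberately simplified and these are assumptions: addresses are "any" or a CIDR, services are "any" or a single name, and ACL ordering with deny entries is not modelled.

```python
import ipaddress
from dataclasses import dataclass
from itertools import product

@dataclass(frozen=True)
class Rule:
    """One simplified ASA ACE: 'any' or a CIDR for src/dst, 'any' or one service name."""
    src: str
    dst: str
    svc: str
    action: str = "allow"

def _narrower(a, b):
    """Intersect two address fields; None when the two cannot overlap (assumed CIDR form)."""
    if a == "any":
        return b
    if b == "any":
        return a
    na, nb = ipaddress.ip_network(a, strict=False), ipaddress.ip_network(b, strict=False)
    if na.subnet_of(nb):
        return a
    if nb.subnet_of(na):
        return b
    return None

def _svc(a, b):
    """Intersect two service fields; 'any' yields the other side, mismatch yields None."""
    if a == "any":
        return b
    if b == "any" or a == b:
        return a
    return None

def combine(inbound, outbound):
    """Effective allow set for traffic entering via the inbound list's interface and leaving
    via the outbound list's interface: the intersection of every allow/allow pair.
    Deny entries and first-match ordering are out of scope for this model (assumption)."""
    out = []
    for i, o in product(inbound, outbound):
        if i.action != "allow" or o.action != "allow":
            continue
        src, dst, svc = _narrower(i.src, o.src), _narrower(i.dst, o.dst), _svc(i.svc, o.svc)
        if None in (src, dst, svc):
            continue
        r = Rule(src, dst, svc)
        if r not in out:
            out.append(r)
    return out

# Constructed sample mirroring the post: inbound on 1/1 allows 10.1.1.1 anywhere,
# outbound on 1/2 allows 10.1.1.1 -> 10.2.2.2 on tcp-22 only.
INBOUND_1_1 = [Rule("10.1.1.1/32", "any", "any")]
OUTBOUND_1_2 = [Rule("10.1.1.1/32", "10.2.2.2/32", "tcp-22")]
```

Running combine(INBOUND_1_1, OUTBOUND_1_2) yields the single narrow rule 10.1.1.1 -> 10.2.2.2 tcp-22, which is what the ASA actually enforces, rather than the broad inbound rule Expedition would emit first.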