Migration from Cisco ASA to PAN: Outbound rules


Hey everyone,

I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.

Unfortunately the customer is not only using the "normal" inbound rules on ASA but also outbound rules.

ASA rule processing is a bit different from PAN:

Packet arrives from source (maybe 10.1.1.1) on interface 1/1 -> Packet is sent through inbound rules of ingress interface -> Routing etc. -> Packet is sent through outbound rules of egress interface -> Packet is sent to the destination (maybe 10.2.2.2) on interface 1/2.

 

It could be that there is an inbound rule on interface 1/1 like this:

Source 10.1.1.1
Destination any
Service any
Action allow

On interface 1/2 there could be an outbound rule like:

Source 10.1.1.1
Destination 10.2.2.2
Service tcp-22
Action allow

And sometimes it is the other way around (inbound rule more specific than outbound rule).

In some rare cases there are exact matches (same rule on one interface inbound and another one outbound).

 

Expedition handles all inbound and outbound rules as security policies and writes them all into the PAN ruleset in a top-down way.

This results in a ruleset that is different from the one on the ASA.

In the example above, if the inbound rule is matched first, the destination 10.1.1.1 would be allowed to communicate everywhere on the PAN.
But on the ASA the traffic would go to the outbound rules later on and would eventually be blocked based on that.

Is there any way in Expedition to match the incoming and outgoing rules together in order to create rules for the PAN that would result in the same security level as the ASA ruleset with both types of rules?

 

Any hint is highly appreciated.

 

Thanks,
Tim
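To make the difference described in the post concrete, here is an added Python example (not from the original post, not Expedition code, and not a description of any Expedition feature). It evaluates the post's two rules under ASA semantics (ingress inbound ACL, then egress outbound ACL, both must allow) and under the flat top-down list the post says Expedition produces, and shows the tcp-80 flow that diverges. It also includes a hypothetical `merge_allow_rules` helper, an assumption of this example only, that intersects each inbound allow with each outbound allow so the combined list permits only what both ACLs permit. The helper assumes allow-only ACLs with an implicit deny at the end; explicit deny entries and their ordering are deliberately out of scope.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One ACL entry. src/dst are 'any' or an IPv4 host/CIDR; service is 'any' or e.g. 'tcp-22'."""
    src: str
    dst: str
    service: str
    action: str  # "allow" or "deny"


def _addr_matches(field: str, addr: str) -> bool:
    return field == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)


def _service_matches(field: str, service: str) -> bool:
    return field == "any" or field == service


def rule_matches(rule: Rule, src: str, dst: str, service: str) -> bool:
    return (_addr_matches(rule.src, src)
            and _addr_matches(rule.dst, dst)
            and _service_matches(rule.service, service))


def first_match(rules: List[Rule], src: str, dst: str, service: str) -> str:
    """First-match evaluation with an implicit deny when nothing matches."""
    for rule in rules:
        if rule_matches(rule, src, dst, service):
            return rule.action
    return "deny"


def asa_decision(inbound: List[Rule], outbound: List[Rule], src: str, dst: str, service: str) -> str:
    """ASA order as described in the post: the ingress interface's inbound ACL first,
    then (after routing) the egress interface's outbound ACL. Both must allow."""
    if first_match(inbound, src, dst, service) != "allow":
        return "deny"
    return first_match(outbound, src, dst, service)


def flat_decision(inbound: List[Rule], outbound: List[Rule], src: str, dst: str, service: str) -> str:
    """Flat top-down list, as the post says Expedition produces: one list, first match decides."""
    return first_match(list(inbound) + list(outbound), src, dst, service)


def _narrower_addr(a: str, b: str) -> Optional[str]:
    """Intersection of two address fields; CIDR blocks are either nested or disjoint."""
    if a == "any":
        return b
    if b == "any":
        return a
    na = ipaddress.ip_network(a, strict=False)
    nb = ipaddress.ip_network(b, strict=False)
    if na.subnet_of(nb):
        return a
    if nb.subnet_of(na):
        return b
    return None  # disjoint: no packet can match both


def _narrower_service(a: str, b: str) -> Optional[str]:
    if a == "any":
        return b
    if b == "any":
        return a
    return a if a == b else None


def merge_allow_rules(inbound: List[Rule], outbound: List[Rule]) -> List[Rule]:
    """Hypothetical merge (this example's idea, not an Expedition feature): keep the
    intersection of every inbound allow with every outbound allow. Assumes allow-only
    ACLs with implicit deny; explicit deny entries are not handled."""
    merged: List[Rule] = []
    for ri in inbound:
        if ri.action != "allow":
            continue
        for ro in outbound:
            if ro.action != "allow":
                continue
            src = _narrower_addr(ri.src, ro.src)
            dst = _narrower_addr(ri.dst, ro.dst)
            svc = _narrower_service(ri.service, ro.service)
            if src is None or dst is None or svc is None:
                continue  # the two rules can never match the same packet
            rule = Rule(src, dst, svc, "allow")
            if rule not in merged:
                merged.append(rule)
    return merged


# Constructed sample: exactly the rule pair from the post.
INBOUND_1_1 = [Rule("10.1.1.1", "any", "any", "allow")]          # inbound ACL on interface 1/1
OUTBOUND_1_2 = [Rule("10.1.1.1", "10.2.2.2", "tcp-22", "allow")]  # outbound ACL on interface 1/2

if __name__ == "__main__":
    merged = merge_allow_rules(INBOUND_1_1, OUTBOUND_1_2)
    for svc in ("tcp-22", "tcp-80"):
        print(svc,
              "ASA:", asa_decision(INBOUND_1_1, OUTBOUND_1_2, "10.1.1.1", "10.2.2.2", svc),
              "flat:", flat_decision(INBOUND_1_1, OUTBOUND_1_2, "10.1.1.1", "10.2.2.2", svc),
              "merged:", first_match(merged, "10.1.1.1", "10.2.2.2", svc))
```

Running it shows tcp-22 allowed everywhere, while tcp-80 from 10.1.1.1 to 10.2.2.2 is denied by the ASA evaluation, allowed by the flat list, and denied again by the merged list. The intersection is symmetric, so the "other way around" case (inbound more specific than outbound) yields the same merged rule; a real migration would still need to review deny entries and per-interface egress semantics by hand.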
