Migration from Cisco ASA to PAN: Outbound rules


L1 Bithead

Hey everyone,

I am currently trying to migrate a configuration of a Cisco ASA to PAN using Expedition.

Unfortunately the customer is not only using the "normal" inbound rules on ASA but also outbound rules.


ASA rule processing is a bit different from PAN:

Packet arrives from source (maybe on interface 1/1) -> Packet is sent through inbound rules of ingress interface -> Routing etc. -> Packet is sent through outbound rules of egress interface -> Packet is sent to the destination (maybe on interface 1/2).


It could be that there is an inbound rule on interface 1/1 like that:


Destination any

Service any

Action allow


On interface 1/2 there could be an outbound rule like:



Service tcp-22

Action allow


And sometimes it is the other way around (inbound rule more specific than outbound rule).

In some rare cases there are exact matches (same rule on one interface inbound and another one outbound).


Expedition handles all inbound and outbound rules as security policies and writes them all into the PAN ruleset in a top-down way.

This results in a ruleset that is different from the one on the ASA.


In the example above, if the inbound rule is matched first, the destination would be allowed to communicate everywhere on the PAN.
But on the ASA the traffic would go through the outbound rules later on and would eventually be blocked based on that.


Is there any way in Expedition to match the incoming and outgoing rules together in order to create rules for the PAN that would result in the same security level as the ASA ruleset with both types of rules?


Any hint is highly appreciated.
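
The difference described in the post, as an added example that is not part of the original post and not an Expedition feature: it evaluates the same packet against the two-stage ASA model (inbound ACL on ingress, then outbound ACL on egress) and against one flattened top-down list. The rule values, addresses and all names are constructed for illustration; it assumes one ingress and one egress interface, an ACL applied in each direction, and an implicit deny at the end of every list.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    src: str      # CIDR or "any"
    dst: str      # CIDR or "any"
    service: str  # e.g. "tcp-22" or "any"
    action: str   # "allow" or "deny"

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    service: str

def _addr_match(field, addr):
    return field == "any" or ip_address(addr) in ip_network(field)

def matches(rule, pkt):
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.service in ("any", pkt.service))

def first_match(acl, pkt):
    """Top-down first match; implicit deny when no rule matches."""
    for rule in acl:
        if matches(rule, pkt):
            return rule.action
    return "deny"

def asa_verdict(inbound_acl, outbound_acl, pkt):
    """Two-stage model: the packet must pass the ingress inbound ACL
    and then the egress outbound ACL."""
    if first_match(inbound_acl, pkt) != "allow":
        return "deny"
    return first_match(outbound_acl, pkt)

def flattened_verdict(inbound_acl, outbound_acl, pkt):
    """All rules written into a single top-down list."""
    return first_match(inbound_acl + outbound_acl, pkt)

# Constructed sample rules (hypothetical addresses, not from the post).
INBOUND_1_1 = [Rule("10.1.1.0/24", "any", "any", "allow")]
OUTBOUND_1_2 = [Rule("any", "10.2.2.0/24", "tcp-22", "allow")]

def compare(pkt):
    """Return (ASA verdict, flattened verdict) for one packet."""
    return (asa_verdict(INBOUND_1_1, OUTBOUND_1_2, pkt),
            flattened_verdict(INBOUND_1_1, OUTBOUND_1_2, pkt))
```

Running `compare` over a list of representative flows gives a quick way to spot where a migrated ruleset allows traffic that the two-stage evaluation would have dropped.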


