Migration Tool Software from Cisco ASA 5545 to Palo alto 3220

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Migration Tool Software from Cisco ASA 5545 to Palo alto 3220

L1 Bithead

Hi Folks,
I read that Migration Tool Software offered free of charge to Palo Alto Networks ACE
partners, is that true? if yes then what is the process for that and how can i use it?

Thanks in advance.

2 accepted solutions

Accepted Solutions

L4 Transporter

Hi @Shubhamkumaryadav 

 

Expedition is offered free of charge and can help you migrating CISCO ASA and other 3rd parties vendors to Palo Alto Networks NGFW and Panorama. 

 

Furthermore it can help you doing PANOS configuration optimisations like removing unused objects, merge duplicated objects by name, value or both, as well as other predefined useful filters.

 

If you are new in Expedition maybe you would like to join the beta program for Expedition2. Please follow below article for the onboarding process: https://live.paloaltonetworks.com/t5/expedition-articles/introducing-expedition-2-beta/ta-p/542787

 

Also you can take a look at below series of videos using Expedition1 to cover your use case, a complete workflow migration from CISCO to Palo Alto Networks: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-

 

Let me share some other links to get in touch with Expedition.

To report any finding or request assistance please send an email to fwmigrate@paloaltonetworks.com

 

Hope this information helps you,

 

Best regards,

 

David

 

View solution in original post

@Shubhamkumaryadav Could it be your policy and objects are defined in panorama , if that's the case, you should import panorama running-config to Expedition. 

View solution in original post

12 REPLIES 12

L4 Transporter

Hi @Shubhamkumaryadav 

 

Expedition is offered free of charge and can help you migrating CISCO ASA and other 3rd parties vendors to Palo Alto Networks NGFW and Panorama. 

 

Furthermore it can help you doing PANOS configuration optimisations like removing unused objects, merge duplicated objects by name, value or both, as well as other predefined useful filters.

 

If you are new in Expedition maybe you would like to join the beta program for Expedition2. Please follow below article for the onboarding process: https://live.paloaltonetworks.com/t5/expedition-articles/introducing-expedition-2-beta/ta-p/542787

 

Also you can take a look at below series of videos using Expedition1 to cover your use case, a complete workflow migration from CISCO to Palo Alto Networks: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-

 

Let me share some other links to get in touch with Expedition.

To report any finding or request assistance please send an email to fwmigrate@paloaltonetworks.com

 

Hope this information helps you,

 

Best regards,

 

David

 

Hi Davi,
While importing xml config file to expedition exported from palo alto firewall which is associated with panorama is not showing stats in dashboard, for example not shoving policy, ae interfaces and routing, in short not showing 99% config except 3 application and 2 physical interfaces. 

@Shubhamkumaryadav Could it be your policy and objects are defined in panorama , if that's the case, you should import panorama running-config to Expedition. 

Hi Dpuigdomenec,

I have mirgrade police from ASA 5525 to PaloAlto. But there are some policies that have the same Source Zone and Destination Zone fields or are left blank. Does Expedition have a feature to modify such cases?

Quynhlx

Hi @lxuanquynh 

 

Expedition could run an autozone on NAT and Security Rules for you.

 

First please make sure you Network is properly defined, that means review your interfaces are properly defined and have a zone assigned, also your VR has a default static route. Having a default static route is a must to execute the autozone assign.

 

Once all this information is fine create an snapshot of the project so at any time you can go back to this specific project status.

 

Then execute below steps:

 

1. Go to Security Rules grid,

2. Select one rule or all, but for testing purposes I will suggest select first some controlled rules,

3. Click on right mouse button and select autozone assign.

4. Select your template (Network information) and your VR to use

5. Select the scope of the executions; selected rules or all rules

6. Select if you want to calculate source zones and destination zones

7. Select if you want to apply NAT rules information for destination zones.

8. Click on calculate 

9. Wait for the process to finish

10. Review tab Monitor to check for some warning on the process

 

Note: The same process could be executed on NAT rules. Take into account that as Palo Alto Networks only allows having 1 zone on the to (destination) zone for NAT rules, when Expedition detects that the NAT rule needs having more than one to zone, then it clones the NAT rule for every to zone needed, increasing the number of NAT rules than originally were migrated.

If you identify some finding please open a TAC case including your original configuration and share the TAC case number with us using the email fwmigrate <fwmigrate@paloaltonetworks.com>. We will be happy to assist you.

 

Hope this information helps you,

 

Best,

 

David

L1 Bithead

Thanks for support Dpuigdomenec,

I will try and respond.

Quynhlx

Hi @lychiang 
AS you suggested tried xml config exported from panorama for particular device group and template stack but again after importing to expedition but after that i see nothing in policy and vpn and network config. 

Hi @Shubhamkumaryadav When you export the config from panorama, please export the whole running-config without selecting device group or template, Expedition only reads whole running-config not partial. 

L1 Bithead

HI @lychiang I Have 21 firewall in panorama if i export whole config then how would i migrate rules from ASA to specific palo alto firewall? that is why i am selecting device group, template and template stack should be enough right? also checked this xml file in browser is has all config which i need but when i import to expedition its does not come with any value to dashboard.

Hi @Shubhamkumaryadav It is is important to create a new device group and new template in panorama for your ciscoasa migration before you export the whole running config file out, so when you merge the ciscoasa and panorama config, you only merge the ciscoasa migrated config to the new device group and template , that way ,when you load the config on panorama, you can  load the new device group and template from the exported expedition config. Hope this clear. 

L1 Bithead

Hi @lychiang, So basically you are saying i should export full funning config from panorama which includes 21 filrewalls and newly created device group and template, after that import this to expedition and merge the ASA cinfg to the new device group and template, and then load back to panorama, this time it will have 21 firewall config plus ASA config in the form of newly device group and template right ? what about template stack should create this stack after that?

Yes, you can create template stack after you import the new template back. 

  • 2 accepted solutions
  • 6106 Views
  • 12 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!