07-26-2023 03:55 AM
Hi Folks,
I read that Migration Tool Software offered free of charge to Palo Alto Networks ACE
partners, is that true? if yes then what is the process for that and how can i use it?
Thanks in advance.
07-26-2023 05:01 AM
Expedition is offered free of charge and can help you migrating CISCO ASA and other 3rd parties vendors to Palo Alto Networks NGFW and Panorama.
Furthermore it can help you doing PANOS configuration optimisations like removing unused objects, merge duplicated objects by name, value or both, as well as other predefined useful filters.
If you are new in Expedition maybe you would like to join the beta program for Expedition2. Please follow below article for the onboarding process: https://live.paloaltonetworks.com/t5/expedition-articles/introducing-expedition-2-beta/ta-p/542787
Also you can take a look at below series of videos using Expedition1 to cover your use case, a complete workflow migration from CISCO to Palo Alto Networks: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-
Let me share some other links to get in touch with Expedition.
To report any finding or request assistance please send an email to fwmigrate@paloaltonetworks.com
Hope this information helps you,
Best regards,
David
08-02-2023 01:43 PM
@Shubhamkumaryadav Could it be your policy and objects are defined in panorama , if that's the case, you should import panorama running-config to Expedition.
07-26-2023 05:01 AM
Expedition is offered free of charge and can help you migrating CISCO ASA and other 3rd parties vendors to Palo Alto Networks NGFW and Panorama.
Furthermore it can help you doing PANOS configuration optimisations like removing unused objects, merge duplicated objects by name, value or both, as well as other predefined useful filters.
If you are new in Expedition maybe you would like to join the beta program for Expedition2. Please follow below article for the onboarding process: https://live.paloaltonetworks.com/t5/expedition-articles/introducing-expedition-2-beta/ta-p/542787
Also you can take a look at below series of videos using Expedition1 to cover your use case, a complete workflow migration from CISCO to Palo Alto Networks: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-
Let me share some other links to get in touch with Expedition.
To report any finding or request assistance please send an email to fwmigrate@paloaltonetworks.com
Hope this information helps you,
Best regards,
David
08-02-2023 01:26 PM
Hi Davi,
While importing xml config file to expedition exported from palo alto firewall which is associated with panorama is not showing stats in dashboard, for example not shoving policy, ae interfaces and routing, in short not showing 99% config except 3 application and 2 physical interfaces.
08-02-2023 01:43 PM
@Shubhamkumaryadav Could it be your policy and objects are defined in panorama , if that's the case, you should import panorama running-config to Expedition.
08-02-2023 09:12 PM
Hi Dpuigdomenec,
I have mirgrade police from ASA 5525 to PaloAlto. But there are some policies that have the same Source Zone and Destination Zone fields or are left blank. Does Expedition have a feature to modify such cases?
08-03-2023 12:05 AM
Hi @lxuanquynh
Expedition could run an autozone on NAT and Security Rules for you.
First please make sure you Network is properly defined, that means review your interfaces are properly defined and have a zone assigned, also your VR has a default static route. Having a default static route is a must to execute the autozone assign.
Once all this information is fine create an snapshot of the project so at any time you can go back to this specific project status.
Then execute below steps:
1. Go to Security Rules grid,
2. Select one rule or all, but for testing purposes I will suggest select first some controlled rules,
3. Click on right mouse button and select autozone assign.
4. Select your template (Network information) and your VR to use
5. Select the scope of the executions; selected rules or all rules
6. Select if you want to calculate source zones and destination zones
7. Select if you want to apply NAT rules information for destination zones.
8. Click on calculate
9. Wait for the process to finish
10. Review tab Monitor to check for some warning on the process
Note: The same process could be executed on NAT rules. Take into account that as Palo Alto Networks only allows having 1 zone on the to (destination) zone for NAT rules, when Expedition detects that the NAT rule needs having more than one to zone, then it clones the NAT rule for every to zone needed, increasing the number of NAT rules than originally were migrated.
If you identify some finding please open a TAC case including your original configuration and share the TAC case number with us using the email fwmigrate <fwmigrate@paloaltonetworks.com>. We will be happy to assist you.
Hope this information helps you,
Best,
David
08-03-2023 01:14 AM
Thanks for support Dpuigdomenec,
I will try and respond.
08-04-2023 01:50 AM
Hi @lychiang
AS you suggested tried xml config exported from panorama for particular device group and template stack but again after importing to expedition but after that i see nothing in policy and vpn and network config.
08-04-2023 08:50 AM
Hi @Shubhamkumaryadav When you export the config from panorama, please export the whole running-config without selecting device group or template, Expedition only reads whole running-config not partial.
08-05-2023 11:03 AM
HI @lychiang I Have 21 firewall in panorama if i export whole config then how would i migrate rules from ASA to specific palo alto firewall? that is why i am selecting device group, template and template stack should be enough right? also checked this xml file in browser is has all config which i need but when i import to expedition its does not come with any value to dashboard.
08-07-2023 08:23 AM
Hi @Shubhamkumaryadav It is is important to create a new device group and new template in panorama for your ciscoasa migration before you export the whole running config file out, so when you merge the ciscoasa and panorama config, you only merge the ciscoasa migrated config to the new device group and template , that way ,when you load the config on panorama, you can load the new device group and template from the exported expedition config. Hope this clear.
08-08-2023 12:49 AM
Hi @lychiang, So basically you are saying i should export full funning config from panorama which includes 21 filrewalls and newly created device group and template, after that import this to expedition and merge the ASA cinfg to the new device group and template, and then load back to panorama, this time it will have 21 firewall config plus ASA config in the form of newly device group and template right ? what about template stack should create this stack after that?
08-08-2023 08:13 AM
Yes, you can create template stack after you import the new template back.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
