- Access exclusive content
- Connect with peers
- Share your expertise
- Find support resources
05-06-2024 10:02 AM
We have a pair of Palo PA820 firewalls that were pulled out of service. I want to use them to replace a pair of Cisco ASA 5508s. I'm planning to wipe the configuration on the PA820s before we start. Then I just need to port the ASA config to an a Palo version of the same config. I can't bring the Palos up on the network beforehand, because they would conflict with the current ASAs. So I don't want to import anything from the current Palo Altos.
Also PA820s are not in the list of Palo firewalls in the current version of Expedition. The list jumps from PA500 to PA3000. How can I build a config that I know will work on a PA820?
I created a project with a PA500, and then imported the Cisco ASA config. The config shows objects for vsys1 and vsys2, but I never specified that I was running a Palo with two Vsys instances, and don't plan to run multiple Vsys instances. Why do I have two and how do I get rid of that? Is it because I didn't import a Palo config to start?
Once I'm done I don't want to deploy a config to a Palo that is up and connected (again, that would conflict with the ASAs). I was hoping I could just get a CLI version of the config that I could apply via the console. Then we can arrange a change window to swap from the ASA firewalls to the Palos. Is this kind of a migration not possible with Palo/Expedition? Am I going to have to remove the ASAs and replace them with the Palos and go through all of this during a change window? It seems if I could just pre-config the Palos and swap them in I could save a ton of what will be down time fussing with the config and trying to deploy it to the Palos.
05-07-2024 02:48 AM
Hi @dsmall-pa
Thanks for reaching out.
Videos:
Let me share with you a set of youtube videos that will help on your migration workflow: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-
Expedition FW models:
Select any PA, the once you selected is fine.
CISCO migration vsys:
By default a Cisco migration is only creating the vsys1. Please check that you follow the steps defined in the above videos
Generate Output:
Once you have your configuration ready to be pushed to your FW you can generate the PANOS XML and do a load config partial or just get the set commands to execute them via CLI. Please check the last video.
Let me know if you have any other question.
Best regards,
David
05-07-2024 02:48 AM
Hi @dsmall-pa
Thanks for reaching out.
Videos:
Let me share with you a set of youtube videos that will help on your migration workflow: https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-
Expedition FW models:
Select any PA, the once you selected is fine.
CISCO migration vsys:
By default a Cisco migration is only creating the vsys1. Please check that you follow the steps defined in the above videos
Generate Output:
Once you have your configuration ready to be pushed to your FW you can generate the PANOS XML and do a load config partial or just get the set commands to execute them via CLI. Please check the last video.
Let me know if you have any other question.
Best regards,
David
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!