Running Expedition 1.2.84 - need to import from ScreenOS


L1 Bithead

Running Expedition 1.2.84.
Finally getting what I need to retire my SG1000s.

I need to import from ScreenOS - Do I need to do a Juniper Screen2Junos first, or is there a ScreenOS plugin for Expedition?

I'd prefer to avoid a double-convert.

My plan is to define vsys/zone/interface directly on the Palo NGFW and then just migrate the objects and policies.

I've heard warnings about trying to get Expedition to migrate the NAT policies, so if that doesn't look like it is working I'll probably just do the NAT policies manually after the Address and Service objects and Security Policies have been migrated.

2 accepted solutions

Accepted Solutions

L4 Transporter

Hi @Eric_Troldahl

You should be good to select the parser Juniper->Netscreen to parse a ScreenOS configuration using Expedition.

Networking information could be defined directly on your device, or you could also use the set commands generated by Expedition.

Just in case it can help you, let me add here some video tutorials on how to execute the migration workflow on Expedition. The video uses Cisco, but the workflow is the same no matter the 3rd party vendor.

https://www.youtube.com/playlist?list=PLD6FJ8WNiIqVez8EBeoyRsnQcKTA5FuZ-

Hope this helps and let us know if you have any other questions,

Best,

David

L1 Bithead

ScreenOS migrations are supported. Just check for predefined services (SNMP in ScreenOS is udp/tcp 161/162), custom timeouts (minutes or 10s units), and search for services using port 65000 and addresses with 1.1.1.1 (invalid entries). Plus, Global rules will need to be modified with specific zones, NATs need to be reviewed, and MIPs need to be done in both directions.
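The checklist in the reply above can be run against the exported ScreenOS text before it is loaded into Expedition. The following is an added example, not part of any post in this thread or of Expedition: the function name `review_items` is hypothetical, the sample config is constructed, and the script assumes the usual ScreenOS `set` command layout and treats any policy service not defined in the config as predefined.

```python
import shlex
from collections import defaultdict

# Constructed sample of ScreenOS "set" commands (not from a real device).
SAMPLE_CONFIG = '''\
set address "Trust" "web01" 10.1.1.10 255.255.255.255
set address "Untrust" "placeholder" 1.1.1.1 255.255.255.255
set service "app-8443" protocol tcp src-port 0-65535 dst-port 8443-8443 timeout 30
set service "dummy" protocol tcp src-port 0-65535 dst-port 65000-65000
set interface "ethernet0/1" mip 203.0.113.10 host 10.1.1.10 netmask 255.255.255.255 vr "trust-vr"
set interface "ethernet0/1" dip 4 203.0.113.20 203.0.113.30
set policy id 5 from "Untrust" to "Trust" "Any" "MIP(203.0.113.10)" "HTTP" permit log
set policy id 6 from "Trust" to "Untrust" "web01" "Any" "app-8443" nat src dip-id 4 permit
set policy global id 9 from "Global" to "Global" "Any" "Any" "SNMP" permit
'''

def _tokens(line):
    try:
        return shlex.split(line)
    except ValueError:  # unbalanced quote inside a name or description
        return line.split()

def review_items(config_text):
    """Map each review category to the config line numbers needing a manual look."""
    rows = [(n, _tokens(l)) for n, l in enumerate(config_text.splitlines(), 1)]
    rows = [(n, t) for n, t in rows if len(t) > 3 and t[0] == "set"]
    # Service names defined here; anything else a policy uses is assumed predefined.
    custom = {t[2] for _, t in rows if t[1] == "service"}
    custom |= {t[3] for _, t in rows if t[1:3] == ["group", "service"]}
    found = defaultdict(list)
    for n, t in rows:
        if t[1] == "address" and any(x.split("/")[0] == "1.1.1.1" for x in t[4:]):
            found["address_1.1.1.1"].append(n)
        elif t[1] == "service":
            if "timeout" in t:
                found["custom_timeout"].append(n)
            if "dst-port" in t[:-1] and "65000" in t[t.index("dst-port") + 1].split("-"):
                found["port_65000"].append(n)
        elif t[1] == "interface" and t[3] in ("mip", "dip"):
            found["mip_dip"].append(n)
        elif t[1] == "policy" and "from" in t and len(t) >= t.index("from") + 7:
            i = t.index("from")  # layout: from <zone> to <zone> <src> <dst> <service>
            zones, dst, svc = (t[i + 1], t[i + 3]), t[i + 5], t[i + 6]
            if "Global" in zones:
                found["global_rule"].append(n)
            if dst.startswith(("MIP(", "VIP(")) or "nat" in t[i + 7:]:
                found["policy_nat"].append(n)
            if svc.upper() != "ANY" and svc not in custom:
                found["predefined_service"].append(n)
    return dict(found)
```

Each returned line number points at a rule or object to compare by hand against what Expedition generated, for example the timeout unit on a custom service or the bidirectional NAT for a MIP.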

L0 Member

I am in your position right now on my last ISG1000 to migrate to a Palo. We used Expedition to migrate approximately 10 ISG1000s to PA-3020s. The configurations we had on the ISG1000s were simple. We output the ISG1000 configs to Notepad and then uploaded them to Expedition. Our last ISG1000 is a bit more complex and has MIPs and DIPs. Expedition shows it was able to convert them and create the NAT policies and Service Policies. We are unsure if they are correct, and we are still looking for someone to provide insight on whether they were converted correctly.

You should be good to go just uploading a Notepad file of the configs to Expedition to convert.

Hi @mwarnock 

You can start checking the /tmp/error file, the monitor tab and the invalid filters. If some object is not supported it should appear there.

Let me know if you need any other assistance.

Best regards,

David

We have not cut over that last one due to production traffic reasons and being unsure of the accuracy of the NAT rule conversion from MIPs and DIPs. This means we are left to verify this by hand. We have currently converted the Juniper ISG1000 config to Palo and uploaded it to a newly created device group, where it sits awaiting review and any corrections before we upload it to a new PA-3410 that is powered and awaiting pano push.
