User ID and Expedition


L1 Bithead

I am doing a migration from ASA. All seems to be ok in Expedition so far. However the Objects < User ID tab is blank and mentions something about API. There is also a Plugins < User ID section which is also blank.

 

The ASA config has lots of user id dependencies built into the rules/policies. I have not been able to find any documentation that goes deep enough into the current version of Expedition to be worthwhile and nothing out there that I have found talks about the User ID function within Expedition.

 

The customer is concerned that the policies aren't migrating over with a 1:1 ruleset using User ID against their Active Directory environment like the rules did on their ASA. In the end we will have over 10k rules, so going back into Panorama and adding the User ID component to every rule is not an option.

 

We have taken the step of adding all of the AD Groups in the Group Mappings section of the Panorama that are referenced in the ASA config.

 

Can anyone help provide a "how to" on migrations from ASA to PAN when the ASA rules already have and must keep the User ID variable in them?

 

4 REPLIES

L6 Presenter

Hi @micharr, User-ID migration from Cisco ASA is not supported by Expedition. Please see the supported objects:

https://live.paloaltonetworks.com/t5/expedition-articles/expedition-supported-3rd-party-vendor-matri...

 

L2 Linker

I am working on a Palo FW to Panorama migration which includes User ID. I can see the user IDs in the policies of Expedition, but I can't seem to find where the group mappings are. Is User ID not fully supported on Expedition?

L6 Presenter

Hi @PktBlocker, for Palo Alto Networks firewall migration to Panorama, you do not need to use Expedition. You can refer to the link below for details. If you run into any issues, you can open a TAC case; TAC should be able to help you out.

 

https://docs.paloaltonetworks.com/panorama/11-0/panorama-admin/manage-firewalls/transition-a-firewal...

 

Hi @lychiang, a few reasons I am going to use Expedition versus going direct on the Panorama:

1: I don't want to manage these particular firewalls; there will be a different set that the policies will go on.

2: This is an acquisition, so we usually just pull the policies/NATs/routes and integrate them into our Panorama templates and security profiles, but in this case they were heavy on the User ID feature.

 

Is this not the best way to do this when migrating a palo to palo?
