03-23-2023 06:30 AM
Hi Team,
We want to migrate our firewalls from Cisco ASA to Palo Alto. Instead of performing a hot cutover, we are thinking of the other option of connecting them inline to the existing firewalls so that they will just monitor all policies, etc., which will help us fix any of the configurations so that we can remove the existing firewalls without any major issue. Please suggest a way to deploy this, or share any documentation related to it.
03-23-2023 07:40 AM
If you want to put Palos inline, then their interfaces need to be in virtual-wire mode for that period.
It allows you to capture traffic and reverse engineer what policies need to be configured, but it is way easier to migrate like-to-like to be sure everything is working after migration and then tune policies as needed.
03-23-2023 08:12 AM
Hello,
If the PANs are running newer code, etc., they will learn and suggest applications to the policies as you input them.
Regards,
03-23-2023 09:12 AM
Yes @Raido_Rattameister, initially I thought the same of doing a like-to-like migration, but we won't have any users for UAT during the maintenance window; they will only be available the next morning. Since we have some hundreds of policies, if many are impacted it would be a nightmare. In order to avoid that, I am looking for the virtual wire option. Is there a migration document available?
03-23-2023 09:13 AM
Hi @OtakarKlier, it's a PA 5420 model and so we would run the latest code.
03-23-2023 09:22 AM
Hello,
I also want to point out that there is the 'Expedition' tool for migrating configurations from another platform to Palo Alto. I have not used it before; however, others have stated that it worked fairly well. Also, I would suggest leaning on your sales engineer to help out, etc.
https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
Regards,
03-23-2023 09:50 AM
Expedition is a very nice tool, but depending on the ASA config it needs manual review, and not everything is migrated over.
Unless the customer is OK to fix any upcoming issues the morning after migration, I would definitely expect customer-side UAT testing right after failover.
05-05-2023 05:51 AM
Is there any sample configuration to set it up inline, so that I can review the policies and fix them?
05-05-2023 07:37 AM
Hello,
So the inline method, you will want to do the following:
Hope that makes sense.
05-05-2023 07:56 AM
@OtakarKlier Thanks for your input.