ASA migration to PA

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

ASA migration to PA

L2 Linker

Hi Team,

We want to migrate our firewalls from cisco ASA to Palo Alto. Instead of performing hot cutover, we are thinking the other option by connecting them inline to existing firewalls so that it will just monitor all policy and etc, which will help us to fix any of the configurations so that we can remove the existing firewalls without any major issue. Please suggest a way to deploy or share if there is any documentation relate to it.

9 REPLIES 9

Cyber Elite
Cyber Elite

If you want to put Palos inline then it's interfaces need to be in virtual-wire mode for that period.

It allows to capture traffic and reverse engineer what policies need to be configured but it is way easier to migrate like-to-like to be sure everything is working after migration and then tune policies as needed.

 

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Cyber Elite
Cyber Elite

Hello,

If the PAN's are running newer code, etc, they will learn and suggest applications to the policies as you input them.

 

Regards,

Yes @Raido_Rattameister  Intially i thought the same of doing like-to-like migration, but we won't have any user for UAT during maintenance window, only they will be available in the next morning. Since we have some hundred of policies, if many are impacted it would be a nightmare. In order avoid that i looking for virrual wire option, is there migration document available?

Hi @OtakarKlier It's a PA 5420 model and so we would run a latest code. 

Cyber Elite
Cyber Elite

Hello,

I also want to point out that there is the 'Expedition' tool for migrating configurations from another platform to Palo Alto. I have not used it before, however others have stated that it worked fairly well. Also I would suggesting on leaning on your sales engineer to help out, etc.

 

https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

 

Regards,

Cyber Elite
Cyber Elite

Expedition is very nice tool but depending of ASA config it needs manual review and not everything is migrated over.

Unless customer is ok to fix any upcoming issues morning after migration I would definitely expect customer side UAT testing right after failover.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

Is there any sample configuration to set it up for inline , so that i can review the polices and fix them.

Cyber Elite
Cyber Elite

Hello,

So the inline method, you will want to do the following:

  1. Create a virtual wire, vwire, ie port 1 and 2
    1. 1 will be from the PAN to the ASA and 2 will be from the PAN to the internal switch
  2. Create a Allow ALL policy between the two zones
    1. Then make sure to keep that Allow ALL policy at the bottom, eg last policy
    2. Create any policies for the traffic that are specific above the policy so that it will get hit first.

Hope that makes sense.

@OtakarKlier  Thanks for your input.

  • 4165 Views
  • 9 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!