Hello to all and sorry if this has been posted before. We are new to Palo Alto Networks Firewall. We are in the process of procurring and installing our first PAN device. With that in mind we do have quite a bit of experience with Cisco ASA FW but none currently with PAN FW. With that in mind we don't know how much time would be involved with migration the configuration of the ASA FW to PAN FW and what to expect. I have downloaded and tried to use the migration tool but I was lost trying to figure it out. We have tested PAN FW and we were pleased with it. We know training is needed as well. Looking for some help here. Thanks in advance.
Difficult question. I like migration tool a lot and i would use it in any case.
But if your existing configuration isn't big and complex and you think you will migrate it without tools quicker than mastering migration tool, then do it manually.
I believe with time you will find both PA and migration tool interfaces easy to use.
I once too was in the same boat as yourself. Since then I have migrated many times from one vendor to a PAN. I honeslty have never used the migration tool but heard its a great product that I'm sure your SE would be willing to help you with. The reason I always chose to do it manually was for two main reasons. First I would gain a lot of familiarity with the PAN and second it enabled me to clean up any old configs/object/rules that were no longer required. It was always teadious and using a spereadsheet helped out a lot but in the end it was always worth going to the PAN with a fresh config.
Once again I would say lean on your SE a lot, that is one reason they are there :).
Personally I always rebuild the config with the Palo in mind; as good as the migration tool is there is no guarentee that it's going to move everything over correctly. Migrating ASA configs either works really well or it causes the object remarks and some objects all together to not really move over all that well. I think this is more to do with how much of a mess ASDM makes of the configuration, so if you lean on ASDM heavily over the CLI I would recommend a rebuild over a migration.
That being said I've had this stance for a while and have not used the current migration tool, so all of the issues that I've run into may be 'out of date' and not actually pose any issue anymore.
I've never personally used the migraton tool but I have done the UTD for it (which specifically migrates from ASA to PA), but I have manually migrated ASAs to PA and my advice is since the two approaches are worlds apart, you need to really understand the PA philosophy if you want to do it manually. And in my case, I love the PA approach so much, that I rather enjoyed the manual migration process. The biggest difference, aside from AppID, is you can easily combine several ASA rules into a single PA security policy.
Regardless of your method, there are some things the migration tool doesn't do such as IPSEC tunnel migration and virtually anything else that requires a password that's normally hidden by the show run command (which is what you input into the migration tool).
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!