04-24-2017 03:14 PM
Is there an easy way to convert a Cisco ACL to PAN format? Right now I have a 70-line ACL and it looks like each ACL will require 14 set commands. At this point I'm thinking it might be easier to just enter the 70 ACLs into the PAN via the GUI.
Any other thoughts on how to speed up the operation? Thanks!
set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust
set rulebase security rules Beaglerun-L2L-VPN to corp-vpn
set rulebase security rules Beaglerun-L2L-VPN source RFC-1918
set rulebase security rules Beaglerun-L2L-VPN destination any
set rulebase security rules Beaglerun-L2L-VPN source-user any
set rulebase security rules Beaglerun-L2L-VPN category any
set rulebase security rules Beaglerun-L2L-VPN application [ ssh ssh-tunnel ]
set rulebase security rules Beaglerun-L2L-VPN service application-default
set rulebase security rules Beaglerun-L2L-VPN hip-profiles any
set rulebase security rules Beaglerun-L2L-VPN action allow
set rulebase security rules Beaglerun-L2L-VPN profile-setting group Corp-Default-SecPro-Block-nourl
set rulebase security rules Beaglerun-L2L-VPN log-start yes
set rulebase security rules Beaglerun-L2L-VPN log-setting QradarSyslogForwarder
set rulebase security rules Beaglerun-L2L-VPN disabled no
04-24-2017 03:30 PM - edited 04-24-2017 03:30 PM
Not sure if the Migration Tool can be of any help. To me, it has a policy-like look.
04-24-2017 03:42 PM
Do you have a link to the migration tool?
04-24-2017 04:33 PM - edited 04-24-2017 04:35 PM
A 70-line ASA ACL probably means no more than 15 policies on the PA. Personally, I would just convert them manually in the GUI (and have).
https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582
Also, I don't believe all those commands, like setting source-user to any, are necessary.
Also, it's generally considered good practice to only log at session end. Logging at session start is usually done only for troubleshooting purposes (you can reference the session browser prior to the session's termination).
04-25-2017 07:35 AM
I just wanted to make sure that you knew you could actually combine all of those set commands into just one command. It would look like the following:
set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust to corp-vpn source RFC-1918 destination any application [ ssh ssh-tunnel ] service application-default action allow disabled no log-start yes log-setting QradarSyslogForwarder profile-setting group Corp-Default-SecPro-Block-nourl
Just a few notes:
- log-start being yes with no log-end setting is uncommon. Are you sure you didn't want log-end yes and log-start no? That would be the most common.
- A lot of these commands are kind of unnecessary. For example, category, hip-profiles, and disabled no could all easily be left out, as those are the assumed settings on a new security rule.
- Any set commands can be combined, but keep in mind that there is no 'add' command, so if you wish to add an application you will need to make sure your set command includes all the applications you actually wish to have on the security policy.
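One way to script the conversion the thread is asking about, as an added example that is not code from the thread or from Palo Alto Networks: a small Python converter that parses a few constructed ASA extended ACL entries, merges adjacent entries that share action, source and destination into one rule (which is how 70 ACL lines shrink to far fewer policies), and emits one combined set command per rule with log-end yes rather than log-start, as the replies above recommend. The zone names, the H-/N-/svc- object-naming scheme and the sample ACL are assumptions; the address and service objects themselves would still have to be created, and application is left as any because an ACL carries no App-ID information, so rules would be tightened afterwards (for example to ssh and ssh-tunnel, as in the original post).

```python
"""Convert Cisco ASA extended ACL entries into PAN-OS 'set rulebase security rules' commands.

Added example, not from the thread or from Palo Alto Networks. Assumptions:
zone names, object-naming scheme (H-<host>, N-<net>_<prefix>, svc-<proto>-<port>)
and the sample ACL below are made up; applications are left as 'any'.
"""
import ipaddress
import re

# Constructed sample input (not from the thread).
SAMPLE_ACL = """\
access-list OUTSIDE_IN extended permit tcp object-group RFC-1918 any eq ssh
access-list OUTSIDE_IN extended permit tcp object-group RFC-1918 any eq 443
access-list OUTSIDE_IN extended permit udp host 10.1.1.5 host 192.168.1.10 eq 53
access-list OUTSIDE_IN extended permit tcp host 10.1.1.5 host 192.168.1.10 range 8000 8010
access-list OUTSIDE_IN extended deny ip any any log
"""

# A few ASA port keywords; numeric ports pass through unchanged.
WELL_KNOWN = {"ssh": 22, "www": 80, "http": 80, "https": 443, "domain": 53, "smtp": 25}


def _endpoint(tokens):
    """Consume one ASA address spec and return (PAN-OS object name, remaining tokens)."""
    head = tokens[0]
    if head in ("any", "any4", "any6"):
        return "any", tokens[1:]
    if head == "host":
        return "H-" + tokens[1], tokens[2:]
    if head in ("object", "object-group"):
        return tokens[1], tokens[2:]  # reuse the existing object name on the PA side
    # network + netmask form, e.g. "10.0.0.0 255.255.255.0"
    net = ipaddress.ip_network(f"{head}/{tokens[1]}", strict=False)
    return f"N-{net.network_address}_{net.prefixlen}", tokens[2:]


def _service(proto, tokens):
    """Map an optional ASA port clause to an (assumed) PAN-OS service-object name."""
    if proto not in ("tcp", "udp"):
        return "any"  # ip/icmp ACEs carry no port; PAN-OS 'service any'
    if not tokens:
        return f"svc-{proto}-any"
    if tokens[0] == "eq":
        return f"svc-{proto}-{WELL_KNOWN.get(tokens[1], tokens[1])}"
    if tokens[0] == "range":
        return f"svc-{proto}-{tokens[1]}-{tokens[2]}"
    raise ValueError(f"unsupported port clause: {' '.join(tokens)}")


def parse_ace(line):
    """Parse 'access-list NAME extended permit|deny PROTO SRC DST [port clause] [log]'."""
    m = re.match(r"access-list\s+(\S+)\s+extended\s+(permit|deny)\s+(\S+)\s+(.*)$", line.strip())
    if not m:
        raise ValueError(f"not an extended ACE: {line}")
    acl, action, proto, rest = m.groups()
    tokens = rest.split()
    src, tokens = _endpoint(tokens)
    dst, tokens = _endpoint(tokens)
    if tokens and tokens[-1] == "log":  # ASA per-ACE logging keyword, not a port
        tokens = tokens[:-1]
    return {"acl": acl, "action": "allow" if action == "permit" else "deny",
            "src": src, "dst": dst, "service": _service(proto, tokens)}


def merge_adjacent(aces):
    """Collapse consecutive ACEs sharing action/src/dst into one rule with several services.

    Only adjacent entries are merged: an ASA ACL is first-match, so pulling a later
    permit up past an intervening deny could change what is allowed through.
    """
    rules = []
    for ace in aces:
        key = (ace["action"], ace["src"], ace["dst"])
        if rules and rules[-1]["key"] == key:
            if ace["service"] not in rules[-1]["services"]:
                rules[-1]["services"].append(ace["service"])
        else:
            rules.append({"key": key, "action": ace["action"], "src": ace["src"],
                          "dst": ace["dst"], "services": [ace["service"]]})
    for r in rules:
        if "any" in r["services"]:  # 'any' swallows every specific service on the rule
            r["services"] = ["any"]
    return rules


def to_set_commands(rules, from_zone, to_zone, log_setting, prefix="ACL"):
    """Emit one combined set command per rule, logging at session end only."""
    cmds = []
    for i, r in enumerate(rules, start=1):
        svc = r["services"][0] if len(r["services"]) == 1 else "[ " + " ".join(r["services"]) + " ]"
        cmds.append(
            f"set rulebase security rules {prefix}-{i:02d} from {from_zone} to {to_zone} "
            f"source {r['src']} destination {r['dst']} application any service {svc} "
            f"action {r['action']} log-end yes log-setting {log_setting}"
        )
    return cmds


def convert(acl_text, from_zone, to_zone, log_setting):
    """Full pipeline: ACL text -> parsed ACEs -> merged rules -> set commands."""
    aces = [parse_ace(l) for l in acl_text.splitlines() if l.strip()]
    return to_set_commands(merge_adjacent(aces), from_zone, to_zone, log_setting)


if __name__ == "__main__":
    for cmd in convert(SAMPLE_ACL, "corpfw2-untrust", "corp-vpn", "QradarSyslogForwarder"):
        print(cmd)
```

Running it turns the five sample ACEs into three rules; the two RFC-1918 permits become one rule with `service [ svc-tcp-22 svc-tcp-443 ]`, and the trailing `deny ip any any log` becomes a deny rule with `service any`. Review the merged output before loading it: the script preserves ACL order but does not know your zones, does not create the referenced address or service objects, and cannot pick App-IDs for you.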