Converting Cisco ASA Access Lists to PAN

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Converting Cisco ASA Access Lists to PAN

L3 Networker

Is there an easy way to convert a Cisco ACL to PAN format. Right now I have a 70 line ACL and it looks like each ACL will require 14 set commands. At this point I'm thinking it might be easier to just enter the 70 ACLs into the PAN via the GUI. 

Any other thoughts on how to speed the operation? thanks!

 

set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust
set rulebase security rules Beaglerun-L2L-VPN to corp-vpn
set rulebase security rules Beaglerun-L2L-VPN source RFC-1918
set rulebase security rules Beaglerun-L2L-VPN destination any
set rulebase security rules Beaglerun-L2L-VPN source-user any
set rulebase security rules Beaglerun-L2L-VPN category any
set rulebase security rules Beaglerun-L2L-VPN application [ ssh ssh-tunnel]
set rulebase security rules Beaglerun-L2L-VPN service application-default
set rulebase security rules Beaglerun-L2L-VPN hip-profiles any
set rulebase security rules Beaglerun-L2L-VPN action allow
set rulebase security rules Beaglerun-L2L-VPN profile-setting group Corp-Default-SecPro-Block-nourl
set rulebase security rules Beaglerun-L2L-VPN log-start yes
set rulebase security rules Beaglerun-L2L-VPN log-setting QradarSyslogForwarder
set rulebase security rules Beaglerun-L2L-VPN disabled no

2 accepted solutions

Accepted Solutions

an ASA 70 line ACL probably means no more than 15 policies in PA. Personally I would just convert them myself manually in the GUI (and have).

 

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

 

also I don't believe all those commands, like setting source user to any is necessary.

 

also it's generally considered good practice to only log at session end. logging at session start is usually done only for troubleshooting purposes (you can reference the session browser prior to the session's termination)

--
CCNA Security, PCNSE7

View solution in original post

Cyber Elite
Cyber Elite

@palomed,

I just wanted to make sure that you knew you could actually combine all of those set commands into just one command. It would look like the following:

 

set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust to corp-vpn source RFC-1918 destination any application [ ssh ssh-tunnel ] service application-default action allow disabled no log-start yes log-setting QradarSyslogForwarder profile-setting group Corp-Default-SecPro-Block-nourl

 

Just a few notes:

-log-start being yes with no log-end setting is uncommon. Are you sure you didn't want to log-end yes and leave log-start as no, that would be the most common.

- A lot of these commands are kind of unnessassary. For example category, hip-profiles, and disabled no could all easily be left out as that is the assumed settings on a new security rule.

- Any set command can be combined but keep in mind that there is not an 'add' command so if you wish to add an application you will need to make sure your set command includes all applications you actually wish to have on the security policy.

View solution in original post

4 REPLIES 4

L6 Presenter

Not sure if MigrationTool can be of any help. To me, it is a policy-like look 

Do you have a link to the migration tool?

an ASA 70 line ACL probably means no more than 15 policies in PA. Personally I would just convert them myself manually in the GUI (and have).

 

https://live.paloaltonetworks.com/t5/Migration-Tool-Articles/Download-the-Migration-Tool/ta-p/56582

 

also I don't believe all those commands, like setting source user to any is necessary.

 

also it's generally considered good practice to only log at session end. logging at session start is usually done only for troubleshooting purposes (you can reference the session browser prior to the session's termination)

--
CCNA Security, PCNSE7

Cyber Elite
Cyber Elite

@palomed,

I just wanted to make sure that you knew you could actually combine all of those set commands into just one command. It would look like the following:

 

set rulebase security rules Beaglerun-L2L-VPN from corpfw2-untrust to corp-vpn source RFC-1918 destination any application [ ssh ssh-tunnel ] service application-default action allow disabled no log-start yes log-setting QradarSyslogForwarder profile-setting group Corp-Default-SecPro-Block-nourl

 

Just a few notes:

-log-start being yes with no log-end setting is uncommon. Are you sure you didn't want to log-end yes and leave log-start as no, that would be the most common.

- A lot of these commands are kind of unnessassary. For example category, hip-profiles, and disabled no could all easily be left out as that is the assumed settings on a new security rule.

- Any set command can be combined but keep in mind that there is not an 'add' command so if you wish to add an application you will need to make sure your set command includes all applications you actually wish to have on the security policy.

  • 2 accepted solutions
  • 4696 Views
  • 4 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!