Migration without Expedition


L2 Linker

Hello

If I wanted to migrate from Checkpoint to Palo with Panorama, but not use Expedition, what would be the general steps?

 

Thank you for your time.


5 REPLIES 5

Cyber Elite

@MrWonderful,

You would essentially be rebuilding the entire configuration and duplicating what you already have configured on the checkpoint. That's actually a good thing in my mind because it gives you a chance to review your existing configuration and only move over what you actually currently need, while also "palotizing" the configuration. 

Hi @BPry,

Fully agree with the review and the "palotization", but I would still use Expedition and do the review there. Remove what is not required, replace ports with applications, etc., and then generate the PAN config.

@MrWonderful "Work smart, not hard" - why would you prefer to waste time and energy configuring all of the objects and rules when the tool does it for you in the blink of an eye?

@aleksandar.astardzhiev Long story short....because my employer is making me do it that way.

Well @MrWonderful,

You can still use the Expedition tool to do the bulk work and convert all network objects and apply them on the new firewall. That way you can configure the rules one by one manually. I would still suggest using Expedition for the rules: adjust the rules (replace known ports with applications, remove unused rules, etc.), generate set commands and apply them on the new FW manually.

L2 Linker

I would use the Expedition for the initial import and massage the configuration from there. Depending on your DB it's a lot of work to recreate a policy set and you are bound to make some copy/paste errors. With the bulk change tools in Expedition it's easy to change context, names and add policies to zones.
