Migration without Expedition

L2 Linker

Hello

If I wanted to migrate from Checkpoint to Palo with Panorama, but not use Expedition, what would be the general steps?

 

Thank you for your time.


Accepted Solutions
L4 Transporter

Well @MrWonderful ,

 

You can still use the Expedition tool to do the bulk work and convert all network objects and apply them on the new firewall. That way you can configure the rules one by one manually. I would still suggest using Expedition for the rules: adjust the rules (replace known ports with applications, remove unused rules, etc.), generate set commands and apply them on the new FW manually.

 

 


All Replies
Cyber Elite

@MrWonderful,

You would essentially be rebuilding the entire configuration and duplicating what you already have configured on the Checkpoint. That's actually a good thing in my mind because it gives you a chance to review your existing configuration and only move over what you actually currently need, while also "palotizing" the configuration.

L4 Transporter

Hi @BPry ,

 

Fully agree with the review and the "palotization", but I would still use Expedition and do the review there. Remove what is not required, replace ports with applications, etc., and then generate the PAN config.

 

@MrWonderful "Work smart, not hard" - why would you prefer to waste time and energy configuring all of the objects and rules when the tool does it for you in the blink of an eye?

L2 Linker

@AlexanderAstardzhiev Long story short....because my employer is making me do it that way.

L2 Linker

I would use the Expedition for the initial import and massage the configuration from there. Depending on your DB it's a lot of work to recreate a policy set and you are bound to make some copy/paste errors. With the bulk change tools in Expedition it's easy to change context, names and add policies to zones.
