New to the Palo Alto platform and have a migration question

Showing results for 
Show  only  | Search instead for 
Did you mean: 

New to the Palo Alto platform and have a migration question

L1 Bithead

I am fairly new to the company I work for and have inherited a network that has two ISP's with two firewalls.  One firewall is an older ASA and the other is a small Sonicwall.


I have pretty good experience with the ASA platform.  However, the Sonicwall is new.


They currently have a DMZ configured on the Sonicwall using something called "Transparent Mode".  From my ASA experience, it seems to act a little like NAT exemption.  The purpose of this DMZ is to allow specific "inside" traffic to reach a server using an inside private address range.  Then that server functions as sort of a proxy that is connected "transparently" to the outside using a public IP address.


The purpose of this set-up is meet PCI requirements.


My question is, how could this be migrated to a PA-3050 platform?  Virtualwire?  


In the ASA world, I would create a DMZ that uses a private address space exclusively for that zone and create NAT and ACL rules that control traffic into and out of the zone to the outside.  Additionally, I would use NAT exemption and ACLs on the inside interface to allow inside sourced traffic to reach hosts in the DMZ without being NAT'ed and according to the ACL rules.


L2 Linker

I would try to use the migration tool to migrate a sonicwall/asa config to a PANW config:


- Regards,



Are you going to move over the entire configurations from SonicWall to PANW?


Or do you want similar functionaly on the PANW, much like the SonicWall and ASA thats already configured?

L6 Presenter

I'm not failiar with Sonicwall. But that server sounds like classical proxy and has nothing to do with any special modes on firewall. The only question is if this proxy server has 2 interfaces (on with private and one with public IP) or just a single interface on private IP and then FW does SNAT to public IP.

Virtual wire in PA is literally just a wire: a pair of ports that act like a wire, no IP, no MAC address.



L1 Bithead



We did a successful migration from ASA to Palo Alto Firewall, the migration tools comes in handy when you want to convert the traditonal Layer3-Layer4 rules with an exception of NAT policies. You need to make sure Migration tool is capable of supporting SONIC wall,


Personnaly I didnt rely much on the migraiton tool and if the number of rules are less then migrating in phased way would be better or even in one go, we did over 15,000 rules migraiton spanning over 10 zone. Our aprroach was in phases and we took it zone by zone based on each rule.

Yes it was time consuming but the out come was awesome as we were able to conver the rules based on App id, user id along with security pofiles.


Based on my experience manual migration is the best approach to achieve the better results.





I find Migration tool very useful. I did numerous migrations (from ASA, Juniper, Checkpoint) and every time it was almost 100% accurate. 

But I don't think it supports Sonic wall. 

Have been busy on several other projects and I am just now getting back to this.


My plan is to insert the PA3050 into the network with TAP interfaces to get a handle on what is actually traversing the network.


Eventually, the plan is to migrate the functionality of both the SonicWall and the ASA into the PA3050.


Since I did the original post, I did find out a little more about how the "Transparent Mode" works.



“Transparent mode is like the device having a Public IP and "sharing" the WAN subnet BUT is still fully protected by the firewall and security services (IPS/Gateway AV, etc) with no NAT to get in the way.”


This is the only zone functionality in either firewall that I am not sure how to configure in the PA3050.  Everything else seems to have a logical PaloAlto version that can be figured out. and would give us the same functionality.


Of course, that functionality is not nearly as robust as what the PA3050 is capable of - but at least we could do away with the other two devices.  Then I can concentrate on applying those more advanced features.


Ok, i think i understand what they mean. No other (serious) FW has this. But it can be easily be sorted.


If you have a lot of public IPs and don't mind sacrificing a couple (for broadcast, network, gw...) set up a DMZ with public IPs on PA. This will also allow you best control over servers in that segment.


If you can't afford that make a virtual wire pair of ports and connect that server through it. 



Yep, those were the only two options I could come up with as well.


I was leaning more to using the virtual wire approach but wanted to make sure I was thinking this out correctly.


Thanks for your assistance on this.


Best Regards


Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!