Palo Alto Expedition Tool - Fortigate Configuration Migration


L1 Bithead
Dear Team, I need to know how to migrate the Fortigate configuration file to the Palo Alto Expedition Tool. Please share any documentation specific to Fortigate to Palo Alto migration.
3 REPLIES

Cyber Elite

Hello,

Depending on the amount of policies in the Forti device, I always preferred to build everything from scratch. That way everything is already layer 7 and inspected.

 

https://docs.paloaltonetworks.com/best-practices/9-0/best-practices-for-migrating-to-application-bas...

 

Regards,

L4 Transporter

@ecesureshkumar I am not aware of Fortigate-specific documentation, but the Expedition guides are here:

 

https://live.paloaltonetworks.com/t5/Expedition-Articles/Expedition-Documentation/ta-p/215619

 

 

Cyber Elite

Hi @ecesureshkumar ,

 

There is a newer Expedition user guide here -> https://live.paloaltonetworks.com/t5/expedition-articles/expedition-user-guide-v1-2/ta-p/285157.  It is really good.  There are a few things I would like to highlight:

 

  1. The 1st PAN-OS configuration imported becomes your base config.  It doesn't matter at which step you load it.  I prefer to load the Day 1 Configuration on the new firewall, export it and import it into Expedition.  In that way, you will have many best practices configured.
  2. With regard to cleaning up objects, do the groups first.  Then click the green button in the lower right, and more unused member objects may show up.
  3. If the config is grayed-out or doesn't show, make sure you select the correct drop downs in the bottom right.  Most of the time, you will be working with vsys1.
  4. Clicking on the dashboard numbers will automatically enable a filter.  Clear filters in the top right.  You can also select predefined filters from right-click.
  5. Right-click and select Search and Replace to show you where in the config file an object is used.  After Search and Replace comes up, you have to check the box next to the object.
  6. If the config has ICMP in the security policy, importing the Palo Alto > Snippets > Custom Applications creates ICMP App-IDs.
  7. I like to export the XML and load on the firewall.  It will replace the entire config.  You could also use the API or load config partial.
  8. With regard to @OtakarKlier 's comment.  Expedition can sometimes cause commit errors because of XML syntax errors.  I always load these on a lab firewall first to fix the issues before the customer firewall.  However, for large configurations, Expedition saves me a LOT of time cleaning unused, duplicate, and invalid objects.  The resulting config is SO much better.  I prefer using it than doing the config from scratch.
  9. The majority of the commit errors are self-explanatory.  A very few times (both associated with IPsec) I got commit failures with no warning.  This article was useful -> https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000PMb2CAG.  You can always delete the offending config piece.

That's enough for now.  I love the tool.  If you have issues, send an email to fwmigrate@paloaltonetworks.com.

 

Thanks,

 

Tom

Help the community: Like helpful comments and mark solutions.
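
A pre-flight check in the spirit of items 2 and 8 above, as an added example that is not part of the thread and is not Expedition's own logic: it confirms the exported XML is well-formed and lists address groups and addresses that no rule reaches, evaluating groups first. It assumes the usual exported PAN-OS layout (`config/devices/entry/vsys/entry`), static address groups only, and references only in rule source and destination fields; the sample config and the function name `unused_objects` are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the usual exported PAN-OS layout (not from the thread).
SAMPLE = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1">
 <address>
  <entry name="web1"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
  <entry name="old-db"><ip-netmask>10.0.9.5/32</ip-netmask></entry>
  <entry name="old-app"><ip-netmask>10.0.9.6/32</ip-netmask></entry>
 </address>
 <address-group>
  <entry name="legacy"><static>
   <member>old-db</member><member>old-app</member></static></entry>
 </address-group>
 <rulebase><security><rules>
  <entry name="allow-web"><source><member>any</member></source>
   <destination><member>web1</member></destination></entry>
 </rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def unused_objects(xml_text, vsys="vsys1"):
    """Return (unused_groups, unused_addresses) for one vsys.

    Raises ET.ParseError if the export is not well-formed XML.
    """
    root = ET.fromstring(xml_text)  # fails here on broken XML syntax
    v = root.find(f"./devices/entry/vsys/entry[@name='{vsys}']")
    if v is None:
        raise ValueError(f"{vsys} not found in config")
    addrs = {e.get("name") for e in v.findall("./address/entry")}
    groups = {e.get("name"): {m.text for m in e.findall("./static/member")}
              for e in v.findall("./address-group/entry")}
    # Names referenced directly by any rule's source or destination.
    used = set()
    for field in ("source", "destination"):
        used |= {m.text for m in v.findall(f"./rulebase//rules/entry/{field}/member")}
    # Groups first: only members of groups that are still in use stay alive.
    live, todo = set(), [g for g in groups if g in used]
    while todo:
        g = todo.pop()
        if g not in live:
            live.add(g)
            used |= groups[g]
            todo += [m for m in groups[g] if m in groups]
    return sorted(set(groups) - live), sorted(addrs - used)


if __name__ == "__main__":
    print(unused_objects(SAMPLE))
```

Well-formed XML can still fail a commit on schema or reference errors, so this does not replace loading the config on a lab firewall first.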