About Jonathan_C

Hi @Kaliman, what I ended up doing with this was to get the objects and policies out of the Watchguard in a spreadsheet, then using pandevice wrote some code to push it programmatically to the PANW.   Once you have that, then fix the security profile groups. I was lucky enough the migration I worked on was on some small firewalls so the policy wasn't crazy complex   hope this helps ... View more

" you tell the primary to use OktaSSOPri and you tell the secondary to use OktaSSOSec, those settings should stay unique after a commit and config sync"   You would expect so, I agree with you. This is not the case though. If I tell the Primary to use "OktaSSOPri" and the secondary to use "OktaSSOSec" I end up with both firewalls using one or the other but not separate due to the sync process   "I don't understand the use case of having different login info between an HA pair"   When you use Okta for admin access, you provide the landing page, which is essentially the login page for the firewalls, since the devices have different hostnames and different management IP addresses Okta treats these as two separate profiles and generates different metadata for those profiles, this is the reason you end up needing different auth profile in the HA pair ... View more

" You'll need to set two different auth profiles ("OktaSSOPri", "OktaSSOSec" for example), and set the active to use one and passive to use the other."   I have tried this, however because the auth profile syncs between both firewalls I end up with the same profile on both everytime. I have set "OktaSSOSec" on the passive device and I end up with the same profile on the primary, which doesn't makes sense to me. So no matter the order both FWs end up with the same profile and Okta then works for one and not the other.    Have you managed to get around this and get Okta admin access working on both devices of the HA pair?   I have raised this with support and been told they are aware of the issue but not in the pipeline to fix it. ... View more

@BatD I ended up taking a mixed approach. The security policies on the Watchguard were less than a 100 so I got the table from the web interface and moved it to an Excel spreadsheet. From there worked out the address objects and address groups and put then in PANW format in a different spreadsheet.   Once I had the basic policy looking like a PANW policy, I used Pandevice (https://pandevice.readthedocs.io/en/latest/configtree.html) to write a script and load the policies and objects onto the new firewalls.   The NATs on the other hand, was a completely manual process as I had to match all the possible traffic flows. It was a bit of a process but once I got the first FW correct the other 3 were fairly straight forward.   @alestevez I agree with you, Watchguards are not common on the enterprise but as businesses grow and mature they are moving to an enterprise platform, hence the question. PA-200 wouldn't be considered enterprise for example but they are good enough for remote sites or small business that want to take a step towards modern firewalls. I can get you a configuration file from one of the old boxes. ... View more