Webinar Agenda
Q&A
Page 2 |
Migration
Features
Migration
Tool Features
Configuration
Migration
o Migrates Security policies
o Migrates NAT policies (Check Point only)
o Address objects (including groups)
o Service objects (including groups)
o Route table entries
Configuration
Editor
Configuration
Consolidation
Automation saves time
Reduces migration errors
Supported Vendors
Supported Firewall configuration migrations
Vendor
OS Versions supported
Cisco ASA/PIX/FWSM
Cisco IOS
Juniper/NetScreen
Check Point
Fortinet
Cisco PIX/ASA
Juniper/NetScreen
Check Point
Fortinet
TBD
TBD
TBD
TBD
VPN Configuration
TBD
TBD
TBD
TBD
TBD
Rule Conversion
Topics
Security Zone
Migration
Security Policy
Migration
Object Conversion
Static Routes
Address Objects
Address Groups
Address Ranges
Services
Service Groups
Services Ranges
Migration Walk-Through
Migration Steps
1. Obtain the production firewall configuration files
Required files
CheckPoint
objects_5_0.C
routes.txt
PolicyName.W
rulebases_5_0.fws (optional - for migrating comments)
Cisco
config_cisco.txt
Juniper/NetScreen
config_screenos.txt
Warning messages and policy editor needed
objects
Note: All migrated objects are
warning messages
These messages point to non-TCP/UDP service objects that need to be reviewed and corrected prior to generating the XML config file
Refreshes the Security Policy page to reflect any changes made to address and service objects and zone assignments made to route entries
Assigns the source and destination zone by referencing the route entries
Enable
Disable
Delete
Merge
Save
Search windows can be used to search for specific address and service objects used in the security policies
migrated security policies
Pay attention to the Zone assignments
The IPs and IP subnets are read in the security policies and compared against the route table entries to assign the Source and Destination zones in the policies
The default is to assign any for the Zone
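The zone assignment described above, written out as an added example that is not the Migration Tool's own code: each address in a rule is matched against the route table, the most specific route whose prefix contains the address gives the zone, and anything no route covers keeps the default "any". The route entries, zone names and rules below are constructed samples, and the review flag for a policy subnet that is wider than a more specific route into another zone is an extra check this example adds, not something the page documents.

```python
import ipaddress

# Constructed sample route table (destination prefix, zone of the egress
# interface). Not taken from the page; the zone names are placeholders.
SAMPLE_ROUTES = [
    ("0.0.0.0/0", "untrust"),
    ("10.0.0.0/8", "trust"),
    ("10.10.0.0/16", "dmz"),
    ("192.168.1.0/24", "trust"),
]

# Constructed sample rules as the tool might hold them before zones are
# assigned (source/destination entries are IPs, subnets or "any").
SAMPLE_RULES = [
    {"name": "web-in", "source": ["any"], "destination": ["10.10.5.7"]},
    {"name": "corp-out", "source": ["10.0.0.0/8"], "destination": ["any"]},
    {"name": "v6-test", "source": ["2001:db8::1"], "destination": ["any"]},
]


def build_route_table(routes):
    """Parse (prefix, zone) pairs and order them most specific first."""
    table = [(ipaddress.ip_network(prefix), zone) for prefix, zone in routes]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def zone_for(address, table, default="any"):
    """Return (zone, needs_review) for one address used in a policy.

    The zone comes from the most specific route whose destination prefix
    contains the address. needs_review is True when no route covers the
    address, or when the policy subnet is wider than a more specific route
    that points into a different zone (the rule then really spans two
    zones, so "any" or a split rule may be the right answer).
    """
    if address.lower() == "any":
        return default, False
    net = ipaddress.ip_network(address, strict=False)
    for route_net, zone in table:
        if route_net.version == net.version and net.subnet_of(route_net):
            spans = any(
                other.version == net.version
                and other != route_net
                and other.subnet_of(net)
                and other_zone != zone
                for other, other_zone in table
            )
            return zone, spans
    return default, True


def assign_rule_zones(rule, table):
    """Add source_zone/destination_zone lists and review flags to a rule."""
    out = dict(rule)
    for side in ("source", "destination"):
        zones, review = set(), False
        for address in rule[side]:
            zone, flag = zone_for(address, table)
            zones.add(zone)
            review = review or flag
        out[side + "_zone"] = sorted(zones)
        out[side + "_review"] = review
    return out


def assign_all(rules=SAMPLE_RULES, routes=SAMPLE_ROUTES):
    """Assign zones to every rule using the given route table."""
    table = build_route_table(routes)
    return [assign_rule_zones(rule, table) for rule in rules]


if __name__ == "__main__":
    for rule in assign_all():
        flagged = rule["source_review"] or rule["destination_review"]
        print(rule["name"], rule["source_zone"], "->", rule["destination_zone"],
              "(review)" if flagged else "")
```

Rules whose review flag is set are the ones worth checking by hand before the XML config is generated: the "corp-out" sample covers 10.0.0.0/8, which contains the more specific dmz route, so a single source zone cannot be correct for the whole subnet.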
Choose Auto Assign Zone to transfer the Zones to the security policies
address objects
Service and address objects can be edited to correct any errors
file
Common errors are address objects migrated with invalid addresses or netmasks
Corrections can be made by issuing the Reload Data function
or
firewall
2) Virtual-Router
Default gateway
Static Routes
3) Security Policies
Security Policies:
Destination Zone assignments
Convert service port to appID policies where needed
4) NAT policies
NAT Policies:
Create source and destination NAT policies (as needed)
5) Custom Services
TOOLS
Beyond Migrations
Tools
The new Tools section is created to help in some
Migration Translator
The translator process can help you to migrate a policy
OLD_IP;NEW_NAME;NEW_IP
OLD_ZONE_NAME;NEW_ZONE_NAME
Migration Tool we get all the security policies and all the interface and zone information, but we want to migrate only some zones and only the rules affected by these zones
We must create a CSV file called (translate-zones.csv) the
OLD_ZONE_NAME;OLD_ZONE_NAME
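The two translation files described in this Tools section (OLD_IP;NEW_NAME;NEW_IP for addresses, OLD_ZONE_NAME;NEW_ZONE_NAME for zones) applied to a set of migrated rules, as an added example that is not the Migration Translator's own code. The file contents and rules are constructed samples; the example assumes the files carry no header row, that the address file is named translate-addresses.csv (the page only names translate-zones.csv), and that a rule with zone "any" counts as affected by the mapped zones.

```python
import csv
import io

# Constructed sample translation files (not from the page). Column orders
# follow the slides: OLD_IP;NEW_NAME;NEW_IP and OLD_ZONE_NAME;NEW_ZONE_NAME.
# Assumption: no header row. "translate-addresses.csv" is a placeholder name.
ADDRESS_CSV = """10.1.1.10;web-01;10.20.1.10
10.1.1.11;web-02;10.20.1.11
"""
ZONE_CSV = """inside;trust
dmz;dmz-web
"""

# Constructed sample rules as exported from the source firewall.
SAMPLE_RULES = [
    {"name": "web-in", "from": ["outside"], "to": ["inside"],
     "source": ["any"], "destination": ["10.1.1.10"]},
    {"name": "guest", "from": ["outside"], "to": ["guest"],
     "source": ["any"], "destination": ["10.9.9.9"]},
    {"name": "mgmt", "from": ["any"], "to": ["dmz"],
     "source": ["10.1.1.11"], "destination": ["10.1.1.10"]},
]


def parse_semicolon_csv(text, columns):
    """Parse a ';'-separated file into {first column: tuple(other columns)}.

    Blank lines are skipped. A row with the wrong field count or a
    duplicate key is rejected, so a malformed file cannot silently map
    one object or zone to two different targets.
    """
    mapping = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text), delimiter=";"), 1):
        if not row or all(not cell.strip() for cell in row):
            continue
        if len(row) != columns:
            raise ValueError(f"line {lineno}: expected {columns} fields, got {len(row)}")
        key, *rest = (cell.strip() for cell in row)
        if key in mapping:
            raise ValueError(f"line {lineno}: duplicate entry for {key}")
        mapping[key] = tuple(rest)
    return mapping


def load_translations(address_csv=ADDRESS_CSV, zone_csv=ZONE_CSV):
    """Return (old_ip -> (new_name, new_ip), old_zone -> new_zone)."""
    addr_map = parse_semicolon_csv(address_csv, 3)
    zone_map = {old: new[0] for old, new in parse_semicolon_csv(zone_csv, 2).items()}
    return addr_map, zone_map


def translate_rules(rules, addr_map, zone_map):
    """Keep only rules that touch a mapped zone, rename their zones and
    rewrite mapped addresses. Returns (kept rules, address objects to create)."""
    kept, address_objects = [], {}
    for rule in rules:
        # Assumption: a rule with zone "any" applies to the mapped zones too.
        touched = [z for z in rule["from"] + rule["to"] if z in zone_map or z == "any"]
        if not touched:
            continue
        new = dict(rule)
        new["from"] = [zone_map.get(z, z) for z in rule["from"]]
        new["to"] = [zone_map.get(z, z) for z in rule["to"]]
        for side in ("source", "destination"):
            rewritten = []
            for addr in rule[side]:
                if addr in addr_map:
                    name, new_ip = addr_map[addr]
                    address_objects[name] = new_ip
                    rewritten.append(name)  # rule now references the object by name
                else:
                    rewritten.append(addr)
            new[side] = rewritten
        kept.append(new)
    return kept, address_objects


def run(rules=SAMPLE_RULES):
    """Load both translation files and apply them to the sample rules."""
    addr_map, zone_map = load_translations()
    return translate_rules(rules, addr_map, zone_map)


if __name__ == "__main__":
    rules, objects = run()
    for rule in rules:
        print(rule["name"], rule["from"], "->", rule["to"], rule["source"], rule["destination"])
    print("address objects:", objects)
```

Rules that reference no mapped zone (the "guest" sample) are dropped, which is the point of translating only some zones; anything the strict parser rejects should be fixed in the CSV rather than worked around, since a duplicate or short row would otherwise leave a rule pointing at the wrong zone.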
Practical demo
Let's get to it
Appendix A:
Downloading and Installing the Migration
Server software
methods:
Note: Please do not contact the general Palo Alto Networks support hotline for
questions related to the use or installation of the Migration software. The standard
Palo Alto Networks support is not available for assistance with this software.
OS Versions supported
VMware Player
VMware ESX
CPU
P4 or newer
RAM
1 GB
HDD
2 GB
Interface
After accessing the management console, upgrade the migration software to the latest version. The upgrade process uses SSH to contact the update server; if the upgrade process fails, verify that your network firewall is allowing outbound SSH connections from the virtual machine.
Menu Tools
FROM: Choose the firewall config to migrate (Fortinet migration support will be added in an upcoming release)
NetScreen/Juniper Migration
The file you upload must be called config_screenos.txt
You can obtain the configuration file from the WebUI: Configuration Update Config File,
or from the CLI: capture the output of get conf and save it to a text file
1. objects_5_0.C
2. PolicyName.W
3. routes.txt
The name of the policy file (referred to here as PolicyName.W)
will have whatever name you assigned it, but look for a .W
extension associated with it in the SmartCenter/management
console.
The rulebases_5_0.fws is not required but is recommended to
Run the setup or ifconfig utility from the CLI and follow the menu to assign an IP address to be used by the Migration software for access
Note: when using the ifconfig option the IP address is not saved and will be lost after a reboot. IP assignment using the setup utility is saved.