Firewall Configuration Migration Tool
Technical Training for OS v 1.6.1
Albert Estevez Polo
aestevez@paloaltonetworks.com
Webinar Agenda
Migration Tool Overview
Demo of a Check Point configuration migration
Q&A
Firewall Configuration Migration Training - June 2011
Migration Tool Introduction
Palo Alto Networks migration toolkit, offered free of charge to qualified partners to assist with migration projects
Migration Tool Features
Configuration Migration
o Migrates Security policies
o Migrates NAT policies (Check Point only)
o Address objects (including groups)
o Service objects (including groups)
o Route table entries
Configuration Editor
o Offline security policy editor
o Edit address objects
o Edit service objects
o Edit Zones
Configuration Consolidation
o Useful tool when consolidating multiple firewall configurations
o Merges a new configuration into a production firewall configuration
Migration Tool Benefits
A standard migration flow (Firewall Migration Process):
1. Network design and requirements analysis
2. Migrate the existing firewall rules and objects
3. Review the migrated rules and objects
4. Finalize the firewall configuration
5. Functional testing and validation
6. Cutover to the new firewall
7. Post cutover monitoring and policy tuning
Benefits: automation saves time and reduces migration errors
Supported Vendors
Supported Firewall configuration migrations
Vendor              | OS Versions supported
Cisco ASA/PIX/FWSM  | PIX OS: 6.0.x, 7.x, 8.x; ASA OS: 7.x, 8.0-8.1
Cisco IOS           | IOS 11.x and newer, extended ACLs only
Juniper/NetScreen   | ScreenOS ver 5.x for NetScreen and SSG platforms (SRX Jun-OS configs are not supported)
Check Point         | FW-1 R65, R70, R71, R75 are supported
Fortinet            | FortiOS 3.x, 4.x
Note: configurations will be converted to PAN-OS .xml format that can be directly imported into a Palo Alto Networks firewall
Migration Features List
Vendor columns: Cisco IOS, Cisco PIX/ASA, Juniper/NetScreen, Check Point, Fortinet
Rule Conversion Topics:
- Security Zone Migration
- Security Policy Migration
- NAT Rule Migration: TBD (marked TBD for four of the five vendors; NAT policies are migrated for Check Point only, per the feature list above)
- VPN Configuration: TBD (all vendors)
Object Conversion:
- Static Routes
- Address Objects
- Address Groups
- Address Ranges
- Services
- Service Groups
- Services Ranges
Migration Walk-Through
Migration Steps
1. Obtain the production firewall configuration files
2. Import the firewall configuration into the migration tool
3. Review the migration logs and migrated rules and objects
4. Review the migrated security policies
5. Correct any configuration incompatibilities and generate a
PAN-OS XML configuration file
6. Import and Load the generated configuration
7. Finalize the configuration on the Palo Alto Networks firewall
1. Obtain the Production Firewall Configuration Files
See Appendix B for the steps to export and format Cisco, Check Point and Juniper/NetScreen configuration files.
Prior to importing, the respective configuration files must be named using the following conventions (note: file names are case sensitive):
Configuration       | Required files
Check Point         | objects_5_0.C, routes.txt, PolicyName.W, rulebases_5_0.fws (optional - for migrating comments)
Cisco               | config_cisco.txt
Juniper/NetScreen   | config_screenos.txt
2. Import the production firewall configuration file
Open the Web interface and upload the configuration:
HTTP://<IP Address of Migration Server>
Choose the source of the configuration file and a pop-up window will appear to import the config files.
3. Review the migrated logs and objects
Screenshot callouts: "Review and edit objects"; "Warning messages and policy editor"
3. Review the migrated logs and objects (cont'd)
The objects to review window allows for viewing and editing of the address and service objects and route entries.
The route entries are used for Zone assignments in the security policies.
For Check Point configs the Zones must be manually entered.
For NetScreen, Fortinet and Cisco ASA configs the Zones will be learned from the configuration.
Zones can be renamed as needed.
3. Review the migrated logs and objects (cont'd)
Review the address and service objects.
Note: not all migrated objects are displayed; only objects that need to be reviewed are listed.
Object values can be manually edited in the review pane by clicking on the value.
3. Review the migration logs and warnings
Pay particular attention to warning messages.
These messages point to implicit NAT rules that were not migrated.
Warning messages also point to non-TCP/UDP service objects that need to be reviewed and corrected prior to generating the XML config file.
4. Review the migrated Security Policies
Security Policy Editor menu options:
Refresh          | Refreshes the Security Policy page to reflect any changes made to address and service objects and zone assignments made to route entries
Auto Assign Zone | Assigns the source and destination zone by referencing the route entries
Enable           | Enables a security policy
Disable          | Disables a security policy
Delete           | Deletes a security policy
Merge            | Merges security policies
Save             | Saves the changes (after enabling, disabling and merging policies)
Search windows can be used to search for specific address and service objects used in the security policies.
4. Review the migrated Security Policies
Review and edit the migrated security policies. Pay attention to the Zone assignments.
Click a field in the security policy to open the security policy editing window.
Edit the objects in the security policy and click Save.
The window must be manually closed after editing and saving.
4. Review the migrated Security Policies
Security policy zone assignments
Zones are learned from the Route entries.
The IPs and IP subnets are read in the security policies and compared against the route table entries to assign the Source and Destination zones in the policies.
The default is to assign any for the Zone.
Edit the Zone option in the Interfaces and zones window.
A red hash indicates the setting has not been saved.
4. Review the migrated Security Policies
Security policy zone assignments (cont'd)
After editing the Zone settings, click Save.
In the Security Policy Editor choose Auto Assign Zone to re-assign the source and destination zone in the security policy configurations (this transfers the Zones to the security policies).
The migration software will make a best effort to assign the zones in the security policy.
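The zone assignment described above (policy addresses compared against route entries, default any), shown as an added example written for this training text; it is not the Migration Tool's own code. The route entries, zone names and policies are constructed, and the "all members must agree, else any" rule is an assumption about how a best-effort assignment behaves.

```python
import ipaddress
from typing import Dict, List, Tuple

# Constructed sample route entries (not tool output): each prefix from the
# route table paired with the zone assigned to it in the Interfaces and
# zones window.
ROUTE_ENTRIES: List[Tuple[str, str]] = [
    ("0.0.0.0/0", "Untrust"),
    ("10.0.0.0/8", "Trust"),
    ("10.10.0.0/16", "DMZ"),
    ("192.168.100.0/24", "Trust"),
]

# Constructed migrated policies whose members are still raw IPs/subnets or "any".
POLICIES: List[Dict] = [
    {"name": "web-in", "src": ["any"], "dst": ["10.10.5.20/32"]},
    {"name": "lan-out", "src": ["10.1.2.0/24"], "dst": ["any"]},
    {"name": "mgmt", "src": ["192.168.100.10/32"], "dst": ["10.10.0.0/16"]},
    {"name": "mixed", "src": ["10.1.0.0/16", "10.10.1.0/24"], "dst": ["any"]},
    {"name": "v6", "src": ["2001:db8::1/128"], "dst": ["any"]},
]


def build_route_table(entries):
    """Parse the prefixes and sort them most specific first, so the first
    matching route is the longest-prefix match."""
    table = [(ipaddress.ip_network(p, strict=False), z) for p, z in entries]
    return sorted(table, key=lambda r: r[0].prefixlen, reverse=True)


def zone_for(value: str, table) -> str:
    """Map one address value to a zone via the route table. 'any', a value
    that is not an IP/subnet, or an address no route covers keeps 'any'."""
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        return "any"
    for route, zone in table:
        if net.version == route.version and net.subnet_of(route):
            return zone
    return "any"


def assign_zones(policy: Dict, table) -> Dict:
    """Assumed best-effort rule: every member of a side is resolved and the
    zone is set only when all members agree; otherwise the side stays 'any'."""
    out = dict(policy)
    for side, key in (("src", "from"), ("dst", "to")):
        zones = {zone_for(v, table) for v in policy[side]}
        out[key] = zones.pop() if len(zones) == 1 else "any"
    return out


def needs_review(policies: List[Dict]) -> List[str]:
    """Policies where a side with concrete addresses still ended up 'any':
    members in different zones, or addresses the route table does not cover."""
    flagged = []
    for p in policies:
        if any(p[key] == "any" and p[side] != ["any"]
               for side, key in (("src", "from"), ("dst", "to"))):
            flagged.append(p["name"])
    return flagged


if __name__ == "__main__":
    table = build_route_table(ROUTE_ENTRIES)
    assigned = [assign_zones(p, table) for p in POLICIES]
    for p in assigned:
        print(f"{p['name']:8} from={p['from']:8} to={p['to']}")
    print("review:", needs_review(assigned))
```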
5. Generating a PAN-OS configuration file
Configure the management settings using the Device Config tab.
Note: If importing a PAN-OS config to use the Config Editor or Config Consolidator options, the management settings will be copied from the imported PAN-OS config file.
Screenshot callouts: "Objects to review"; "Device Config"
5. Generating a PAN-OS configuration file
Generate a configuration file after reviewing and correcting the objects listed in the warning logs.
Any errors will be displayed when generating the XML file.
Use the Reload Data option to correct errors related to the address objects.
Service and address objects can be edited to correct any errors.
5. Generating a PAN-OS configuration file
Create XML will generate a PAN-OS configuration file using the migrated objects and policies.
Note: the version 3.x setting (Create XML version 3.x) generates a config file that is compatible with PAN-OS 3.x and 4.0.x.
5. Generating a PAN-OS configuration file
Review and correct any errors displayed when creating the configuration file.
Common errors are address objects migrated with invalid addresses or netmasks.
Corrections can be made by issuing the Reload Data function or by manually editing the object.
5. Generating a PAN-OS configuration file
After correcting the errors, start the Create XML function.
Choose L3 to maintain the Zone assignments in the security policies.
The L2 option is used primarily when migrating Transparent firewall configurations from NetScreen and Cisco FWSM.
The L2 configuration replaces the source and destination zones in the security policies with a default of Trust.
5. Generating a PAN-OS configuration file
The config file is saved as a zip file.
Unzip and import the XML configuration file into your Palo Alto Networks firewall.
6. Import and Load the configuration file
Import the migrated config file into your Palo Alto Firewall.
This step assumes you have previously assigned a management IP and can access the management console via HTTPS or SSH (this example will use HTTPS).
6. Import and Load the configuration file
Load the migrated config file into your Palo Alto Firewall.
---- Do not Commit until you have thoroughly reviewed and finalized the configuration ----
7. Finalizing the Configuration
Configuration review checklist:
1) Network - Configure the Interfaces:
   - Mode (L2, Vwire, L3)
   - IP Address
   - Zone assignment
2) Virtual-Router:
   - Default gateway
   - Static Routes
3) Security Policies:
   - Destination Zone assignments
   - Convert service port to App-ID policies where needed
4) NAT Policies:
   - Create source and destination NAT policies (as needed)
5) Custom Services:
   - Consolidate services where possible to remove duplicate and overlapping objects
   - Review any custom services to verify the port assignments
7. Finalizing the Configuration
After reviewing and finalizing the migrated configuration, commit the changes.
At this stage the firewall will have a base configuration including the migrated objects and policies. Once the base configuration is committed, you can configure advanced settings such as SSL VPN, IPSec VPN, User-ID, etc. Please see the PAN-OS Administrator guide or the Palo Alto Networks Knowledgebase for documentation on how to configure specific features.
Tools: Beyond Migrations
The new Tools section was created to help in migrations where it is not necessary to migrate everything from the legacy device to your new Palo Alto Networks next-generation device, and you want to make some changes to the configuration, or perhaps delete many unused objects before cleaning up rules, for example.
2011 Palo Alto Networks. Proprietary and Confidential.
Migration Translator
The translator process can help you migrate a policy where some address objects will change their name and/or their address: you have an OLD object (based on its IP address) that needs to be changed to, optionally, a new IP address, a new name, or both.
Another feature included: if you want to change the OLD IP address 1.1.1.1 and the OLD name is like asdf-1.1.1.1-host, the tool will automatically replace the OLD IP address in the name with the new one, without having to write the new name into the CSV file required for this (translate.csv).
The CSV file must be filled with this field order (; separated):
OLD_IP;NEW_NAME;NEW_IP
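An added example of applying a translate.csv in the OLD_IP;NEW_NAME;NEW_IP order described above, written for this text rather than taken from the Migration Tool. The address objects, rules and CSV rows are constructed, and the exact precedence (NEW_NAME wins; otherwise an old IP embedded in the name is rewritten) is an assumption drawn from the slide's description.

```python
import csv
import io
import re
from typing import Dict, List, Tuple

# Constructed migrated address objects (name -> IP), not output of the tool.
ADDRESS_OBJECTS: Dict[str, str] = {
    "asdf-1.1.1.1-host": "1.1.1.1",
    "db-server": "10.20.30.40",
    "legacy-proxy": "10.20.30.41",
    "untouched": "192.0.2.7",
}

# Constructed translate.csv in the OLD_IP;NEW_NAME;NEW_IP order the slide gives.
# Row 1: new IP only (name is derived). Row 2: rename only. Row 3: both.
TRANSLATE_CSV = """\
1.1.1.1;;2.2.2.2
10.20.30.40;db-server-new;
10.20.30.41;proxy-new;10.20.30.91
"""

# Constructed rules that reference the objects by name.
POLICIES: List[Dict] = [
    {"name": "r1", "src": ["asdf-1.1.1.1-host"], "dst": ["db-server", "untouched"]},
]


def parse_translate_csv(text: str) -> List[Tuple[str, str, str]]:
    """Read ';'-separated rows, tolerating blank lines and short rows."""
    rows = []
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if not rec or not rec[0].strip():
            continue
        old_ip, new_name, new_ip = [f.strip() for f in (rec + ["", ""])[:3]]
        rows.append((old_ip, new_name, new_ip))
    return rows


def rename_embedded_ip(name: str, old_ip: str, new_ip: str) -> str:
    """Replace old_ip inside a name only as a whole dotted token, so that
    1.1.1.1 does not clobber 11.1.1.1 or 1.1.1.10."""
    pat = re.compile(r"(?<![0-9.])" + re.escape(old_ip) + r"(?![0-9.])")
    return pat.sub(new_ip, name)


def translate_addresses(objects, rules):
    """Assumed translator behaviour: an object whose value equals OLD_IP gets
    NEW_IP (if given) and NEW_NAME (if given); with no NEW_NAME, an old IP
    embedded in the name (asdf-1.1.1.1-host) is rewritten to the new IP."""
    by_ip = {old: (name, ip) for old, name, ip in rules}
    new_objects, renames = {}, {}
    for name, value in objects.items():
        if value not in by_ip:
            new_objects[name] = value
            continue
        new_name, new_ip = by_ip[value]
        target = new_name or (rename_embedded_ip(name, value, new_ip) if new_ip else name)
        new_objects[target] = new_ip or value
        if target != name:
            renames[name] = target
    return new_objects, renames


def apply_renames(policies, renames):
    """Rewrite rule members so policies keep referencing the renamed objects."""
    return [{**p, "src": [renames.get(m, m) for m in p["src"]],
             "dst": [renames.get(m, m) for m in p["dst"]]} for p in policies]


if __name__ == "__main__":
    objs, ren = translate_addresses(ADDRESS_OBJECTS, parse_translate_csv(TRANSLATE_CSV))
    print(objs, ren, apply_renames(POLICIES, ren), sep="\n")
```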
Migration Zone Translator
In big migrations it is sometimes necessary to change the zone names on the new platform because of design requirements.
If the zone name is auto-retrieved from the configuration, as with Cisco, Juniper or Fortinet, we can use this feature to say which OLD zone name will be translated to a NEW one, and change all the affected rules as well.
The file must be created with the name translate-zones.csv and its internal format is:
OLD_ZONE_NAME;NEW_ZONE_NAME
Migration Split Config
In some situations, when we import a configuration into the Migration Tool we get all the security policies and all the interface and zone information, but we want to migrate only some zones and only the rules affected by those zones.
We must create a CSV file called translate-zones.csv, the same as when using the Zone Translator, and write inside it only the zones that we want to use in our migration; the rest of the zones in the configuration will be erased, along with all the rules affected.
If you don't want to change the name of the zones you must fill the CSV file like this:
OLD_ZONE_NAME;OLD_ZONE_NAME
Calculate Unused Objects
The system performs an initial check for used and unused objects. But if you make changes, add or delete rules, or use other tools like the Config Splitter, it is common to end up with many objects that were used at the beginning but are not used now.
Using this feature the system rechecks all the objects against the policies to determine whether each is used or not, and updates the statistics in the Generate Report option.
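One added example covering the Zone Translator, Split Config and Calculate Unused Objects sections above: a translate-zones.csv is applied to constructed zones and rules, and the unused-object count is recomputed after the split. This is illustrative code written for this text, not the Migration Tool's implementation; the zone names, rules and objects are constructed.

```python
import csv
import io
from typing import Dict, List

# Constructed translate-zones.csv (OLD_ZONE_NAME;NEW_ZONE_NAME). 'inside' is
# renamed to Trust; 'dmz' is listed under its own name to keep it unchanged;
# 'outside' and 'guest' are absent, so Split Config drops them and their rules.
TRANSLATE_ZONES_CSV = """\
inside;Trust
dmz;dmz
"""

ZONES = ["inside", "dmz", "outside", "guest"]
# Constructed rules, not tool output; each references address/service objects.
RULES: List[Dict] = [
    {"name": "lan-to-dmz", "from": "inside", "to": "dmz",
     "src": ["lan-net"], "dst": ["web1"], "svc": ["tcp-8443"]},
    {"name": "guest-out", "from": "guest", "to": "outside",
     "src": ["guest-net"], "dst": ["any"], "svc": ["tcp-80"]},
    {"name": "dmz-to-lan", "from": "dmz", "to": "inside",
     "src": ["web1"], "dst": ["db1"], "svc": ["tcp-1521"]},
    {"name": "lan-to-inet", "from": "inside", "to": "outside",
     "src": ["lan-net"], "dst": ["any"], "svc": ["tcp-80"]},
]
ADDRESS_OBJECTS = ["lan-net", "guest-net", "web1", "db1", "printer"]
SERVICE_OBJECTS = ["tcp-8443", "tcp-1521", "tcp-80"]


def parse_zone_csv(text: str) -> Dict[str, str]:
    """OLD -> NEW zone map; a row with an empty second field maps to itself."""
    zone_map = {}
    for rec in csv.reader(io.StringIO(text), delimiter=";"):
        if not rec or not rec[0].strip():
            continue
        old = rec[0].strip()
        new = rec[1].strip() if len(rec) > 1 and rec[1].strip() else old
        zone_map[old] = new
    return zone_map


def split_and_translate(zones, rules, zone_map):
    """Keep only the zones listed in the CSV (renamed as mapped) and only the
    rules whose from- and to-zones are both kept; everything else is dropped."""
    kept_zones = [zone_map[z] for z in zones if z in zone_map]
    kept_rules = [{**r, "from": zone_map[r["from"]], "to": zone_map[r["to"]]}
                  for r in rules if r["from"] in zone_map and r["to"] in zone_map]
    return kept_zones, kept_rules


def unused_objects(rules, addresses, services):
    """Recount which objects no remaining rule references (what Calculate
    Unused Objects does after a split or after rules were deleted)."""
    used_addr = {m for r in rules for m in r["src"] + r["dst"]}
    used_svc = {m for r in rules for m in r["svc"]}
    return sorted(set(addresses) - used_addr), sorted(set(services) - used_svc)


if __name__ == "__main__":
    zmap = parse_zone_csv(TRANSLATE_ZONES_CSV)
    print("before split:", unused_objects(RULES, ADDRESS_OBJECTS, SERVICE_OBJECTS))
    zones, rules = split_and_translate(ZONES, RULES, zmap)
    print("kept zones:", zones, "kept rules:", [r["name"] for r in rules])
    print("after split:", unused_objects(rules, ADDRESS_OBJECTS, SERVICE_OBJECTS))
```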
Hands-on Demo
Let's get to it
Appendix A: Downloading and Installing the Migration Server software
Obtaining the Migration Tool Software
The software is offered free of charge to Palo Alto Networks ACE partners. Contact your local Palo Alto Networks SE for access or request to be added to the Firewall Migration community on our Live website:
https://live.paloaltonetworks.com/index.jspa
Support is provided on a best effort basis via the following methods:
- Contacting your local Palo Alto Networks SE
- Sending an email to fwmigrate@paloaltonetworks.com
Note: Please do not contact the general Palo Alto Networks support hotline for questions related to the use or installation of the Migration software. The standard Palo Alto Networks support is not available for assistance with this software.
Running the Migration Tool Software
The Migration Tool is packaged as a virtual machine image that runs on VMware:
Platform       | OS Versions supported
VMware Player  | Version 3.1.1 and newer
VMware ESX     | Version 3.0 and newer
Hardware requirements are dependent on the VMware platform chosen (Player or ESX).
Recommended hardware:
CPU        | P4 or newer
RAM        | 1 GB
HDD        | 2 GB
Interface  | NAT and Bridged modes are supported
Running the Migration Server Virtual Machine
1. Unzip the Migration Tool virtual machine onto the host machine
2. Start your VMware player and choose: Open a Virtual Machine
3. Browse to the directory where the Migration Server files were unzipped and open the file MigrationToolVM.vmx
4. After installation, choose Play virtual machine to boot the VM
Running the Migration Server (cont'd)
5. When prompted for the virtual machine information, choose: I copied it
6. Upon booting, the Migration Server will acquire an IP address that can be accessed locally. The IP address that is configured will be displayed in the VMware console
Note: The default Network Adapter setting in VMware Player is to use NAT and acquire an IP address dynamically
Accessing the Migration Server
7. The Migration Tool server interface can be accessed locally by opening a browser to: http://<assigned IP address>
After accessing the management console, upgrade the migration software to the latest version. The upgrade process uses SSH to contact the update server; if the upgrade process fails, verify that your network firewall is allowing outbound SSH connections from the virtual machine.
Menu Tools
FROM: Choose the firewall config to migrate (Fortinet migration support will be added in an upcoming release)
SYSTEM: Management options for log management and software reboot
SETTINGS: Used to set the environment prior to starting a migration. Options include migrating just the objects or objects+rules. Can also set the extended mode to support longer object names
UPGRADE: Initiates the upgrade of the migration software. Internet access is required to upgrade the Migration Software OS
Appendix B: Exporting Existing Firewall Configurations
NetScreen/Juniper Migration
The file you upload must be called config_screenos.txt
You can obtain the configuration file from the WebUI: Configuration > Update > Config File
From the CLI, capture and save to a text file the output from: get conf
Cisco PIX/ASA/FWSM Migration
The file you upload must be called config_cisco.txt
Capture and save to a text file the output from: show run
Check Point Migration
Check Point migrations require three files:
1. objects_5_0.C
2. PolicyName.W
3. routes.txt
The name of the policy file (referred to here as PolicyName.W) will have whatever name you assigned it, but look for a .W extension associated with it in the SmartCenter/management console.
The rulebases_5_0.fws is not required but is recommended to be included for migration as it includes the object comments.
There are multiple methods to find and export the files. Some options will be listed in the following slides.
Check Point Migration (cont'd)
Export the objects_5_0.C, PolicyName.W and rulebases_5_0.fws files from the SmartCenter management console:
1. Close all SmartDashboard connections to SmartCenter
2. As a recommended precaution issue cpstop.exe to stop all Check Point services.
3. Log in to the CLI with administrator privileges or open Windows explorer for Windows installations
4. Navigate to the directory $FWDIR/conf to find the necessary files.
5. The objects_5_0.C and rulebases_5_0.fws will be named exactly. The Policy file will have the name assigned by the administrator, with a .W file extension
Check Point Migration (cont'd)
A second option to find the necessary files is to use the find command to search. Preferably you will want to issue the command from the SmartCenter server (quote the pattern so the shell does not expand it against the current directory first):
> find / -name '*.W'
Find the files that match the following:
- The .W file matches the policy file configured by the firewall administrator
- Export the objects and rulebases files found in the same directory where the policy file (.W) was found
Check Point Migration (cont'd)
Generating the routes.txt file:
1. Log in to the firewall CLI
2. Run the command: netstat -nr > routes.txt
3. Export the routes.txt file
Appendix C: Assigning an IP to the Migration Server
Assigning an IP Address to the Migration server
The default VMware Player setting is to enable DHCP.
Static IP assignment can also be configured using the steps below.
Log into the VM console using the admin account:
Username: admin Password: paloalto
Run the setup or ifconfig utility from the CLI and follow the menu to assign an IP address to be used by the Migration software for access.
Note: when using the ifconfig option the IP address is not saved and will be lost after a reboot. IP assignment using the setup utility is saved.