Featured Posts

CCIE-Journals

CCIE-Journals
From Student to Engineer,a journey of discovery.

ASA to palo alto Migration

January 20, 2023    No comments

Migrating from an ASA firewall to a Palo Alto firewall requires a few steps to ensure a smooth transition:

  1. Backup the current ASA configuration: This can be done by using the "write memory" command on the ASA to save the configuration to a file.

  2. Create a new configuration on the Palo Alto firewall: This can be done by manually configuring the firewall using the web interface or by importing a configuration file.

  3. Configure network settings on the Palo Alto firewall: This includes configuring interfaces, zones, virtual routers, and routing protocols.

  4. Configure security policies on the Palo Alto firewall: This includes creating security rules and setting up security zones.

  5. Test the new configuration: Once the configuration is complete, test it by connecting to the network and ensuring that all traffic is flowing as expected.

  6. Cutover: Once testing is complete, switch traffic over to the new firewall by changing the routing or firewall rules on your network devices.

  7. Monitor and troubleshoot: Monitor the new firewall for any issues and troubleshoot as needed.



Migration using expedition tool

The general process for migrating with Expedition tool is as follows:

  1. Install Expedition: Download and install the Expedition tool on a computer that has access to both the ASA and the Palo Alto firewall.

  2. Backup the current ASA configuration: This can be done by using the "write memory" command on the ASA to save the configuration to a file.

  3. Start the migration process: Open Expedition and select the ASA configuration file. The tool will automatically parse the configuration and display the options for migration.

  4. Configure the migration: Use the options in Expedition to configure the migration, such as selecting which elements of the configuration to migrate, and what to name the objects in the new configuration.

  5. Create the new configuration: Use Expedition to create the new configuration on the Palo Alto firewall.

  6. Test the new configuration: Once the configuration is complete, test it by connecting to the network and ensuring that all traffic is flowing as expected.

  7. Cutover: Once testing is complete, switch traffic over to the new firewall by changing the routing or firewall rules on your network devices.

  8. Monitor and troubleshoot: Monitor the new firewall for any issues and troubleshoot as needed.


There are few things to keep in mind when using expedetion as we have double check few components


  1. Limited compatibility: While Expedition supports a wide range of firewall vendors, it may not be compatible with all models or firmware versions.

  2. Complexity: Expedition can be complex to use, and it may require a certain level of technical expertise to properly configure and use the tool.

  3. Inaccuracies: In some cases, the tool may not correctly interpret certain elements of the configuration, resulting in inaccuracies in the migrated configuration.

  4. Limited capabilities: Expedition may not be able to migrate all aspects of a configuration, such as custom scripts or certain advanced features.

  5. Additional manual configuration: Even if Expedition is used, it may be necessary to manually configure some elements of the new firewall, such as routing protocols or VPNs.

After the configuration has been migrated using the Expedition tool, it is important to manually validate certain elements of the new configuration to ensure that they are working correctly. This can include:

  1. Routing protocols: Verify that routing protocols, such as OSPF or BGP, have been configured correctly and that routes are being learned and advertised as expected.

  2. Interfaces and zones: Verify that interfaces and zones have been configured correctly and that traffic is flowing as expected.

  3. Security policies: Verify that security policies have been configured correctly and that traffic is being allowed or denied as expected.

  4. VPNs: Verify that VPNs, such as site-to-site or remote access VPNs, have been configured correctly and that they are working as expected.

  5. Advanced features: Check that the advanced features like Application-ID, User-ID, and others that have been used in the ASA firewall, have been configured correctly in the new firewall.

  6. Custom scripts or commands: Manually validate any custom scripts or commands that were in the original configuration, as these may not have been migrated by the Expedition tool.


It is important to thoroughly test the new configuration to ensure that it is working correctly and that all necessary elements have been migrated. It is also important to plan for a maintenance window, during which the migration can take place, and to have a rollback plan in place in case the migration is not successful.

0 comments:

Post a Comment

Subscribe to: Post Comments (Atom)