
Palo Alto Networks

Migration Tool Version 3.0


Users Guide





Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
http://www.paloaltonetworks.com/contact/contact/

About this Guide


This guide takes you through the use of the new Palo Alto Networks Migration Tool 3. It is
designed for users with previous knowledge of the PAN-OS platform.
The Palo Alto Networks Migration Tool 3 replaces previous versions of the Migration Tool. Refer to the following
resources for additional information:
For information on the additional capabilities of Palo Alto Networks firewalls and for instructions
on configuring the features on the firewall, refer to
https://www.paloaltonetworks.com/documentation. 
To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com. 
To access the Community, which includes the knowledge base, discussion forums, and videos,
refer to https://live.paloaltonetworks.com. 
To contact the migration team, refer to fwmigrate@paloaltonetworks.com
To manage your account or devices go to the support portal: support.paloaltonetworks.com
For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates. 

Palo Alto Networks, Inc.


www.paloaltonetworks.com © 2015 Palo Alto Networks. All rights reserved. Palo Alto Networks and Palo Alto Networks
Migration Tool 3 are registered trademarks of Palo Alto Networks, Inc.
Revision Date: January 9, 2015
Table of Contents

Overview .....................................................................................................1
How the System Works ...............................................................................2
The Main Dashboard ..................................................................................3
Dashboard Elements ..................................................................................3
System Commands ..........................................................................3
System Resources (Usage) .............................................................4
Projects ............................................................................................4
Add New Projects ...........................................................................5
Load Selected .................................................................................5
Filter ................................................................................................5
Remove ...........................................................................................5
Remove All ......................................................................................5
Devices ............................................................................................6
Snippets ...........................................................................................6
Updates ............................................................................................7
Help ..................................................................................................7
The Workflow ..............................................................................................8
Migration Projects ..........................................................................8
Optimization Projects ....................................................................9
Working with the Palo Alto Networks Migration Tool 3 ............................11
Main Controls ...............................................................................17
Import Another Vendor's Configuration Files ...........................17
Configure Plugins ........................................................................21
Monitor Logs and Reports ..........................................................25
Manage Policies ...........................................................................27
Manage Networks, Virtual Routers, Routing, and Zones .........36
Create the Output, Generate Configuration, Push it Through
the API ...........................................................................................46
Sample Project Step-by-step guide. ......................................................54

Overview
The main objective of the Palo Alto Networks Migration Tool 3 is to assist
network security administrators, professional consultants, or anyone working
on migration, rules optimization, security controls validation, App-ID
implementation, or deployment of converted or new configurations to
devices directly connected to the Palo Alto Networks Migration Tool 3 or
using exported XML files as needed.

The Palo Alto Networks Migration Tool 3 is derived from the successful Migration
Tool used by the Palo Alto Networks Professional Services Organization and Channel
Partners. It's an evolution of the Migration Tool into a configuration platform that
allows you not only to migrate configurations, but to enhance, optimize, add, remove, or
edit elements, ultimately converting the legacy device rules into a next-generation
model by creating App-ID rules based on real traffic acquired from devices being installed
or already in production. The Palo Alto Networks Migration Tool 3 is a valuable asset
for network security administrators who need or want to keep their rulebases in a
pristine state.

Chapter 1
How the System Works
The Palo Alto Networks Migration Tool 3 has a database that tracks each task
you are doing and also contains the data you would find within any Palo Alto
Networks device. The new migration tool is delivered as a package in a
Virtual Machine; you need a virtual environment to run the Palo Alto Networks
Migration Tool 3, on MS Windows, Mac OS X, or Linux.

Your entire interaction with the tool takes place via a web interface, from which you can
also restart or shut down the application, clear the system logs, and restart the database.
A constant resource meter will display the CPU, RAM, and disk space utilized within
the Virtual Machine. Also the version and patches will be visible from this main panel
when you start the Palo Alto Networks Migration Tool 3.

You can load several configs, merge them into different candidate configs, and then
release these new configurations to PAN-OS 6.x using API calls or by exporting
them to a standard XML file. You will be able to merge one or more candidate
configurations into a new or existing PAN-OS configuration.

You will be able to import active PAN-OS configurations, and tweak, edit, cut or
manipulate the elements, perform a multi-edit throughout the XML elements in your
present (imported) configuration file without the need to edit any code.

The Main Dashboard
With the Virtual Machine running, point your browser to the VM's IP address to reach the
following screen:

This dashboard is the starting point for every project, new or existing.

Dashboard Elements
System Commands
System commands are split into two categories: System and Operations.

The System commands control the functionality of the Palo Alto Networks Migration
Tool 3 and offer two functions: Restart and Shutdown. These functions control the
application hosted by the Virtual Machine, and it sometimes might be useful to restart
the application state when you import or create a new project, or to refresh system
resources if needed.

The Operations commands control system variables such as the logs and database.
There are two functions: Clear System Logs, and Restart Database.

Clear System Logs resets the application logs, as well as the local system logs (not the
device's logs).

Restart Database restarts the database engine without requiring a reboot of the entire
system. This may be useful when a table re-index or reset is needed.

System Resources (Usage)


Usage displays the usage of resources within the Virtual Environment.

If you see high CPU usage you may experience slower performance on conversions or on API
calls sending configuration to a device.
Use the refresh icon for updated statistics.

! Note
The CPU and total task performance is also related to the type
of device being used to receive the API calls.

Projects
The Projects tab is where you create or remove projects.

If you have a large number of projects in the Palo Alto Networks Migration Tool 3,
you can filter projects by Name or Tags (customer name if applicable).

! Note When creating or deleting filters, use the refresh button next to the
Filter field to ensure that you are seeing the most up-to-date
project list.

Add New Projects


Click Add New Project and then enter a Name for the project. Optionally add a Tag
to be used as an easy search key in the future (e.g., the customer name).
You can also import any existing App-IDs, threat signatures, URL categories, or
regions from registered devices (Devices tab).

Load Selected
Click Load Selected to load the selected project into the system; at this point you will
start the Migration Tool 3.

Filter
The filter will help you find, among several projects created, the one you want to load
into your system. It will filter by project Name and Tag previously created on each
project.

Remove
Click Remove to remove the selected project. Apply a filter first to narrow the list of
projects you are selecting from.

Remove All
Click Remove All to delete all projects you have in the system independently of any
filters you have selected at the moment.

Devices
Use the Devices tab to add devices (firewalls or Panorama) to target for migration, to
use as a data source in a Connector, or to import application signatures, threat
signatures, URL categories, and regions when creating a new project.

Snippets
Snippets are a new and powerful feature to enable you to keep and save XML code for
reuse by the Palo Alto Networks Migration Tool 3. You will be able to create App-ID
signatures by copying them from a running device and then saving them on the system
to be reused in other projects in the future.

Use the Snippets tab on the main Dashboard to createsnippets for use throughout the
Palo Alto Networks Migration Tool 3. You can create specific Snippets for specific
PAN-OS versions from 4.0 up to 6.1, which will be updated as new feature releases are
added. You can create the following categories of Snippets:

Addresses, App-ID, AV_Profile, File_Profile, IPS_Profile, Log-Profile,


URL_Profile, Services, and Custom_Reports.

You can apply Snippets to a single policy or a group of policies.

To maintain the list of Snippets, use the Add, Remove (selected) or Remove All
buttons on the bottom bar. You can also select the Type of Snippet to filter on by
selecting a value from the drop-down and search for a text within the filter. If you want
to search for all Snippets, simply use All as your filter selection.

Updates
The Updates tab connects your Palo Alto Networks Migration Tool 3 directly to
conversionupdates.paloaltonetworks.com. To do this, the Virtual Machine must to be
able to resolve this name over the Internet (proper DNS configuration).
Use the Update button to retrieve regular updates.

Make sure you also have a rule on your firewall as depicted on the right side of this tab.

You may also need to configure the proxy server


settings if the Palo Alto Networks Migration
Tool is behind a proxy.

Help
The Help tab displays the content of this guide as well as updated content as new
features are added or patched by the developers.

Chapter 2
The Workflow
The Palo Alto Networks Migration Tool 3 provides a simplified migration workflow.
In addition, the Palo Alto Networks Migration Tool 3 now also enables you
to perform configuration changes, App-ID migration, profile distribution,
response page customization, firewall policy optimization, NAT rule
creation, and much more. Let's divide our workflow into two primary categories:
Migration Projects
Optimization Projects

Migration Projects
1. Create a new project.
2. Configure a device (when possible).
3. Import the source firewall configuration file. You can import a configuration
from a PAN-OS, Cisco, Check Point, Juniper SRX, ScreenOS, Fortinet,
Sidewinder, or Algosec device.
4. Import a clean base configuration (either from a firewall or from Panorama).
Note: If you select a configured device for your base configuration you do not
need to load a base configuration file.
5. Manage objects, services, applications, and profiles.
6. Configure and name the interfaces for the candidate configuration.
7. Manage zones, virtual routers, and virtual wires when available.
8. Manage virtual systems.
9. Prepare a final and clean configuration to be sent to your devices, via API calls
when devices are configured or by exporting the XML.
10. Send your base configuration to the device, merged with the configuration
imported from the legacy vendor, using either API calls or regular XML
files.
Migration in the new tool is similar to how it was done in previous versions of the
Migration Tool. Although the base task is the same, new logical workflows provide a
more efficient way of handling the data from one device to another. Now you can
migrate from a single device to a single target (one to one), from multiple configuration
files to a single destination (many to one), or to multiple Device Groups and Templates
on a Panorama base configuration (many to many).

For Migration projects you can now merge configurations into one or multiple virtual
systems, or simply merge the new configuration with an existing PAN-OS
configuration and optimize the duplicated objects (different name, same IP address),
services, and groups, split groups with more than 500 objects into a new dynamic object,
and update all the security policies and NAT rules affected. You will be able to lock a
specific rule (or a group of rules) to keep grouped changes from affecting them. You also
have the flexibility to update one, a selected group, or all security policy rules with a
new log forwarding profile or security profiles, which improves your work efficiency
and enriches the migration task.

Optimization Projects
1. Create a new Project or load an existing one.
2. Configure a device (when possible).
3. Load the offline XML or load the device configuration from the Devices tab.
4. Manage objects, services, applications, and profiles, and remove any incorrect
elements.
5. Organize the security policy and NAT rules in the most efficient way.
6. Validate all the warnings displayed on specific rules.
7. Create a Collector and associate it with a device for log reading and
App-ID creation.
8. Check for all App-IDs that have been created and analyze the unknown traffic.
If possible create new App-IDs from the unknown traffic.
9. Send your base configuration to the device, merged with the imported config
(from a legacy vendor), using either API calls or regular XML files.

Following the same basic workflow of a migration project, create an optimization
project to help you clean up the security policy, make the NAT policy more efficient,
and eliminate duplicated objects.

After completing a migration project, you can still go back and create a Collector that
will use the Devices you defined on the main Dashboard. With that in place you can
collect traffic data from up to seven days ago and use the App-ID Reconciliation
option to generate Layer 7 rules for you based on real data from the logs. For the
unknown traffic you can still analyze and generate a new App-ID for each one of
them.

You can repeat this process as often as necessary to validate traffic and migrate rules
into the next-generation firewall, converting your established port-based security policies
into App-ID rules.
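As an added example (not the tool's Collector code), the following shows the reconciliation step over PAN-OS traffic logs: it builds the documented type=log query and fetch requests of the PAN-OS XML API, reduces the returned log entries to the applications seen per legacy rule, and keeps unknown-tcp, unknown-udp and incomplete sessions apart as the unknown traffic still to be analysed. The device name, rule name and the five log records are constructed for the example.

```python
"""Added example: App-ID reconciliation over PAN-OS traffic logs.
Illustrative code, not the Migration Tool's own Collector. Host, key, rule name
and the log records are constructed; only the API parameters are the documented ones."""
import urllib.parse
import xml.etree.ElementTree as ET
from collections import defaultdict

# App names PAN-OS assigns when it could not identify the session. They must not
# become the application of a new Layer 7 rule; they are the "unknown" bucket that
# still needs manual analysis or a custom App-ID.
NOT_AN_APP = {"unknown-tcp", "unknown-udp", "incomplete", "insufficient-data"}


def log_query_request(host, key, rule, since, nlogs=5000, port=443):
    """type=log starts an asynchronous traffic-log query and returns a job id.
    'since' is a PAN-OS timestamp string such as '2015/01/02 00:00:00'."""
    query = f"(rule eq '{rule}') and (receive_time geq '{since}')"
    params = {"type": "log", "log-type": "traffic", "query": query,
              "nlogs": str(nlogs), "key": key}
    return f"https://{host}:{port}/api/?" + urllib.parse.urlencode(params)


def log_get_request(host, key, job_id, port=443):
    """Fetch the result of a finished log query job."""
    params = {"type": "log", "action": "get", "job-id": str(job_id), "key": key}
    return f"https://{host}:{port}/api/?" + urllib.parse.urlencode(params)


def parse_traffic_logs(xml_text):
    """Extract the fields reconciliation needs from each <entry> of a log response."""
    root = ET.fromstring(xml_text)
    rows = []
    for e in root.iter("entry"):
        rows.append({"rule": e.findtext("rule"), "from": e.findtext("from"),
                     "to": e.findtext("to"), "dst": e.findtext("dst"),
                     "proto": e.findtext("proto"), "dport": int(e.findtext("dport") or 0),
                     "app": e.findtext("app"), "bytes": int(e.findtext("bytes") or 0)})
    return rows


def reconcile(rows):
    """Per legacy rule: the App-IDs observed (session and byte counts, most sessions
    first) and the unidentified flows, keyed by (proto, dport, dst)."""
    per_rule = {}
    for r in rows:
        bucket = per_rule.setdefault(r["rule"], {"apps": defaultdict(lambda: [0, 0]),
                                                 "unknown": defaultdict(int)})
        if r["app"] in NOT_AN_APP:
            bucket["unknown"][(r["proto"], r["dport"], r["dst"])] += 1
        else:
            bucket["apps"][r["app"]][0] += 1
            bucket["apps"][r["app"]][1] += r["bytes"]
    return {rule: {"apps": {a: {"sessions": s, "bytes": b} for a, (s, b) in
                            sorted(v["apps"].items(), key=lambda kv: -kv[1][0])},
                   "unknown": dict(v["unknown"])}
            for rule, v in per_rule.items()}


def application_element(apps):
    """The <application> element of the converted rule, in PAN-OS XML form."""
    el = ET.Element("application")
    for a in apps:
        ET.SubElement(el, "member").text = a
    return ET.tostring(el, encoding="unicode")


# Constructed log response in the shape of type=log&action=get output (not a real capture).
SAMPLE_LOG_XML = """<response status="success"><result><job><status>FIN</status></job>
<log><logs count="5" progress="100">
<entry><rule>allow-dmz-any-tcp</rule><from>untrust</from><to>dmz</to><dst>10.2.0.5</dst>
  <proto>tcp</proto><dport>443</dport><app>ssl</app><bytes>48211</bytes></entry>
<entry><rule>allow-dmz-any-tcp</rule><from>untrust</from><to>dmz</to><dst>10.2.0.5</dst>
  <proto>tcp</proto><dport>443</dport><app>ssl</app><bytes>9120</bytes></entry>
<entry><rule>allow-dmz-any-tcp</rule><from>untrust</from><to>dmz</to><dst>10.2.0.5</dst>
  <proto>tcp</proto><dport>80</dport><app>web-browsing</app><bytes>3300</bytes></entry>
<entry><rule>allow-dmz-any-tcp</rule><from>untrust</from><to>dmz</to><dst>10.2.0.5</dst>
  <proto>tcp</proto><dport>8443</dport><app>unknown-tcp</app><bytes>712</bytes></entry>
<entry><rule>allow-dmz-any-tcp</rule><from>untrust</from><to>dmz</to><dst>10.2.0.7</dst>
  <proto>tcp</proto><dport>25</dport><app>incomplete</app><bytes>0</bytes></entry>
</logs></log></result></response>"""

if __name__ == "__main__":
    recon = reconcile(parse_traffic_logs(SAMPLE_LOG_XML))
    for rule, r in recon.items():
        print(rule, "->", application_element(r["apps"]))
        for flow, n in r["unknown"].items():
            print("  still unknown:", flow, "sessions:", n)
```

The unknown bucket is what you would inspect (or capture with a PCAP) before writing a custom App-ID; a rule that still allows "any" application for those flows should not be converted until that is resolved, otherwise the migrated rule silently drops the traffic the legacy rule permitted.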

Chapter 3
Working with the Palo Alto Networks
Migration Tool 3
Up to this point you were introduced to the Palo Alto Networks Migration
Tool 3 and its operation model, as well as its logic and workflow. Now let's
put it all together and go over a project lifecycle.

Let's create a migration project and import rules from a Cisco ASA (the legacy
device) into our new firewall running PAN-OS. For this scenario we need access
to the new firewall so that we can merge its current policy with the migrated policy.
1. Create a new project and name it accordingly.

2. Click Add New Project. Enter the project Name, and a Tag that will help
you find the project later (for example, the company's name). We are not
importing any apps or profiles just yet.
3. Click Initialize Database. You will see the new project on the Dashboard as
follows:

The name and Tag represent the new project. The App-ID Adoption meter indicates
how far this project is from being fully converted to the next-generation firewall,
that is, how many of its policy rules have been converted to leverage App-ID.
Select the project and click Load Selected.

! Note Alternatively, double-click on the project name to load it.

You may have many projects saved. It is important to keep a good naming convention
and to make use of the Tag feature so you can filter (or search) for the project or
group of projects to remove without affecting other projects.
Right after creating a project you should see the following screen:

In this scenario we will connect to our PAN-OS device from the Palo Alto Networks
Migration Tool and migrate the legacy configuration by merging it with the current
configuration on the PAN-OS device. However, the Devices tab is only available from the
Main Dashboard, and because we are creating the project for the first time the system
has brought us straight to the stage where the legacy configuration is imported and
other tasks are performed. Let's click Exit to leave this project and return to the Main
Dashboard to configure our Device.

We could add a new device later using the Import configuration from other Vendors
option, but let's go back and create it before entering the project.
At the Main Dashboard select the Devices tab and click Add New Device.

To define the device in the Palo Alto Networks Device window, enter a Device
Name. Enter a Hostname, which can be the DNS name of the device (if DNS is
already configured) or the host IP address. By default, the Port is set to 443 (the default
HTTPS port). Change this port number if management access to your Palo Alto
Networks device uses a different port. Select the proper Model of your Palo Alto
Networks device, give it a Description, and then enter the Username and Password
used to access the firewall. Save the settings. The tool stores these credentials and uses
them to generate an API key, so an administrator account dedicated to the migration, with
no more rights than the task needs, is preferable to a shared superuser account.

You should receive the following message confirming device creation.

Click OK to go back to the Main Dashboard on the Devices tab. The Device will now
display on the list of available Devices.

Double-click the new device entry (or any device in the Devices tab) to display
information about the device as well as the API key that was generated when you
added the device:

The API key is required to send commands via API calls when you are ready to
add, remove, or change any objects on the device. The API key is specific to each Palo
Alto Networks device and can only be retrieved with valid administrator credentials.
Treat it as you would those credentials: anyone holding the key can make the same API
calls as that administrator, so keep it out of logs, screenshots, and shared documents.
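As an added example (not code from the Migration Tool or its guide), here is what the tool does with that key at the API level, written against the documented PAN-OS XML API: obtain a key with type=keygen, stage one address object in the candidate configuration with type=config&action=set, and queue a commit. Request building and response parsing are kept separate from the network call so they can be checked offline; the host name, credentials, object and the response documents are constructed for the example.

```python
"""Added example: the PAN-OS XML API calls behind a configured device.
Illustrative code, not the Migration Tool's own. Host, credentials, the address
object and the sample responses are constructed for the example."""
import ssl
import urllib.parse
import urllib.request
import xml.etree.ElementTree as ET


def _url(host, port, params):
    return f"https://{host}:{port}/api/?" + urllib.parse.urlencode(params)


def keygen_request(host, user, password, port=443):
    """type=keygen: exchange admin credentials for an API key. The credentials
    travel in the query string, so only ever send this over TLS and keep the
    URL out of logs and shell history."""
    return _url(host, port, {"type": "keygen", "user": user, "password": password})


def parse_keygen_response(xml_text):
    """Return the key, or raise with the firewall's message on failure."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise PermissionError(root.findtext(".//msg") or "keygen failed")
    return root.findtext("./result/key")


def address_xpath(vsys, name):
    return ("/config/devices/entry[@name='localhost.localdomain']"
            f"/vsys/entry[@name='{vsys}']/address/entry[@name='{name}']")


def set_address_request(host, key, vsys, name, ip_netmask, port=443):
    """type=config&action=set: create or update one address object in the
    candidate configuration. Nothing is live until a commit succeeds."""
    elem = ET.Element("ip-netmask")
    elem.text = ip_netmask
    return _url(host, port, {"type": "config", "action": "set", "key": key,
                             "xpath": address_xpath(vsys, name),
                             "element": ET.tostring(elem, encoding="unicode")})


def commit_request(host, key, port=443):
    """type=commit queues a commit job; poll it with type=op&cmd=<show><jobs>...."""
    return _url(host, port, {"type": "commit", "cmd": "<commit></commit>", "key": key})


def parse_status(xml_text):
    """(status, code, message, job) from any API response; job is the commit
    job id when one was enqueued, otherwise None."""
    root = ET.fromstring(xml_text)
    message = root.findtext(".//line") or (root.findtext(".//msg") or "").strip()
    return root.get("status"), root.get("code"), message, root.findtext("./result/job")


def send(url, cafile=None, timeout=30):
    """GET with certificate verification on. Pass cafile to trust the firewall's
    own CA instead of the system store; never disable verification, since the
    key or the credentials ride in the request."""
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


# Constructed responses in the documented response shape (not captured from a device).
SAMPLE_KEYGEN_OK = ("<response status='success'><result>"
                    "<key>LUFRPT1example-not-a-real-key</key></result></response>")
SAMPLE_KEYGEN_BAD = ("<response status='error' code='403'><result>"
                     "<msg>Invalid Credential</msg></result></response>")
SAMPLE_SET_OK = "<response status='success' code='20'><msg>command succeeded</msg></response>"
SAMPLE_COMMIT = ("<response status='success' code='19'><result><msg>"
                 "<line>Commit job enqueued with jobid 5</line></msg><job>5</job>"
                 "</result></response>")

if __name__ == "__main__":
    key = parse_keygen_response(SAMPLE_KEYGEN_OK)
    print(set_address_request("fw.example.com", key, "vsys1", "web-01", "10.1.1.10/32"))
    print(parse_status(SAMPLE_SET_OK))
    print(parse_status(SAMPLE_COMMIT))
```

Both the key and the credentials travel in the query string, which is why send() keeps the default TLS context and only allows swapping in a CA file; a tool that is allowed to skip certificate checks would hand the administrator's key to anyone on the management path. The set call only changes the candidate configuration; the commit job is what makes it effective, so an automated push should check the job result rather than the set response.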

Now that we have finished creating the project and adding our device, lets load the
project once again and continue with the workflow.

Go to the Projects tab and double-click the project you just created.

When the project loads a new screen will be shown with the current project statistics.

From here on we are in the system and working on the project named MyProject.

Main Controls
From left to right you will find 13 icons; each one's function is shown in its tool tip
(mouse over the icon).

These controls are:

1. Global Summary
2. Import configuration files from other vendors and a base PAN-OS configuration or device
3. Configure plugins, activate features, and set up views
4. Monitor Logs and Reports
5. Manage Policies
6. Manage objects: addresses, services, applications, and profiles
7. Manage Interfaces, Virtual Routers, Virtual Wires, Routing, and Zones
8. Manage Device, Virtual Systems, server profiles, and response pages
9. Create the output, generate the configuration, and push it to the device via the API
10. Take a configuration snapshot
11. Reload all (refresh the current screen)
12. Undo (load the last auto-saved configuration)
13. Exit this project and return to the Main Dashboard

Import Another Vendor's Configuration Files


Continuing with our workflow, let's now import the legacy configuration file from
another vendor, in our case a Cisco ASA device. Select the Cisco tab from the Import
from other Vendors command, the second icon from the top.

You may now choose to import a single Cisco configuration file or a set of files (a batch,
that is, several Cisco configuration files compressed into one zip file) and so have several
rulebases to import, from one device or multiple devices depending on your setup. For
this exercise we will import a single file by clicking Browse in the Upload File
section.

After you upload the file it will immediately begin importing into the Palo Alto
Networks Migration Tool as follows:

That's the importing process taking place; it also informs you about the resources
being used by the Virtual Machine to complete the task. After the import
completes, the Manage Policies screen displays the imported rules.

! Note If you imported many config files, make sure you are working
on the proper file selected on your top right corner.

Import the Base Configuration File or Specify a Configured Device

Import a base configuration to use as the output for the migration.

You can use a blank template created from one or more Palo Alto Networks devices,
such as a firewall or a Panorama device. You may have different clean configuration
files for each version to which you intend to migrate the candidate(s) configuration(s).

If you have configured or intend to configure a device (from the Devices tab) you can
load that device as your base configuration because you will send your imported
configuration files to it.

In the image above, we are importing a clean configuration file from a firewall running
PAN-OS 6.1.1 to be loaded as our base configuration if needed.

For the rest of our guide we will use the configured device (page 14).

The difference between using a base configuration and using a configured device is
that the configured device requires connectivity from the tool to the device. If no
access to the configured device is available, you can fall back to the base
configuration and export the final XML file to be imported later on the target
device (firewall or Panorama).

Configure Plugins
The next step is to configure the Log Connector profiles. These Connectors read the
logs from the configured devices (from the Devices tab).

These Collectors assist you during the migration, and also the customer's SOC
engineers in their ongoing operations after migration, by capturing real log data
for App-ID reconciliation and for proper unknown-tcp and unknown-udp analysis.
They also enable the SOC engineers to create new App-IDs (based on the Layer 3 and
Layer 4 information in the device's logs).

To create a new Log Connector Profile, click Add Connector.

When you add a new Log Connector Profile you will be prompted to enter
information about the device you want to connect to. In addition, you can specify how
far back on this devices logs you want to go, from the last 60 seconds up to the last 30
days of traffic.
If you are running multiple virtual systems on the device, you must select the vsys from
which to read logs.

If you are creating a Log Connector Profile and pointing it to a Panorama device you
may use the Panorama for reporting. The Log Connector will read from these reports
as well.
The 3rd Party Connector option at the bottom allows you to connect to other vendors
log systems such as Syslog, Splunk, and ArcSight. This feature is not yet deployed on
version 3.0.

On the same screen where you create the Log Connector there is a drop-down menu
where you select whether to operate against a PAN-OS firewall (Panos) or Panorama. The
options change depending on whether you plan to get logs from a firewall or from Panorama.

After you create the Log Connector Profile and select Panorama from the drop-down,
a new icon is added to your top menu (for Panorama), which provides two
left tabs: one for Device Groups and one for Templates.

Use the bottom buttons to add or remove each component on each tab.

Notice that when adding templates you may also prepare these objects to be virtual-system
ready. Choose the operational mode in which you want to deploy the
template (Normal, FIPS, or CC), and select VPN Disable Mode if applicable.

Monitor Logs and Reports

After a successful import, a log is created to display the steps taken by the Palo Alto
Networks Migration Tool (No Action required) and which things you must do
manually (Check it manually). These statuses are easily found for each event as
follows:

Besides Monitor Logs and Reports, where you may find detailed logs and
recommended actions, the new Palo Alto Networks Migration Tool 3.0 offers a
debug screen where you can look in depth at the tool's own logs, for debugging issues
related to your migration or to the Migration Tool 3.0 itself.

Manage Policies

Looking at the panel above, you will find six main command areas that you must be
aware of:

1 Vsys and Active Selection

Here you select which virtual system (vsys) to work with and which configuration file
or configuration base file you are working with at the moment.

2 Main tabs control

These are the main controls described on page 16.

3 Left tab: Policies control (Security, NAT, Application Override).

Once imported, security policies are converted into this panel following PAN-OS
standards.
The same happens with NAT rules, which are converted following PAN-OS
standards. In some cases NAT rules are created and the Security Policies (derived
from these NAT policies) have their names changed and a warning sign is shown
on the referred Security Policy.
Application Override policies can be created here as well as imported from other
PAN-OS configuration files.

4 Bottom controls are different controls for Security Policies, NAT, and Application
Override.

Security Policy controls allow you to add new rules, remove selected rules, clone
selected policies, enable or disable selected policies, perform auto zone assignment for
the entire security policy, lock and unlock selected rules to prevent any global changes
to apply to these rules, multi-edit all selected rules, combine selected rules into the first
one, and for Panorama migration projects, convert selected rules into Pre- or Post-
Rules.

NAT Policy controls have a similar function to the Security Policy controls, with the
exception of multi-edits and combining rules into the first selected.

Application Override controls are similar to the NAT Policy controls, without the ability to
lock/unlock rules and without zoning, because those are not pertinent to Application
Override policies.

5 Log Collectors selection.

The Log Collectors selection is only available at the bottom of the Security Policies
panel. They are needed for functions related to traffic logs collection in order to
properly interpret these logs and later generate App-IDs based on them.

6 Policy Filters.
In much the same way you create filters on Palo Alto Networks devices,
the Policy Filters let you filter for a specific Element using a specific
Operator with a provided value. You may also build more complex filters with
AND / OR statements, and keep a list of active filters across the
device's policies.

Additional Options via Context Menu (Right Click)

A context menu, accessible by right-clicking anywhere on the Security Policy,
provides several commands or actions for the selected item, or for the entire
Security Policy loaded.
The context menu offers the following commands:
Filters, Multi-Edit, Search & Replace.
And the sub-menu items:
Rule Actions / Combine,
App-id Adoption / Retrieve Apps (selection),
App-id Adoption / Retrieve Apps (all rules),
App-id Adoption / Split rules Known | Unknown,
App-id Adoption / App-id reconciliation,
App-id Adoption / Export Apps Retrieved (ZIP)
App-id Adoption / Import Apps Retrieved (ZIP)
Replace (In Rule) / Service Groups by Members
3rd Party / AlgoSec / Retrieve Docs (Selection)
3rd Party / AlgoSec / Retrieve Docs (All Rules)
3rd Party / AlgoSec / Push Docs Back (Selection)
3rd Party / AlgoSec / Push Docs Back (All Rules)
3rd Party / Checkpoint / Open Viewer
From the Advanced Options context menu, besides the App-id Adoption and
Replace (In Rule) options, there is now a powerful Search & Replace that lets you
find objects and groups present in any Security Policy, NAT Policy, or App Override
Policy.
Besides locating policy elements, you can also replace them: add all the elements you
want to replace (or remove) to a Replace List, and then make the specific change to
each policy marked for replacement from a single location.

Search & Replace

Replace

For each selected security policy you will have a detailed window where you can edit
the rule settings.

You can add new attributes to the rule manually, change the rule action, choose the
Rule Type (for example, Universal, IntraZone, and InterZone), define when to
generate logs for a session, and select or create a Log Forwarding profile.

You can expand the right side of the window to display extra options to add to the
selected rule or to multiple policy rules if the multi-edit button at the bottom is pressed
along with multiple policy rules (or all the policy rules) selected.

On the figure below, notice the Tag, Schedule, QoS Marking, and all security profiles
that may be selectively added to the selected policy rule(s).

For the security profiles, or other objects, to be available you must have created
them previously on the Snippets tab. Alternatively, if you have configured a device on the
Devices tab and included that device in your project, select that device in command
area 1 (VSYS & Active Selection) so that its objects (security profiles) can be used.

On the left side of the window, you can expand another panel with warnings for the
selected policy rule(s). These warnings flag imported protocols that have no match in the
Migration Tool 3 database and must be replaced by the proper App-ID (for example,
ICMP). This panel also contains warnings about rule name changes related to NAT
policies.

Still under Policy Management, you can create filters and apply them
to the candidate configuration within the MT3.0.
These filters are created and applied using the same principle that already exists on
PAN-OS devices, except that you may create several filters and combine them into a single
action that filters the entire Security, NAT, and App Override policies.

Manage Objects, Addresses, Services, Applications, and Profiles
This panel has five command areas:

1 VSYS & Active Selection

As in the Policy management, here you select which vsys to work with, and what
configuration file or configuration base file you are working on at the moment.

2 Main tabs control

Same as in Policy management; this bar is constant (an extra icon is added only when
a Connector for Panorama is in use).

3 Filter & Search module

Use filters and/or search by any value in the list of Addresses and Address
Groups.
The filters find Invalid objects, Duplicated Names, Duplicated Names & Values
combined, and Duplicated Values.
With these queries you can select, for instance, objects that have the same
IP address under different names, or objects imported with the same name
but different IP addresses (values).
Filtering lets you see which objects are affected before you merge them; the merge
itself is done from Command Area 5.

4 Left tab for all objects.
The Address tab provides control over address objects and address groups.
The Services tab has almost the same functionality as the Address tab, but for
services and services group objects.

The APP-ID tab is divided into three columns for configuring application
filters, application groups, and new App-IDs. You can filter objects and create
App-IDs based on PCAPs to create accurate signatures.

On the Content-ID tab you can access all security profiles from your connected
device, or start from a blank list: create the new profile on a device, add a new
object here, then load the XML part of the new profile. After you create the profile
you can add it to selected policy rule(s) or to all security policy rules.

Use the Tags tab to import tags from connected devices or create new tags and
add the Tag to its intended virtual system or as Shared, which is key for the
creation of new Tags.

The Other tab is where you can edit objects you imported from devices (for example,
Log Forwarding profiles, External-Lists, and schedules). You can also create new
objects from this tab by creating them on your device and copying the XML part into
the XML field.

Each tab has the same buttons on the bottom left to allow you to add or remove the
objects you imported or created, with the exception of the address, address groups,
services and services groups that have a few more controls.

5 Bottom left bar for Addresses

In the Dynamic Bottom bar in the Address tab you will find a merge command
with distinct options: by Name, by Name & IP & Cidr, and by IP & Cidr. Address
Groups have a different set of options: by Name, by Name & Value, and by Value
(members).

These options allow you to merge objects that share these characteristics. If you use the
filter (at the top) to find all duplicate objects, for instance, and then select the merge
command to merge by IP & CIDR, you will merge all address objects that have the
same IP address and CIDR but different names into a single address object. The Palo
Alto Networks Migration Tool will then search for all instances of these objects in
security policies and NAT policies, or any other reference throughout the rulebase, and
replace them with the single surviving name. This helps optimize repeated objects
in a previously imported configuration file, giving you a cleaner and more
efficient rulebase.

6 Central control for used or unused objects selection/deletion

The Common Control assists you in two tasks: counting all used objects in
the project, and removing all unused objects from the entire rulebase.

These numbers are displayed on the Global Summary window (the very first icon on
your top left Command bar).

7 Bottom right bar for Addresses Groups

As in the Addresses and Address Groups tab, the Services and Services Groups will
have the same features and purpose: to merge duplicated objects by Name, by Name
& Proto & Dport, by Protocol & Dport.

The Services Groups will have a different set of options to merge by Name, by
Name & Value, and by Value (members).

They will perform the same actions as in the Addresses tab, merging these objects and
objects groups into one, and also replacing every instance of the object throughout the
rulebase.

If you don't perform any filtering at the top before you start the merging process, the
Palo Alto Networks Migration Tool will merge ALL duplicate instances according to
the criteria you selected.

Manage Networks, Virtual Routers, Routing, and Zones
From the Manage Networks Control on the main control bar, you can prepare your
physical and logical network connections, focusing on a single virtual system or
multiple virtual systems, depending on what type of Migration/Optimization project
you are working on.

1 VSYS & Active Selection

2 Template Selections

3 Main tabs control

This is the same as in Policy management; this is a constant if not using a Connector
for Panorama.

4 The Left tab is for all profiles, and objects.
Interfaces may be created and edited. They contain all the options necessary for
each interface to operate.

You may now edit the interface names, which are inherited from imported
configuration files, to valid interface names (for example, ethernet1/1), leaving the
inherited names only on the zones that are later applied to each interface.

You may now add a sub-interface by selecting the sub-interface representation next to
the new name (for example, ethernet1/1.X), set a Tag, and assign a Virtual Router,
Virtual System and Security Zone (if already defined), along with a full set of
interface attributes.

You can also rename one or all interfaces from the imported candidate configuration.
If you are planning to send the modified interfaces to the selected device as the
output, keep in mind that the interfaces renamed here must be available on the target
device; for example, the interface named inside in the original configuration renamed to
ethernet1/1, where the destination device has no interfaces configured yet.

If you have a target interface already configured on the target device you should
rename the original interface to an available interface, or remove the target interface on
the target device if possible.

You may rename interfaces by double-clicking them and selecting an interface name
from the Interface Name drop-down.

Zones can be created, edited, or removed with the real interface names, for example,
Ethernet.

Naming a zone, configuring the type and attributing it to a real named interface are part
of the Zone window. The same settings from the PAN-OS devices can be added here.

Virtual Routers can be added, edited, or removed with the same settings selection as
the ones on a PAN-OS device.

The Virtual Router Editor allows you to establish participating interfaces, define static
routes, and define administrative distances.

If dynamic routing protocols are needed, configure them on a PAN-OS device, export
the configuration to an XML file, and paste the configured section into the Protocol tab.

Virtual Wires are also created, edited, and removed from the Virtual Wires tab.

Creating a Virtual Wire requires that you set the Interface Type of the interfaces
participating in this Virtual Wire to Virtual Wire. Only then will the interfaces be
available in the Virtual Wire Editor.

Manage Devices, Virtual Systems, and Profile Response Pages
Use the Virtual Systems tab to add, edit, or remove virtual systems.

1 VSYS & Active Selection

Select which VSYS to work with and which configuration file or configuration base file
you are working on at the moment.
2 Template Selections:

3 Main tabs control

This is the same as in Policy management; it is a constant if you are not using a
Connector for Panorama.

4 Left tab Virtual Systems and Response Pages

Virtual Systems can be added, edited, or deleted.
Defining a VSYS (Virtual System) will depend on existing objects such as
interfaces, VLANs, virtual wires, virtual routers, and visible vsys names.

Use the Virtual System Editor to create a new virtual system or edit an existing one.

Use the General tab to define the participating interfaces, VLANs, virtual wires,
virtual routers, and visible virtual systems. These objects have to be previously
configured on their sections or editors. These fields are drop-down controls that
need to be pre-filled with the referred object in order for you to add any of these
elements to a new or existing virtual system.

The second tab allows you to add or edit Resource (limits) as you would on a regular
PAN-OS device.

Use the Response Pages tab to edit the device response pages.

Only configuration files, pre-configured devices, or base configuration files loaded into
the Palo Alto Networks Migration Tool can be edited. Any other configurations
imported into the tool won't have any existing response pages, and therefore no
information will be displayed on this tab.

You must select the file you want to work on, once imported or loaded on the control
1 VSYS & Active Selection.

Make sure you are working on the proper configuration file before trying to edit the
Response Pages.

You may select the pages inherited by the configuration file you brought in and use the
HTML editor to customize your pages.

On these HTML pages, besides the text and images, you must be aware of the
variables that are brought in as part of the code. For instance, if you are editing the
Certificate Error page, which has several variables, keep in mind that you are not seeing
them; they are embedded in the HTML source code. If you need to move these
variables around, click the Source Edit button at the top bar of the HTML editor.
In the HTML editor, the code exposed is the final HTML as clients will see
the page.

Using the Source Edit button you can find the equivalent variable or XML node,
which is used to bring that information dynamically from the PAN-OS device.

<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the
server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname> </certname></p>
<p><b>IP:</b> <url> </url></p>
<p><b>Issuer:</b> <issuer> </issuer></p>
<p><b>Status:</b> <status> </status></p>
<p><b>Reason:</b> <reason> </reason></p>
</div>

You may move these XML nodes around, but if you remove them, no
information will be presented from the page you are creating. Keep in mind that
these nodes need to be represented as: <nodename> </nodename> for the
proper XML parsing to take place.
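The nodes listed above must survive any edit you make in the HTML editor. The following is an added Python example, not code from this guide or from the Migration Tool, that checks an edited Certificate Error page for exactly the problems the paragraph above warns about: a placeholder node that was deleted, one left without its closing tag, or one rewritten in self-closing form instead of the <nodename> </nodename> shape. The node names are taken from the page quoted above; the two sample pages (a stock copy and a badly edited one) are constructed for the example.

```python
"""Sanity check for an edited PAN-OS response page: the dynamic placeholder
nodes (<certname>, <url>, ...) must still be present and written as an
open/close pair, or the firewall cannot fill them in."""
from html.parser import HTMLParser

# Placeholder nodes of the Certificate Error page quoted in the guide.
CERT_ERROR_NODES = ("certname", "url", "issuer", "status", "reason")

# Constructed copy of the stock page.
STOCK_PAGE = """<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname> </certname></p>
<p><b>IP:</b> <url> </url></p>
<p><b>Issuer:</b> <issuer> </issuer></p>
<p><b>Status:</b> <status> </status></p>
<p><b>Reason:</b> <reason> </reason></p>
</div>"""

# Constructed badly edited copy: <status> deleted, <reason> self-closed,
# and <certname> left without its closing tag.
BROKEN_PAGE = """<div id="content">
<h1>Certificate Error</h1>
<p><b>Certificate Name:</b> <certname></p>
<p><b>IP:</b> <url> </url></p>
<p><b>Issuer:</b> <issuer> </issuer></p>
<p><b>Reason:</b> <reason/></p>
</div>"""


class _NodeScanner(HTMLParser):
    """Count opening and closing tags; html.parser treats unknown tags such as
    <certname> like any other element, which is all we need here."""

    def __init__(self):
        super().__init__()
        self.opened = {}
        self.closed = {}
        self.self_closed = set()

    def handle_starttag(self, tag, attrs):
        self.opened[tag] = self.opened.get(tag, 0) + 1

    def handle_endtag(self, tag):
        self.closed[tag] = self.closed.get(tag, 0) + 1

    def handle_startendtag(self, tag, attrs):
        # <reason/> form: balanced, but not the <reason> </reason> shape required
        self.handle_starttag(tag, attrs)
        self.handle_endtag(tag)
        self.self_closed.add(tag)


def check_response_page(html, required=CERT_ERROR_NODES):
    """Return the placeholder problems found: nodes that are missing, nodes whose
    open/close counts differ, and nodes written in self-closing form."""
    scanner = _NodeScanner()
    scanner.feed(html)
    scanner.close()
    return {
        "missing": [n for n in required if scanner.opened.get(n, 0) == 0],
        "unclosed": [n for n in required
                     if scanner.opened.get(n, 0) != scanner.closed.get(n, 0)],
        "self_closed": [n for n in required if n in scanner.self_closed],
    }


if __name__ == "__main__":
    for label, page in (("stock", STOCK_PAGE), ("broken", BROKEN_PAGE)):
        print(label, check_response_page(page))
```

Run it against the HTML you pasted back from the Source Edit view before saving the page; an empty result for all three lists means every placeholder the device expects is still there in the form it expects.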

Create the Output, Generate Configuration,
Push it Through the API
This control was created to stage the elements you have been working on to this point,
and map the content of your Source Configuration [INPUTS], which may comprise
more than one file if needed, to your Base Configuration [OUTPUT].

1 VSYS & Active Selection

Here you select which virtual system to work with, and what configuration file or
configuration base file you are working on at the moment.
2 Main tabs control

Same as in the Policy management this is a constant, if you are not using a Connector
for Panorama.

3 Left tab Mappings & API Output Manager
Mappings are done based on the contents of the imported or base
configuration files imported from configured devices. If you don't see a tree
structure on the INPUTS side of the screen, select a configuration file to use
as the Source for your mappings from command 1 (VSYS & Active Selection).

If no configuration files are set as your Base Config click Set Base Config to
set one.
You can also Deactivate or Remove the selected base configuration file.

By deactivating the Source Configuration file, you won't be able to move the
elements (the configuration you've already worked on) into the Output.

If you remove the Source Configuration file, use the Import configuration files
command on the top menu 2 Main tabs control and import a new Source
Configuration file.

Use the API Output Manager tab to generate Atomic and Sub-Atomic API calls to
send to connected devices.

Atomic API Calls send the entire configuration generated by merging the source
configuration into the candidate configuration (OUTPUT). The Atomic calls are sent
to the connected device by groups. This action mimics the load config partial
command from the CLI configure mode. These API calls send the candidate
configuration to the targeted device, including all the address objects, address groups,
interfaces, shared log settings, NAT policies, PBF policies, shared response pages,
security policies, service objects, service groups, tags, virtual routers, virtual systems,
and zones, in this order, to maintain consistency through the process and to avoid
missing elements. If you do not select an object group, the Palo
Alto Networks Migration Tool sends all object groups (in order) to the connected
device. If you want to send just part of the configuration, select the desired object
group and send the selected API calls.

Note: Some objects are dependent on others. For example, security policies require
that you add addresses and/or addresses groups first in order to avoid errors during
the process.

The Sub-Atomic API calls perform the same task as the Atomic selection and will be
bound to the same rules. However, instead of groups you must prepare all API calls
individually. If you do not select a specific call, the system sends all calls, one by one,
following the same group order as with Atomic calls.

We will have a more detailed description about API Calls in the next chapter.

The last tab on the left of this screen displays Device Usage. This is extremely valuable
when you are creating, migrating or optimizing the configuration on an existing device.
Based on the selected configuration you will see, in a report screen, all the variables
brought in from the source configuration, the legacy device being migrated, or the new
rules created for an existing device. This report shows at the bottom the recommended
platform that would best run the candidate configuration file, and it
compares this file to all Palo Alto Networks devices. Select the Platform and PAN-OS
version, then click Calculate to see the candidate configuration in comparison to
the selected Platform. It will also show whether you are over the default specification
for each element used in your configuration.

This is very helpful when you need to make sure that the device you are migrating to is
capable of handling the resource consumption of the candidate configuration.

You may choose whether or not to deploy this configuration to the selected platform
knowing that you may have resource exhaustion if the elements are counted over the
limit for the selected platform. You may also perform an optimization and reduce the
number of elements used according to the selected (target) platform.

! Note The Palo Alto Networks Migration Tool accounts for 25% more than each
calculated resource, giving you room to accommodate resources more efficiently
and leaving some room for growth in the new configuration file.

In the example above, notice that under Rules Consumption there are 295 security
rules, while for the platform selected the desired capacity is 250 rules. The system
indicates that there are 11 disabled rules and all others are enabled. With this
information you can see that the PA-200 firewall is not going to accommodate these
rules, but the suggested VM-200 platform will.

This feature will help you resolve and avoid performance issues, and still leave room to
grow on the device.
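The following is an added Python example, not code from this guide or from the Migration Tool, that reproduces the Device Usage check in script form: count the elements of a candidate configuration, apply the 25% headroom described in the note, compare the result against per-platform limits, and pick the first platform that fits. The platform limit figures and the 295-rule candidate configuration are constructed for the example (the limits are illustrative, not published PAN-OS capacities), and counting disabled rules toward the limit while reporting them separately is the example's own choice.

```python
"""Capacity check for a candidate configuration against a target platform,
with the 25% headroom the guide says the tool adds to every resource count."""
import math

HEADROOM = 1.25  # the tool accounts 25% more for each resource calculated

# Constructed, illustrative limits; NOT published PAN-OS platform figures.
# Dict order is assumed to run from the smallest platform to the largest.
PLATFORM_LIMITS = {
    "PA-200 (sample limits)": {"security-rules": 250, "address-objects": 2500},
    "VM-200 (sample limits)": {"security-rules": 1000, "address-objects": 4000},
}

# Constructed candidate configuration: 295 rules, the first 11 disabled.
CANDIDATE = {
    "security-rules": [{"name": f"rule-{i}", "disabled": i < 11} for i in range(295)],
    "address-objects": [{"name": f"host-{i}"} for i in range(800)],
}


def count_usage(config):
    """Count every rule toward the limit (this example assumes a disabled rule
    still occupies a slot) and report the disabled count separately so you can
    see what removing them would save."""
    rules = config.get("security-rules", [])
    return {
        "security-rules": len(rules),
        "disabled-rules": sum(1 for r in rules if r.get("disabled")),
        "address-objects": len(config.get("address-objects", [])),
    }


def check_platform(usage, limits, headroom=HEADROOM):
    """For each limited resource return (required_with_headroom, limit, over_limit)."""
    report = {}
    for resource, limit in limits.items():
        required = math.ceil(usage.get(resource, 0) * headroom)
        report[resource] = (required, limit, required > limit)
    return report


def recommend_platform(usage, platforms=PLATFORM_LIMITS, headroom=HEADROOM):
    """Return the name of the first platform where no resource is over its limit."""
    for name, limits in platforms.items():
        report = check_platform(usage, limits, headroom)
        if not any(over for _, _, over in report.values()):
            return name
    return None


if __name__ == "__main__":
    usage = count_usage(CANDIDATE)
    print(usage)
    for name, limits in PLATFORM_LIMITS.items():
        print(name, check_platform(usage, limits))
    print("recommended:", recommend_platform(usage))
```

With the sample figures the 295 rules become 369 after headroom, which is over the sample 250-rule limit of the first platform and inside the 1000-rule limit of the second, matching the outcome described in the paragraph above.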

4 Left Panel [INPUTS]

The left panel on this tab displays the file or files you imported into the Palo Alto
Networks Migration Tool, with all the modifications up to this point.

Expand the tree-based objects to see where the objects, policies, zones, virtual routers,
and virtual systems are stored.

5 Right Panel [OUTPUT]

To export the source configuration, expand the tree-based object then drag and drop
from the INPUTS panel to the OUTPUT (right side), into each correspondent sub-
node on the right panel (Base Configuration [OUTPUT]).

Expand each main Node on each side to drag and drop each part of the configuration
from the left to the right panel.

By expanding Network you can see the child nodes (Interfaces, Virtual Routers), which
contain the entire configuration changes you made on the Palo Alto Networks
Migration Tool to this point. Select it, and with the node still selected, drag and drop it
into the corresponding section in the right panel (the output).

You may have cases where you imported more than one configuration file into the
Palo Alto Networks Migration Tool and you want to bring the objects, object groups,
and services into the same destination file (OUTPUT) on the right.

From your INPUTS, Network Node drag Interfaces, Virtual Routers, and from the
vsys1 Node drag Objects, Policies, and Zones into the corresponding nodes in the
OUTPUT.

Network contains Interfaces and Virtual Routers.

Virtual systems will be numbered as they have been imported from a base
configuration file or loaded into the system by a connected device. If you are working
on Panorama configurations, a valid Device Group, and Template will be listed instead.

From your INPUTS vsys1 (or any other vsys you are working with or from a shared
child node if you are migrating from Panorama), drag Objects, and Policies, then drop
on the destination VSYS or shared Node on your OUTPUT panel.

As you may notice, the elements brought from the source configuration into the
OUTPUT section are now pending actions waiting for your approval in order to
generate a final configuration file or to create the necessary API calls to send to any
connected Palo Alto Networks device previously configured in the Palo Alto Networks
Migration Tool.

6 INPUTS controls

These buttons will allow you to remove the selected Source Configurations from the
left panel (INPUTS).
If you have multiple configuration files imported into the Palo Alto Networks
Migration Tool, you will be able to remove one or more files from the INPUTS.
Use the Set Base Config button when you have more than one INPUT / source
configuration and select the configuration to switch to as your base.
7 OUTPUT controls

These buttons unset whichever base configuration file you have selected in the left
pane (Source Configuration / INPUTS) and reset the object migration to the starting
point giving you a chance to restart dragging & dropping objects into the OUTPUT
panel.

This allows you to go back and edit objects, policies or any elements in your source
configuration files, and return to this screen to finalize the process.
As part of the OUTPUT Controls, the MERGE button is your goal.
MERGE runs all the necessary scripts within the Palo Alto Networks Migration Tool
and prepares the proper configuration to be either exported to an XML file for import
into a Palo Alto Networks device, or used to generate API calls to send to the
connected device within the project that was set as the target to receive these
commands.

8 Generate XML and Set Output

Until now this would be the ultimate goal of a migration: after all reviews and
configuration changes, you would generate an XML file to import into a Palo Alto
Networks device. The Generate XML Output button generates the final XML
configuration file from your final configuration.

The Generate XML Output will create 3 files: the XML, SET commands, and a ZIP
file containing one or more copies of XML files for the selected project.

9 Downloads

This single-function button lists the file(s) generated by the Generate XML and
SET commands Output: a ZIP with all files, a SET commands text file, and the
XML with the merged configuration.

Chapter 4
Sample Project Step-by-step guide.

From now on we will dive into the mechanics of the Palo Alto Networks
Migration Tool. You should have all the basic information about the tool
and its components.

You know what you can do by now; it's time to practice and test the new
Palo Alto Networks Migration Tool 3.

If you have downloaded the Virtual Machine for the tool you should be able to access
it via https://192.168.58.143

These are the requirements for this project:


1. Migrate all interfaces, except the one for management from a Cisco ASA
Version 9.1(5).
2. Migrate all ACLs and NAT Policies.
3. Clean up unused Addresses and Service objects from the legacy configuration
file.
4. Create and apply a Security Profiles (AV, AS, Threat Prevention, and URL
Filtering).
5. Prepare an XML file as the candidate configuration file for PAN-OS 6.1.X
6. Connect a target device (PA-200 firewall). Analyze and optimize objects
according to the PA-200 firewall capacity.
7. After the migration, connect to the target device as a Connector and
capture traffic related to each new Security Policy, then create App-IDs for
these rules, leaving a copy of the rule above the current one for further analysis,
separating unknown traffic.

Now that we have our requirements, let's get the Cisco ASA Configuration file from
our fictitious customer (ACME), named MyCiscoConfig.txt. This was
provided by ACME's network security team by issuing the show run command at
the Cisco ASA prompt and exporting the logs from the terminal tool used to SSH
into the device (usually PuTTY).

Start the tool and access it via your web browser, pointing to the IP address described in
the Virtual Machine.

In this case, the address is 172.16.175.200. It may be a different subnet depending on
your Virtual Machine's network settings.

After reading the disclaimer, click I Accept at the bottom of the screen.

You may start your new project from here. However, because we are migrating from a
Cisco ASA device to our PAN-OS PA-200 device, let's configure a device before
we define our project.

From the Projects tab click Add New Project on the lower left bar. We could
search/filter for other existing projects from here if we have created and saved multiple
projects. The suggested search term would be the TAG name for each project, and the
recommended value for this field is the company's name, in our case ACME.
After we create a new project with the name value of MyProject and TAG value of
ACME, let's configure our device since we are already here, and the Devices tab will
keep all devices you've configured.

In our requirements we learned that we would be migrating this Cisco ASA
configuration to a PA-200 device, so let's create a connection to that device from our
Devices tab in the same screen.

You could import applications, threat signatures, URL categories, and regions from an
existing source into your project. A source here would be a pre-defined device from
the Devices tab. This would bring all these elements into your project for further
tweaking and use for creating the new configuration file.

After creating the project, click the Power icon at the top-most bar in the tool. That
will close the project (not delete it) and allow us to continue with our settings.

In this example, we will connect to a device named JOTUNHEM, with the IP address
192.168.1.5, using port 443, which is the default port. If you don't enter anything
in the Port field it will use the value 443. Next I will select PA-200 as the model.

After a successful connection you can select the created device and check if the
connection acquired an API KEY, which will be necessary for all interaction we will
have with this device.

By clicking the Configuration, Applications, and/or Threats buttons, you will
generate an XML file containing each of these elements. The XML will be opened on a
second tab in your browser and you may download it as a file if needed. That may be
handy for later parts of the project where you want/need to create a new part of your
configuration and add it as an XML snippet on your base configuration file (Output).

! Note If you make any changes to the connected device you must
select it from the Device tab in order to reload its configuration
file and objects.

As a good practice, check for new updates from the Updates tab frequently, because
the Palo Alto Networks Migration Tool 3 is a live project under continuous
improvement, and we strive to improve all aspects of the tool.

After we create our project and set up our environment we are ready to select our
project by double clicking on it from the Projects tab.

Following our requirements we should import a Cisco ASA Configuration file. Open
the Import Configuration from other vendors or from Palo Alto Networks icon
from the top bar (the second icon from left to right).

We can see our configured devices and a series of tabs for each device from where the
Palo Alto Networks Migration Tool 3 is able to import configuration.

Let's select the Cisco tab and, from the Upload File / Configuration field, browse our
local machine for the MyCiscoConfig.txt provided by ACME.

After selecting the file, notice that the Palo Alto Networks Migration Tool 3 starts the
import process automatically. During this process, the system goes through the loaded
configuration file and interprets each ACL, NAT policies (including NATs for versions
over Cisco IOS 8.3 and Cisco Twice NATs), its configured interfaces, address objects
and groups, and service objects and groups.

After the porting process is done you will see the loaded configuration file listed in the
top right drop-down, with vsys1 to its left.

At this point the migration is done. Note that the Palo Alto Networks Migration Tool
3 is a migration tool not a translation tool.

Although most of the work has been done by the tool, professional and qualified
resources are still necessary to go over the problems inherited from the old
configuration file, or problems introduced by the Palo Alto Networks Migration
Tool 3, such as unsupported protocols (for example, ICMP) that need to be translated
into App-IDs manually by the person doing the migration.

After the system finishes the migration process, it loads the migrated legacy config, and
the first screen you will see is the Security Policies. Check also if the NATs were
imported correctly.

By analyzing the Security Policy you will see there is a warning on rule 15. By clicking
on the rule we can see the Information tab hidden on the left side of each selected
rule, which shows what was done on that rule. In this case there are two warnings: one
being Security RuleID [15] is using the Protocol Name [icmp], and the second being
Security RuleID [15] is using a Service Group [AllowedICMP] but is not defined in
my DB.

These two warning messages help identify potential problems. In this case, the Palo
Alto Networks Migration Tool 3 converted the icmp group into the App-ID icmp,
and the group is no longer being used. Whenever it converts services from a protocol
like icmp, the system will warn you to validate that the conversion was done properly
for each rule, hence the need for a professional resource capable of identifying these
changes coming from a legacy vendor to PAN-OS.

Now check the security policies and NAT policies for warning signs/icons or by going
to the Monitor Logs and Reports icon from the top most bar (the 4th icon from the
left).

Next check Addresses and Services as well as their groups, and clean the legacy
configuration file of unused objects and groups. If you want to continue the migration
without cleaning these objects you should consider a more like-for-like approach,
which consists of simply migrating whatever came from the legacy configuration file.
You still need to go through the warnings in order to fix inherited mistakes or problems
from the legacy configuration.

At this point we could fix zones, multi-edit several rules or simply lock unlocked rules
to prevent other changes from affecting these selected and locked policies.

There are some new mechanisms that will help on the optimization part of the security
policy, such as Combine the selected rules into the first one where you can select
one or more rules, and combine their contents into the first rule (the top most rule).
This may be useful for projects where we have target devices with limited resources,
however you must be careful combining valid traffic such as same source, and same
destination.

Use the controls at the bottom bar (the last 3 from left to right) to prepare this
candidate configuration to be used as part of a Panorama Device Group and convert
selected rules into Pre or Post-rules.

Lets choose to clean the object and services groups.

The objects not in use have a red bullet (icon) next to them. Clear the configuration file
by clicking on the red bullet at the bottom bar where it says Common. Do this for all
addresses and addresses groups, as well as for services and services groups.

When you select the Common Red icon with the Address bar selected it will remove all
unused objects for both addresses and addresses groups.

Confirm the removal for each type of objects.

Besides removing unused objects, you may also want to do some research into the
legacy configuration file and search or filter on services and addresses objects by:
Name, Invalid objects, Duplicated Names, Duplicated Names & Values, or
Duplicate Value.

This is a powerful feature that allows you to easily spot addresses and address groups
that have the same value but different names. You can then merge all duplicated
values, for instance into a single object, and then replace the security policies or NAT
policies using these duplicates with a new system-generated one for a leaner
configuration file.

After you select filter criteria, click the icon to merge the results of your filter.
You may merge by Name, by Name & IP & CIDR, or by IP & CIDR.

These options merge the objects into one object and update the security and NAT
policies accordingly.

On the Group Objects (right pane of the Addresses tab), you will find the same action
(merge) but with different options. You can merge address groups by Name, by Name
& Value, or by Value (Members). That will also update any reference to these groups
with the new one created from the merge, for both security and NAT policies.

Still in the Address Groups panel (right) you will find another icon right before the
Merge icon. The Group Handler will transform static groups into dynamic address
groups, or will convert groups to addresses only.

Note that as we move along you are cleaning, organizing or re-shaping the legacy
configuration file already using PAN-OS features.

The same behavior is true for the Services tab. You will also clean the unused service
objects and unused Service Groups. After thats clean you will again start filtering by
the criteria you prefer. Usually you will filter for Invalids first and adjust any invalid
service objects such as services with ICMP as the protocol. Change it to TCP and later
convert it to an App-ID manually as needed.

After fixing the invalid services, or taking notes to fix them later, search for
Duplicate Value, which is very common in Cisco configurations. The bottom
icons, again, will assist you with merging.
From the bottom icons on the Services panel (left) of the Service tab, merge the
resulting filter by Name, by Name & Proto & Dport, or by Protocol & Dport.

Again the action is immediate, and the merge will change the name of the service
objects in all security or NAT policies in which they are present.

From the Service Object Groups (right pane), merge by Name, by Name & Value, or
by Value (Members).
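As an added Python example, not code from this guide or from the Migration Tool, the following reproduces what the merge commands described here, and earlier under Manage Objects, do: collapse objects that share the chosen key (IP & CIDR for addresses, Protocol & Dport for services) into the first one seen, then rewrite every reference in the security rules so that only the surviving name is used. The address objects, services and rules are constructed sample data; the key functions mirror the tool's merge options, and the handling of a rule that referenced both duplicates (it ends up with the survivor listed once) is the example's own choice.

```python
"""Merge duplicate address and service objects by a chosen key, then rewrite
the references in the rulebase so only the surviving name remains."""
from collections import OrderedDict

# Constructed sample objects (names and values are invented).
ADDRESSES = [
    {"name": "web-srv",     "ip": "10.1.1.10", "cidr": 32},
    {"name": "WEB_SERVER",  "ip": "10.1.1.10", "cidr": 32},  # same value, different name
    {"name": "dmz-net",     "ip": "10.1.2.0",  "cidr": 24},
    {"name": "DMZ_Network", "ip": "10.1.2.0",  "cidr": 24},
]
SERVICES = [
    {"name": "tcp-8443",  "proto": "tcp", "dport": "8443"},
    {"name": "https-alt", "proto": "tcp", "dport": "8443"},  # duplicate value
    {"name": "dns-udp",   "proto": "udp", "dport": "53"},
]
RULES = [
    {"name": "allow-web", "source": ["any"], "destination": ["WEB_SERVER"],
     "service": ["https-alt"]},
    {"name": "allow-dmz", "source": ["DMZ_Network", "dmz-net"],
     "destination": ["web-srv"], "service": ["tcp-8443", "dns-udp"]},
]

# Merge keys mirroring the tool's options.
def key_name(o):         return o["name"]
def key_name_ip_cidr(o): return (o["name"], o["ip"], o["cidr"])
def key_ip_cidr(o):      return (o["ip"], o["cidr"])
def key_proto_dport(o):  return (o["proto"], o["dport"])


def merge_duplicates(objects, key):
    """Collapse objects sharing the same key into the first one seen.
    Returns (survivors, rename) where rename maps each removed name
    to the name of the object that replaces it."""
    survivors = OrderedDict()
    rename = {}
    for obj in objects:
        k = key(obj)
        if k in survivors:
            rename[obj["name"]] = survivors[k]["name"]
        else:
            survivors[k] = obj
    return list(survivors.values()), rename


def rewrite_references(rules, rename, fields):
    """Replace merged names in the given rule fields. A rule that listed both
    duplicates ends up with the survivor once, not twice."""
    rewritten = []
    for rule in rules:
        new_rule = dict(rule)
        for field in fields:
            members = []
            for member in rule.get(field, []):
                target = rename.get(member, member)
                if target not in members:
                    members.append(target)
            new_rule[field] = members
        rewritten.append(new_rule)
    return rewritten


def dedupe_config(addresses, services, rules):
    """Merge addresses by IP & CIDR and services by Protocol & Dport, then
    update every reference in the rulebase."""
    addrs, addr_map = merge_duplicates(addresses, key_ip_cidr)
    svcs, svc_map = merge_duplicates(services, key_proto_dport)
    rules = rewrite_references(rules, addr_map, ("source", "destination"))
    rules = rewrite_references(rules, svc_map, ("service",))
    return addrs, svcs, rules, {**addr_map, **svc_map}


if __name__ == "__main__":
    addrs, svcs, rules, renamed = dedupe_config(ADDRESSES, SERVICES, RULES)
    print("renamed:", renamed)
    for rule in rules:
        print(rule)
```

Because no filter is applied before merge_duplicates, every duplicate in the list is merged, which is the behaviour the guide describes for merging without filtering first; to merge only a subset, pass the filtered list instead. NAT policies would be rewritten the same way by adding their address fields to the call.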

By this point you have already removed unused objects, and merged duplicates by your
selection criteria. At this point, we are still working on the legacy configuration file, but
operating with the PAN-OS resources.

Because we have traffic logs that are based on the ACC information captured by these
logs and registered by the Palo Alto Networks device, we need to create a Connector
that will be responsible for looking into the device logs for a period of time, usually
from the last 60 seconds to the last 30 days. We will select the last 7 days to meet our
requirements.

! Note Set up the collectors and check for traffic on a weekly basis to
create new App-ID rules as necessary or identify unknown traffic.

The connector will have a Name value (here MyConnector). From the drop-down field
we will select the JOTUNHEM, which is the already configured device, from which
we want to extract traffic after we migrate over the new configuration.

That may happen immediately after the cutover, or a week from now. It's up to the
engineer in charge and the scope of the project. In our case, we were required to
migrate L3/L4 rules into App-IDs, so we will migrate the configuration and come back
for logs in order to achieve that. For now we will just create the Connector, which is an
important part of our project.

Our next step will be to configure the interfaces from the legacy configuration.

Normally when the Palo Alto Networks Migration Tool 3 migrates a Cisco
configuration, it will use their nameif values as the Interface name, and will do the
same for the zones.

We can now edit these names and make them match what we want in the target device.
Remember that if you rename an interface, that name must be available in the target
devices. For greenfield projects you wouldn't have any problems; however, if we are
bringing an existing candidate configuration file into an existing PAN-OS device you
must be mindful of the interface names to avoid duplicates and the consequential
commit fails in your target device.

In our case, we have a greenfield project and all interfaces on our Palo Alto Networks
device are empty. We will rename them in order and remove the Mgmt interface.
From the Manage Networks / Interfaces tab, double-click each interface and on the
Edit Interface window select from the drop-down field (Interface Name:), the name of
the interface in the Palo Alto Networks Device, ethernet1/1, tunnel, and loopback, for
example.

You may change all PAN-OS aspects of an interface from here; you may even define
sub-interfaces, add Tags, determine Speed / Duplex values, but for our scenario you
will simply map each interface from the legacy configuration file accordingly.

The configuration should contain: inside = ethernet1/1, DMZ = ethernet1/2, outside
= ethernet1/3, and delete the management interface.

We will now move to the Zones tab. Remove the management zone because we no
longer have that interface configured. Select the zone you want to delete and use the
delete button on the lowermost bar at the left side.

Note that the zones are also editable from here. You may set Protection Profiles if
connected to a PAN-OS device or importing a PAN-OS configuration file, add
participating interfaces for your zoning design and other common functions to Palo
Alto Networks devices.

We have what we need for now. Let's take a configuration snapshot from the topmost
bar (third icon from right to left).

Our next steps are to start the process of generating the candidate configuration file or
sending the API calls to the connected device.

As you may have noticed there is only an INPUT file, but no OUTPUT. We must
have a base configuration file loaded or a connected device loaded in the Migration
Tool 3 in order to proceed. Go to Import Configurations from other vendors
or Palo Alto Networks from our topmost bar (second icon from left to right).

We may choose to load a clean PAN-OS base configuration file or double-click on
the connected device (ASGARD) and load its configuration into the Migration Tool 3.

After you double-click the device or load a base configuration into your project, the
Palo Alto Networks Migration Tool 3 will import the configuration file, and take you
directly to the Manage Policies screen.

You now have two configuration files loaded into your system. Our device should be
empty, with neither policies nor interfaces configured, but there will be cases where
the MERGE of configuration files will be required.

Be mindful of the interface names, virtual routers (if more than one) and policies in
general. You may merge the configuration files and bring only the objects from the
legacy into the current configuration.
You will be able to send these new elements into the current PAN-OS device via API
calls.

For now let's use our clean device as our migration target.

At this point we have our INPUT (Cisco Configuration file), and our OUTPUT set.
However, no migration has been done yet. Let's start by dragging and dropping from
the left panel (INPUTS), each node and its child nodes to the corresponding nodes on
the right panel (OUTPUT).

! Note Make sure all child nodes were moved to the OUTPUT. Pay
attention to the zones that are part of VSYS1 in this example.

As you move the objects to the OUTPUT on our target device, all these elements will
be displayed as (pending), and a new configuration will be created after you click the
MERGE button in the lower right.

The MERGE function will bring all the changes made to the candidate configuration
file (Cisco ASA in this case) into the PAN-OS device.

After the MERGE is done, both panels (INPUTS & OUTPUT) will be empty.
After clicking MERGE your options are to Generate XML & SET Output, which will
load the Downloads window containing your merged configuration file for PAN-OS in
an XML version to be imported, loaded, and committed into the target PAN-OS device;
a SET commands file with all the commands in SET format, which you may load by
copying and pasting (small parts at a time) into the device while in configuration
mode, or by sending these commands over an SSH connection using a bash script, for
instance; and a third file, a .ZIP file containing all the above plus all the
configuration files contained on a Panorama, if that was a Panorama migration project.

The second, and recommended choice, would be the API Output Manager tab.

From here, you have two steps to finalize the migration. For the first step there are
two choices for interacting with the target device via API calls: Atomic or Subatomic
API call generation.

The Atomic API calls will include all the API calls in groups, ordered for you. If you
don't click any of the groups, the system will send each group in the proper order to
the target device selected from the left drop-down (JOTUNHEM). These API calls
need to be sent in the proper order, for example address and service objects before
the security policies that reference them. You may select the ones you would like to
send separately, and send just the new address objects, for instance.

The Subatomic API calls are generated in the same way but are more granular. You will
have one API call for every element created or modified in the system, which gives you
the granularity needed to send single address objects, security policy rules, tags, or any
element individually.

On both Atomic and Subatomic API calls you will find at the bottom left, a filter that
will let you select a group and search within that group for easy object manipulation
and submission to devices.

Now that we have generated our API calls (either Atomic or Subatomic) we may
proceed to Step 2. Here is where you will send all your work to the target device
(JOTUNHEM). Select the target device from the left most drop-down.

Click the [Step 2] Send API Requests button to enable communication with the
target device, send the API requests, and receive a response from the device. If any
error occurs during this process you will receive the same error message generated at
the PAN-OS level, giving you an opportunity to correct that group when sending
Atomic calls or the specific element when sending Subatomic ones.

While submitting the API requests to the device, the expected return message from the
device is command successful. If this is not the message you see, you must go
back to the element corresponding to the response error and correct it. You can then
go back to the API Output Manager tab and resubmit Steps 1 and 2 until all
elements return the command successful response from the target device.

That will be your goal, to have a clean set of API calls sent to the device with no errors.
If errors are found, that group of API requests will not be sent to your target device
and you will have a broken migration.

Now that we have fixed, prepared, and sent all our new elements via API calls to the
target device, let's try a commit on that device.

Not what you expected, right?

The reason for the main commit error is bad planning. We went through all the formal
parts, checked all the elements, and created all the objects correctly, but we forgot a
very basic concept: capacity. Up to now we could be taken by surprise in situations like
that, but with the new Palo Alto Networks Migration Tool 3 you can check the target
device's capacity ahead of time and either work around its capacity as needed or
recommend another device.

In our example, a PA-200 firewall running PAN-OS 6.1 won't support more than 250
security policies, and our Cisco ASA configuration file has 284, putting us 34 over the
device's capacity.

Unfortunately, after we send the configuration to the device we cannot go back to the
Device Usage tab because the configuration files have already been merged.
Therefore, we won't be able to take advantage of this powerful new feature.

As a recommendation, always load both the legacy configuration file and the target
device or base configuration file in the Palo Alto Networks Migration Tool 3, then
select your target or intended target platform (hardware platform or VM-Series
platform) from the platform drop-down on the top right of this screen. The system will
display the Recommended Platform on the bottom right with +25% capacity relative
to your candidate configuration. The 25% extra is placed here to add some cushion in
your projects for future objects, but you should consider a proper capacity size
depending on your project and customer needs.

As for our example, you can clearly see that we have a problem, which I will solve here
by optimizing the rulebase and trying to reduce it by 40 security policy rules. Note
that we will also be running out of address groups shortly (98 out of 125 max.).

Keep in mind the proper amount of resources based on your customer environment
and make sure this is the proper device for them.
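The capacity check described above, as an added example rather than the tool's own implementation: the candidate configuration's object counts are compared against a platform's limits with the same +25% cushion, and the smallest platform that fits is recommended. The two PA-200 figures (250 security rules, 125 address groups on PAN-OS 6.1) are the ones this guide quotes; the larger platform entry is a constructed placeholder so the recommendation has something to choose from, and real limits must come from the Device Usage tab for your PAN-OS version.

```python
"""Check a candidate configuration against a platform's object limits.

Added example, not part of the Migration Tool. The PA-200 limits are the
figures the guide quotes for PAN-OS 6.1; "example-larger-platform" is a
constructed placeholder so the recommendation logic has a second option.
"""
import math
from typing import Dict, Optional

PlatformLimits = Dict[str, int]

PLATFORMS: Dict[str, PlatformLimits] = {
    "PA-200": {"security-rules": 250, "address-groups": 125},
    # Constructed placeholder, not a real platform's numbers.
    "example-larger-platform": {"security-rules": 1000, "address-groups": 500},
}


def required(count: int, headroom: float = 0.25) -> int:
    """Objects needed once the tool's +25% cushion is applied (rounded up)."""
    return math.ceil(count * (1 + headroom))


def check_capacity(limits: PlatformLimits, usage: Dict[str, int],
                   headroom: float = 0.25) -> Dict[str, int]:
    """Remaining slots per object type; negative means over capacity."""
    return {kind: limits[kind] - required(count, headroom)
            for kind, count in usage.items()}


def fits(limits: PlatformLimits, usage: Dict[str, int],
         headroom: float = 0.25) -> bool:
    return all(left >= 0 for left in check_capacity(limits, usage, headroom).values())


def recommend(usage: Dict[str, int], platforms=PLATFORMS,
              headroom: float = 0.25) -> Optional[str]:
    """Smallest platform (by security-rule limit) that fits with the cushion."""
    ordered = sorted(platforms.items(), key=lambda item: item[1]["security-rules"])
    for name, limits in ordered:
        if fits(limits, usage, headroom):
            return name
    return None  # nothing in the table is big enough


# Usage from the guide's example: 284 Cisco ASA rules and 98 address groups.
ASA_USAGE = {"security-rules": 284, "address-groups": 98}


if __name__ == "__main__":
    print("PA-200, no cushion:", check_capacity(PLATFORMS["PA-200"], ASA_USAGE, 0))
    print("PA-200, +25%:", check_capacity(PLATFORMS["PA-200"], ASA_USAGE))
    print("recommended:", recommend(ASA_USAGE))
```

Running it on the guide's numbers shows both points the text makes: without the cushion the PA-200 is exactly 34 rules short, and even after trimming 40 rules the +25% cushion still does not fit, which is why the address-group count (98 of 125) deserves attention before the next phase adds App-ID rules.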

Now that we optimized the rulebase and reduced the number of security policy rules
by at least 40 rules, generate the API calls and send them to the target device.
You may find some rules shadowing each other, but that will be another step on the
migration.

Check if the commit was successful.

As you can see the policies (after proper optimization) were brought into the target
device successfully.

For validation purposes you should check if all the elements were also brought into the
target device such as service objects, addresses, and object groups.

That would conclude your migration but you still have one requirement left: to capture
traffic from the like for like migration and generate App-IDs for the new security
policy.

Accepting the fact that I don't have the traffic for the recently created policy yet, which
would be a common scenario where a second phase would be part of this project in
order to give the device at least 30 days of logging data, let's move to our exercise with
a log collected from another device to illustrate the process of App-ID migration.
Make sure you have a Connector configured in order to collect the log data from the
target device. From the Security Policy, right-click anywhere and choose from the
context menu: App-id Adoption / Retrieve Apps (all rules).

That process will collect all the log information as well as the ACC information kept on
the target device, from which the Palo Alto Networks Migration Tool 3 will gather its
App-ID information. The App-ID information is shown as new (in green) on the
Security Policies screen.

In an App-ID migration project you may find some rules already containing proper
App-ID adoption. This is great, because it is your job to bring the like-for-like L3/L4
migration to the next level: the next-generation firewall's level, achieved only through
L7 inspection.

Let's start by segregating known from unknown traffic. A new row is added for the
same rule, but a TAG is added with the Unknown Traffic information on it.

Once we click (single click) on the split unknown traffic we are presented with a new
window where we need to click Analyze Unknowns to match all unknown traffic to
its destination IP address, port, and protocol. With that information we are able to
create an Override rule and new App-ID to match this traffic (port-based only). We
may add a new rule or add this traffic to the matching rule from where it was found.

Create a new override rule and follow the process.

As you may have noticed, you can add an existing application (from the device's
App-ID database) and create a relation between this unknown traffic and an existing
application, but that would be rare, because our App-ID engine would have caught this
as known traffic if the application already existed in our database. Create a new
App-ID to match this traffic.

The customer will define this new application, and MyNewAPP will depend on your
customer's information and the categorization as well.

From the Advanced tab you may change or add ports, work with protocols, and
establish timeouts, in the same way you would do from PAN-OS. Note that the Palo
Alto Networks Migration Tool 3 brings the ports captured from the logs into this
screen.

After Saving the Custom Application we may apply it to the rule we are creating.

Note that the new App-ID created (MyNewAPP) is now part of our database and will
be sent to this device, and can be used on other rules in the future.

The security rule will be a new rule, or you can keep the original rule (found on the logs
initially). Let's choose new rule.

You now have a new Application Override rule created.

Add a new security policy rule using the newly created App-ID with application-default
as the Service.

Now work with the known traffic, since we were able to capture our unknowns and
created one App-ID, one Application Override rule, and a new security policy rule
matching the traffic. It's important to know that the unknown traffic may be new every
week, and constant monitoring of these rules is required to achieve maximum
protection and real L7 inspection.

Let's look into the traffic captured and pick Facebook-base, Facebook-video,
FaceTime, and Gmail-base.

These are the applications we decided to allow in that rule.

The next step is to select the applications and/or dependencies we would like to bring
into the new App Adoption Rule. This is important because the system will
recommend either just an application or an application and its dependencies, saving
you a lot of time figuring out dependencies and allowing you to optimize App-ID rules
by having multiple dependencies added to a single rule instead of having one rule per
application, which avoids too many dependencies during your implementation.
Now you may comfortably adopt applications by selecting the option you feel
confident is the best match to your customer's requirements.

After you click Add to Rule, the applications are added to your new rule and the rule
will be added as a new security policy rule in the device rulebase.

The result is a single rule matching the applications you selected. However, if you want
to accept and create App-ID rules for all the traffic captured from the device instead,
select App-id Adoption > App-id reconciliation to generate the necessary rules for
the entire rulebase.

After the App-ID Reconciliation process, you might see redundant rules for known
and unknown traffic found in the logs. Therefore, you must manually review the
rulebase to fine tune the proper App-ID adoption.

The final migrated rulebase contains both the rules that existed before the App-ID
migration, and the new rules created during the App-ID migration process.

As a good practice, clone all rules before starting the App-ID migration process, and
apply the App-ID migration above the cloned rules. This ensures a smooth transition.
With the App-ID rules above the legacy L3/L4 rules, you ensure full protection using
the true power of the Palo Alto Networks next-generation firewall.

