5744 Views, 15 Helpful, 15 Replies

Migrating from Palo Alto to Firepower

Mike Wagner (Level 1)

Hi All,

Over two years ago we replaced an aging ASA 5550 with a Palo Alto PA-5050.  Palo Alto had a nice conversion tool that I was able to use to migrate the config from our ASA to the PA.  Fast forward two years, and long story short, the Palo Alto gave us a lot of problems.  Our maintenance was up, and we were outgrowing the device, so we purchased a Firepower 4110 knowing that Cisco had upped their game with the NGFW.

Now I'm stuck with 700+ NAT entries and 700+ ACLs in the PA that I need to migrate to the Firepower.  I have the FTD provisioned, and my FMCv VM registered, and I'm able to start configuring rules.

Is there a way to mass import rules to the Firepower?  I can pull them easily from the CLI on the PA.  They're in XML format.  My zones are the same, obviously I would have to create ports possibly.  

Any guidance is greatly appreciated!

-Mike

15 Replies

Marvin Rhoads (Hall of Fame)

Congratulations on coming back from the Dark Side.

Unfortunately there's no such tool that I know of - even internal Cisco or partner-accessible.

That's a bit of a bummer :(   And there is currently no CLI for Firepower that allows adding threat defense rules?

Well... you could automate it to a certain degree. FMC has a REST API which you could use to 

1) import your policy

2) create network / service objects & group objects

3) create interface configuration

Unfortunately NAT Policy is not yet exposed via the REST interface, but you could use the ASA REST interface to dump your NAT configuration into a virtual ASA and then use the Firepower migration tool to get your NAT rules from the ASA into FMC.

I know that's not very satisfying, but migrating 700 rules, 700 NAT rules and probably 1000 objects by hand is destined to lead to fat-finger mistakes.

If you have any questions let me know...
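The object-then-rules workflow described above, as an added example that is not part of this thread and not Oliver's tool: it reads a PAN-OS configuration export, turns address objects into FMC Host/Network payloads, resolves rule references (zones, networks, ports) against what FMC already holds, and pushes everything with the bulk flag of the FMC REST API. The PAN-OS XML fragment is constructed for the example; the FMC hostname, API user, access-policy UUID, and the mapping of PAN-OS built-in service names to FMC port objects (PORT_NAME_MAP) are assumptions. NAT is deliberately not handled, since the post notes it is not exposed by the REST API; fqdn/ip-range objects and rules with unresolved references are reported for manual work rather than silently converted.

```python
"""Added example (not from this thread): turn PAN-OS address objects and security
rules into FMC REST API payloads and push them in bulk.  Standard library only."""
import base64
import json
import ssl
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Constructed PAN-OS config fragment, not a real export; only the elements the
# conversion reads are present (address objects and security rules).
PANOS_XML = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address>
 <entry name="web-srv"><ip-netmask>10.1.10.25/32</ip-netmask></entry>
 <entry name="dmz-net"><ip-netmask>10.1.10.0/24</ip-netmask></entry>
 <entry name="mail-fqdn"><fqdn>mail.example.com</fqdn></entry>
</address>
<rulebase><security><rules>
 <entry name="inet-to-web">
  <from><member>untrust</member></from><to><member>dmz</member></to>
  <source><member>any</member></source><destination><member>web-srv</member></destination>
  <service><member>service-https</member></service><action>allow</action>
 </entry>
 <entry name="block-dmz-out">
  <from><member>dmz</member></from><to><member>untrust</member></to>
  <source><member>dmz-net</member></source><destination><member>any</member></destination>
  <service><member>any</member></service><action>deny</action>
 </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""

VSYS = "./devices/entry/vsys/entry"
ACTION_MAP = {"allow": "ALLOW", "deny": "BLOCK", "drop": "BLOCK",           # PAN-OS -> FMC
              "reset-client": "BLOCK_RESET", "reset-server": "BLOCK_RESET",
              "reset-both": "BLOCK_RESET"}
PORT_NAME_MAP = {"service-http": "HTTP", "service-https": "HTTPS"}        # assumed FMC names
REF_FIELDS = (("from", "sourceZones", "zones"), ("to", "destinationZones", "zones"),
              ("source", "sourceNetworks", "networks"),
              ("destination", "destinationNetworks", "networks"),
              ("service", "destinationPorts", "ports"))


def load_config(text=PANOS_XML):
    return ET.fromstring(text)


def parse_addresses(root):
    """Return (FMC Host/Network payloads, skipped entries).  fqdn and ip-range
    objects are reported for manual handling rather than guessed at."""
    objects, skipped = [], []
    for e in root.findall(VSYS + "/address/entry"):
        name, ipn = e.get("name"), e.findtext("ip-netmask")
        if ipn is None:
            skipped.append((name, e[0].tag if len(e) else "empty"))
        elif "/" not in ipn or ipn.endswith(("/32", "/128")):
            objects.append({"name": name, "type": "Host", "value": ipn.split("/")[0]})
        else:
            objects.append({"name": name, "type": "Network", "value": ipn})
    return objects, skipped


def convert_rules(root, lookups):
    """Return (FMC AccessRule payloads, problems).  `lookups` maps "zones", "networks"
    and "ports" to {name: {"type", "id"}} as read back from FMC.  A rule with an
    unresolved reference is reported and left out, never created half-populated."""
    rules, problems = [], []
    for e in root.findall(VSYS + "/rulebase/security/rules/entry"):
        rule = {"name": e.get("name"), "type": "AccessRule", "enabled": True,
                "action": ACTION_MAP[e.findtext("action")]}
        missing = []
        for pan_tag, fmc_key, table in REF_FIELDS:
            names = [m.text for m in e.findall(pan_tag + "/member")]
            if not names or names == ["any"]:
                continue                       # "any" in PAN-OS == field omitted in FMC
            if table == "ports":
                names = [PORT_NAME_MAP.get(n, n) for n in names]
            missing += [n for n in names if n not in lookups[table]]
            rule[fmc_key] = {"objects": [{"name": n, **lookups[table][n]}
                                         for n in names if n in lookups[table]]}
        if missing:
            problems.append((rule["name"], missing))
        else:
            rules.append(rule)
    return rules, problems


class FMC:
    """Minimal FMC REST client.  For a lab FMC with a self-signed certificate pass
    the exported cert as `cafile`; do not turn verification off."""
    def __init__(self, host, user, password, cafile=None):
        self.base, self.ctx = "https://" + host, ssl.create_default_context(cafile=cafile)
        cred = base64.b64encode(f"{user}:{password}".encode()).decode()
        with self._send("/api/fmc_platform/v1/auth/generatetoken", "POST",
                        {"Authorization": "Basic " + cred}) as r:
            self.token, self.domain = r.headers["X-auth-access-token"], r.headers["DOMAIN_UUID"]

    def _send(self, path, method, headers, body=None):
        req = urllib.request.Request(self.base + path, method=method, headers=headers,
                                     data=None if body is None else json.dumps(body).encode())
        return urllib.request.urlopen(req, context=self.ctx)

    def _cfg(self, path, method, body=None):
        hdr = {"X-auth-access-token": self.token, "Content-Type": "application/json"}
        with self._send(f"/api/fmc_config/v1/domain/{self.domain}{path}", method, hdr, body) as r:
            return json.load(r).get("items", [])

    def get_refs(self, path):
        """GET a collection and return {name: {"type", "id"}} for rule references."""
        return {i["name"]: {"type": i["type"], "id": i["id"]}
                for i in self._cfg(path + "?limit=1000", "GET")}

    def bulk_post(self, path, items):
        """Create many objects per request (?bulk=true); the API is rate-limited."""
        return self._cfg(path + "?bulk=true", "POST", items) if items else []


if __name__ == "__main__":
    root = load_config()
    objs, skipped = parse_addresses(root)
    print(json.dumps(objs, indent=1), "\nneeds manual handling:", skipped)
    if len(sys.argv) == 5:              # fmc-host api-user password access-policy-uuid
        fmc = FMC(*sys.argv[1:4])
        fmc.bulk_post("/object/hosts", [o for o in objs if o["type"] == "Host"])
        fmc.bulk_post("/object/networks", [o for o in objs if o["type"] == "Network"])
        lookups = {"networks": fmc.get_refs("/object/networkaddresses"),
                   "zones": fmc.get_refs("/object/securityzones"),
                   "ports": fmc.get_refs("/object/ports")}
        rules, problems = convert_rules(root, lookups)
        print("unresolved references, fix by hand:", problems)
        fmc.bulk_post(f"/policy/accesspolicies/{sys.argv[4]}/accessrules", rules)
```

Run without arguments to see the converted objects and the entries that need manual handling; with `fmc-host api-user password access-policy-uuid` it creates the objects, reads back their UUIDs (rule references need the FMC id, not just the name), and appends the rules to the given access policy. Objects are pushed before rules because a rule cannot reference an object that does not exist yet, and the bulk flag keeps a 700-rule migration well under the FMC API's per-minute request limit.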

Kaisero,

Thank you for the input!  I'll do some reading on the REST API.  I agree, my biggest worry is human error.  I created 10 custom rules I knew I would have to do manually regardless, and I made mistakes on a couple of them.  I can't imagine entering 1,400 policies by hand and not making a handful of mistakes, if not more.  

Is it easy to get a trial ASA VM from Cisco?  

Thanks!

-Mike

Mike,

The ASAv can be downloaded and run in unlicensed mode with the restriction that you are limited to 100 Kbps throughput. 

Thanks Marvin!

I have the same question; I ran into it when I did my PoC with Cisco FTD. We have something like 5000+ firewall rules and 10K+ objects... without a good automation tool, it is mission impossible.

Hope Cisco can realize the problem and develop some tools to help. Otherwise, customers won't move to Cisco. On the Palo Alto and Fortinet side, they have tools to do it... much easier for customers.

Hi Mike. Were you able to do the migration? I have the same migration ahead and I am a bit worried...

Regards!


I have gone through a similar project recently and without automation we would have been doomed. :) (keep in mind that the policy might even change during the migration since it will take some time to migrate)

Getting an ASA VM from Cisco shouldn't be an issue if you migrate from PAN to Cisco. Just hit up your local VAR or Cisco SE and ask them for the download link to get the OVA.

Maybe you already have the entitlement to download it (asav971.zip):

https://software.cisco.com/download/release.html?mdfid=286119613&softwareid=280775065&release=9.7.1&relind=AVAILABLE&rellifecycle=&reltype=latest

Mike Wagner (Level 1)

Thanks all!  So, I'm thinking at this point, maybe my best option is to spin up the virtual ASA, migrate ACLs and NAT rules, then use the FMCv tool to migrate the config from the virtual ASA.

I've done scripting in the past, but never anything using a REST API to migrate from one device to another.  Sounds like an adventure!   Hopefully I can put something together to help future people with this issue.

Please keep us posted on how it works out for you. It would be an interesting case study. 

You can take a look at my repo for using the REST interface of ASA / Firepower. I used this tool to migrate Check Point objects to Firepower... hope it will help you get started: https://github.com/kaisero/fum

regards

Oliver

Oliver,

That definitely looks like it would be helpful.  I need to brush up on my scripting skills.  

You're probably not available for hire, are you?  ;)

-Mike

Hi Mike,

My company is always happy to help. ;) - If you need anything specific just let me know.

regards

Oliver
