fwmigration tool october 2011 1

Firewall Configuration Migration Tool Technical Training for OS v 1.6.1 Albert Estevez Polo [email protected]


  • Firewall Configuration Migration Tool Technical Training for OS v 1.6.1

    Albert Estevez Polo

    [email protected]

  • Webinar Agenda

    - Migration Tool Overview
    - Demo of a Check Point configuration migration
    - Q & A

    Page 2 | Firewall Configuration Migration Training - June 2011

  • Migration Tool Introduction

    Palo Alto Networks migration toolkit offered free of charge to qualified partners to assist with migration projects

  • Migration Tool Features

    Configuration Migration
    o Migrates Security policies
    o Migrates NAT policies (Check Point only)
    o Address objects (including groups)
    o Service objects (including groups)
    o Route table entries

    Configuration Editor
    o Offline security policy editor
    o Edit address objects
    o Edit service objects
    o Edit Zones

    Configuration Consolidation
    o Useful tool when consolidating multiple firewall configurations
    o Merges a new configuration into a production firewall configuration

  • Migration Tool Benefits

    A standard migration flow:

    Firewall Migration Process
    1. Network design and requirements analysis
    2. Migrate the existing firewall rules and objects
    3. Review the migrated rules and objects
    4. Finalize the firewall configuration
    5. Functional testing and validation
    6. Cutover to the new firewall
    7. Post cutover monitoring and policy tuning

    Callouts on the slide: Automation saves time; Reduces migration errors

  • Supported Vendors

    Supported Firewall configuration migrations

    Vendor               OS               Versions supported
    Cisco ASA/PIX/FWSM   PIX OS, ASA OS   PIX OS: 6.0.x, 7.x, 8.x; ASA OS: 7.x, 8.0-8.1
    Cisco                IOS              11.x and newer, extended ACLs only
    Juniper/NetScreen    ScreenOS         ver 5.x for NetScreen and SSG platforms (SRX Jun-OS configs are not supported)
    Check Point          FW-1             R65, R70, R71, R75 are supported
    Fortinet             FortiOS          3.x, 4.x

    Note: configurations will be converted to PAN-OS .xml format that can be directly imported into a Palo Alto Networks firewall

  • Migration Features List

    Topics (columns: Cisco IOS, Cisco PIX/ASA, Juniper/NetScreen, Check Point, Fortinet)

    Rule Conversion
    - Security Zone Migration
    - Security Policy Migration
    - NAT Rule Migration: TBD for four of the five vendors (NAT migration is Check Point only, see Migration Tool Features)
    - VPN Configuration: TBD for all five vendors

    Object Conversion
    - Static Routes
    - Address Objects
    - Address Groups
    - Address Ranges
    - Services
    - Service Groups
    - Services Ranges

    The per-vendor marks for supported features did not survive extraction; only the TBD cells are shown.

  • Migration Walk-Through


  • Migration Steps

    1. Obtain the production firewall configuration files
    2. Import the firewall configuration into the migration tool
    3. Review the migration logs and migrated rules and objects
    4. Review and edit the migrated security policies
    5. Correct any configuration incompatibilities and generate a PAN-OS XML configuration file
    6. Import and Load the generated configuration
    7. Finalize the configuration on the Palo Alto Networks firewall

  • 1. Obtain the Production Firewall Configuration Files

    See Appendix B for the steps to export and format Cisco, Check Point and Juniper/NetScreen configuration files

    Prior to importing, the respective configuration files must be named using the following conventions (note: file names are case sensitive):

    Configuration        Required files
    CheckPoint           objects_5_0.C, routes.txt, PolicyName.W, rulebases_5_0.fws (optional - for migrating comments)
    Cisco                config_cisco.txt
    Juniper/NetScreen    config_screenos.txt

  • 2. Import the production firewall configuration file

    Open the Web interface and upload the configuration

    HTTP://


  • 2. Import the production firewall configuration file

    Choose the source of the configuration file and a pop-up window will appear to import the config files


  • 3. Review the migrated logs and objects

    Screenshot callouts: Review and edit objects; Warning messages and policy editor

  • 3. Review the migrated logs and objects (Contd)


    The objects to review window allows for viewing and editing of the address and service objects and route entries

    The route entries are used for Zone assignments in the security policies

    For Check Point configs the Zones must be manually entered

    For NetScreen, Fortinet and Cisco ASA configs the Zones will be learned from the configuration

    Zones can be renamed as needed

  • 3. Review the migrated logs and objects (Contd)

    Review the address and service objects

    Note: Not all migrated objects are displayed. Only objects that need to be reviewed are listed

    Object values can be manually edited in the review pane by clicking on the value

  • 3. Review the migration logs and warnings

    Pay particular attention to warning messages

    These messages point to implicit NAT rules that were not migrated

    Other warning messages point to non-TCP/UDP service objects that need to be reviewed and corrected prior to generating the XML config file

  • 4. Review the migrated Security Policies

    Security Policy Editor menu options

    Search windows can be used to search for specific address and service objects used in the security policies

    Option             Description
    Refresh            Refreshes the Security Policy page to reflect any changes made to address and service objects and zone assignments made to route entries
    Auto Assign Zone   Assigns the source and destination zone by referencing the route entries
    Enable             Enables a security policy
    Disable            Disables a security policy
    Delete             Deletes a security policy
    Merge              Merges security policies
    Save               Saves the changes (after enabling, disabling and merging policies)

  • 4. Review the migrated Security Policies

    Review and edit the migrated security policies

    Pay attention to the Zone assignments


    Click a field in the security policy to open the security policy editing window

    Edit the objects in the security policy and click Save

    The window must be manually closed after editing and saving.

  • 4. Review the migrated Security Policies

    Security policy zone assignments

    Zones are learned from the Route entries

    The IPs and IP subnets are read in the security policies and compared against the route table entries to assign the Source and Destination zones in the policies

    The default is to assign any for the Zone

    Edit the Zone option in the Interfaces and zones window (screenshot callout: Edit the Zone)

    A red hash indicates the setting has not been saved

  • 4. Review the migrated Security Policies

    Security policy zone assignments (contd)

    After editing the Zone settings, click Save

    In the Security Policy Editor choose Auto Assign Zone to re-assign the source and destination zone in the security policy configurations

    The migration software will make a best effort to assign the zones in the security policy

    Screenshot callouts: Edit the Zone; Choose Auto Assign Zone to transfer the Zones to the security policies
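    The zone assignment described on the two slides above, worked by hand as an added example (this is not the Migration Tool's own code). Route entries in the style of the routes.txt that Appendix B exports with netstat -nr are parsed, each rule's source and destination address is matched against them by longest prefix, the matching route's interface is mapped to a zone, and anything that cannot be placed stays "any", the tool's default. The route text, the interface-to-zone map, the rule layout and the "spans more than one zone" fallback are all constructed assumptions for this example.

```python
# Added example (not the Migration Tool's own code): assign zones to
# migrated rules from route table entries, longest prefix wins, and fall
# back to "any" when no route covers the address or the address spans
# routes that lead to different zones.
import ipaddress
import re

# Constructed routes.txt in `netstat -nr` style (not a real routing table).
ROUTES_TXT = """\
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
0.0.0.0         203.0.113.1     0.0.0.0         UG        0 0          0 eth0
203.0.113.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
10.1.0.0        0.0.0.0         255.255.0.0     U         0 0          0 eth1
192.168.50.0    10.1.0.254      255.255.255.0   UG        0 0          0 eth1
172.16.0.0      0.0.0.0         255.255.0.0     U         0 0          0 eth2
"""

# Zone chosen for each interface in the "Interfaces and zones" window
# (assumed names; for Check Point configs these are entered manually).
IFACE_ZONE = {"eth0": "untrust", "eth1": "trust", "eth2": "dmz"}


def parse_routes(text):
    """Return [(network, iface)] from netstat -nr output; header lines are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 8 or not re.match(r"\d+\.\d+\.\d+\.\d+$", parts[0]):
            continue
        dest, mask, iface = parts[0], parts[2], parts[-1]
        routes.append((ipaddress.ip_network(f"{dest}/{mask}"), iface))
    return routes


def zone_for(address, routes, iface_zone):
    """Zone for one address object: "any", a host, or a CIDR subnet."""
    if address == "any":
        return "any"
    net = ipaddress.ip_network(address, strict=False)
    containing = [(rn, ifc) for rn, ifc in routes if net.subnet_of(rn)]
    if not containing:
        return "any"  # no route covers it: leave for manual review
    best_net, best_ifc = max(containing, key=lambda ri: ri[0].prefixlen)
    zone = iface_zone.get(best_ifc, "any")
    # An object wider than a route beneath it (e.g. 10.0.0.0/8 when
    # 10.1.0.0/16 goes elsewhere) spans zones: fall back to "any".
    for rn, ifc in routes:
        if rn != net and rn.subnet_of(net) and iface_zone.get(ifc, "any") != zone:
            return "any"
    return zone


def auto_assign_zones(rules, routes, iface_zone):
    """Fill from_zone/to_zone on each rule from its src/dst address."""
    out = []
    for rule in rules:
        r = dict(rule)
        r["from_zone"] = zone_for(rule["src"], routes, iface_zone)
        r["to_zone"] = zone_for(rule["dst"], routes, iface_zone)
        out.append(r)
    return out


if __name__ == "__main__":
    table = parse_routes(ROUTES_TXT)
    sample = [{"name": "r1", "src": "10.1.5.20", "dst": "any"},
              {"name": "r2", "src": "10.0.0.0/8", "dst": "203.0.113.7"}]
    for r in auto_assign_zones(sample, table, IFACE_ZONE):
        print(r["name"], r["from_zone"], "->", r["to_zone"])
```

    Rules left at "any" after this pass are exactly the ones the tool asks you to review: a default route makes every address match something, so the "any" results come from "any" objects or from objects that straddle zones, and both deserve a look before the XML is generated.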

  • 5. Generating a PAN-OS configuration file

    Configure the management settings using the Device Config tab

    Note: If importing a PAN-OS config to use the Config Editor or Config Consolidator options, the management settings will be copied from the imported PAN-OS config file

    Screenshot callouts: Objects to review; Device Config

  • 5. Generating a PAN-OS configuration file

    Generate a configuration file after reviewing and correcting the objects listed in the warning logs

    Any errors will be displayed when generating the XML file

    Use the Reload Data option to correct errors related to the address objects

    Service and address objects can be edited to correct any errors


  • 5. Generating a PAN-OS configuration file

    Create XML will generate a PAN-OS configuration file using the migrated objects and policies

    Note: the version 3.x setting generates a config file that is compatible with PAN-OS 3.x and 4.0.x.

    Screenshot callout: Create XML version 3.x

  • 5. Generating a PAN-OS configuration file

    Review and correct any errors displayed when creating the configuration file

    Common errors are address objects migrated with invalid addresses or netmasks

    Corrections can be made by issuing the Reload Data function or manually editing the object

  • 5. Generating a PAN-OS configuration file

    After correcting the errors, start the Create XML function

    Choose L3 to maintain the Zone assignments in the security policies

    The L2 option is used primarily when migrating Transparent firewall configurations from NetScreen and Cisco FWSM

    The L2 configuration will replace the source and destination zones in the security policies to a default Trust


  • 5. Generating a PAN-OS configuration file

    The config file is saved as a zip file

    Unzip and import the XML configuration file into your Palo Alto Networks firewall


  • 6. Import and Load the configuration file

    Import the migrated config file into your Palo Alto Firewall

    This step assumes you have previously assigned a management IP and can access the management console via HTTPS or SSH

    (this example will use HTTPS)


  • 6. Import and Load the configuration file

    Load the migrated config file into your Palo Alto Firewall

    -----

    Do not Commit until you have thoroughly reviewed and finalized the configuration

    -----


  • 7. Finalizing the Configuration

    Configuration review checklist:

    1) Network: Configure the Interfaces: Mode (L2, Vwire, L3), IP Address, Zone assignment
    2) Virtual-Router: Default gateway, Static Routes
    3) Security Policies: Destination Zone assignments; Convert service port to App-ID policies where needed
    4) NAT policies: Create source and destination NAT policies (as needed)
    5) Custom Services: Consolidate services where possible to remove duplicate and overlapping objects; Review any custom services to verify the port assignments

  • 7. Finalizing the Configuration

    After reviewing and finalizing the migrated configuration, commit the changes

    At this stage the firewall will have a base configuration including the migrated objects and policies. Once the base configuration is committed, you can configure advanced settings such as SSL-VPN, IPSec VPN, User-ID, etc. Please see the PAN-OS Administrator guide or the Palo Alto Networks Knowledgebase for documentation on how to configure specific features.

  • TOOLS Beyond Migrations

  • Tools

    The new Tools section helps with migrations where it is not necessary to migrate everything from the legacy device to your new Palo Alto Networks next-generation device, for example when you want to make some changes to the configuration or delete many unused objects before cleaning up rules.

    2011 Palo Alto Networks. Proprietary and Confidential. Page 33 |

  • Migration Translator

    The translator process helps you migrate a policy in which some address objects change their name and/or address: you have an OLD object (identified by its IP address) that needs to be changed to a new IP address, a new name, or both.

    The tool can also do the rename automatically: if the OLD IP address is 1.1.1.1 and the OLD name embeds it, such as asdf-1.1.1.1-host, the tool replaces the OLD IP address inside the name with the new one, without the new name having to be written into the CSV file used for this purpose (translate.csv).

    The CSV file must be filled with the fields in this order (; separated):

    - OLD_IP;NEW_NAME;NEW_IP
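    A worked reading of the translate.csv layout above, added as an example that is not the Migration Tool's own code. It parses OLD_IP;NEW_NAME;NEW_IP rows, rewrites the address objects (including the automatic rename of names that embed the old IP, as in asdf-1.1.1.1-host), and then rewrites the rules that reference the renamed objects so they do not dangle. The object and rule layout, the "empty field keeps the current value" rule and all sample data are assumptions made for this example.

```python
# Added example (not the Migration Tool's own code): apply a translate.csv
# in the OLD_IP;NEW_NAME;NEW_IP layout to migrated address objects and to
# the rules referencing them.
import csv
import io
import re

# Constructed sample translate.csv. An empty NEW_NAME or NEW_IP keeps the
# current value. A header row is tolerated but not required.
TRANSLATE_CSV = """\
OLD_IP;NEW_NAME;NEW_IP
1.1.1.1;;10.10.1.1
2.2.2.2;web-frontend;10.10.2.2
3.3.3.3;db-primary;
"""

# Constructed migrated address objects: name -> IP address.
ADDRESS_OBJECTS = {
    "asdf-1.1.1.1-host": "1.1.1.1",
    "old-web": "2.2.2.2",
    "db01": "3.3.3.3",
    "untouched": "4.4.4.4",
}

# Constructed rules referencing address objects by name.
RULES = [
    {"name": "allow-web", "src": ["any"], "dst": ["old-web"]},
    {"name": "db-access", "src": ["asdf-1.1.1.1-host"], "dst": ["db01"]},
]


def load_translations(text):
    """Parse ;-separated rows into {old_ip: (new_name, new_ip)}."""
    table = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        cells = [c.strip() for c in row] + ["", ""]  # pad short rows
        if not cells[0] or cells[0].upper() == "OLD_IP":
            continue  # blank line or header
        table[cells[0]] = (cells[1], cells[2])
    return table


def _ip_pattern(ip):
    """Match `ip` only as a whole address: 1.1.1.1 must not hit 11.1.1.1 or 1.1.1.10."""
    return re.compile(r"(?<![\d.])" + re.escape(ip) + r"(?![\d.])")


def translate_objects(objects, table):
    """Return (new_objects, renames).

    NEW_IP replaces the address and NEW_NAME replaces the name. When NEW_NAME
    is empty but the old name embeds the old IP, the IP inside the name is
    rewritten to the new IP, as the training describes."""
    new_objects, renames = {}, {}
    for name, ip in objects.items():
        new_name, new_ip = table.get(ip, ("", ""))
        new_ip = new_ip or ip
        if not new_name and new_ip != ip:
            candidate, hits = _ip_pattern(ip).subn(new_ip, name)
            if hits:
                new_name = candidate
        new_name = new_name or name
        if new_name != name:
            renames[name] = new_name
        new_objects[new_name] = new_ip
    return new_objects, renames


def apply_renames(rules, renames):
    """Rewrite src/dst references so rules keep pointing at renamed objects."""
    out = []
    for rule in rules:
        r = dict(rule)
        r["src"] = [renames.get(n, n) for n in rule["src"]]
        r["dst"] = [renames.get(n, n) for n in rule["dst"]]
        out.append(r)
    return out


if __name__ == "__main__":
    objs, renamed = translate_objects(ADDRESS_OBJECTS, load_translations(TRANSLATE_CSV))
    print(objs)
    for r in apply_renames(RULES, renamed):
        print(r["name"], r["src"], "->", r["dst"])
```

    The rename map returned alongside the objects is what makes the pass safe to apply to a whole policy: every rule referencing an old name is updated in the same run, so the generated configuration cannot reference an object that no longer exists.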


  • Migration Zone Translator

    In large migrations it is often necessary to change zone names on the new platform to meet design requirements.

    When the zone names are retrieved automatically from the configuration, as with Cisco, Juniper or Fortinet, this feature specifies which OLD zone name is translated to a NEW one, and all affected rules are changed as well.

    The file must be created with the name translate-zones.csv and its contents must be:

    - OLD_ZONE_NAME;NEW_ZONE_NAME


  • Migration Split Config

    In some situations, when a configuration is imported into the Migration Tool we get all the security policies and all the interface and zone information, but we only want to migrate some of the zones and the rules affected by those zones.

    Create a CSV file called translate-zones.csv (the same file used by the Zone Translator) and list inside it only the zones to be used in the migration; the remaining zones in the configuration are erased, together with all the rules affected by them.

    If you do not want to change the zone names, fill the CSV file like this:

    - OLD_ZONE_NAME;OLD_ZONE_NAME
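    One implementation of both translate-zones.csv uses described on the last two slides (Zone Translator and Split Config), added here as an example that is not the Migration Tool's own code. The rule layout, the treatment of "any", and the criterion that a rule is dropped when either of its zones is not listed are assumptions made for this example; sample zones and rules are constructed.

```python
# Added example (not the Migration Tool's own code) for translate-zones.csv:
# rename zones in migrated rules, and in split mode keep only the listed
# zones and the rules that stay entirely within them.
import csv
import io

# Constructed translate-zones.csv: OLD_ZONE_NAME;NEW_ZONE_NAME. Listing a
# zone as itself (dmz;dmz) keeps its name but still selects it for a split.
ZONES_CSV = """\
inside;trust
dmz;dmz
"""

# Constructed zones learned from the legacy configuration, and some rules.
ZONES = ["inside", "outside", "dmz", "guest"]
RULES = [
    {"name": "r1", "from": "inside", "to": "outside"},
    {"name": "r2", "from": "inside", "to": "dmz"},
    {"name": "r3", "from": "guest", "to": "outside"},
    {"name": "r4", "from": "dmz", "to": "any"},
]


def load_zone_map(text):
    """Parse OLD;NEW rows into {old_zone: new_zone}; blank lines are skipped.
    An empty NEW column is treated as "keep the old name"."""
    zone_map = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        cells = [c.strip() for c in row]
        if cells and cells[0]:
            new = cells[1] if len(cells) > 1 and cells[1] else cells[0]
            zone_map[cells[0]] = new
    return zone_map


def translate_zones(zones, rules, zone_map, split=False):
    """Return (new_zones, new_rules).

    Translator: every zone found in zone_map is renamed, both in the zone
    list and in each rule's from/to. Split: zones not listed are erased and
    any rule that references an erased zone is dropped. "any" is not a zone
    name, so it always passes through unchanged."""

    def keep(zone):
        return zone == "any" or not split or zone in zone_map

    new_zones = [zone_map.get(z, z) for z in zones if keep(z)]
    new_rules = []
    for rule in rules:
        if not (keep(rule["from"]) and keep(rule["to"])):
            continue  # erased along with the zone it references
        r = dict(rule)
        r["from"] = zone_map.get(rule["from"], rule["from"])
        r["to"] = zone_map.get(rule["to"], rule["to"])
        new_rules.append(r)
    return new_zones, new_rules


if __name__ == "__main__":
    zmap = load_zone_map(ZONES_CSV)
    print("translate:", translate_zones(ZONES, RULES, zmap))
    print("split:    ", translate_zones(ZONES, RULES, zmap, split=True))
```

    Running the same file in split mode is a noticeably destructive operation, which is why the slide insists that zones you want to keep unchanged must still be listed (OLD;OLD): a zone missing from the file is erased, and every rule touching it goes with it.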


  • Calculate Unused Objects

    The system performs an initial check of which objects are used and which are not.

    But after you make changes, add or delete rules, or use other Tools such as the Config Splitter, it is common to end up with many objects that were used at the beginning but no longer are.

    This feature re-checks all the objects against the policies to determine whether each one is used or not, and updates the statistics in the Generate Report option.
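    The re-check the slide describes, as an added example (not the Migration Tool's own code): walk every enabled rule, collect the address and service names it references, expand those through groups transitively (cycle-safe, since a migrated group can reference itself through another group), and report whatever is never reached. The object, group and rule structures and the sample data are constructed assumptions for this example; whether disabled rules count as "using" an object is left as a parameter.

```python
# Added example (not the Migration Tool's own code): recompute which
# address and service objects are still referenced by the policies after
# edits or a split, following group membership transitively.

# Constructed address groups (name -> member names) and flat objects.
ADDRESS_GROUPS = {
    "g-servers": ["web01", "db01", "g-backup"],
    "g-backup": ["bk01", "g-servers"],  # cycle on purpose: must not loop forever
    "g-orphan": ["web02"],
}
ADDRESS_OBJECTS = {"web01", "web02", "db01", "bk01", "legacy-host"}

# Constructed service groups and flat service objects.
SERVICE_GROUPS = {"g-web": ["tcp-80", "tcp-443"]}
SERVICE_OBJECTS = {"tcp-80", "tcp-443", "tcp-8080", "udp-514"}

# Constructed rules; r3 is disabled in the policy editor.
RULES = [
    {"name": "r1", "src": ["any"], "dst": ["g-servers"], "service": ["g-web"]},
    {"name": "r2", "src": ["bk01"], "dst": ["any"], "service": ["udp-514"]},
    {"name": "r3", "src": ["any"], "dst": ["any"], "service": ["tcp-8080"], "disabled": True},
]


def referenced(names, groups):
    """Expand referenced names through groups (transitively, cycle-safe).
    Returns every object and group name reached; "any" is not an object."""
    seen, stack = set(), list(names)
    while stack:
        n = stack.pop()
        if n in seen or n == "any":
            continue
        seen.add(n)
        stack.extend(groups.get(n, []))
    return seen


def unused_objects(rules, objects, groups, fields, include_disabled=False):
    """Sorted names in `objects` or `groups` that no rule reaches via `fields`.
    Disabled rules are ignored unless include_disabled is set."""
    refs = set()
    for rule in rules:
        if rule.get("disabled") and not include_disabled:
            continue
        for field in fields:
            refs.update(rule.get(field, []))
    used = referenced(refs, groups)
    return sorted((set(objects) | set(groups)) - used)


def usage_statistics(rules, objects, groups, fields):
    """Counts of the kind shown in a Generate Report style summary."""
    unused = unused_objects(rules, objects, groups, fields)
    total = len(objects) + len(groups)
    return {"total": total, "unused": len(unused), "used": total - len(unused)}


if __name__ == "__main__":
    print("unused addresses:", unused_objects(RULES, ADDRESS_OBJECTS, ADDRESS_GROUPS, ["src", "dst"]))
    print("unused services: ", unused_objects(RULES, SERVICE_OBJECTS, SERVICE_GROUPS, ["service"]))
    print(usage_statistics(RULES, ADDRESS_OBJECTS, ADDRESS_GROUPS, ["src", "dst"]))
```

    Note that a group is only "used" if a rule (or a used group) references it; an object that survives solely as a member of an unreferenced group is reported as unused too, which is the common leftover after a split.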


  • Practical Demo: Let's Get to It

  • Appendix A: Downloading and Installing the Migration Server software

  • Obtaining the Migration Tool Software

    The software is offered free of charge to Palo Alto Networks ACE partners. Contact your local Palo Alto Networks SE for access or request to be added to the Firewall Migration community on our Live website.

    https://live.paloaltonetworks.com/index.jspa

    Support is provided on a best effort basis via the following methods:

    - Contacting your local Palo Alto Networks SE

    - Sending an email to [email protected]

    Note: Please do not contact the general Palo Alto Networks support hotline for questions related to the use or installation of the Migration software. The standard Palo Alto Networks support is not available for assistance with this software.


  • Running the Migration Tool Software

    The Migration Tool is packaged as a virtual machine image that runs on VMware:

    Platform        OS Versions supported
    VMware Player   Version 3.1.1 and newer
    VMware ESX      Version 3.0 and newer

    Hardware requirements are dependent on the VMware platform chosen (Player or ESX)

    Recommended hardware
    CPU         P4 or newer
    RAM         1 GB
    HDD         2 GB
    Interface   NAT and Bridged modes are supported

  • Running the Migration Server Virtual Machine

    1. Unzip the Migration Tool virtual machine onto the host machine

    2. Start your VMware player and choose:

    Open a Virtual Machine

    3. Browse to the directory where the Migration Server files were unzipped and open the file MigrationToolVM.vmx

    4. After installation, choose Play virtual machine to boot the VM


  • Running the Migration Server (contd)

    5. When prompted for the virtual machine information, choose: I copied it

    6. Upon booting, the Migration Server will acquire an IP address that can be accessed locally. The IP address that is configured will be displayed in the VMware console

    Note: The default Network Adapter setting in VMware Player is to use NAT and acquire an IP address dynamically

  • Accessing the Migration Server

    7. The Migration Tool server interface can be accessed locally by opening a browser to: http://

    After accessing the management console upgrade the migration software to the latest version. The upgrade process uses SSH to contact the update server, if the upgrade process fails verify your network firewall is allowing outbound SSH connections from the virtual machine.


  • Menu Tools

    FROM: Choose the firewall config to migrate (Fortinet migration support will be added in an upcoming release)

    SYSTEM: Management options for log management and software reboot

    SETTINGS: Used to set the environment prior to starting a migration. Options include migrating just the objects or objects+rules. Can also set the extended mode to support longer object names

    UPGRADE: Initiates the upgrade of the migration software. Internet access is required to upgrade the Migration Software OS


  • Appendix B: Exporting Existing Firewall Configurations

  • NetScreen/Juniper Migration

    The file you upload must be called config_screenos.txt

    You can obtain the configuration file from the WebUI (Configuration > Update > Config File), or from the CLI by capturing the output of get conf and saving it to a text file

  • Cisco PIX/ASA/FWSM Migration

    The file you upload must be called config_cisco.txt

    Capture and save to a text file the output from show run


  • Check Point Migration

    Check Point migrations require three files:

    1. objects_5_0.C

    2. PolicyName.W

    3. routes.txt

    The name of the policy file (referred to here as PolicyName.W) will have whatever name you assigned it, but look for a .W extension associated with it in the SmartCenter/management console.

    The rulebases_5_0.fws is not required but is recommended to be included for migration as it includes the object comments

    There are multiple methods to find and export the files. Some options will be listed in the following slides.


  • Check Point Migration (contd)

    Export the objects_5_0.C, PolicyName.W and rulebases_5_0.fws files from the SmartCenter management console:

    1. Close all SmartDashboard connections to SmartCenter

    2. As a recommended precaution issue cpstop.exe to stop all Check Point services.

    3. Log in to the CLI with administrator privileges or open Windows explorer for Windows installations

    4. Navigate to the directory $FWDIR/conf to find the necessary files.

    5. The objects_5_0.C and rulebases_5_0.fws will be named exactly. The Policy file will have the name assigned by the administrator, with a .W file extension


  • Check Point Migration (contd)

    A second option to find the necessary files is to use the find command to search.

    Preferably you will want to issue the command from the SmartCenter server (the pattern is quoted so the shell does not expand it before find sees it):

    > find / -name '*.W'

    Find the files that match the following:

    - The .W file matches the policy file configured by the firewall administrator
    - Export the objects and rulebases files found in the same directory where the policy file (.W) was found

  • Check Point Migration (contd)

    Generating the routes.txt file:

    1. Log in to the firewall CLI

    2. Run the command netstat -nr > routes.txt

    3. Export the routes.txt file

  • Appendix C: Assigning an IP to the Migration Server

  • Assigning an IP Address to the Migration server

    The default Vmware Player setting is to enable DHCP

    Static IP assignment can also be configured using the steps below

    Log into the VM console using the admin account:

    Username: admin Password: paloalto

    Run the setup or ifconfig utility from the CLI and follow the menu to assign an IP address to be used by the Migration software for access

    Note: when using the ifconfig option the IP address is not saved and will be lost after a reboot. IP assignment using the setup utility is saved.

  • Assigning an IP Address to the Migration server
