fwmigration tool, October 2011
-
Firewall Configuration Migration Tool Technical Training for OS v 1.6.1
Albert Estevez Polo
-
Webinar Agenda
- Migration Tool Overview
- Demo of a Check Point configuration migration
- Q & A
Page 2 | Firewall Configuration Migration Training - June 2011
-
Migration Tool Introduction
The Palo Alto Networks migration toolkit is offered free of charge to qualified partners to assist with migration projects.
Migration Tool Features
Configuration Migration
- Migrates Security policies
- Migrates NAT policies (Check Point only)
- Address objects (including groups)
- Service objects (including groups)
- Route table entries
Configuration Editor
- Offline security policy editor
- Edit address objects
- Edit service objects
- Edit Zones
Configuration Consolidation
- Useful tool when consolidating multiple firewall configurations
- Merges a new configuration into a production firewall configuration
-
Firewall Migration Process
A standard migration flow:
1. Network design and requirements analysis
2. Migrate the existing firewall rules and objects
3. Review the migrated rules and objects
4. Finalize the firewall configuration
5. Functional testing and validation
6. Cutover to the new firewall
7. Post cutover monitoring and policy tuning
Migration Tool Benefits
- Automation saves time
- Reduces migration errors
-
Supported Vendors
Supported firewall configuration migrations:
Vendor              OS versions supported
Cisco ASA/PIX/FWSM  PIX OS: 6.0.x, 7.x, 8.x; ASA OS: 7.x, 8.0-8.1
Cisco IOS           IOS 11.x and newer, extended ACLs only
Juniper/NetScreen   ScreenOS 5.x for NetScreen and SSG platforms (SRX Junos configs are not supported)
Check Point         FW-1 R65, R70, R71, R75
Fortinet            FortiOS 3.x, 4.x
Note: configurations will be converted to PAN-OS .xml format that can be directly imported into a Palo Alto Networks firewall.
-
Migration Features List
Vendors covered: Cisco IOS, Cisco PIX/ASA, Juniper/NetScreen, Check Point, Fortinet
Rule Conversion
- Security Zone Migration
- Security Policy Migration
- NAT Rule Migration (Check Point only; TBD for the other vendors)
- VPN Configuration (TBD for all vendors)
Object Conversion
- Static Routes
- Address Objects
- Address Groups
- Address Ranges
- Services
- Service Groups
- Service Ranges
-
Migration Walk-Through
-
Migration Steps
1. Obtain the production firewall configuration files
2. Import the firewall configuration into the migration tool
3. Review the migration logs and migrated rules and objects
4. Review and edit the migrated security policies
5. Correct any configuration incompatibilities and generate a PAN-OS XML configuration file
6. Import and load the generated configuration
7. Finalize the configuration on the Palo Alto Networks firewall
-
1. Obtain the Production Firewall Configuration Files
See Appendix B for the steps to export and format Cisco, Check Point and Juniper/NetScreen configuration files.
Prior to importing, the respective configuration files must be named using the following conventions (note: file names are case sensitive):
Configuration       Required files
Check Point         objects_5_0.C, routes.txt, PolicyName.W, rulebases_5_0.fws (optional - for migrating comments)
Cisco               config_cisco.txt
Juniper/NetScreen   config_screenos.txt
-
2. Import the production firewall configuration file
Open the Web interface and upload the configuration
HTTP://
-
2. Import the production firewall configuration file
Choose the source of the configuration file; a pop-up window will appear for importing the config files.
-
3. Review the migrated logs and objects
- Review and edit objects
- Warning messages and policy editor
-
3. Review the migrated logs and objects (Contd)
The Objects to review window allows viewing and editing of the address and service objects and route entries.
The route entries are used for Zone assignments in the security policies.
For Check Point configs the Zones must be manually entered.
For NetScreen, Fortinet and Cisco ASA configs the Zones will be learned from the configuration.
Zones can be renamed as needed.
-
3. Review the migrated logs and objects (Contd)
Review the address and service objects.
Note: not all migrated objects are displayed; only objects that need to be reviewed are listed.
Object values can be manually edited in the review pane by clicking on the value.
-
3. Review the migration logs and warnings
Pay particular attention to warning messages.
These messages point to implicit NAT rules that were not migrated.
Warning messages also point to non-TCP/UDP service objects that need to be reviewed and corrected prior to generating the XML config file.
-
4. Review the migrated Security Policies
Security Policy Editor menu options
Search windows can be used to search for specific address and service objects used in the security policies.
Option            Description
Refresh           Refreshes the Security Policy page to reflect any changes made to address and service objects and zone assignments made to route entries
Auto Assign Zone  Assigns the source and destination zone by referencing the route entries
Enable            Enables a security policy
Disable           Disables a security policy
Delete            Deletes a security policy
Merge             Merges security policies
Save              Saves the changes (after enabling, disabling and merging policies)
-
4. Review the migrated Security Policies
Review and edit the migrated security policies. Pay attention to the Zone assignments.
Click a field in the security policy to open the security policy editing window.
Edit the objects in the security policy and click Save.
The window must be manually closed after editing and saving.
-
4. Review the migrated Security Policies
Security policy zone assignments
Zones are learned from the Route entries: the IPs and IP subnets in the security policies are read and compared against the route table entries to assign the Source and Destination zones in the policies.
The default is to assign any for the Zone.
Edit the Zone option in the Interfaces and zones window (Edit the Zone).
A red hash indicates the setting has not been saved.
-
4. Review the migrated Security Policies
Security policy zone assignments (contd)
After editing the Zone settings, click Save.
In the Security Policy Editor choose Auto Assign Zone to re-assign the source and destination zones in the security policy configurations.
The migration software will make a best effort to assign the zones in the security policy.
Edit the Zone, then choose Auto Assign Zone to transfer the Zones to the security policies.
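As an added example (not part of the training deck or the Migration Tool's code), the following Python models the Auto Assign Zone logic described in the two slides above: route entries carry an assigned zone, each side of a rule is resolved by longest-prefix match against the route table, and anything that cannot be resolved to one zone stays at the default of any. The route table, rules and zone names are constructed sample data.

```python
# Added example, not code from the training deck or from the Migration Tool:
# a model of the "Auto Assign Zone" step. Route entries carry the zone set
# for them in the "Interfaces and zones" window; each rule's source and
# destination addresses are matched against the route table by longest
# prefix and take the zone of the matching route. Anything that cannot be
# resolved to exactly one zone is left as "any", the tool's default.
import ipaddress
from typing import Dict, List, Optional

# Constructed sample route table: (destination prefix, assigned zone).
# A route whose zone has not been set in the editor yet carries None.
ROUTES = [
    ("0.0.0.0/0", "untrust"),    # default route -> Internet-facing zone
    ("10.0.0.0/8", "trust"),     # internal networks
    ("10.20.0.0/16", "dmz"),     # more specific than 10/8: longest prefix wins
    ("192.168.50.0/24", None),   # route present, zone not assigned yet
]

def zone_for_address(addr: str, routes=ROUTES) -> Optional[str]:
    """Zone of the most specific route containing addr, or None.
    addr is a host ("10.20.1.5"), a subnet ("10.0.0.0/24") or "any". A subnet
    resolves only if it lies entirely inside the route prefix.
    """
    if addr == "any":
        return None
    net = ipaddress.ip_network(addr, strict=False)
    best_route, best_zone = None, None
    for prefix, zone in routes:
        route = ipaddress.ip_network(prefix)
        if net.subnet_of(route) and (
            best_route is None or route.prefixlen > best_route.prefixlen
        ):
            best_route, best_zone = route, zone
    return best_zone

def zone_for_side(addrs: List[str], routes=ROUTES) -> str:
    """Best-effort zone for one side of a rule listing several objects.
    Every resolvable object must agree on one zone; otherwise the side is
    left as "any" so the reviewer can pick the zone by hand.
    """
    zones = {zone_for_address(a, routes) for a in addrs} - {None}
    return zones.pop() if len(zones) == 1 else "any"

def auto_assign_zones(rules: List[Dict], routes=ROUTES) -> List[Dict]:
    """Return copies of the migrated rules with from_zone/to_zone filled in."""
    assigned = []
    for rule in rules:
        r = dict(rule)
        r["from_zone"] = zone_for_side(rule["source"], routes)
        r["to_zone"] = zone_for_side(rule["destination"], routes)
        assigned.append(r)
    return assigned

# Constructed sample of migrated rules as the Security Policy Editor holds them.
RULES = [
    {"name": "web-out", "source": ["10.1.2.0/24"], "destination": ["any"]},
    {"name": "dmz-web", "source": ["any"], "destination": ["10.20.1.5"]},
    {"name": "mixed", "source": ["10.1.0.0/16", "10.20.0.0/24"], "destination": ["8.8.8.8"]},
    {"name": "no-zone", "source": ["192.168.50.10"], "destination": ["10.1.1.1"]},
]

if __name__ == "__main__":
    for r in auto_assign_zones(RULES):
        print(f'{r["name"]:8} {r["from_zone"]:>8} -> {r["to_zone"]}')
```

The "mixed" and "no-zone" rules show the two cases the reviewer has to resolve by hand: sources that fall into different zones, and a route whose zone was never set in the editor.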
-
5. Generating a PAN-OS configuration file
Configure the management settings using the Device Config tab (shown next to the Objects to review tab).
Note: If importing a PAN-OS config to use the Config Editor or Config Consolidator options, the management settings will be copied from the imported PAN-OS config file.
-
5. Generating a PAN-OS configuration file
Generate a configuration file after reviewing and correcting the objects listed in the warning logs
Any errors will be displayed when generating the XML file
Use the Reload Data option to correct errors related to the address objects
Service and address objects can be edited to correct any errors
-
5. Generating a PAN-OS configuration file
Create XML will generate a PAN-OS configuration file using the migrated objects and policies (Create XML, version 3.x).
Note: the version 3.x setting generates a config file that is compatible with PAN-OS 3.x and 4.0.x.
-
5. Generating a PAN-OS configuration file
Review and correct any errors displayed when creating the configuration file.
Common errors are address objects migrated with invalid addresses or netmasks.
Corrections can be made by issuing the Reload Data function or by manually editing the object.
-
5. Generating a PAN-OS configuration file
After correcting the errors, start the Create XML function.
Choose L3 to maintain the Zone assignments in the security policies.
The L2 option is used primarily when migrating transparent firewall configurations from NetScreen and Cisco FWSM.
The L2 configuration will replace the source and destination zones in the security policies with a default Trust zone.
-
5. Generating a PAN-OS configuration file
The config file is saved as a zip file
Unzip and import the XML configuration file into your Palo Alto Networks firewall
-
6. Import and Load the configuration file
Import the migrated config file into your Palo Alto Networks firewall.
This step assumes you have previously assigned a management IP and can access the management console via HTTPS or SSH (this example will use HTTPS).
-
6. Import and Load the configuration file
Load the migrated config file into your Palo Alto Firewall
-----
Do not Commit until you have thoroughly reviewed and finalized the configuration
-----
-
7. Finalizing the Configuration
Configuration review checklist:
1) Network: Configure the Interfaces: Mode (L2, Vwire, L3), IP Address, Zone assignment
2) Virtual Router: Default gateway, Static Routes
3) Security Policies: Destination Zone assignments; Convert service-port policies to App-ID policies where needed
4) NAT Policies: Create source and destination NAT policies (as needed)
5) Custom Services: Consolidate services where possible to remove duplicate and overlapping objects; Review any custom services to verify the port assignments
-
7. Finalizing the Configuration
After reviewing and finalizing the migrated configuration, commit the changes.
At this stage the firewall will have a base configuration including the migrated objects and policies. Once the base configuration is committed, you can configure advanced settings such as SSL-VPN, IPSec VPN, User-ID, etc. Please see the PAN-OS Administrator's Guide or the Palo Alto Networks Knowledge Base for documentation on how to configure specific features.
-
Tools Beyond Migrations
-
Tools
The new Tools section was created to help in migrations where it is not necessary to migrate everything from the legacy device to your new Palo Alto Networks next-generation device, and you want to make some changes to the configuration, or perhaps delete many unused objects before cleaning up some rules, for example.
2011 Palo Alto Networks. Proprietary and Confidential.
-
Migration Translator
The translator process can help you migrate a policy where some address objects will change their name and/or their address. In this case you have an OLD object (identified by its IP address) that needs to be changed to a new IP address, a new name, or BOTH.
Another feature: if you want to change the OLD IP address 1.1.1.1 and the OLD name is of the form asdf-1.1.1.1-host, the tool will automatically replace the OLD IP address with the new one in the name, without you having to write the new name into the CSV file required for this (translate.csv).
The CSV file must be filled in with the fields in this order (; separated):
- OLD_IP;NEW_NAME;NEW_IP
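An added example, not code from the deck or from the tool, that models the translate.csv processing described above, including the automatic rewriting of an IP embedded in an object name when NEW_NAME is left blank. The CSV rows, address objects and rule are constructed sample data; re-pointing rules at renamed objects is an assumption about the tool's behaviour.

```python
# Added example, not code from the training deck or from the Migration Tool:
# a model of the Migration Translator. translate.csv rows are
# OLD_IP;NEW_NAME;NEW_IP; an empty NEW_NAME or NEW_IP means "keep". When no
# NEW_NAME is given but the old object name embeds the old IP (for example
# asdf-1.1.1.1-host), the embedded IP is rewritten to the new IP, as the
# slide describes. Rules are re-pointed at renamed objects so they keep
# referring to the same object (an assumption about the tool's behaviour).
import csv
import io
from typing import Dict, List, Tuple

# Constructed translate.csv content (';'-separated, no header line).
TRANSLATE_CSV = """1.1.1.1;;10.1.1.1
2.2.2.2;srv-mail;
3.3.3.3;srv-db-new;10.3.3.3
"""

def load_translations(text: str) -> Dict[str, Tuple[str, str]]:
    """Map OLD_IP -> (NEW_NAME, NEW_IP); blank fields stay ''."""
    table = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if not row or not row[0].strip():
            continue                      # skip blank lines
        row = row + [""] * (3 - len(row))  # tolerate a missing trailing field
        old_ip, new_name, new_ip = (f.strip() for f in row[:3])
        table[old_ip] = (new_name, new_ip)
    return table

def translate(objects: List[Dict], rules: List[Dict], table) -> Tuple[List[Dict], List[Dict]]:
    """Apply the table to address objects, then fix up rule references."""
    renamed = {}          # old object name -> new object name
    new_objects = []
    for obj in objects:
        o = dict(obj)
        if o["ip"] in table:
            new_name, new_ip = table[o["ip"]]
            if new_ip:
                if not new_name and o["ip"] in o["name"]:
                    # No explicit new name: rewrite the IP embedded in the name.
                    new_name = o["name"].replace(o["ip"], new_ip)
                o["ip"] = new_ip
            if new_name and new_name != o["name"]:
                renamed[o["name"]] = new_name
                o["name"] = new_name
        new_objects.append(o)
    new_rules = []
    for rule in rules:
        r = dict(rule)
        for side in ("source", "destination"):
            r[side] = [renamed.get(n, n) for n in rule[side]]
        new_rules.append(r)
    return new_objects, new_rules

# Constructed sample address objects and one rule as the tool would hold them.
OBJECTS = [
    {"name": "asdf-1.1.1.1-host", "ip": "1.1.1.1"},
    {"name": "mail-old", "ip": "2.2.2.2"},
    {"name": "db", "ip": "3.3.3.3"},
    {"name": "untouched", "ip": "4.4.4.4"},
]
RULES = [{"name": "r1", "source": ["asdf-1.1.1.1-host"], "destination": ["mail-old", "db"]}]

def run_sample() -> Tuple[List[Dict], List[Dict]]:
    """Run the translation over the constructed sample."""
    return translate(OBJECTS, RULES, load_translations(TRANSLATE_CSV))
```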
-
Migration Zone Translator
In big migrations it is necessary to change the zone names on the new platform because of design requirements.
If the zone name is auto-retrieved from the configuration, as with Cisco, Juniper or Fortinet, we can use this feature to specify which OLD zone name will be translated to a NEW one, and all the affected rules will be changed too.
The file must be created with the name translate-zones.csv and its contents will be:
- OLD_ZONE_NAME;NEW_ZONE_NAME
-
Migration Split Config
In some situations, when we import a configuration into the Migration Tool we get all the security policies and all the interface and zone information, but we want to migrate only some zones and only the rules affected by those zones.
We must create a CSV file called translate-zones.csv (the same file used by the Zone Translator) and write inside it only the zones that we want to use in our migration; the rest of the zones in the configuration will be erased, and all the affected rules too.
If you don't want to change the names of the zones, fill in the CSV file like this:
- OLD_ZONE_NAME;OLD_ZONE_NAME
-
Calculate Unused Objects
The system performs an initial check of which objects are used and which are not.
But if you make changes (add or delete rules, or use other Tools such as the Config Splitter), it is common to end up with many objects that were used at the beginning but are not used any more.
Using this feature the system rechecks all the objects against the policies to determine whether each one is used or not, and updates the statistics in the Generate Report option.
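An added example, not code from the deck or from the tool, that models the Zone Translator, Split Config and Calculate Unused Objects tools together, since the first two share the translate-zones.csv format: zones listed in the file are renamed, unlisted zones and the rules that touch them are dropped, and the address objects are then re-checked against the surviving rules. The CSV rows, zones, rules and objects are constructed sample data; keeping rules whose zone is any through the split is an assumption.

```python
# Added example, not code from the training deck or from the Migration Tool:
# a model of the Zone Translator, Split Config and Calculate Unused Objects
# tools. translate-zones.csv rows are OLD_ZONE_NAME;NEW_ZONE_NAME. Zones not
# listed in the file are dropped together with every rule using them (the
# split); a row OLD;OLD keeps a zone under its current name. After the split,
# the address objects are re-checked against the surviving rules. Treating a
# zone of "any" as never split away is this model's assumption.
import csv
import io
from typing import Dict, List, Set, Tuple

# Constructed translate-zones.csv: rename "inside" to "trust", keep "dmz"
# as-is, and drop every other zone (here "guest") with its rules.
ZONES_CSV = """inside;trust
dmz;dmz
"""

def load_zone_map(text: str) -> Dict[str, str]:
    """Map OLD_ZONE_NAME -> NEW_ZONE_NAME from the ';'-separated file."""
    zmap = {}
    for row in csv.reader(io.StringIO(text), delimiter=";"):
        if len(row) >= 2 and row[0].strip():
            zmap[row[0].strip()] = row[1].strip() or row[0].strip()
    return zmap

def translate_and_split(rules: List[Dict], zones: List[str],
                        zmap: Dict[str, str]) -> Tuple[List[Dict], List[str]]:
    """Rename listed zones; drop unlisted zones and every rule touching them."""
    def keep(zone: str) -> bool:
        return zone == "any" or zone in zmap
    kept_rules = []
    for rule in rules:
        if keep(rule["from_zone"]) and keep(rule["to_zone"]):
            r = dict(rule)
            r["from_zone"] = zmap.get(rule["from_zone"], rule["from_zone"])
            r["to_zone"] = zmap.get(rule["to_zone"], rule["to_zone"])
            kept_rules.append(r)
    kept_zones = [zmap[z] for z in zones if z in zmap]
    return kept_rules, kept_zones

def unused_objects(objects: List[Dict], rules: List[Dict]) -> Set[str]:
    """Re-check every address object against the current rule set."""
    referenced = set()
    for rule in rules:
        referenced.update(rule["source"])
        referenced.update(rule["destination"])
    return {o["name"] for o in objects} - referenced

# Constructed sample: three zones, three rules and four address objects.
ZONES = ["inside", "dmz", "guest"]
RULES = [
    {"name": "r1", "from_zone": "inside", "to_zone": "dmz", "source": ["lan-net"], "destination": ["web-srv"]},
    {"name": "r2", "from_zone": "guest", "to_zone": "dmz", "source": ["guest-net"], "destination": ["web-srv"]},
    {"name": "r3", "from_zone": "inside", "to_zone": "any", "source": ["lan-net"], "destination": ["any"]},
]
OBJECTS = [{"name": n} for n in ("lan-net", "web-srv", "guest-net", "old-printer")]

def run_sample():
    """Split the sample and report unused objects before and after the split."""
    rules, zones = translate_and_split(RULES, ZONES, load_zone_map(ZONES_CSV))
    return rules, zones, unused_objects(OBJECTS, RULES), unused_objects(OBJECTS, rules)
```

The second set returned by run_sample is the recalculation the slide describes: guest-net was in use before the split and becomes unused once rule r2 is erased with the guest zone.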
-
Hands-on Demo: Let's Get to It
-
Appendix A: Downloading and Installing the Migration Server software
-
Obtaining the Migration Tool Software
The software is offered free of charge to Palo Alto Networks ACE partners. Contact your local Palo Alto Networks SE for access or request to be added to the Firewall Migration community on our Live website.
https://live.paloaltonetworks.com/index.jspa
Support is provided on a best effort basis via the following methods:
- Contacting your local Palo Alto Networks SE
- Sending an email to [email protected]
Note: Please do not contact the general Palo Alto Networks support hotline for questions related to the use or installation of the Migration software. The standard Palo Alto Networks support is not available for assistance with this software.
-
Running the Migration Tool Software
The Migration Tool is packaged as a virtual machine image that runs on VMware:
Platform        OS versions supported
VMware Player   Version 3.1.1 and newer
VMware ESX      Version 3.0 and newer
Hardware requirements are dependent on the VMware platform chosen (Player or ESX).
Recommended hardware:
CPU         P4 or newer
RAM         1 GB
HDD         2 GB
Interface   NAT and Bridged modes are supported
-
Running the Migration Server Virtual Machine
1. Unzip the Migration Tool virtual machine onto the host machine
2. Start your VMware Player and choose: Open a Virtual Machine
3. Browse to the directory where the Migration Server files were unzipped and open the file MigrationToolVM.vmx
4. After installation, choose Play virtual machine to boot the VM
-
Running the Migration Server (contd)
5. When prompted for the virtual machine information, choose: I copied it
6. Upon booting, the Migration Server will acquire an IP address that can be accessed locally. The IP address that is configured will be displayed in the VMware console.
Note: The default Network Adapter setting in VMware Player is to use NAT and acquire an IP address dynamically.
-
Accessing the Migration Server
7. The Migration Tool server interface can be accessed locally by opening a browser to: http://
After accessing the management console, upgrade the migration software to the latest version. The upgrade process uses SSH to contact the update server; if the upgrade process fails, verify that your network firewall is allowing outbound SSH connections from the virtual machine.
-
Menu Tools
FROM: Choose the firewall config to migrate (Fortinet migration support will be added in an upcoming release)
SYSTEM: Management options for log management and software reboot
SETTINGS: Used to set the environment prior to starting a migration. Options include migrating just the objects or objects+rules. Can also set the extended mode to support longer object names
UPGRADE: Initiates the upgrade of the migration software. Internet access is required to upgrade the Migration Software OS
-
Appendix B: Exporting Existing Firewall Configurations
-
NetScreen/Juniper Migration
The file you upload must be called config_screenos.txt
You can obtain the configuration file from the WebUI: Configuration > Update > Config File
From the CLI, capture and save to a text file the output from get conf
-
Cisco PIX/ASA/FWSM Migration
The file you upload must be called config_cisco.txt
Capture and save to a text file the output from show run
-
Check Point Migration
Check Point migrations require three files:
1. objects_5_0.C
2. PolicyName.W
3. routes.txt
The policy file (referred to here as PolicyName.W) will have whatever name you assigned it; look for a .W extension associated with it in the SmartCenter/management console.
The rulebases_5_0.fws file is not required, but it is recommended to include it in the migration as it contains the object comments.
There are multiple methods to find and export the files. Some options are listed in the following slides.
-
Check Point Migration (contd)
Export the objects_5_0.C, PolicyName.W and rulebases_5_0.fws files from the SmartCenter management console:
1. Close all SmartDashboard connections to SmartCenter
2. As a recommended precaution, issue cpstop.exe to stop all Check Point services
3. Log in to the CLI with administrator privileges, or open Windows Explorer for Windows installations
4. Navigate to the directory $FWDIR/conf to find the necessary files
5. The objects_5_0.C and rulebases_5_0.fws files will be named exactly as shown. The policy file will have the name assigned by the administrator, with a .W file extension
-
Check Point Migration (contd)
A second option to find the necessary files is to use the find command to search. Preferably, issue the command from the SmartCenter server (the pattern is quoted so the shell does not expand it):
> find / -name '*.W'
Find the files that match the following:
- The .W file matches the policy file configured by the firewall administrator
- Export the objects and rulebases files found in the same directory where the policy file (.W) was found
-
Check Point Migration (contd)
Generating the routes.txt file:
1. Log in to the firewall CLI
2. Run the command netstat -nr > routes.txt
3. Export the routes.txt file
-
Appendix C: Assigning an IP to the Migration Server
-
Assigning an IP Address to the Migration server
The default VMware Player setting is to enable DHCP.
Static IP assignment can also be configured using the steps below.
Log into the VM console using the admin account:
Username: admin  Password: paloalto
Run the setup or ifconfig utility from the CLI and follow the menu to assign an IP address to be used by the Migration software for access.
Note: when using the ifconfig option the IP address is not saved and will be lost after a reboot. IP assignment using the setup utility is saved.
-