

Palo Alto Networks

Migration Tool Version 3.1


Users Guide
 
 
 
 
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-us.html

About this Guide


This guide takes you through the utilization of the new Palo Alto Networks Migration Tool 3. This guide is
designed for users with previous knowledge of the PAN-OS platform.
The Palo Alto Networks Migration Tool 3 replaces previous versions of the Migration Tool. Refer to the following
resources for additional information:
• For information on the additional capabilities of Palo Alto Networks firewalls and for instructions
on configuring the features on the firewall, refer to
https://www.paloaltonetworks.com/documentation. 
• To provide feedback on the documentation, please write to us at:
documentation@paloaltonetworks.com. 
• To access the Community, which includes the knowledge base, discussion forums, and videos,
refer to https://live.paloaltonetworks.com.
• To contact the migration team, write to fwmigrate@paloaltonetworks.com.
• To manage your account or devices, go to the support portal: support.paloaltonetworks.com.
• For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates. 

www.paloaltonetworks.com © 2015 Palo Alto Networks. All rights reserved.


Palo Alto Networks and Palo Alto Networks Migration Tool 3 are registered trademarks of Palo Alto Networks, Inc
Revision Date: July 13, 2015
Table of Contents

How the System Works ............................................................. 2  


How to Install ............................................................................. 3  
Configure static IP-Address ....................................................... 3  
The Login Window ..................................................................... 4  
The Main Dashboard ................................................................. 5  
Dashboard Elements ................................................................. 5  
System Commands ......................................................................... 5  
System Resources (Usage) ............................................................. 6  
Projects ............................................................................................ 7  
Add New Projects .................................................................................... 7  
Load Selected .......................................................................................... 8  
Filter ......................................................................................................... 8  
Remove .................................................................................................... 8  
Remove All ............................................................................................... 8  
Devices ............................................................................................ 9  
Snippets ........................................................................................... 9  
Updates.......................................................................................... 10  
Settings .......................................................................................... 12  
Help................................................................................................ 14  
Supported Vendors .................................................................. 15  
Checkpoint ................................................................................... 15  
Cisco ............................................................................................. 16  
Mcafee: Sidewinder ..................................................................... 17  
Juniper: screenOS ....................................................................... 17  
Juniper: SRX ................................................................................ 18  
Fortinet.......................................................................................... 18  
Universal (CSV Files) ................................................................... 19  
Palo Alto Networks ...................................................................... 21  
The Project .............................................................................. 22  
Dashboard .................................................................................... 24  
Plugins .......................................................................................... 24  
Log Connector ....................................................................................... 25  

User-ID Connector ................................................................................. 26  
Monitor .......................................................................................... 27  
Policies ......................................................................................... 29  
The Security Policy Editor: ..................................................................... 30  
The Advanced Options: ......................................................................... 30  
Policy Filters................................................................................. 33  
Objects .......................................................................................... 35  
Network ......................................................................................... 38  
Export............................................................................................ 49  
Debug ............................................................................................ 56  
The Workflow ........................................................................... 58  
Migration Projects........................................................................ 58  
Optimization Projects .................................................................. 59  
Sample Project – Step-by-step guide. ..................................... 61  
App-ID Adoption – Step-by-step guide. ................................... 86  

Overview
The main objective of the Palo Alto Networks Migration Tool 3 is to assist network
security administrators, professional consultants, or anyone working on migration,
rules optimization, security controls validation, App-ID implementation, or
deployment of converted or new configurations to devices directly connected to the
Palo Alto Networks Migration Tool 3 or using exported XML files as needed.

The Palo Alto Networks Migration Tool 3 is derived from the successful Migration
Tool used by the Palo Alto Networks Professional Services Organization and Channel
Partners. It is an evolution of the Migration Tool into a configuration platform that
lets you not only migrate configurations but also enhance, optimize, add, remove or
edit elements, ultimately converting the legacy device rules into a next-generation
model by creating App-IDs based on real traffic acquired from devices being installed
or already in production. The Palo Alto Networks Migration Tool 3 is a valuable asset
for network security administrators who need or want to keep their rule-bases in a
pristine state.

Chapter 1
How the System Works
The Palo Alto Networks Migration Tool 3 has a database that tracks each task you are
doing and also contains the data you would find within any Palo Alto Networks device.
The new migration tool is delivered as part of a package in a Virtual Machine; you
need a Virtual Environment to run the Palo Alto Networks Migration Tool 3 on either
MS Windows, Mac OS X, or Linux.

Your entire interaction with the tool will take place via a web interface where you are
able to restart, shutdown, clear your log settings, and restart your database.
A constant resource meter will display the CPU, RAM, and disk space utilized within
the Virtual Machine. Also the version and patches will be visible from this main panel
when you start the Palo Alto Networks Migration Tool 3.

You can load several configurations, merge them into different configuration
candidates, and then release these new configurations into the PAN-OS (5.x, 6.x) using
API calls or by exporting them into a common XML file. You will be able to merge
one or more candidate configurations into a new or existing PAN-OS configuration.

You will be able to import active PAN-OS configurations and tweak, edit, cut or
otherwise manipulate their elements, performing multi-edits across the XML elements
of your present (imported) configuration file without the need to edit any code.

From the CLI (Command Line Interface) within the MT3.1 you will find several
commands to help with the VM configuration, fixing the IP configuration, other
network configuration, and some database access as well.

The user and password are displayed on the VM once you load it and are:

user: admin,
password: paloalto (as of this version 3.1).

How to Install
The Migration Tool can be downloaded from the migrate community at
live.paloaltonetworks.com.

! Note https://live.paloaltonetworks.com/docs/DOC-9095

The tool is packed with TAR and GZIP, so the file extension is “.tgz”. This is a
well-known extension on OSes like Linux or Mac, but not on Windows.

! Note Windows Users: You can unzip the file with tools like 7-Zip, which you can
download from http://www.7-zip.org/download.html. You first need to uncompress
the GZIP and then unpack the TAR file. At the end you will see a new folder called:
PAN_MigrationTool_minimal.vmwarevm

Linux or Mac Users: You can execute the following command from the CLI:

tar -zxvpf PanMigrationTool3i.tgz

Or double-click the file from your X window system.

Now you can open the VM using VMware Player version 6 or higher or VMware
Workstation 10 or higher.

Minimum requirements are 1GB of RAM and one vCPU, but you can assign more
RAM or vCPUs depending on the size of the configuration you are trying to migrate.

Performance is greatly increased if the physical disk where the tool is placed is an
SSD.

More information related to the installation can be found in our community at:
https://live.paloaltonetworks.com/community/migration/content?filterID=contentstatus[published]~objecttype~objecttype[thread]

Configure static IP-Address


The MT comes configured in DHCP-client mode. If you want to change to a static IP
address you have to run the following command (after logging in to the CLI using the
VM Console):

sudo nmtui

If you are not used to working with nmtui, follow these instructions:
http://www.krizna.com/centos/setup-network-centos-7/

The Login Window
With the Virtual Machine running, pointing your browser to the VM’s IP address will
bring you to the following screen: The Login Window.

To get access to the tool you first need to authenticate against the local database.

! Note Default username and password are admin / paloalto. This can
be changed from the GUI.

This new mechanism adds a layer of security that prevents everybody from accessing
the tool, since the tool can now be installed on a network and stay there longer
because of the App-ID adoption features.

We are using PHP sessions, and there is a disconnection time-out after 60 minutes of
inactivity. All the PHP code stops working if there is no active session; you have to
re-authenticate to create a new session.

For now this feature only provides Local Database Authentication; there is no
integration with AD or LDAP yet.

This function has the single goal of providing authentication to access the tool; it
does not provide any group categorization or role-based access. All users are admin,
even the new users you create.

Access to the tool generates Audit Logs that record who was logged in and when.

The Main Dashboard
The Main Dashboard provides access to your Projects, Devices, Updates, Snippets and
Settings.

The MT3.1 has added a new Section for Settings.

Dashboard Elements
System Commands
System commands are split into two categories: System and Operations.

The System commands control the functionality of the Palo Alto Networks Migration
Tool 3 and offer two functions: Restart and Shutdown. These functions control the
application hosted by the Virtual Machine; it sometimes might be useful to restart
the application state when you import or create a new project, or to refresh system
resources if needed.

The Operations commands control system variables such as the logs and database.
There are three functions: Clear System Logs, Restart Database and Logout.

Clear System Logs resets the application logs as well as the local system logs (not the
device logs). The same happens every time you restart your MT.

Restart Database reinitializes the database engine without requiring a reboot of the
entire system. This may be useful when a table re-index or reset is needed.

Logout closes your current session. You will be redirected to the Login Window again.

System Resources (Usage)


Usage displays the usage of resources within the Virtual Environment.

CPU shows the average system load; it is not a true CPU percentage but gives you an
idea.

RAM shows the used memory. It is normal to see it high because a lot of things are
cached in memory; don’t worry if your used RAM consumption is high.

DISK shows the used HD space. You can clean it by rebooting the Virtual Machine,
which cleans the system logs plus the logs generated by the MT.

! Note Use the refresh icon for updated statistics.

Projects
The Projects tab is where you create or remove projects.

If you have a large number of projects in the Palo Alto Networks Migration Tool 3,
you can filter projects by Tags (customer name if applicable).

If the project was created to run an App-ID adoption process there is a progress bar
that reminds you of the step the project is at right now: 1 means you have retrieved
the apps from the Firewall, 2 means the rules have been split into Known and
Unknown apps, 3 means the option to override some traffic has been used, and 4
means the reconciliation option has been used.

! Note When creating or deleting filters, use the refresh button next to the
Filter field to ensure that you are seeing the most up-to-date
project list.

Add New Projects

Click Add New Project and then enter a Name for the project. Optionally add a Tag
to be used as an easy search key in the future (e.g. Customer Name).
You can also import any existing App-IDs, threat signatures, URL Categories, or
regions from registered devices (Devices Tab). The Default option loads a default list
included in the tool.

We recommend always importing your Firewall or Panorama into the tool so that the
new project has exactly the same version of applications as your device.

When you click Initialize Database a new database is created to store the new
Project, and the Applications, URL Categories and Regions are loaded into it from the
Firewall selected as Source or from an internal copy provided by the Migration Tool
3.
Load Selected

Click Load Selected to load the selected project into the system; at this point you will
start the Migration Tool 3. You can also load a project by double-clicking it.

Filter

The filter helps you find, among the several projects created, the one you want to load
into your system. It filters by the project Tag previously assigned to each project.

Remove

Click Remove to remove the selected project. A filter applied here narrows the
selection.

Remove All

Click Remove All to delete all the projects in the system, regardless of any filter you
have selected at the moment.

Devices
Use the Devices tab to add devices (firewalls or Panorama) to target for migration or
to use as a data source in a “Connector,” or to import application signatures, threat
signatures, URL Categories, and regions when creating a new project.

When you import a Firewall the tool will try to generate an API key based on the
information you have provided: IP address, Username and Password.

Once the API key is generated the tool retrieves the Applications, Regions, URL
Categories and a full configuration backup from the Running Configuration.

! Note Importing a Panorama (physical or virtual) into the tool will
automatically import all the devices connected to this
Panorama and will create them as Devices as well.

You can edit a device by double-clicking it, or by selecting it and clicking Edit
Selected. If the running configuration of the firewall has been modified, edit the
device and click Retrieve Configuration to get the latest running configuration from
the device.

Snippets
Snippets are a new and powerful feature to enable you to keep and save XML code for
reuse by the Palo Alto Networks Migration Tool 3. You will be able to create App-ID
signatures by copying them from a running device and then saving them on the system
to be reused in other projects in the future.

Use the Snippets tab on the main Dashboard to create snippets for use throughout the
Palo Alto Networks Migration Tool 3. You can create specific Snippets for specific
PAN-OS versions from 4.0 up to 7, which will be updated as new feature releases are
added. You can create the following categories of Snippets:

• Addresses, App-ID, AV_Profile, File_Profile, IPS_Profile, Log-Profile,
URL_Profile, Services, Management Profiles, Profiles Groups and
Custom_Reports.

You can apply Snippets to a single policy or a group of policies.


To maintain the list of Snippets, use the Add, Remove (selected) or Remove All
buttons on the bottom bar. You can also select the Type of Snippet to filter on by
selecting a value from the drop-down and search for a text within the filter. If you want
to search for all Snippets, simply use All as your filter selection.

Updates
The Updates tab allows you to upgrade the version of your Migration Tool 3. There
are 3 different ways to achieve that:

1. Direct Internet access: connects your Palo Alto Networks Migration Tool 3
directly to conversionupdates.paloaltonetworks.com. To do this, the Virtual
Machine must be able to resolve this name over the Internet (proper DNS
configuration). The connection is identified by the App-ID paloalto-updates and
the service is 443/tcp.

2. Proxy Settings: You can configure Proxy Settings if you are behind one by
selecting “Set Proxy Settings”.

3. Offline Updates: The Migration Tool 3 can be updated using bundle files
provided from our Community at
https://live.paloaltonetworks.com/docs/DOC-9502. To use this capability
you have to run a minimum version of 3.0.2. The instructions are simple: just
download the bundle for the version you want to upgrade to, unzip it and load it
into the tool by selecting the option “import bundle (offline)”.

! Note Every time you click on the “Updates” tab the tool checks for
proper DNS resolution and whether it can establish a connection
to port 443 at the conversionupdates.paloaltonetworks.com address. If either of these
checks fails the Update button remains disabled.

! Note To stay informed when a new release is available you can
“follow” the document
https://live.paloaltonetworks.com/docs/DOC-9173; you will then get an email every
time a fix is released.

Settings

There are three Options here:

Users: From here we can change the password for the user admin or create new
users. All these users are used to log in to the Tool using the WebUI.

Double-click to edit an existing user. We can disable or change the password for all
the users except admin.

System: For now this option is used to set up the Date and Time in our VM. We can
assign our Time zone as well. This is key in order to use the Cron jobs.

Click on Edit to configure the Time and the Time zone.

Cron Jobs: Tasks can be scheduled to be executed periodically or just once, based on
date and time. There are different types of tasks that can be created from the Migration
Tool 3.

Task Type: App-id Adoption

Scheduling this kind of task helps in the App-ID adoption process by retrieving the
applications, for example, every Sunday night at 00:00 for the last week. That way,
when we arrive on Monday we only have to work with the output, without wasting
time generating all these reports, because they were already created at night.

The Task needs to know the Project, the Log Connector and when we want to execute
the task; we can also configure whether to create the reports only for the selected rules.

The changes are applied as soon as we save the Task. Only if the task is disabled will
it not be applied.

Help
The Help tab displays the URL for the online Community.
https://live.paloaltonetworks.com/migrate

Chapter 2
Supported Vendors
The Palo Alto Networks Migration Tool 3 provides a list of supported vendors from
which we can migrate to our Next-Gen configurations. The current list of these
vendors is:

1. Checkpoint
2. Cisco ASA / FWSM
3. Mcafee Sidewinder
4. Juniper ScreenOS
5. Juniper SRX
6. Fortinet
7. Palo Alto Networks
8. Universal (CSV files)
9. AlgoSec (This case is explained here
https://live.paloaltonetworks.com/docs/DOC-9578 )

Checkpoint

Supported Versions: From 4.1 to R77

Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Nat Rules, Exclusion Groups, Zones, Interfaces, Static Routes

Not Supported yet: IPSEC VPN, Dynamic Obj. Nat, Schedules, Application Blade

To understand which options we have to activate when we migrate from Checkpoint
please read this document first: https://live.paloaltonetworks.com/docs/DOC-9418

Caveats:
Exclusion groups will be replaced by a group containing the IP ranges that cover the
included objects minus the excluded objects.

Show the Checkpoint configuration as it is shown in the Smart-GUI:

From any Security Rule, right-click with your mouse to see an Advanced Menu, then
select 3rd Party -> Checkpoint -> Open Viewer. This opens a new window
containing the Checkpoint configuration, useful if you want to compare on 2 screens
the original configuration and what you have loaded into the Migration Tool 3.

It is important to import a routes.txt file containing the output of the command
“netstat -nr” executed on the firewall we are trying to migrate. This helps the tool
calculate the zones.

Cisco

Supported Versions: ASA up to 8.2
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Nat Rules, Schedules

Supported Versions: ASA 8.3 and higher
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Nat Rules, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Schedules

Caveats
Only access-lists with an access-group associated in the config will be migrated. The
tool calculates the zones based on how the access-groups were applied to the
interface, IN or OUT.

If your configuration has groups called DM_INLINE, there is an option in the
Advanced Menu (right-click on a Security Rule) to replace those objects by their
members.

McAfee: Sidewinder

Supported Versions: From 7 to 8
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Applications, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Nat Rules, Schedules

Juniper: ScreenOS

Supported Versions: Up to 6.3
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Nat Rules, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Schedules

Juniper: SRX

Supported Versions: Junos 12
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Nat Rules, Schedules

Fortinet

Supported Versions: From 3 to 5
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Nat Rules, Vdoms, Zones, Interfaces, Static Routes
Not Supported yet: IPSEC VPN, Schedules
Universal (CSV Files)

Supported Versions: Semi-colon delimited fields, with support for fields with
multiple values delimited by comma.
Supported Objects: Services, Services Groups, Address, Address Groups, Security
Rules, Interfaces, Static Routes, Zones, Regions
This option allows you to import objects from anywhere: if you have a legacy firewall
not supported by the current Migration Tool 3 and you are able to export its
configuration to CSV files, then you can import those files now.

Once you import one of the supported object types you can map the columns to the
field types.

Example:

Address CSV File

Addr1000;host;10.1.1.51;255.255.255.255;forest green;;;;"admin server "
gated_224;net;224.0.0.0;255.255.255.0;sienna;;;;"Required for GateD to Operate"

! Note Remember that before importing anything using the Universal CSV
importer we need one configuration already loaded into the
Migration Tool 3.

Import Address CSV File Steps:

1. From your project go to the Import Tab (green) and click on CSV (right).

2. Select Address in “Object To Import”. Upload the file by clicking on “Browse”.

3. If the file has been uploaded correctly you will see its content under Data
Preview.

4. Now it’s time to map the field types to the loaded columns. From the right
panel, Column Mapping, double-click on each column to map its type.

We have decided to map the columns like this:

5. Click on Import Data, and see the results by going to the Objects Tab.

The Tags have been created and attached to each Address.
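The column-mapped import described in these steps, as an added Python example (not the Migration Tool's own code): it parses the guide's two address rows in the Universal CSV format (semicolon-delimited fields, comma-delimited multiple values, quoted descriptions), applies a column mapping, and rejects rows the project Dashboard would later flag as Invalid Objects or Duplicated Names. The mapping, the third sample row and all function names are assumptions made here, since the guide's mapping screenshot is not reproduced in the text.

```python
import csv
import ipaddress
from dataclasses import dataclass, field
from io import StringIO
from typing import Dict, List

# Constructed sample input: the two address rows quoted in the guide, plus one
# extra row (constructed here) whose tag column carries two comma-delimited values.
SAMPLE_ADDRESS_CSV = (
    'Addr1000;host;10.1.1.51;255.255.255.255;forest green;;;;"admin server "\n'
    'gated_224;net;224.0.0.0;255.255.255.0;sienna;;;;"Required for GateD to Operate"\n'
    'lab_net;net;192.0.2.0;255.255.255.0;blue,lab;;;;"RFC 5737 test net"\n'
)

# Assumed column mapping (the guide's Column Mapping screenshot is not reproduced
# in the text): CSV column index -> field type. Column 4 (colour) becomes a Tag.
ASSUMED_MAPPING: Dict[int, str] = {
    0: "name",
    1: "type",          # host or net
    2: "ip",
    3: "netmask",
    4: "tag",
    8: "description",
}


@dataclass
class AddressObject:
    name: str
    value: str                              # normalised to CIDR, e.g. 10.1.1.51/32
    tags: List[str] = field(default_factory=list)
    description: str = ""


def split_multi(raw: str) -> List[str]:
    """A single field may hold several values delimited by comma."""
    return [v.strip() for v in raw.split(",") if v.strip()]


def parse_rows(text: str, mapping: Dict[int, str]) -> List[Dict[str, str]]:
    """Read semicolon-delimited rows and apply the column mapping.

    Quoted cells (the description) are handled by the csv module, so a semicolon
    inside quotes does not split a field."""
    reader = csv.reader(StringIO(text), delimiter=";", quotechar='"')
    records = []
    for lineno, cols in enumerate(reader, start=1):
        if not cols:                                   # skip blank lines
            continue
        if max(mapping) >= len(cols):
            raise ValueError(f"line {lineno}: mapped column {max(mapping)} is missing")
        records.append({ftype: cols[idx].strip() for idx, ftype in mapping.items()})
    return records


def build_addresses(records: List[Dict[str, str]]) -> List[AddressObject]:
    """Turn mapped rows into address objects, rejecting what the project Dashboard
    would later flag as Invalid Objects or Duplicated Names."""
    seen = set()
    out: List[AddressObject] = []
    for rec in records:
        name = rec["name"]
        if not name or name in seen:
            raise ValueError(f"duplicated or empty name: {name!r}")
        seen.add(name)
        kind = rec["type"]
        if kind not in ("host", "net"):
            raise ValueError(f"{name}: unknown type {kind!r}")
        try:
            net = ipaddress.ip_network(f"{rec['ip']}/{rec['netmask']}", strict=False)
        except ValueError as exc:
            raise ValueError(f"{name}: invalid address: {exc}") from exc
        if kind == "host" and net.prefixlen != net.max_prefixlen:
            raise ValueError(f"{name}: host entry with non-host netmask {net.netmask}")
        out.append(AddressObject(
            name=name,
            value=str(net),
            tags=split_multi(rec.get("tag", "")),
            description=rec.get("description", ""),
        ))
    return out


def import_address_csv(text: str, mapping: Dict[int, str] = ASSUMED_MAPPING) -> List[AddressObject]:
    """Full pipeline: parse, map, validate."""
    return build_addresses(parse_rows(text, mapping))


def is_rejected(text: str, mapping: Dict[int, str] = ASSUMED_MAPPING) -> bool:
    """True when the import would be refused (invalid object or duplicated name)."""
    try:
        import_address_csv(text, mapping)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    for obj in import_address_csv(SAMPLE_ADDRESS_CSV):
        print(obj)
```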

Caveats:

Importing Security Rules: If you want to import zones and they are not already
created in the Migration Tool 3, they will be created automatically. The same happens
with Tags.

Importing Static Routes / Interfaces: We need to select the proper Template and
Virtual Router before importing the routes.

Import always in order: first import the Addresses and Services, then the Groups
(services and address), Zones, Interfaces, Static Routes and finally the Security Policy.

Palo Alto Networks


The Migration Tool 3 supports PAN-OS versions from 4.1 to 6.1.

PAN-OS 7.0 is not fully supported, but using it to import Policies and Objects into the
tool for the App-ID Adoption Process will work. The API calls are the same and the
configuration for Rules and Objects is almost the same. Try to use only the API calls
to export the changes instead of generating a full XML file: the pieces of
configuration added in 7.0 will not be added to the output XML file.

Chapter 3
The Project
After we create a new project the tool redirects us inside it. From here new panels are
shown. Let’s describe them first to get more familiar with the Tool.

The tabs at the top left follow, more or less, the same order that we have in our
Firewalls or Panorama.

From Left to right:

• Dashboard: Provides some information regarding the project, useful to see if
there are Invalid Objects, Duplicated Names or Unused Objects, and how many
Security Rules we have working in App-ID. This panel also shows us the
minimum platform we need to fit the amount of Rules and Objects.
• Import: Here we find the list of Vendors from which we can import; we also
find the Snippets here, to be imported into our project.
• Plugins: From here we can add the Log Connectors to be used in the App-ID
adoption process.
• Monitor (from here on the options are the same as in PAN-OS): Logs generated
in the import process and the Audit Logs generated by the login window.
We can generate PDF reports from here.
• Policies.
• Objects.
• Network
• Device
• Device Group (Hidden only shown when a Panorama is loaded and selected
as a Base Configuration)
• Export: This is where we have to go at the end of the migration to generate the
XML configuration or the proper API calls.
• Diskette or Save: Take a Full Project snapshot. The Snapshot will be saved
with the date and time as a name. We can reload Snapshots when we need.
• Reload: This will reload the whole database.
• Warning or UNDO button: Undo the last change.
• Logout or Exit: This will exit from the Project and move us back to the Main
Window.

Source and Vsys/Device Group

The first combo box, where the devices icon is displayed, selects the Virtual System or
the Device Group for the next combo box, which shows the SOURCE, i.e. the
configuration where we want to apply the changes.

Let’s take a closer look at those options. First we need to import a Base Configuration
into our project to have data inside.

Dashboard

The Dashboard is composed of different elements: Applications Statistics, Project
Statistics, App-ID Adoption (how many rules we have in App-ID instead of only ports)
and Recommended Platform.

All the information shown here is based on what we have selected from the Source
and Vsys. If we select Source equal to All and Vsys equal to All we will see the whole
database aggregated, but we can select only one Source and all the VSYS to see the
statistics for that configuration only.

Project Statistics: It is important to check that there are no Duplicated or Invalid
objects here.

Plugins

This area is used to add Connectors. We have two types of Connectors right now:
1. Log Connectors (Used for App-ID and User-ID Adoption process)
2. UserID Connectors (Used to retrieve Groups and Users from a Device)

Log Connector

When we create a Log Connector we are telling the MT3 from where to retrieve the
dynamic custom reports and the period of time we will use to analyze the
information.

If we only have a Firewall then we select the Firewall (previously added to our
Devices section) and that’s it.

In the case where we have Panorama in place and all our firewalls are sending their
logs to Panorama, it is much better to retrieve the dynamic custom reports from
Panorama instead of from the Firewall. To achieve that we still have to select which
firewall is generating the logs, and then select our Panorama (previously added in the
Device section) under “Uses Panorama for Reporting?”. In the end this configuration
generates the API calls against the Panorama IP address but filters by the serial
number of the selected Firewall.

User-ID Connector

The User-ID Connector imports the Groups and Users from one of our Devices. This
is used to calculate the minimum number of groups we need to add to a rule after we
import the users with the User-ID Adoption process, and to be able to use the users in
new Security Rules: when we want to add a new user to a rule we can search our users
and groups from the Security Rule Edit Window.

When we add a new User-ID Connector we need to replace the default name <NEW>
by a new one, then select from which Device we will retrieve the User Group list by
clicking on “Retrieve Groups”.

By default all the imported Groups will be disabled. Enable the groups you want to
show in your migration tool.

Only the enabled groups will be eligible to import the Users inside.

After enabling the groups click on “Retrieve Users” to import the users for the
enabled Groups. This process can take some time; a new API call is generated for
each Group.

At the end of the process you have to attach the User-ID Connector in the bottom bar
under your Security Rules to apply these Users and Groups to your Project.

From this moment on, if we open a Rule to edit it, we can add a new user and type to
search for a user or a group; we need to type a minimum of 2 characters to start the
search.

Monitor

Here we can find two types of logs: Migration Logs and Audit Logs.

The Migration Logs are generated at import time, or when we execute some tasks from
the tool. Some logs ask you to take action, so if you manually fix some task you can
select it and click on Fixed to remind you that it was fixed. The task will be shown as
strikethrough text.

We can generate PDF Reports by clicking the “Generate Report” button, with the
whole list of logs from the Migration and a chart with the recommended Platform as
well, like in this example:

Policies

This Tab will show us the 3 different policies that we can see and modify from the
Migration Tool 3. The Security rules can be modified. The NAT rules can be modified.
The Application Override rules cannot be modified. The other kinds of rules, if you
are importing a configuration from a Palo Alto Networks Firewall, are stored in the
database but not shown in the GUI.

When we select the Policies tab the Security rules are automatically shown and the
bottom bar is updated to show you only the options regarding the Security Rules. If we
select the NAT rules the bottom bar will change as well. This happens with all the
different tabs in the Migration Tool 3.

The Security Policy Editor:

The bottom bar shown when the Security Rules are selected is the following:

• The Plus button allows us to add a new Rule.
• The Clone button. We can select if we want to clone the selected rules above
or below each one.
• Remove the selected rules.
• Enable the selected rules.
• Disable the selected rules.
• Run the Auto-Zone Assign Function.
• Lock the selected rules. This prevents any change in the zones by the Auto-
Zone assign function.
• Unlock selected rules. Allows the Auto-Zone assign function to change the Zones.
• Multi Edit opens the Policy Editor window, and all the changes made in the
editor will be applied to all the selected rules.
• Convert to Shared Rule. Transforms the rule into a SHARED rule when we are
in a Panorama configuration and migrates all the objects in the rule (addresses,
services, etc.) to the SHARED space as well.
• Combine Rules. This will combine the selected rules into only one. The
parameters for the new rule will be captured from the first selected rule (action,
log settings, negated source or destination, name, etc.). All the other objects like
source, destination and applications will be combined to capture them all
without duplicates.
• Convert to PRE-Rule (applies when the configuration is from Panorama).
• Convert to POST-Rule (applies when the configuration is from Panorama).

• The Log Connector assignment. This is used to bind a Security Policy with a
Log Connector to retrieve App-ID and User-ID.

The Advanced Options:

By clicking on one Security rule a new menu will show up.

• Add to Filters: Add the selected name to the Filter’s Panel.
• Search & Replace: Open the Window to search and check where an object is used.
• Rule Actions: Here there is another menu to Combine the selected rules and
enable or disable the properties “Log Start” and “Log End”.

• Rule Names: Options to Remove the Rule Names, rename the empty rule
names with Rule X and, in case of duplicated Rule Names, fix them by adding a
prefix at the end.
• App-ID Adoption: All the options we need to retrieve the applications from
the logs using the Palo Alto Networks APIs. This requires a Log Connector
assigned to the Security rule.
• User-ID Adoption: All the options needed to retrieve the Users from the logs
using the Palo Alto Networks APIs. This requires a Log Connector assigned to
the Security rule.
• Replace (In Rule): We can replace inside the selected rules:
o Service Groups by the Members
o DM_INLINE by Members: This is useful when we import a Cisco ASA
config where some groups named like DM_INLINE are used; this
function replaces those groups by their members in the services, source
and destination.
• 3rd Party Options:
o AlgoSec: Features that help to retrieve the Documentation fields from
AlgoSec Firewall Analyzer.
o Checkpoint: From here we can open a web-based Checkpoint viewer for
the objects and security policies.
• Add to Cron Jobs: Add the Selected Rules to one Cron Job to reduce the
scope of the report generation to only the selected rules instead of All Rules.

Hidden Columns: We can add more columns to the Security Policy Grid by doing this:

Edit a Security Rule: Double click on one Rule to Edit it, or select some rules and click
on “Multi Edit” to edit them all.

There are two hidden panels: one is on the left and expands by clicking on the warning
icon, the other shows up when we click on “Next-Gen Features”:

The information panel contains the warnings or errors found in the migration process.
A warning is displayed from the Security Rules view.

Policy Filters

There is a hidden Panel at the right side in the Security Rules tab called Policy Filters.
Click on that panel to show all the options.

The first Option inside the Panel is the Filters: We can add filters to reduce the
number of Rules, or search for elements inside rules to reduce the scope of the rules
shown.

The second Option is the Consolidation: Useful to search for rules that are seen
more than once based on custom parameters, like showing the rules that have the same
destination and service, or the same source and destination, for example.

We can chain the two options: first we filter the rules and then search for rules that
can be combined because they share something.

1. Select the name from the Security Rule to add the Filter.

2. Select Consolidation and search for rules that share the same source and
destination.

3. Click on Case 1 to see the 2 rules. Now select the first Rule and then the
second rule, and click the combine button in the bottom bar to combine the 2
rules.

This is the new rule after combining, which has everything from both rules; in this
case we have merged the services.
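The Consolidation search and the Combine Rules operation from the walkthrough above, as an added Python example that is not code from the Migration Tool; the sample rules and their field names are constructed assumptions, not the tool's data model:

```python
from collections import defaultdict

# Constructed sample rules for this example; field names are assumptions,
# not the Migration Tool's own data model.
SAMPLE_RULES = [
    {"name": "Allow-Web", "source": ["Net-LAN"], "destination": ["Srv-Web"],
     "service": ["service-http"], "application": ["any"],
     "action": "allow", "log_end": True},
    {"name": "Allow-Web-SSL", "source": ["Net-LAN"], "destination": ["Srv-Web"],
     "service": ["service-https"], "application": ["any"],
     "action": "allow", "log_end": False},
    {"name": "Allow-DNS", "source": ["Net-LAN"], "destination": ["Srv-DNS"],
     "service": ["service-dns"], "application": ["dns"],
     "action": "allow", "log_end": True},
]

# Fields that are unioned when rules are combined; everything else is scalar.
LIST_FIELDS = ("source", "destination", "service", "application")


def consolidation_cases(rules, fields=("source", "destination")):
    """Consolidation: group rules that share the same values in `fields`.

    Only groups with more than one rule are returned (one list per 'Case'),
    in the order their first rule appears in the rulebase.
    """
    buckets = defaultdict(list)
    for rule in rules:
        # Sort so that member order inside a rule does not matter.
        signature = tuple(tuple(sorted(rule.get(f, []))) for f in fields)
        buckets[signature].append(rule)
    return [group for group in buckets.values() if len(group) > 1]


def combine_rules(selected):
    """Combine the selected rules into a single rule.

    Scalar parameters (name, action, log settings, negate flags, ...) are
    taken from the first selected rule; the list fields are unioned across
    all selected rules without duplicates, keeping first-seen order.
    """
    if not selected:
        raise ValueError("select at least one rule to combine")
    combined = dict(selected[0])
    for field in LIST_FIELDS:
        members = []
        for rule in selected:
            for member in rule.get(field, []):
                if member not in members:
                    members.append(member)
        combined[field] = members
    return combined


if __name__ == "__main__":
    for case_no, case in enumerate(consolidation_cases(SAMPLE_RULES), start=1):
        print(f"Case {case_no}:", [r["name"] for r in case])
        print("  combined ->", combine_rules(case))
```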

If a Filter is Active you will see it in the Panel. There are independent Filters for
Security Rules and for NAT Rules.

To remove the filters select them and click on Clean at the bottom bar inside the
Filter’s Panel.

Objects

From this panel we can manage the Address, Services, Applications, Tags and other
Objects.

Address and Address Groups bottom bar

The buttons located at the left side are related to the Addresses. The middle ones are
common for all the Objects and the right side buttons are related to the Address
Groups.

Let’s start with the Common Buttons:

• The Green Balloon: This starts the process to re-calculate all the Used Objects.
What does Used Objects mean in the Migration Tool 3? The tool will search
whether the Objects are used in any of these policies:

o Security Rules

o NAT Rules

o Application Override Rules

Only in these Rule-sets. The process also affects the groups and their
members, and this is recursive.

You can use the button after using the Search & Replace function to recalculate
whether the replaced objects are now Unused.

! Note Since the Migration Tool 3 is not managing other Palo Alto
Networks Policies, we are not controlling whether the objects are used there. Be
careful if you are importing a Palo Alto Networks configuration into the tool
and you want to remove the unused Objects: some of them may be used in
the configuration but look unused to the Migration Tool 3.
This feature is useful when you migrate from other vendors.

• The Red Balloon: This will remove all the Unused Objects (Addresses, Services
and Groups). The unused objects have the red balloon assigned, like in the
picture:

Address And Address Groups Common Buttons:

• Add a New Address. It will be placed as the first Object. Double click on it to
Edit.

• Clone Address: This will clone the selected Address into the selected
Vsys/DeviceGroup.

! Note If we select “Shared” the objects will be cloned and moved to
Shared and they will keep the same name. If we select to clone in the same
Vsys the object will be cloned with the prefix “Cl-” at the beginning.

• Remove Selected Objects. Only Unused objects can be removed, to avoid
unexpected changes in the configuration.
• Convert the Selected Address to a Shared Address. This will update all
the Rules and Groups with the new Shared Object.

! Note If you try to convert an address to a shared address and a
shared address with the same name but a different value already exists,
the object will be created, but then you will have two objects with the
same name but different values. Fix it manually in that case.

• Merge: We can Merge Objects automatically by:

o Name
o Name, IP and CIDR
o IP and CIDR

To preview which objects are Duplicated by these options we can use the Filters
first:

! Note If we want to reduce the scope of the Merge function we can
search for any specific text in the search textbox. The Merge will
act only on the objects matched by the search. Selecting the objects via Checkbox
has no effect on the Merge; the checkboxes are only to Remove or Clone Addresses.

Address Groups Buttons:

• Transform: We can do some actions with the Address Groups:

o Static To Dynamic: This will convert a regular static group into a
Dynamic Address Group. The process will create a new TAG with the
group name and will automatically TAG all the members with the new
TAG. Then the group will match by that same TAG. (Useful when you
want to transform something static into something dynamic, and useful
to replace objects with more than 500 members.)
o Fix >500 Members: There is a limitation in PAN-OS that doesn’t
allow us to have more than 500 members in one group. But we can
have a Group that contains other groups, and each one of these
groups can store 500 members. For example, if we have 600 members
in GroupMain, the function will remove the 600 members and start
creating groups of 500 members each until we reach the 600. At the
end we will have under GroupMain 2 other groups: Group1 with the
first 500 members and a second group Group2 with the other 100.
Now we have a GroupMain with only 2 members in it.

! Note The same applies to Services and Services Groups.
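Both Transform actions as an added Python example (not the tool's own code; the group and tag structures are assumed): tagging members into a dynamic group, and splitting a 600-member group into Group1 and Group2 as in the text above.

```python
MAX_MEMBERS = 500  # per-group member limit stated in the guide


def static_to_dynamic(group_name, members, tags):
    """Static To Dynamic: create a tag named after the group, tag every member
    with it and return a dynamic group that matches on that tag.

    `tags` maps object name -> list of tags and is updated in place
    (an assumed representation of the tag store).
    """
    tag = group_name
    for member in members:
        member_tags = tags.setdefault(member, [])
        if tag not in member_tags:
            member_tags.append(tag)
    return {"name": group_name, "type": "dynamic", "tag": tag, "filter": f"'{tag}'"}


def resolve_dynamic_group(group, tags):
    """Members a dynamic group would match: every object carrying its tag."""
    return [name for name, t in tags.items() if group["tag"] in t]


def fix_large_group(group_name, members, limit=MAX_MEMBERS, child_prefix="Group"):
    """Fix >500 Members: split a group over the limit into child groups of at
    most `limit` members each and leave only the child groups in the parent.

    Returns a dict name -> member list for the parent and every child created.
    A group within the limit is returned unchanged. Child names follow the
    guide's example (Group1, Group2, ...); the prefix is an assumption.
    """
    members = list(members)
    if len(members) <= limit:
        return {group_name: members}
    groups, children = {}, []
    for start in range(0, len(members), limit):
        child = f"{child_prefix}{len(children) + 1}"
        groups[child] = members[start:start + limit]
        children.append(child)
    groups[group_name] = children  # the parent now holds only the child groups
    return groups


if __name__ == "__main__":
    # Constructed input: 600 member objects, as in the guide's example.
    result = fix_large_group("GroupMain", [f"host-{i}" for i in range(600)])
    print({name: len(members) for name, members in result.items()})
```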

App-ID:

You can add Custom Applications into the Tool; the Signature can be added in XML
format. Only Custom Applications that are not used in Security or Application
Override policies can be removed.

! Note Application Filters and Groups are shown but they are not
editable yet.

Network

From the Manage Networks Control on the main control bar, you can prepare your
physical and logical network connections, focusing on a single virtual system or
multiple virtual systems, depending on what type of Migration/Optimization project
you are working on.

1 VSYS & Active Selection

2 Template Selections

3 Main tabs control

This is the same as in Policy management; this is a constant if not using a Connector
for Panorama.

4 The Left tab is for all profiles, and objects.
Interfaces may be created and edited. They contain all the options necessary for
each interface to operate.

You may now edit the interface names, which are inherited from imported
configuration files, to valid interface names (for example, ethernet1/1), and leave
these names only to the zones to be later applied to each interface.

You may now add a sub-interface by selecting the representation next to the new
name (for example, ethernet1/1.X), set a Tag, assign a Virtual Router, Virtual
System and Security Zone (if already defined), along with a full set of interface
attributes.

You can also rename one or all interfaces from the imported candidate configuration.
If you are planning to send the modified interfaces into the selected device as the
output, keep in mind that the renamed interfaces here must be available on the target
device, for example the interface “inside” on the original configuration renamed to
ethernet1/1. The destination device has no interfaces configured yet.

If you have a “target” interface already configured on the “target” device you should
rename the original interface to an available interface, or remove the target interface on
the “target” device if possible.

You may rename interfaces by double-clicking them, and from Interface Name drop-
down select an interface name.

Zones can be created, edited, or removed with the real interface names, for example,
Ethernet.

Naming a zone, configuring the type and attributing it to a real named interface are part
of the Zone window. The same settings from the PAN-OS devices can be added here.

Virtual Routers can be added, edited, or removed with the same settings selection as
the ones on a PAN-OS device.

The Virtual Router Editor allows you to establish participating interfaces, define static
routes, and define administrative distances.

If dynamic routing protocols are needed, you will be able to configure them on a PAN-
OS device, export the configuration to an XML file and pass the configured selection
in the Protocol tab.

Virtual Wires are also created, edited, and removed from the Virtual Wires tab.

Creating a Virtual Wire requires that you set the Interface Type of the interfaces
participating in this Virtual Wire to Virtual Wire. Only then will the interfaces be
available in the Virtual Wire Editor.

Device

Use the Virtual Systems tab to add, edit, or remove virtual systems.

1 VSYS & Active Selection

Select which VSYS to work with and which configuration file or configuration base file
you are working on at the moment.
2 Template Selections:

3 Main tabs control

This is the same as in the Policy management, this is a constant if not using a
Connector for Panorama.

4 Left tab Virtual Systems and Response Pages

Virtual Systems can be added, edited, or deleted.

Defining a VSYS (Virtual System) will depend on existing objects such as
interfaces, VLANs, virtual wires, virtual routers, and visible vsys names.

Use the Virtual System Editor to create a new virtual system or edit an existing one.

Use the General tab to define the participating interfaces, VLANs, virtual wires, virtual
routers, and visible virtual systems. These objects have to be previously configured on
their sections or editors. These fields are “drop-down” controls that need to be pre-
filled with the referred object in order for you to add any of these elements to a new or
existing virtual system.

The second tab allows you to add or edit Resource (limits) as you would on a regular
PAN-OS device.

Use the Response Pages tab to edit the device response pages.

Only configuration files, pre-configured devices, or base configuration files loaded into
the Palo Alto Networks Migration Tool can be edited. Any other configurations
imported into the tool won’t have any existing response pages and therefore no
information will be displayed on this tab.

You must select the file you want to work on, once imported or loaded on the control
1 VSYS & Active Selection.

Make sure you are working on the proper configuration file before trying to edit the
Response Pages.

You may select the pages inherited by the configuration file you brought in and use the
HTML editor to customize your pages.

On these HTML pages, besides the text and images, you must be aware of the
variables that are brought in as part of the code. For instance, if you are editing the
Certificate Error page, which has several variables, keep in mind that you are not seeing
them; they are embedded in the HTML source code. If you need to move these
variables around, click on the “Source Edit” button at the top bar of the HTML editor.
If you look at the HTML editor, the code exposed is the final HTML as clients will be
able to visualize the page.

Using the Source Edit button you can find the equivalent variable or XML node,
which is used to bring that information dynamically from the PAN-OS device.

<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the
server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname> </certname></p>
<p><b>IP:</b> <url> </url></p>
<p><b>Issuer:</b> <issuer> </issuer></p>
<p><b>Status:</b> <status> </status></p>
<p><b>Reason:</b> <reason> </reason></p>
</div>

You may move these XML nodes around, but if you remove them, no
information will be presented from the page you are creating. Keep in mind that
these nodes need to be represented as: <nodename> </nodename> for the
proper XML parsing to take place.
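An added check, not part of the guide or the tool, that a customized response page still carries every variable node in the <nodename> </nodename> form before it is exported; the Certificate Error snippet above is used as the constructed input, and the node list is taken from it:

```python
from html.parser import HTMLParser

# The Certificate Error page exactly as shown in the guide (constructed input).
CERT_ERROR_PAGE = """<div id="content">
<h1>Certificate Error</h1>
<p>There is an issue with the SSL certificate of the
server you are trying to contact.</p>
<p><b>Certificate Name:</b> <certname> </certname></p>
<p><b>IP:</b> <url> </url></p>
<p><b>Issuer:</b> <issuer> </issuer></p>
<p><b>Status:</b> <status> </status></p>
<p><b>Reason:</b> <reason> </reason></p>
</div>
"""

# Variable nodes that page must keep (names taken from the snippet above).
CERT_ERROR_NODES = ("certname", "url", "issuer", "status", "reason")


class _NodeScanner(HTMLParser):
    """Count open, close and self-closing occurrences of the variable nodes."""

    def __init__(self, names):
        super().__init__()
        self.names = set(names)
        self.opened = {}
        self.closed = {}
        self.self_closing = set()

    def handle_starttag(self, tag, attrs):
        if tag in self.names:
            self.opened[tag] = self.opened.get(tag, 0) + 1

    def handle_endtag(self, tag):
        if tag in self.names:
            self.closed[tag] = self.closed.get(tag, 0) + 1

    def handle_startendtag(self, tag, attrs):
        # <certname/> is not the <certname> </certname> form the parser expects.
        if tag in self.names:
            self.self_closing.add(tag)


def check_response_page(html, names=CERT_ERROR_NODES):
    """Return {node: problem} for every variable node that is not present
    exactly once as an open/close pair. Problems are 'missing', 'self-closing',
    'unbalanced' (open/close counts differ) or 'duplicated'. An empty dict
    means the edited page still exposes every variable.
    """
    scanner = _NodeScanner(names)
    scanner.feed(html)
    scanner.close()
    problems = {}
    for name in names:
        if name in scanner.self_closing:
            problems[name] = "self-closing"
        elif scanner.opened.get(name, 0) == 0:
            problems[name] = "missing"
        elif scanner.opened[name] != scanner.closed.get(name, 0):
            problems[name] = "unbalanced"
        elif scanner.opened[name] > 1:
            problems[name] = "duplicated"
    return problems


if __name__ == "__main__":
    print("guide page:", check_response_page(CERT_ERROR_PAGE))
    print("url removed:", check_response_page(CERT_ERROR_PAGE.replace("<url> </url>", "")))
```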

Export

This control was created to stage the elements you have been working on to this point,
and map the content of your Source Configuration [INPUTS], which may comprise
more than one file if needed, to your Base Configuration [OUTPUT].

1 VSYS & Active Selection

Here you select which virtual system to work with, and what configuration file or
configuration base file you are working on at the moment.
2 Main tabs control

Same as in the Policy management this is a constant, if you are not using a Connector
for Panorama.

3 Left tab Mappings & API Output Manager

Mappings are done based on the contents of the imported or base configuration files
imported from configured devices. If you don’t see a tree structure on the INPUTS
side of the screen, select a configuration file to use as the Source for your mappings
from command 1 (VSYS & Active Selection).

If no configuration file is set as your Base Config, click Set Base Config to
set one.
You can also Deactivate or Remove the selected base configuration file.

By deactivating the Source Configuration file, you won’t be able to move the
elements (the configuration you’ve already worked on) into the Output.

If you remove the Source Configuration file, use the Import configuration files
command on the top menu 2 Main tabs control and import a new Source
Configuration file.

Use the API Output Manager tab to generate Atomic and Sub-Atomic API calls to
send to connected devices.

Atomic API Calls send the entire configuration generated by merging the source
configuration into the candidate configuration (OUTPUT). The Atomic calls are sent
to the connected device by “groups.” This action mimics the “load config partial”
command from the CLI configure mode. These API calls send the candidate
configuration to the targeted device, including all the address objects, address groups,
interfaces, shared log settings, NAT policies, PBF policies, shared response pages,
security policies, service objects, service groups, tags, virtual routers, virtual systems,
and zones in this order to maintain consistency through the process and to avoid
missing elements during the process. If you do not select an object group, the Palo
Alto Networks Migration Tool sends all object groups (in order) to the connected
device. If you want to send just part of the configuration, select the desired object
group and send the selected API calls.

Note: Some objects are dependent on others. For example, security policies require
that you add addresses and/or addresses groups first in order to avoid errors during
the process.

The Sub-Atomic API calls perform the same task as the Atomic selection and will be
bound to the same rules. However, instead of groups you must prepare all API calls
individually. If you do not select a specific call, the system sends all calls, one by one,
following the same group order as with Atomic calls.

We will have a more detailed description about API Calls in the next chapter.

The last tab on the left of this screen displays Device Usage. This is extremely valuable
when you are creating, migrating or optimizing the configuration on an existing device.
Based on the selected configuration you will see all the variables brought in from the
source configuration, the legacy device being migrated, or the new rules created for an
existing device in a report screen. This report will show you the recommended
platform at the bottom that would best run the candidate configuration file and it
compares this file to all Palo Alto Networks devices. Select the Platform and PAN-
OS version then click Calculate to see the candidate configuration in comparison to
the selected Platform. It will also show if you are over the default specification for each
element being used on your configuration.

This is very helpful when you need to make sure that the device you are migrating to is
capable of handling the resource consumption of the selected platform.

You may choose whether or not to deploy this configuration to the selected platform
knowing that you may have resource exhaustion if the elements are counted over the
limit for the selected platform. You may also perform an optimization and reduce the
number of elements used according to the selected (target) platform.

! Note The Palo Alto Networks Migration Tool will account 25%
more for each resource calculated, giving you room to
accommodate resources more efficiently and leaving some room for the new
configuration file.

In the example above, notice that under Rules Consumption there are 295 security
rules; for the platform selected, the desired capacity is 250 rules. The System indicates
that there are 11 disabled rules and all others are enabled. With this information you
can see that the PA-200 firewall is not going to accommodate these rules, but the
suggested VM-200 platform will.

This feature will help you resolve and avoid performance issues, and still leave room to
grow on the device.

4 Left Panel [INPUTS]

The left panel on this tab displays the file or files you imported into the Palo Alto
Networks Migration Tool, with all the modifications up to this point.

Expand the tree-based objects to see where the objects, policies, zones, virtual routers,
and virtual systems are stored.

5 Right Panel [OUTPUT]

To export the source configuration, expand the tree-based object then drag and drop
from the INPUTS panel to the OUTPUT (right side), into each correspondent sub-
node on the right panel (Base Configuration [OUTPUT]).

Expand each main Node on each side to drag and drop each part of the configuration
from the left to the right panel.

By expanding Network you can see the child nodes (Interfaces, Virtual Routers), which
contain the entire configuration changes you made on the Palo Alto Networks
Migration Tool to this point. Select it, and with the node still selected, drag and drop it
into the corresponding section in the right panel (the output).

You may have cases where you imported more than one configuration file into the
Palo Alto Networks Migration Tool and you want to bring the objects, object groups,
and services into the same destination file (OUTPUT) on the right.

From your INPUTS, Network Node drag Interfaces, Virtual Routers, and from the
vsys1 Node drag Objects, Policies, and Zones into the corresponding nodes in the
OUTPUT.

Network contains Interfaces and Virtual Routers.

Virtual systems will be numbered as they have been imported from a base
configuration file or loaded into the system by a connected device. If you are working
on Panorama configurations, a valid Device Group, and Template will be listed instead.

From your INPUTS vsys1 (or any other vsys you are working with or from a shared
child node if you are migrating from Panorama), drag Objects, and Policies, then drop
on the destination VSYS or shared Node on your OUTPUT panel.

As you may notice, the elements brought from the source configuration into the
OUTPUT section are now “pending” actions waiting for your approval in order to
generate a final configuration file or to create the necessary API calls to send to any
connected Palo Alto Networks device previously configured in the Palo Alto Networks
Migration Tool.

6 INPUTS controls

These buttons will allow you to remove the selected Source Configurations from the
left panel (INPUTS).
If you have multiple configuration files imported into the Palo Alto Networks
Migration Tool, you will be able to remove one or more files from the INPUTS.
Use the Set Base Config button when you have more than one INPUT / source
configuration and select the configuration to switch to as your base.

7 OUTPUT controls

These buttons unset whichever base configuration file you have selected in the left
pane (Source Configuration / INPUTS) and reset the object migration to the starting
point giving you a chance to restart dragging & dropping objects into the OUTPUT
panel.

This allows you to go back and edit objects, policies or any elements in your source
configuration files, and return to this screen to finalize the process.
Part of the OUTPUT Controls, the MERGE button is your goal.
MERGE will run all the necessary scripts within the Palo Alto
Networks Migration Tool. MERGE will prepare the proper configuration to be either
exported to a XML file for import into a Palo Alto Networks device, or to generate
API calls to send to the connected devices within the project and imported as the
“targeted” device to receive these commands.

8 Generate XML and Set Output

Until now this would be the ultimate goal of a migration, after all reviews and
configuration changes. You would generate an XML file to import into a Palo Alto
Networks device. By using the Generate XML Output button, your final
configuration will generate the final XML configuration file.

The Generate XML Output will create 3 files: the XML, SET commands, and a ZIP
file containing one or more copies of XML files for the selected project.

9 Downloads

This single-function button lists the file(s) generated from the Generate XML and
SET commands Output: a ZIP with all files, a SET commands text file, and the XML
with the merged configuration file.

Debug

Besides the Monitor Logs and Reports, where you may find detailed logs and
recommendations on actions, the new Palo Alto Networks Migration Tool 3.0 offers a
debug screen where you may take an in-depth look at the tool’s logs, for debugging
issues related to your migration or to the Migration Tool 3 itself.

The Logs generated by the Web Server show the errors found in the php scripts; to
see those logs just point your web browser to https://<migrationtool>/debug

Another Debug Window for the API calls has been introduced in Migration Tool 3.1.
To get access, point your browser to [hyperlink not available in the source].

The API calls are shown in the debug window without the key parameter, to avoid
showing the API key to everyone.

The API calls are actionable (HTML links), so if you click on one call and add the
parameter “key=asdasdasdas” with your own key, you will be able to see the same
output that the tool is trying to get.
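The debug window's handling of the key parameter as an added Python example (not the tool's own code): removing the key from a PAN-OS XML API URL before it is displayed or logged, and adding it back when you repeat the call yourself. The host and key values are constructed placeholders.

```python
import re
from urllib.parse import quote

# Matches a key=... query parameter wherever it sits in the query string,
# consuming the '&' that follows it so the remaining parameters stay joined.
_KEY_PARAM = re.compile(r"(?<=[?&])key=[^&#]*(?:&|(?=#)|$)")


def strip_api_key(url):
    """Return the API URL without its key parameter, as the debug window shows it.

    Other parameters (type, cmd, reportname, ...) are left untouched, so the
    displayed call can still be compared with what the tool sent.
    """
    stripped = _KEY_PARAM.sub("", url)
    # Drop a dangling '?' or '&' left behind when key was the only or last parameter.
    return re.sub(r"[?&](?=#|$)", "", stripped)


def add_api_key(url, key):
    """Append key=<key> to a call taken from the debug window (the manual step
    the guide describes). The key is percent-encoded so '=' or '/' inside it survive."""
    encoded = quote(key, safe="")
    if "?" not in url:
        return f"{url}?key={encoded}"
    if url.endswith(("?", "&")):
        return f"{url}key={encoded}"
    return f"{url}&key={encoded}"


if __name__ == "__main__":
    # Constructed example call; host and key are placeholders.
    call = ("https://firewall.example/api/?type=report&reporttype=dynamic"
            "&reportname=top-app&key=EXAMPLEKEY")
    shown = strip_api_key(call)
    print("debug window shows:", shown)
    print("re-issued with key:", add_api_key(shown, "EXAMPLEKEY"))
```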

Chapter 4
The Workflow

The Palo Alto Networks Migration Tool 3 provides a simplified migration workflow.
In addition, the Palo Alto Networks Migration Tool 3 now also enables you
to perform configuration changes, App-ID migration, profile distribution,
response pages customization, firewall policy optimization, NAT rule
creation, and much more. Let’s divide our workflow into two primary categories:
• Migration Projects
• Optimization Projects

Migration Projects

1. Create a new project.
2. Configure a device (when possible).
3. Import the source firewall configuration file. You can import a configuration
from a PAN-OS, Cisco, Check Point, Juniper SRX, ScreenOS, Fortinet,
Sidewinder or CSV file.
4. Import a clean base configuration (either from a firewall or from Panorama).
Note: If you select a configured device for your base configuration you do not
need to load a base configuration file.
5. Manage objects, services, applications, and profiles.
6. Configure and name the interfaces for the candidate configuration.
7. Manage zones, virtual routers, and virtual wires when available.
8. Manage virtual systems.
9. Prepare a final, clean configuration to be sent to your devices, via API calls
when devices are configured or by exporting the XML.
10. Send your base configuration to the device by merging the imported
configuration from a legacy vendor, using either API calls or regular XML
files.

Migration in the new tool is similar to how it was done in previous versions of the
Migration Tool. Although the base task is the same, new logical workflows provide a
more efficient way of handling the data from one device to another. Now you can
migrate from a single device to a single target (one to one), from multiple configuration
files to a single destination (many to one), or from multiple Device Groups and
Templates on a Panorama base configuration (many to many).
For Migration projects you can now merge configurations into one or multiple virtual
systems, or simply merge the new configuration with an existing PAN-OS
configuration and optimize the duplicated objects (different name same IP address),
services, groups, split groups with more than 500 objects into a new dynamic object,
and update all the security policies and NAT rules affected. You will be able to lock a
specific rule (or a group of rules) to avoid grouped changes that affect them. You also
have the flexibility to update one, a selected group, or all security policy rules with a
new log forwarding profile or security profiles, which improves your work efficiency
and enriches the migration task.

Optimization Projects

1. Create a new Project or load an existing one.
2. Configure a device (when possible).
3. Load the offline XML or load the device configuration from the Devices tab.
4. Manage objects, services, applications, and profiles, and remove any incorrect
elements.
5. Organize the security policy and NAT rules in the most efficient way.
6. Validate all the warnings displayed on specific rules.
7. Create a Collector and associate it with a device for log reading and
App-ID creation.
8. Check all App-IDs that have been created and analyze the unknown traffic.
If possible, create new App-IDs from the unknown traffic.
9. Send your base configuration to the device by merging the imported config
(from a legacy vendor), using either API calls or regular XML files.

Following the same basic workflow of a migration project, create an optimization
project to help you clean up the security policy, make the NAT policy more efficient,
and eliminate duplicated objects.

After completing a migration project, you can still go back and create a Collector that
will use the Devices you defined on the main Dashboard. With that in place you can
collect traffic data from up to seven days ago and use the App-ID Reconciliation
option to generate Layer 7 rules for you based on real data from the logs. For the
unknown traffic you can still analyze and generate a new App-ID for each one of
them.

You can repeat this process as often as necessary to validate traffic and migrate rules
into the next-generation firewall by protecting your established security policies into
App-ID rules.

Chapter 5
Sample Project – Step-by-step guide.

From now on we will dive into the mechanics of the Palo Alto Networks
Migration Tool. You should have all the basic information about the tool
and its components.

You know what you can do by now; it’s time to practice and test the new
Palo Alto Networks Migration Tool 3.

If you have downloaded the Virtual Machine for the tool you should be able to access
it via https://192.168.58.143

These are the requirements for this project:

1. Migrate all interfaces, except the one for management, from a Cisco ASA
Version 9.1(5).
2. Migrate all ACLs and NAT Policies.
3. Clean up unused Addresses and Service objects from the legacy configuration
file.
4. Create and apply Security Profiles (AV, AS, Threat Prevention, and URL
Filtering).
5. Prepare an XML file as the candidate configuration file for PAN-OS 6.1.X.
6. Connect a target device (PA-200 firewall). Analyze and optimize objects
according to PA-200 firewall capacity.
7. After the migration, connect to the target device as a Connector and
capture traffic related to each new Security Policy and create App-IDs for
these rules, leaving a copy of the rule above the current one for further analysis,
separating unknown traffic.

61
Now that we have our requirements, let's get the Cisco ASA configuration file from our fictitious customer (ACME), named MyCiscoConfig.txt. ACME's network security team produced it by issuing the 'show run' command at the Cisco ASA prompt and saving the session output from the terminal tool used to SSH into the device (usually PuTTY). Treat this file as sensitive: a running configuration carries password hashes and similar secrets, so keep it off shared locations and delete copies when the project ends.

Start the tool and access it via your web browser, pointing to the IP address reported by the Virtual Machine.

In this case, the address is 172.16.175.200. It will be in a different subnet depending on your Virtual Machine's network settings.

After reading the disclaimer, click I Accept at the bottom of the screen.

You may start your new project from here. However, because we are migrating from a Cisco ASA to our PAN-OS PA-200 device, let's configure that device before we define our project.

From the Projects tab click Add New Project on the lower left bar. We could
search/filter for other existing projects from here if we have created and saved multiple
projects. The suggested search term would be the TAG name for each project, and the
recommended value for this field should be the Company’s name, in our case ACME.
After we create a new project with the name value of “MyProject” and TAG value of
ACME, let’s configure our device since we are already here and the Devices tab will
keep all devices you’ve configured.

In our requirements we learned that we would be migrating this Cisco ASA configuration to a PA-200 device, so let's create a connection to that device from our Devices tab in the same screen.

You could import applications, threat signatures, URL categories, and regions from an
existing source into your project. A source here would be a pre-defined device from
the Devices tab. This would bring all these elements into your project for further
tweaking and use for creating the new configuration file.

After creating the project, click the Power icon at the top-most bar in the tool. That
will close the project (not delete it) and allow us to continue with our settings.

In this example, we will connect to a device named JOTUNHEM, with the IP address
of 192.168.1.5, using the port 443, which is the default port. If you don’t enter anything
on the Port field it will use the value of 443. Next I will select PA-200 as the model.

After a successful connection, select the created device and check that the connection acquired an API KEY; the key is required for every interaction the tool has with this device. The key carries the privileges of the admin account used to generate it, so protect access to the Migration Tool VM accordingly.

By clicking the Configuration, Applications, and/or Threats buttons, you will generate an XML file containing each of these elements. The XML will be opened on a second tab in your browser and you may download it as a file if needed. That may be handy for later parts of the project where you want/need to create a new part of your configuration and add it as an XML snippet on your base configuration file (Output).

! Note If you make any changes to the connected device you must
select it from the Device tab in order to reload its configuration
file and objects.
As a good practice check for new updates from the Updates tab frequently because
the Palo Alto Networks Migration Tool 3 is a live project that is under continuous
improvement, and we strive to improve in all aspects of the tool.

After we create our project and set up our environment we are ready to select our
project by double clicking on it from the Projects tab.

Following our requirements we should import a Cisco ASA Configuration file. Open
the Import Configuration from other vendors or from Palo Alto Networks icon
from the top bar (the second icon from left to right).

We can see our configured devices and a series of tabs for each device from where the
Palo Alto Networks Migration Tool 3 is able to import configuration.

Let's select the Cisco tab and, from the Upload File / Configuration field, browse our local machine for the MyCiscoConfig.txt provided by ACME.

After selecting the file, notice that the Palo Alto Networks Migration Tool 3 starts the import process automatically. During this process, the system goes through the loaded configuration file and interprets each ACL, the NAT policies (including the object-based NAT introduced in Cisco ASA 8.3 and Cisco Twice NAT), the configured interfaces, address objects and groups, and service objects and groups.

After the porting process is done you will see the loaded configuration file listed in the
top right drop-down with a “vsys1” in its left.

At this point the import is done. Note that the Palo Alto Networks Migration Tool 3 is a migration tool, not a translation tool: it does not turn the legacy policy into a finished PAN-OS policy by itself.

Although most of the work has been done by the tool, professional and qualified resources are still necessary to go over the problems inherited from the old configuration file, or problems introduced by the conversion itself, such as protocols that a PAN-OS service object cannot express (for example ICMP, since a PAN-OS service is TCP or UDP only) and that the person doing the migration must translate into App-IDs manually.
After the system finishes the migration process, it loads the migrated legacy config, and
the first screen you will see is the Security Policies. Check also if the NATs were
imported correctly.

By analyzing the Security Policy you will see there is a warning on rule 15. By clicking on the rule we can see the Information tab, hidden on the left side of each selected rule, which shows what was done to that rule. In this case there are two warnings: "Security RuleID [15] is using the Protocol Name [icmp]", and "Security RuleID [15] is using a Service Group [AllowedICMP] but is not defined in my DB."

These two warning messages help identify potential problems. In this case, the Palo Alto Networks Migration Tool 3 converted the icmp group into the App-ID "icmp", and the service group is no longer used. Whenever it converts a service from a protocol like icmp, the tool warns you to validate that the conversion was done properly for each rule, hence the need for a professional resource capable of identifying these changes coming from a legacy vendor to PAN-OS.
Now check the security policies and NAT policies for warning signs/icons, or go to the Monitor Logs and Reports icon on the top bar (the 4th icon from the left).

Next check Addresses and Services as well as their groups, and clean the legacy configuration file of unused objects and groups. If you want to continue the migration without cleaning these objects, you are taking a more "like-for-like" approach, which consists of simply migrating whatever came from the legacy configuration file. You still need to go through the warnings in order to fix inherited mistakes or problems from the legacy configuration.

At this point we could fix zones, multi-edit several rules or simply lock unlocked rules
to prevent other changes from affecting these selected and locked policies.

There are some new mechanisms that will help with the optimization of the security policy, such as Combine the selected rules into the first one, where you select one or more rules and combine their contents into the first (top-most) rule. This may be useful for projects where the target device has limited resources. Be careful, though: the combined rule is the union of the selected rules' sources, destinations and services, so only combine rules that genuinely carry the same traffic (same source and same destination), otherwise the result allows more than the original rules did.

Use the controls at the bottom bar (the last 3 from left to right) to prepare this
candidate configuration to be used as part of a Panorama Device Group and convert
selected rules into Pre or Post-rules.

Let’s choose to clean the object and services groups.

The objects not in use have a red bullet (icon) next to them. Clean the configuration file by clicking on the red bullet at the bottom bar where it says "Common." Do this for addresses and address groups, as well as for services and service groups.

When you select the Common Red icon with the Address bar selected it will remove all
unused objects for both addresses and addresses groups.

Confirm the removal for each type of objects.

Besides removing unused objects, you may also want to do some research into the
legacy configuration file and search or filter on services and addresses objects by:
Name, Invalid objects, Duplicated Names, Duplicated Names & Values, or
Duplicate Value.

This is a powerful feature that allows you to easily spot addresses and address groups
that have the same value but different names. You can then merge all duplicated
values, for instance into a single object, and then replace the security policies or NAT
policies using these duplicates with a new system-generated one for a leaner
configuration file.

After you select filter criteria, click the icon to merge the results of your filter. You may merge by Name, by Name & IP & CIDR, or by IP & CIDR.

These options merge the objects into one object and update the security and NAT policies accordingly.

On the Group Objects (right pane of the Addresses tab), you will find the same action (merge) but with different options. You can merge address groups by Name, by Name & Value, or by Value (Members). That will also update any reference to these groups with the new one created from the merge, for both security and NAT policies.

Still in the Address Groups panel (right) you will find another icon right before the Merge icon. The Group Handler will transform static groups into dynamic address groups, or will convert groups to addresses only.

Note that as we move along you are cleaning, organizing or re-shaping the legacy
configuration file already using PAN-OS features.

The same behavior is true for the Services tab. You will also clean the unused service objects and unused service groups. After that is clean you will again filter by the criteria you prefer. Usually you will filter for "Invalids" first and adjust any invalid service objects, such as services with ICMP as the protocol: a PAN-OS service object can only be TCP or UDP. Change the protocol to TCP as a placeholder and later convert the rule to the App-ID manually; do not leave the placeholder behind, since a TCP service on that port permits traffic the original ICMP service never allowed.

After fixing the invalid services, or taking notes to fix them later, search for "Duplicate Value," which is very common in Cisco configurations. The bottom icons, again, will assist you with merging. From the bottom icons of the Services panel (left) on the Service tab, merge the resulting filter by Name, by Name & Proto & Dport, or by Protocol & Dport.

Again the action is immediate, and the merge will change the name of the service objects in all security and NAT policies where they are present.

From the Service Object Groups (right pane), merge by Name, by Name & Value, or by Value (Members).
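The three checks this section walks through (unused objects, duplicate values, ICMP services that cannot become PAN-OS service objects) are easy to reproduce outside the tool, which is useful for reviewing what the import did to a large ASA configuration. The following is an added example written for this guide, not the Migration Tool's code. It parses a constructed 'show run' excerpt (hypothetical object names and addresses), flags objects and groups nothing references, groups objects that share a value under different names, and emits the tool's style of warning for ACEs whose protocol is icmp.

```python
"""Added example (not the Migration Tool's code): a small analyzer for a
Cisco ASA 'show run' that performs three of the checks described above:
objects and groups that nothing references (unused), objects that share a
value under different names (merge candidates), and ACEs whose protocol
is ICMP, which cannot become a PAN-OS service object and must be handled
as the App-ID 'icmp'. The config excerpt is constructed (hypothetical
names and addresses); the warning wording mirrors the tool's."""
import re
from collections import defaultdict

ASA_CONFIG = """\
object network WEB-SRV
 host 10.1.1.10
object network WEB-SRV-DUP
 host 10.1.1.10
object network DB-SRV
 host 10.1.2.20
object network OLD-SRV
 host 10.1.9.99
object-group network DMZ-SERVERS
 network-object object WEB-SRV
 network-object object WEB-SRV-DUP
object-group service WEB-PORTS tcp
 port-object eq 80
 port-object eq 443
object-group service LEGACY-PORTS tcp
 port-object eq 8080
object-group icmp-type AllowedICMP
 icmp-object echo
 icmp-object echo-reply
access-list OUTSIDE_IN extended permit tcp any object-group DMZ-SERVERS object-group WEB-PORTS
access-list OUTSIDE_IN extended permit tcp any object DB-SRV eq 1433
access-list OUTSIDE_IN extended permit icmp any any object-group AllowedICMP
"""

def parse_asa(text):
    """Return objects (name -> value), groups (name -> member lines),
    gkind (group name -> network/service/icmp-type) and the ACE lines."""
    objects, groups, gkind, acls = {}, {}, {}, []
    current = None
    for line in text.splitlines():
        if m := re.match(r"object-group (\S+) (\S+)", line):
            gkind[m.group(2)] = m.group(1)
            groups[m.group(2)] = []
            current = ("grp", m.group(2))
        elif m := re.match(r"object (network|service) (\S+)", line):
            objects[m.group(2)] = ""
            current = ("obj", m.group(2))
        elif line.startswith("access-list "):
            acls.append(line)
            current = None
        elif line.startswith(" ") and current:
            kind, name = current
            if kind == "obj":
                objects[name] = line.strip()       # e.g. "host 10.1.1.10"
            else:
                groups[name].append(line.strip())  # e.g. "network-object object WEB-SRV"
    return objects, groups, gkind, acls

def referenced_names(objects, groups, acls):
    """Names used by an ACE or by another group's membership."""
    names = set(objects) | set(groups)
    refs = set()
    for members in groups.values():
        for member in members:
            refs.update(t for t in member.split() if t in names)
    for ace in acls:
        refs.update(t for t in ace.split() if t in names)
    return refs

def unused_objects(objects, groups, acls):
    """The objects the tool marks with a red bullet."""
    refs = referenced_names(objects, groups, acls)
    return sorted(n for n in list(objects) + list(groups) if n not in refs)

def duplicate_values(objects):
    """value -> names: the 'Duplicate Value' filter, i.e. merge candidates."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[value].append(name)
    return {v: sorted(n) for v, n in by_value.items() if len(n) > 1}

def icmp_warnings(acls, gkind):
    """ACEs whose protocol is icmp: PAN-OS services are TCP/UDP only, so the
    ACE becomes an App-ID 'icmp' rule and any icmp-type group is dropped.
    Assumes the 'extended' ACE form, as in the constructed config."""
    warnings = []
    for i, ace in enumerate(acls, 1):
        tokens = ace.split()
        if tokens[tokens.index("extended") + 2] != "icmp":
            continue
        warnings.append(f"Security RuleID [{i}] is using the Protocol Name [icmp]")
        for t in tokens:
            if gkind.get(t) == "icmp-type":
                warnings.append(f"Security RuleID [{i}] is using a Service Group [{t}] "
                                "that has no PAN-OS service equivalent")
    return warnings

if __name__ == "__main__":
    objects, groups, gkind, acls = parse_asa(ASA_CONFIG)
    print("unused:", unused_objects(objects, groups, acls))
    print("duplicates:", duplicate_values(objects))
    print("\n".join(icmp_warnings(acls, gkind)))
```

Run it against a real 'show run' by replacing ASA_CONFIG with the file contents; the unused list is what the red "Common" bullet removes, and the duplicate list is what the Name & Value merge collapses.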

By this point you have already removed unused objects and merged duplicates by your selection criteria. We are still working on the legacy configuration file, but operating with PAN-OS resources.

Because the Palo Alto Networks device records every session in its traffic logs (the same data that feeds the ACC), we need to create a "Connector" that will look into the device logs for a period of time, from the last 60 seconds up to the last 30 days. We will select the last 7 days to meet our requirements.

! Note
Set up the collectors and check for traffic on a weekly basis to
create new App-ID rules as necessary or identify unknown
traffic.

The connector will have a Name value (here MyConnector). From the drop-down field
we will select the JOTUNHEM, which is the already configured device, from which
we want to extract traffic after we migrate over the new configuration.

That may happen immediately after the cutover, or a week from now. It’s up to the
engineer in charge and the scope of the project. In our case, we were required to
migrate L3/L4 rules into App-IDs, so we will migrate the configuration and come back
for logs in order to achieve that. For now we will just create the Connector, which is an
important part of our project.

Our next step will be to configure the interfaces from the legacy configuration.

Normally when the Palo Alto Networks Migration Tool 3 migrates a Cisco
configuration, it will use their “nameif” values as the Interface name, and will do the
same for the zones.

We can now edit these names and make them match what we want in the target device.
Remember that if you rename an interface, that name must be available in the target
devices. For greenfield projects you wouldn’t have any problems, however if we are
bringing an existing candidate configuration file into an existing PAN-OS device you
must be mindful of the interface names to avoid duplicates and the consequential
commit fails in your target device.

In our case, we have a greenfield project and all interfaces on our Palo Alto Networks
device are empty. We will rename them in order and remove the Mgmt interface.
From the Manage Networks / Interfaces tab, double-click each interface and on the
Edit Interface window select from the drop-down field (Interface Name:), the name of
the interface in the Palo Alto Networks Device, ethernet1/1, tunnel, and loopback, for
example.

You may change all PAN-OS aspects of an interface from here; you may even define sub-interfaces, add Tags, and set Speed / Duplex values, but for our scenario you will simply map each interface from the legacy configuration file accordingly.

The configuration should contain: inside = ethernet1/1, DMZ = ethernet1/2, outside = ethernet1/3, and delete the management interface.

We will now move to the Zones tab. Remove the management zone because we no
longer have that interface configured. Select the zone you want to delete and use the
delete button on the lower most bar at the left side.

Note that the zones are also editable from here. You may set Protection Profiles if
connected to a PAN-OS device or importing a PAN-OS configuration file, add
participating interfaces for your zoning design and other common functions to Palo
Alto Networks devices.

We have what we need for now. Let’s take a configuration snapshot at the top most
bar (third icon from right to left).

Our next steps are to start the process of generating the candidate configuration file or
sending the API calls to the connected device.

As you may have noticed there is only an INPUT file, but no OUTPUT. We must
have a base configuration file loaded or a connected device loaded in the Migration
Tool 3 in order to proceed. Go to the Import Configurations from other vendors
or Palo Alto Networks from our top most bar (second icon from left to right).

We may choose to load a "clean" PAN-OS base configuration file or double-click the connected device (JOTUNHEM) and load its configuration into the Migration Tool 3.

After you double-click the device or load a base configuration into your project, the
Palo Alto Networks Migration Tool 3 will import the configuration file, and take you
directly to the Manage Policies screen.

You now have two configuration files loaded into your system. Our device should be empty, with neither policies nor interfaces configured, but there will be cases where a MERGE of configuration files is required.

Be mindful of the interface names, virtual routers (if more than one) and policies in
general. You may merge the configuration files and bring only the objects from the
legacy into the current configuration.
You will be able to send these new elements into the current PAN-OS device via API
calls.

For now let’s use our clean device as our target migration.

At this point we have our INPUT (Cisco Configuration file), and our OUTPUT set.
However no migration has been done yet. Let’s start by dragging and dropping from
the left panel (INPUTS), each node and its child nodes to the corresponding nodes on
the right panel (OUTPUT).

! Note Make sure all child nodes were moved to the OUTPUT. Pay
attention to the zones that are part of VSYS1 in this example.

As you move the objects to the OUTPUT on our target device, all these elements will
be displayed as “(pending),” and a new configuration will be created after you click the
MERGE button in the lower right.

The MERGE function brings all the changes made to the candidate configuration (the Cisco ASA import in this case) into the PAN-OS OUTPUT configuration. Nothing has been sent to the device yet.

After the MERGE is done, both panels (INPUTS & OUTPUT) will be empty. After clicking MERGE your first option is Generate XML & SET Output, which opens the Downloads window with three files: your merged configuration in PAN-OS XML form, to be imported, loaded, and committed on the target PAN-OS device; a SET commands file with all the commands in SET format, which you may load by copying and pasting (small parts at a time) into the device in configuration mode, or send over an SSH connection using a bash script, for instance; and a .ZIP file containing all of the above plus all the configuration files contained in a Panorama, if this was a Panorama migration project.
The second, and recommended choice, would be the API Output Manager tab.

From here, you have two steps to finalize the migration. For the first step, two choices
to interact with the target device via API Calls: Atomic, or Subatomic API calls
generation.

The Atomic API calls group all the API calls into ordered groups. If you don't click any of the groups, the system will send each group in the proper order to the target device selected from the left drop-down (JOTUNHEM). These API calls need to be sent in the proper order: address and service objects before the address groups, service groups and security policies that reference them, otherwise the device rejects the reference. You may also select the groups you would like to send separately, and send just the new address objects, for instance.

The Subatomic API calls are generated in the same way but are more granular. You will have one API call for every element created or modified in the system, which gives you the granularity needed to send single address objects, security policy rules, tags, or any element individually.
On both Atomic and Subatomic API calls you will find at the bottom left, a filter that
will let you select a group and search within that group for easy object manipulation
and submission to devices.

Now that we have generated our API calls (either Atomic or Subatomic) we may
proceed to Step 2. Here is where you will send all your work to the target device
(JOTUNHEM). Select the target device from the left most drop-down.

Click the [Step 2] Send API Requests button to open communication with the target device, send the API requests, and receive the device's responses. If any error occurs during this process you will receive the same error message generated at the PAN-OS level, giving you an opportunity to correct that group when sending Atomic calls, or the specific element when sending Subatomic ones.

While submitting the API requests to the device, the expected return message is "command succeeded." If that is not the message you see, go back to the element corresponding to the error response and correct it. You can then return to the API Output Manager tab and resubmit Steps 1 and 2 until all elements return the "command succeeded" response from the target device.

That is your goal: a clean set of API calls sent to the device with no errors. If errors are found, that group of API requests will not be applied on your target device and you will have a broken migration.

Now that we have fixed, prepared, and sent all our new elements via API calls to the
target device, let’s try a commit on that device.

Not what you expected right?

The reason for the main commit error is bad planning. We went through all the formal
parts, checked all the elements, and created all the objects correctly, but we forgot a
very basic concept: capacity. Up to now we could be taken by surprise in situations like
that, but with the new Palo Alto Networks Migration Tool 3 you can check the target
device’s capacity ahead of time and work around its capacity as needed or recommend
another device.

In our example, a PA-200 firewall running PAN-OS 6.1 won’t support more than 250
security policies, and our Cisco ASA configuration file has 284, putting us 34 over the
device’s capacity.

Unfortunately, after we send the configuration to the device we cannot go back to the
Device Usage tab because the configuration files have been already merged.
Therefore, we won’t be able to take advantage of this powerful new feature.

As a recommendation, always load both the legacy configuration file and target device
or base configuration file in the Palo Alto Networks Migration Tool 3, and select from
the platform drop-down on the top right of this screen, then select your target, or
intended target platform (hardware platform or VM-Series platform). The system will
display the “Recommended Platform” on the bottom right +25% capacity, in
comparison to your candidate configuration. The 25% extra is placed here to add some
cushion in your projects for future objects, but you should consider a proper capacity
size depending on your project and customer needs.

As for our example, you can see clearly that we have a problem, which I will solve here by optimizing the rulebase and reducing it by 40 security policy rules. Note also that we will be running out of address groups shortly (98 out of 125 max.).

Keep in mind the proper amount of resources based on your customer environment and make sure this is the proper device for them.
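The two lessons of this chapter, push objects in dependency order and check the reply of every call, and check capacity before you push anything, fit in a short script. The following is an added example written for this guide, not the Migration Tool's code. It refuses to push a candidate configuration that exceeds the target's capacity (using the two PA-200 figures quoted above, 250 security rules and 125 address groups, and the tool's +25% cushion), builds PAN-OS XML API 'set' requests in the order the firewall needs them, extracts the key from a keygen reply, and judges each response by its status attribute rather than by message text. The candidate configuration, the device responses and the transport are constructed; the URL and XML formats are those of the PAN-OS XML API.

```python
"""Added example (not the Migration Tool's code): the plumbing behind
'generate API requests, send them, check the reply'. It refuses to push a
candidate configuration that exceeds the target's capacity, builds PAN-OS
XML API 'set' calls in dependency order (objects before the rules that
reference them), and judges each reply by its status attribute. The
configuration and transport are constructed; the PA-200 limits are the
two figures quoted above; the URL/XML formats are those of the PAN-OS
XML API."""
import math
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

VSYS = "/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']"

# Constructed candidate configuration (hypothetical names and addresses).
CANDIDATE = {
    "address": {"WEB-SRV": "10.1.1.10/32", "DB-SRV": "10.1.2.20/32"},
    "address-group": {"DMZ-SERVERS": ["WEB-SRV"]},
    "service": {"WEB-PORTS": ("tcp", "80,443")},
    "security": [{"name": "inbound-web", "from": "outside", "to": "dmz",
                  "source": "any", "destination": "DMZ-SERVERS",
                  "application": "any", "service": "WEB-PORTS", "action": "allow"}],
}
# Capacity table: only the two PA-200 figures quoted in the text above.
LIMITS = {"PA-200": {"security": 250, "address-group": 125}}

def capacity_check(candidate, platform, cushion=0.25):
    """Problems (count over limit) and the count each type should be sized
    for with the cushion applied, as in the tool's 'Recommended Platform +25%'."""
    problems, sized = [], {}
    for kind, limit in LIMITS[platform].items():
        count = len(candidate.get(kind, ()))
        sized[kind] = math.ceil(count * (1 + cushion))
        if count > limit:
            problems.append(f"{kind}: {count} exceeds the {platform} limit of "
                            f"{limit} by {count - limit}")
    return problems, sized

def parse_keygen(xml_text):
    """Extract the API key from a type=keygen reply."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("keygen failed")
    return root.findtext("result/key")

def set_call(xpath, element):
    """Query string for one XML API 'set' request (the key is sent separately)."""
    return urlencode({"type": "config", "action": "set", "xpath": xpath, "element": element})

def build_api_calls(candidate):
    """(group, query) pairs in the order the firewall needs them."""
    calls = []
    for name, ip in candidate["address"].items():
        calls.append(("address", set_call(f"{VSYS}/address/entry[@name='{name}']",
                                          f"<ip-netmask>{ip}</ip-netmask>")))
    for name, members in candidate["address-group"].items():
        inner = "".join(f"<member>{m}</member>" for m in members)
        calls.append(("address-group", set_call(f"{VSYS}/address-group/entry[@name='{name}']",
                                                f"<static>{inner}</static>")))
    for name, (proto, ports) in candidate["service"].items():
        calls.append(("service", set_call(f"{VSYS}/service/entry[@name='{name}']",
                                          f"<protocol><{proto}><port>{ports}</port></{proto}></protocol>")))
    for r in candidate["security"]:
        element = "".join(f"<{k}><member>{r[k]}</member></{k}>" for k in
                          ("from", "to", "source", "destination", "application", "service"))
        element += f"<action>{r['action']}</action>"
        calls.append(("security", set_call(
            f"{VSYS}/rulebase/security/rules/entry[@name='{r['name']}']", element)))
    return calls

def parse_response(xml_text):
    """(ok, message): success is the status attribute, not the message text."""
    root = ET.fromstring(xml_text)
    msg = root.find("msg")
    text = "".join(msg.itertext()).strip() if msg is not None else ""
    return root.get("status") == "success", text

def push(calls, transport):
    """Send group by group; on the first error in a group, stop that group
    (the tool's Atomic behaviour) and report it. Returns (sent, failures)."""
    sent, failures, failed_groups = [], [], set()
    for group, query in calls:
        if group in failed_groups:
            continue
        ok, text = parse_response(transport(query))
        if ok:
            sent.append(query)
        else:
            failures.append((group, text))
            failed_groups.add(group)
    return sent, failures

if __name__ == "__main__":
    problems, sized = capacity_check(CANDIDATE, "PA-200")
    if problems:
        raise SystemExit("\n".join(problems))
    # Constructed stand-in for the firewall: every call succeeds.
    fake_fw = lambda q: '<response status="success" code="20"><msg>command succeeded</msg></response>'
    print(push(build_api_calls(CANDIDATE), fake_fw))
```

In real use the transport is an HTTPS GET of https://<firewall>/api/?<query>&key=<api key>; the point of judging on the status attribute is that an error reply also carries a message, and a script that only greps for "command succeeded" will treat a rejected address group as sent and then fail at the security rule that references it.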
Now that we optimized the rulebase and reduced the number of security policy rules
by at least 40 rules, generate the API calls and send them to the target device.
You may find some rules shadowing each other, but that will be another step on the
migration.

Check if the commit was successful.

As you can see the policies (after proper optimization) were brought into the target
device successfully.

For validation purposes you should check if all the elements were also brought into the
target device such as service objects, addresses, and object groups.

That would conclude your migration but you still have one requirement left: to capture
traffic from the “like for like” migration and generate App-IDs for the new security
policy.

Chapter 6
App-ID Adoption – Step-by-step guide.

With the new Migration Tool 3.1 the App-ID Adoption process has been enhanced considerably. It can now be scheduled, for example to run when the workload on the firewall or Panorama is low.

Before starting, check that the date and time in your Migration Tool 3 are correct. If not, fix them from the Main Panel under Settings and then System.

The goal is to load the running configuration of a Palo Alto Networks firewall that is operating at Layer 4 (with services and without applications in the security rules) and replace as many of those services as possible with applications, without breaking the network with the change.

The basis of this process is the firewall or Panorama logs. Even if you only allow services on a Palo Alto Networks next-generation firewall, the device still classifies traffic into applications, and that information is stored in the traffic logs on the device.

! Note This procedure only applies to Palo Alto Networks devices.

We will now focus on migrating a firewall configuration to Layer 7:

1. The first step is to import your production firewall configuration into the Migration Tool 3.

• From the Main Panel go to Devices and click "Add Device".
• Add a name for your firewall, its IP address, port, model, and a username and password (the account needs admin rights, since the tool also executes operational commands).
• Click Save and wait until the message "The Device has been added" shows up.
• If you don't see this message, double-check the IP address and port, or open the API debug window at https://<migrationtool>/debug/api.php

2. Create a new Project and assign your firewall in the source combo box. This creates a new empty database with the same App-ID version and URL categories as your firewall. Click Initialize Database.

3. Now that we are in our project we have to import the configuration. Go to the green tab (Import) and double-click the firewall listed under the Device List view.

4. Select the rules from your security policy that you want to convert to applications. After selecting them click "Clone" and select "Below". This creates a new rule named "cl-" followed by the original rule name. Keep these names unchanged until the whole process is finished.

5. Time to create the Log Connector. From the bottom bar (right side) click the plus button and create a new one. Assign a name, select the firewall and the time period to analyze.

! Note The first time you run the process it is important to use the longest time period possible. Use Custom to select more time.

If the logs are stored in Panorama, add Panorama first as a Device and then attach it in the combo box that says "Uses Panorama for Reporting?". In this case the API calls are generated against Panorama, but the tool uses the serial number of the selected firewall to filter only the logs generated by that firewall and not others from the same Device Group.

When you save the Log Connector the tool automatically assigns it to the security policy. You can see this in the bottom bar (right side).
6. Select the rules from which we want to retrieve the applications seen by our firewall. Right-click a security rule to show the Advanced menu. Select App-ID Adoption, enter it and select Retrieve Apps (Selection).

! Note With this step we have retrieved all the applications seen by each rule. It is possible to find some unknown traffic. Let's get the unknown traffic onto a separate rule.

7. From the Advanced Options menu in App-ID Adoption select Split Rules Known | Unknown. This creates new rules above the rules where unknown traffic was found. We can do two things with the unknown traffic: create Application Override rules, or remove it; if we remove it, that traffic will not be migrated at the end of the process. The new rule comes with the TAG "Unknown Traffic".

8. We want to override one of the unknown-tcp flows we found because it is our internal application "app1". Click the unknown-tcp application. A new window shows up. To understand which servers generated the unknown traffic, click "Analyze Unknown". This generates API calls to retrieve the data through the Log Connector.

9. Select the unknown application by the port that we want to override, and select the servers you know are hosting "app1". Click "Create App-Override Rule". In the window that opens, assign a name for the Application Override rule. Then, if "app1" is not defined in the tool, click NEW to create a new application. Notice that in the Advanced tab, when we create the new application, the default port has been filled in automatically. Click Save when finished. Select "app1" from the list. Choose between creating a new rule to manage the new app1 or adding app1 to our original rule. Click Add to finish. Keep the override as narrow as the evidence supports (those servers, that port): an application override bypasses App-ID inspection for the matching traffic, so an over-broad match hides whatever else uses it.

Selecting "create a new rule", this is the result:

A new Application Override has been created:

A new Security Rule has been created:

Both with the TAG "App Override".

10. We can now select the rule with the unknown traffic and remove it if we don't want to override anything else.
Let's work with the rules with known traffic now.

11. Click one of the applications in the column App-ID via LOG. A new window opens.

! Note This new window helps us identify similar applications by technology, subcategory or port, in case we found too many applications on the same rule and want to split this rule into several rules with fewer applications each.

The left panel, called "Applications", shows the unique applications and when each was first seen. In this example we have only one based on date and time.

If we run the "Retrieve Apps" process again and find the same applications, no applications will be shown under the new date and time; only the ones that are new from this moment on will be shown.

All the charts are recalculated as soon as we start selecting applications or filtering with the filters located at the top.

12. Let's create a new rule that holds only the applications whose subcategory is "Software-Updates". Filter by Subcategory and select it. The charts and the applications list will be updated. Select them all and click "Create Security Rule".

13. Assign the name "Software Updates" to the new rule and set the Action to Allow. Select all the applications, click Recommended, and then click Add to the Rule. Click Add and Save.

! Note The new rule has been created and added to your rule-set, and the applications have been removed from the list. We can continue creating new rules from the one we retrieved the apps from, until the applications that remain in the green column are the ones we want to keep in the existing rule.

14. To finish the process click "App-ID Reconciliation (Selection)" to move all the applications from the green column to the Applications column.

! Note If the rule has services, the Reconciliation process checks whether applications were seen on all the ports opened by those services. If some of those ports were not used by any of the applications seen, a new rule with the used ports and the applications is created, and the original rule remains with the unused ports (no applications seen through them).

Now go to the red tab (Export) and generate the XML configuration file with the changes, or use the API Output Manager to send only the new rules, addresses, custom applications and tags to our firewall.

Let's use the API Output Manager. Generate Atomic calls by clicking "[step 1] Generate API Requests", select the firewall at the bottom bar, and select Address (because we added one to override app1), Security Rules, Applications and Tags. Click "[step 2] Send Api Requests". Check that the output from the firewall is all "command succeeded".

If you don't want to replace the whole rule-set, you can send only the new and modified rules. Select SubAtomic and click Step 1 to generate the API calls again. In this case select the rules and the Order, since by default the new rules are stored at the end of your current rule-set; rules are evaluated top-down, so a new application rule appended below the Layer 4 rule it is meant to replace would never match.

15. If everything looks good on the firewall, click Commit to apply the changes.

Now we cover roughly 60-70% of the applications currently used in your network (if the time frame analyzed was long enough), but there are probably many applications we didn't see because nobody was using them yet.

We want to reach 100% of the applications, and that is why we run this process again, next week for example.
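The analysis the App-ID Adoption screens perform on the Log Connector data, as an added example written for this guide and not the Migration Tool's own code. From constructed traffic-log rows it retrieves the applications seen per Layer 4 rule (Retrieve Apps), splits known from unknown traffic (Split Rules Known | Unknown), lists the servers behind the unknown traffic (Analyze Unknown, the input to an app-override rule), and reconciles the rule into application rules: applications seen on their standard ports go into one rule with service application-default, an application seen on a non-default port (ssl on tcp/5228, as in the battle.net case later in this chapter) gets its own rule, and ports on which nothing known was seen stay on the cloned Layer 4 rule. The log rows, rule names, hosts and the default-port table are constructed for the example.

```python
"""Added example (not the Migration Tool's code): the log analysis behind
App-ID Adoption. Retrieves applications per Layer 4 rule from constructed
traffic-log rows, splits known from unknown traffic, lists the servers
behind the unknown traffic, and reconciles the rule into application
rules, keeping a separate rule for an app seen on a non-default port and
leaving unused ports on the cloned Layer 4 rule."""
from collections import defaultdict

# Constructed traffic-log rows: (rule, src, dst, proto, dport, app).
TRAFFIC_LOG = [
    ("Outbound", "10.0.0.5", "93.184.216.34", "tcp", 80, "web-browsing"),
    ("Outbound", "10.0.0.5", "93.184.216.34", "tcp", 443, "ssl"),
    ("Outbound", "10.0.0.7", "198.51.100.9", "tcp", 5228, "ssl"),
    ("Outbound", "10.0.0.7", "10.1.1.10", "tcp", 8443, "unknown-tcp"),
    ("Outbound", "10.0.0.8", "10.1.1.10", "tcp", 8443, "unknown-tcp"),
    ("Inbound-web", "203.0.113.4", "10.1.1.20", "tcp", 443, "ssl"),
]
# Services on the Layer 4 rule being converted (constructed).
RULE_SERVICES = {"Outbound": {("tcp", 80), ("tcp", 443), ("tcp", 5228), ("tcp", 8443)}}
# Small constructed subset of App-ID standard ports, enough for this example.
DEFAULT_PORTS = {"web-browsing": {("tcp", 80)}, "ssl": {("tcp", 443)}}

def retrieve_apps(log, rule):
    """app -> set of (proto, dport, dst) seen on the rule: the 'App-ID via LOG' column."""
    seen = defaultdict(set)
    for r, _src, dst, proto, dport, app in log:
        if r == rule:
            seen[app].add((proto, dport, dst))
    return dict(seen)

def split_known_unknown(seen):
    """Known applications vs. unknown-tcp/unknown-udp traffic."""
    known = {a: v for a, v in seen.items() if not a.startswith("unknown-")}
    unknown = {a: v for a, v in seen.items() if a.startswith("unknown-")}
    return known, unknown

def analyze_unknown(unknown):
    """(app, proto, dport) -> sorted servers: what an app-override rule is built from."""
    servers = defaultdict(set)
    for app, hits in unknown.items():
        for proto, dport, dst in hits:
            servers[(app, proto, dport)].add(dst)
    return {k: sorted(v) for k, v in servers.items()}

def reconcile(rule, services, known):
    """Application rules that replace the Layer 4 rule (Reconciliation)."""
    rules, default_apps, extra, used_ports = [], set(), defaultdict(set), set()
    for app, hits in known.items():
        for proto, dport, _dst in hits:
            used_ports.add((proto, dport))
            if (proto, dport) in DEFAULT_PORTS.get(app, set()):
                default_apps.add(app)
            else:
                extra[app].add((proto, dport))   # e.g. ssl on tcp/5228
    if default_apps:
        rules.append({"name": rule, "application": sorted(default_apps),
                      "service": "application-default"})
    for app, ports in sorted(extra.items()):
        for proto, dport in sorted(ports):
            rules.append({"name": f"{rule}-{app}-{proto}{dport}", "application": [app],
                          "service": f"{proto}/{dport}"})
    leftover = sorted(services - used_ports)   # ports no known app used
    if leftover:
        rules.append({"name": f"cl-{rule}", "application": ["any"], "service": leftover})
    return rules

if __name__ == "__main__":
    seen = retrieve_apps(TRAFFIC_LOG, "Outbound")
    known, unknown = split_known_unknown(seen)
    print("override candidates:", analyze_unknown(unknown))
    for r in reconcile("Outbound", RULE_SERVICES["Outbound"], known):
        print(r)
```

The leftover cl- rule is the reason the chapter insists on keeping the cloned rule's name: it is the rule that keeps catching traffic on ports nothing has been identified on yet, and the next scheduled run feeds its hits back into the same reconciliation.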

Scheduling the App-ID retrieve Applications by using Cron Jobs.

From the Main Panel we can go to Settings and then click on the tab “CronJobs”.
Create a new Job “App-ID Adoption”.

Edit and fill the form:

We can run the reports only for a selection of rules. Enter in Selected Rules and add it.
Or from the same Rule open the Advanced Options and select the Add to Cronjobs
and select your Job. Click on Save to Activate the Job (Remember to setup the date
and time properly first)

Since we cloned the rules at the beginning of the process and finished with the reconciliation, the rules that remain in layer 4 are the cloned ones. It is really important to keep the same names until the process is 100% finished.

When the job starts automatically, the tool collects the reports again and stores them in the database. When you open the project again, the new applications seen in the layer-4 rule will appear:

! Note In this example we now see in the layer-4 rule the application ssl running on a non-default port. We have to create a new rule to allow ssl on that port, since our rule is now working with the service “application-default”. The reconciliation process will move the new applications from the rule called “Cl-xxx” to the rule with exactly the same name but without the “Cl-” prefix; this speeds up the process, but we need to keep an eye on these cases.

We want battle.net added to our list. First take a look at it by clicking on one (because it is nice).

Select the SSL port, click on Create Security Rule, assign a name for the rule, allow the traffic, click on Recommended and add it to the rule. Then save the rule, create the service port (here it was tcp/5228) and assign it to the rule.

The last step is again to select App-ID Reconciliation (Selection) from the Advanced Options menu; the battle.net app will automatically be imported into the “Outbound” rule, leaving the “Cl-Outbound” rule without any application so that it continues capturing the missing applications.

! Note After reconciliation, the logs in the App-ID via LOG table are removed. You can also remove those logs by selection, or all of them, by choosing Remove App-ID via LOG in the Advanced Options menu.

The Report Generation option in the Advanced Options menu will only generate reports when there is something in the Application via LOG column.

Report Example:
Chapter 7

User-ID Adoption – Step-by-step guide.

In the new Migration Tool 3.1 we have introduced the User-ID Adoption process. This process can be scheduled, just like the App-ID Adoption tasks.

Before starting, check that the date and time in your Migration Tool 3 are correct. If they are not, fix them from the Main Panel under Settings and then System.

The goal we want to achieve is to load the running configuration from a Palo Alto Networks firewall that is running without User-ID in its Security Rules, and start working with the users we have seen in the logs without breaking the network with the changes. Before running this process, it is important that the Palo Alto Networks firewall was properly configured so that users already appear in the logs.

This procedure only applies to Palo Alto Networks devices.

! Note
We will now focus on migrating our Security Rules to User-ID:

1. The first step is to import your production firewall configuration into the Migration Tool 3.

• From the Main Panel go to Devices and click “Add Device”.
• Add a name for your firewall, its IP address, port, model, and a username and password (with admin rights, so operational commands can be executed as well).
• Click on Save and wait until the message “The Device has been added” shows up.
• If you can’t see this message, please double-check your IP address and port, or open the debug window for the API at https://<migrationtool>/debug/api.php

2. Create a new Project and assign your firewall in the source combo box. This will create a new empty database with the same App-ID version and URL categories you have in the firewall. Click on Initialize Database.

3. Now that we are in our Project we have to import the configuration. Go to the green tab (Import) and double-click the firewall listed under the Device List view.

4. Select the rules from your Security Policy for which we want to activate User-ID. After selecting them, click on “Clone” and select “Below”. This will create a new rule named “cl-” followed by the original rule name. We have to keep these names unchanged until we finish the whole process.

5. Time to create the Log Connector. From the bottom bar (right side) click on the plus button and create a new one. Assign a name, select the firewall and the time period to analyze.

! Note It is important, the first time we run the process, to use the longest time period possible. Use Custom to select more time.

If the logs are stored in Panorama, we need to add Panorama first as a Device and then attach it in the combo box labelled “Uses Panorama for Reporting?”. In this case the API calls will be generated against Panorama, but the tool will use the serial number of the selected firewall to filter only the logs generated by that firewall and not those of other devices in the same Device Group.

When the Log Connector is saved, the tool will automatically assign it to the Security Policy. You can see it in the bottom bar (right side).

Let’s import the groups and users from your firewalls by creating a new User-ID connector. Enable the groups we want to use from the MT3.1 and then retrieve the users for those groups. After this, attach the User-ID connector to your Security Rules.

This step is not mandatory, but it helps a lot to reduce the number of users found, since many of them can be replaced by groups. No one wants to manage a Security Rule with 200 users inside; it is much better to work with groups instead.

6. Select the rules for which we want to retrieve the users, right-click one of them to show the Advanced Options menu, then click on User-ID Adoption -> Retrieve Users (Selection).

The users are shown in the new column User-ID via LOG.

7. Click on one of the users in the new column User-ID via LOG to open the window from where we can work with the new User-ID information.

The Left Panel shows the users seen in the logs. You can select the ones you want to use in the rule.
The Recommended Panel calculates, based on the selected users, the minimum number of groups and users that cover the same users we selected in the left panel. Here we can select the recommended users and groups we want to use in the rule.

There is a combo box called “Add Selection to the Rule” where we select whether the users added to the rule come from the left panel (“users selection”) or from “recommended”. You have to select one of them before clicking the “Add” button.
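The Recommended Panel’s job, covering the users seen in the logs with as few groups as possible, is a set-cover problem. The following added example (not the Migration Tool’s code, and not necessarily its algorithm) shows one way to compute such a recommendation with a greedy heuristic, plus a check the guide’s wording implies but does not spell out: a group may contain users that never appeared in the logs, so replacing users with a group can widen the rule. The users, groups and memberships are constructed.

```python
"""Greedy group recommendation for User-ID rules (added example)."""


def recommend(selected_users, group_members, allow_extra=False):
    """Return (groups, leftover_users) that together cover selected_users.

    group_members: {group_name: iterable of user names}
    allow_extra=False only considers groups whose members were ALL seen in the
    logs, so the rule does not silently admit users that never appeared.
    Greedy set cover: repeatedly pick the group covering the most uncovered
    users (smaller group wins ties). Near-optimal, not guaranteed minimal.
    """
    remaining = set(selected_users)
    candidates = {g: set(m) for g, m in group_members.items()}
    if not allow_extra:
        candidates = {g: m for g, m in candidates.items() if m <= remaining}
    chosen = []
    while remaining and candidates:
        best = max(
            candidates,
            key=lambda g: (len(candidates[g] & remaining), -len(candidates[g])),
        )
        if not candidates[best] & remaining:
            break  # no candidate adds coverage; the rest stay individual users
        chosen.append(best)
        remaining -= candidates[best]
        del candidates[best]
    return sorted(chosen), sorted(remaining)


def extra_users(groups, group_members, selected_users):
    """Users the chosen groups would admit that were never seen in the logs."""
    admitted = set()
    for g in groups:
        admitted |= set(group_members[g])
    return sorted(admitted - set(selected_users))


# Constructed sample: users seen in the logs for one rule, and directory groups.
SEEN_USERS = ["alice", "bob", "carol", "dave", "erin"]
GROUPS = {
    "finance": ["alice", "bob"],
    "it": ["carol", "dave", "frank"],
    "all-staff": ["alice", "bob", "carol", "dave", "erin", "frank", "grace"],
}


if __name__ == "__main__":
    strict_groups, strict_users = recommend(SEEN_USERS, GROUPS)
    print("strict:", strict_groups, "+ users", strict_users)
    loose_groups, loose_users = recommend(SEEN_USERS, GROUPS, allow_extra=True)
    print("loose:", loose_groups, "+ users", loose_users,
          "admits unseen:", extra_users(loose_groups, GROUPS, SEEN_USERS))
```

With the strict setting the recommendation is the `finance` group plus three individual users; allowing over-coverage collapses everything into `all-staff` but also lets in `frank` and `grace`, who never appeared in the logs. Whichever panel you take the selection from, `extra_users` is the number worth looking at before clicking “Add”.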

There is another option under the caption “Export Groups via API”. Following the same process we used to select the users or the recommended users and groups, we can assign a name for a new group and click the refresh button; this generates a User-ID API call to create this group in the firewall selected from the device combo box below the API call.

We can then replace the users in our rule with the new group created through the API call by selecting the checkbox “Replace Retrieved users by”. You can keep the API call for future use. We don’t recommend using this in production, but at some point it could be useful to create a TEMP group in our firewall using the APIs while we create the final group in our Active Directory or LDAP.

Click on “Send API Call & Update Groups DB” to send the group to the selected firewall and to add the group to our database inside the Migration Tool 3.1.
