Cisco ASA To Palo Alto Firewall Migration Checklist

The document outlines a comprehensive checklist for migrating from a Cisco ASA firewall to a Palo Alto firewall, divided into five phases: Preparation, Configuration Migration, Deployment and Testing, Cutover and Validation, and Post-Migration. Each phase includes specific actions, tips, and memory aids to ensure a smooth transition, such as reviewing configurations, documenting the network, and validating the new setup. Key steps include using the Expedition tool for configuration import and cleanup, testing in a lab environment, and training the team on the new system.

Uploaded by

vinayntwk

Cisco ASA to Palo Alto Firewall Migration Checklist

Phase 1: Preparation

• [ ] Review Cisco ASA configuration (show running-config).

• [ ] Document network topology (interfaces, zones, VLANs, VPNs).

• [ ] Back up ASA configurations securely.

• [ ] Install Expedition tool on Ubuntu server.

• [ ] Schedule maintenance window and issue change freeze.

Phase 2: Configuration Migration

• [ ] Import ASA config into Expedition.

• [ ] Clean up unused objects and duplicate rules in Expedition.

• [ ] Map ASA interfaces and security zones to Palo Alto equivalents.

• [ ] Review Expedition’s pre-migration report and

Here is the detailed, simple, and easy-to-remember step-by-step process for migrating from a Cisco ASA firewall to a Palo Alto Networks Next-Generation Firewall (NGFW), along with tips and memory aids to help you retain the process. The migration leverages Palo Alto’s Expedition tool to streamline the transition.

Step-by-Step Process for Cisco ASA to Palo Alto Firewall Migration

Phase 1: Preparation

Goal: Understand your current setup and gather resources for a seamless migration.

1. Understand Your Cisco ASA Configuration

o Action: Review interfaces, security zones, NAT rules, ACLs, VPNs, and routing.

o How: Log into ASA via CLI or ASDM, run show running-config, and save as asa_config.txt.

o Memory Aid: Think of this as taking a "snapshot" of your ASA’s brain.

o Tip: Use a best practices tool to identify unused objects or issues.

2. Document Your Network

o Action: Map network schemas, VLANs, IP addresses, and connections.

o How: Use diagramming tools or spreadsheets.

o Memory Aid: Draw a "treasure map" of your network.

o Tip: Note special configurations like VPNs or HA setups.

3. Back Up ASA Configurations

o Action: Save all ASA configs (NAT, ACLs, objects, VPNs).


o How: Use show running-config or ASDM backup, store securely.

o Memory Aid: Like saving a game before a boss fight.

o Tip: Verify backup integrity with multiple copies.

4. Install the Expedition Tool

o Action: Set up Palo Alto’s migration tool.

o How: Download from Palo Alto support portal, install on Ubuntu (8GB RAM, 4 CPUs).

o Memory Aid: Expedition is your "translator" for Cisco-to-Palo configs.

o Tip: Check ASA and PAN-OS version compatibility.

5. Plan for Minimal Downtime

o Action: Schedule a maintenance window and freeze network changes.

o How: Choose a low-traffic period, coordinate with stakeholders.

o Memory Aid: Hit the "pause button" on your network.

o Tip: Communicate the window to users.

Phase 2: Configuration Migration

Goal: Translate and import ASA configs to Palo Alto using Expedition.

6. Import ASA Configuration into Expedition

o Action: Load ASA config into Expedition.

o How: Create a new project in Expedition, import asa_config.txt.

o Memory Aid: Expedition converts your ASA “recipe” to Palo Alto’s format.

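o Tip: Use more system:running-config for clear-text VPN keys; show running-config masks them, so the resulting file contains secrets and needs protected storage.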

7. Clean Up Configurations

o Action: Remove unused objects, merge duplicates, refine policies.

o How: Use Expedition’s ML modules, adjust for App-ID/User-ID.

o Memory Aid: Declutter your “config closet.”

o Tip: Convert 5-tuple rules to app-based rules for better security.

8. Map Interfaces and Zones

o Action: Align ASA interfaces/zones to Palo Alto’s.

o How: Map interfaces (e.g., GigabitEthernet0/0 to ethernet1/1) and zones in Expedition.

o Memory Aid: Match puzzle pieces for interfaces and zones.

o Tip: Verify VLANs and physical connections.


9. Review Pre-Migration Report

o Action: Check for unsupported configs or errors.

o How: Review Expedition’s report, resolve issues manually.

o Memory Aid: A “health check-up” for your migration.

o Tip: Save the report for reference.
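
The cleanup in step 7 can be cross-checked independently of Expedition before import. The following is an added example, not part of the original checklist and not Expedition's own logic; the function name and the sample config are hypothetical. It lists objects that nothing references, ACLs that nothing binds, and duplicate ACL entries in asa_config.txt-style text.

```python
import re
from collections import Counter

# Constructed sample config, not taken from a real device.
SAMPLE = """\
object network WEB-SRV
 host 10.1.1.10
object network OLD-SRV
 host 10.1.1.99
object network NAT-SRV
 host 10.1.1.20
 nat (dmz,outside) static 203.0.113.20
object-group network DMZ-HOSTS
 network-object object WEB-SRV
access-list OUTSIDE_IN extended permit tcp any object-group DMZ-HOSTS eq 443
access-list OUTSIDE_IN  extended permit tcp any object-group DMZ-HOSTS eq 443
access-list LEGACY extended permit ip any any
access-group OUTSIDE_IN in interface outside
"""

DEF_RE = re.compile(r"^(?:object|object-group) \S+ (\S+)")
ACL_RE = re.compile(r"^access-list (\S+) ")

def audit_asa_config(text):
    """Report cleanup candidates: unused objects, unbound ACLs, duplicate ACEs."""
    defined, acls, uses, aces = set(), set(), Counter(), Counter()
    current = None                      # object whose sub-commands we are in
    for raw in filter(str.strip, text.splitlines()):
        line = " ".join(raw.split())    # normalise whitespace before comparing
        tokens = line.split()
        d, a = DEF_RE.match(line), ACL_RE.match(line)
        if raw[0].isspace():            # indented sub-command
            if tokens[0] == "nat" and current:
                uses[current] += 1      # object NAT counts as a use
        elif d:
            current = d.group(1)
            defined.add(current)
            tokens = tokens[3:]         # do not count the definition itself
        else:
            current = None
            if a:
                acls.add(a.group(1))
                if tokens[2] != "remark":
                    aces[line] += 1
                tokens = tokens[2:]     # skip "access-list NAME"
        uses.update(tokens)             # any other mention counts as a reference
    unused = lambda names: sorted(n for n in names if not uses[n])
    dupes = sorted(l for l, c in aces.items() if c > 1)
    return {"unused_objects": unused(defined), "unbound_acls": unused(acls), "duplicate_aces": dupes}
```

The reference check is deliberately conservative: any mention of a name outside its own definition counts as a use, so results are candidates to review rather than a delete list.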

Phase 3: Deployment and Testing

Goal: Deploy and verify the configuration.

10. Export Configuration to Palo Alto

o Action: Transfer configs to Palo Alto or Panorama.

o How: Export as XML or SET, import to new device group/template in Panorama.

o Memory Aid: Upload the “blueprint” to your new firewall.

o Tip: Use new device groups/templates in Panorama to avoid conflicts.

11. Test in a Lab Environment

o Action: Validate configs in a non-production setup.

o How: Load configs on a test firewall, simulate traffic, compare logs.

o Memory Aid: A “dress rehearsal” for your firewall.

o Tip: Test incrementally (connectivity, policies, VPNs).

12. Deploy in Parallel (Optional)

o Action: Monitor traffic with Palo Alto inline.

o How: Use Virtual Wire mode, log intrazone traffic.

o Memory Aid: Palo Alto as a “silent observer.”

o Tip: Plan NAT migration for cutover, as vWire limits PAT.

Phase 4: Cutover and Validation

Goal: Switch to Palo Alto and confirm functionality.

13. Execute the Cutover

o Action: Replace ASA with Palo Alto.

o How: Shut down ASA interfaces, activate Palo Alto’s, verify IPs/VLANs.

o Memory Aid: “Flip the switch” to go live.

o Tip: Keep ASA as a fallback for rollback.

14. Validate the Configuration


o Action: Test services, policies, and connectivity.

o How: Check apps, VPNs, logs in Palo Alto GUI/Panorama.

o Memory Aid: Run a “final exam” for your firewall.

o Tip: Engage users to test critical apps.

15. Optimize Post-Migration

o Action: Enhance configs with Palo Alto features.

o How: Enable App-ID/User-ID, add security profiles.

o Memory Aid: Upgrade your firewall’s “superpowers.”

o Tip: Run a Best Practices Assessment (BPA).

Phase 5: Post-Migration

Goal: Document and support the new setup.

16. Document the Migration

o Action: Record steps, configs, and issues.

o How: Create a report with Expedition reports and network diagrams.

o Memory Aid: Write a “mission log.”

o Tip: Store docs centrally.

17. Train Your Team

o Action: Educate on Palo Alto and Panorama.

o How: Use CBT Nuggets or Palo Alto docs.

o Memory Aid: Teach your crew to pilot the “new spaceship.”

o Tip: Join LIVEcommunity for support.

18. Monitor and Support

o Action: Watch for performance/security issues.

o How: Use Panorama/GUI for logs and alerts.

o Memory Aid: Set up a “security camera.”

o Tip: Contact fwmigrate@paloaltonetworks.com for help.
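
A config exported with more system:running-config (step 6 tip) carries clear-text keys, so a copy that goes into the migration records of step 16 should be masked first. The following is an added example, not part of the original checklist; the keyword list is an assumption and not exhaustive, and the sample config and its secret values are constructed.

```python
import re

# Keywords after which an ASA config line carries a secret value. This list is
# an assumption for the example and is not exhaustive; extend it for your config.
SECRET_RE = re.compile(
    r"^(?P<head>.*?\b(?P<kw>pre-shared-key|failover key|ldap-login-password"
    r"|snmp-server community)\s+)(?P<value>\S+)")
MASK = "*****"   # what show running-config prints in place of the value

# Constructed sample resembling more system:running-config output.
SAMPLE = """\
tunnel-group 198.51.100.7 ipsec-attributes
 ikev1 pre-shared-key Ex4mple-PSK-not-real
tunnel-group 198.51.100.9 ipsec-attributes
 ikev2 remote-authentication pre-shared-key *****
snmp-server community Ex4mple-community
failover key *****
"""


def scan_and_redact(text):
    """Return (findings, redacted_text); findings are (line_no, keyword) pairs."""
    findings, out = [], []
    for no, line in enumerate(text.splitlines(), 1):
        m = SECRET_RE.match(line)
        if m and m.group("value") != MASK:      # value present and not masked
            findings.append((no, m.group("kw")))
            line = m.group("head") + MASK + line[m.end():]
        out.append(line)
    return findings, "\n".join(out) + "\n"


if __name__ == "__main__":
    found, redacted = scan_and_redact(SAMPLE)
    for no, kw in found:
        print(f"line {no}: clear-text value after '{kw}'")
    print(redacted, end="")
```

Keep the unredacted export only where Expedition needs it, and store the redacted copy with the documentation.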
