Palo Alto Networks Migration Tool for Firewalls (First experience)

Palo Alto Networks Tool for Firewall Migration

In the last days I spent a couple of hours playing around with the Palo Alto Migration Tool. Basically, this tool is designed to automatically convert configurations from third-party firewalls into a suitable PAN configuration. While it´s obvious that a conversation can´t be done without manual corrections, I was still curious about how much help this tool really can be.


In my scenario I want to migrate from a Cisco ASA firewall to a PAN-5050. The Cisco Firewall configuration currently holds:

– 900 address objects

– 300 address groups

– 150 service objects

– 90 service groups

– 500 policies

The tool itself

Some words about the tool: First of all it´s a little bit tricky to get access to the tool. It´s not accessible via the Palo Alto community, nor you will find a public download. The best way is to contact your regional Palo Alto sales manager or engineer. The will likely send you a link for accessing the tool. However, they probably won´t give you support in using the tool as it´s originally designed for PAN partners and distributors.

The tool comes as a VMWare image based on Cent-OS. You can run it on an ESX server or just your local box in VMWare Workstation or the free player. After the first start you can log into the command line and configure the network settings. After setting the network configuration you will be able to access the VMWare via http. The GUI of the tool will remind you of the PAN Firewall´s webinterface.


What the tool does

After doing some configuration you can now import configuration files from the following manufacturer: Checkpoint, Cisco, Netscreen, Fortinet, Palo Alto, Sidewinder.

Notice: The following information is based on importing a Cisco ASA configuration.

After importing the ASA configuration as .txt file you have a split screen: On the left side you can find interfaces&zones, static routes and all objects (Addresses, Address groups, service groups, etc.). On the right side you find some logging information from the import, as well as the Security Policy Editor and a tab for NAT configuration.

On the top is a small navigation bar with a limit set of buttons: For instance you can generate a report which is giving you information about how many objects are used/unused.

 PAN Migration tool Analyzer

For me this was a good starting-point, as it gives me concrete figures on how much has to migrated.

Now you can start editing the configuration. The look&feel of the configuration is pretty much the same as it would be on the PAN itself. Here I want to give you some more detailed information on the tool´s behaviour:

–          Address objects: Adress objects from the ASA were imported in the following way: Adress objects with a subnet  mask of /32 were imported with the prefic ‘H-‘, while address objects with any subnetmask smaller then /32 were im ported with the prefix ‘N-‘ (‘H-‘ for Host, ‘N-‘ for network). Also they get a suffix with the CIDR number. Here´s an example:

ASA address object PAN address object
Name              H-
Name              N-

–          The conversation of Address and Service groups is done 1:1.

–          The conversation of services is done by adding a prefix followed by a port number. The tool is automatically creating a new service object (because PANs configuration only work based on service objects) for every service defined in the ASA config.

ASA service PAN service object
tcp 135 tcp-135
udp 255 udp-255

–          Service ranges: The tool automatically creates service objects for defined service ranges.

ASA service range definition PAN service object
udp >59999 Name:     Range-59999-65534
Protocol:  udp

–          Security policies: In the first step all rules have the same source and destination zones – however, after clicking the ‘auto assign zone’ button, all policies are matching the correct source and destination zones. There also buttons for activating, deactivating, deleting and merging rules.
The only behavior I didn´t like was the following: In the ASA config we had several rules which contained of single addresses aswell as address groups in their source or destination zone. In this case the tool is creating a new address group which is including the hosts as address objects and the address groups itself. The new created group then gets named ‘DM_INLINE_NETWORK_NUMBER’. Let me give you an example for better understanding:

ASA rule PAN rule
Destination  Address-Group-1 (address group),
Address-Group-2 (address group), (host), (host)
Service       icmp
Source Zone         Outside
Destination Zone   Inside
Source                 H-
Destination           DM_INLINE_NETWORK_1
Application            icmp

First of all, the tool is translating the IP-addresses to the according security zones. After that it creates an address object for the destination host. Then tool creates a new address group called DM_INLINE_NETWORK_1 which is containing: Address-Group-1, Address-Group-2, H-, H- The problem with that behavior is that you are facing a lot of new address groups which have consecutive numbers. There are only two ways out of that: Either you have an ASA configuration which only contains address groups or you manually correct it in the tool or on your PAN firewall after importing the configuration. This behavior is analog with service groups: Whenever there is a rule containing single services and service groups, the tool will create a new service group which contains both entries. Those groups get the Name ‘DM_INLINE_TCP_XX’.

The generation and import of the config worked – only some smaller errors were reported (like 20 rules couldn´t not be applied on the PAN- I will do some further investigation on that before I start blaming the tool). Please note that you don´t have a fully running config after the import of the generated config. As you import a clean config (included are only the police set, objects, etc.) you will have to reconfigure some things you may have configured before. For example: the interfaces (zones, IP-addresses, router), HA, Logging, Log Forward, Alerting and so on. You should really keep that in mind after importing a configuration which was generated out of the migration tool! DON`T FORGET TO CONFIGURE THE MANAGEMENT INTERFACE 😉

Bottom Line

What the tool can do for you:

–           Convert address/service objects

–           Convert address/service groups

–           Convert interfaces to zones

–           Convert static routes

–           Convert security rules (with zones and applications)

–           Check which objects are not used

What you have to do:

–           Review everything

–           Take care of address-group problem mentioned earlier

–           Configure interfaces and associate them to virtual routers and virtual systems

–           Reconfigure the basic parameters (like HA, etc.)

In my opinion, the tool is doing a great job in the preparation phase of a firewall migration project. It saves you a lot of work with migrating objects and policy rules automatically. For me it´s perfect to create a ‘basic configuration’, which can be applied on the PAN firewalls.


About sitweak
Monitoring, Network, Firewall, Mobile Security. I´m totally into that stuff!

9 Responses to Palo Alto Networks Migration Tool for Firewalls (First experience)

  1. Herman Rengifo says:

    Thank you for your comments, it’s true no tool does a 100% job of policy “conversion” but it does help to take the mundane part out of the equation. Thanks for taking the time to review the PAN tool.

  2. Ahmed Eissa says:

    where to download this tool ?

    • sitweak says:

      Hey Ahmed,
      look out for your regional Palo Alto sales manager. There´s also a couple groups on LinkedIn.
      Unfortunately there is no official download link so far. They usually submit it ‘on-demand’ when customers specifically ask for it. Feel free to contact me again in case you have no success in contacting your sales manager.

  3. roy meidan says:

    can you send me a link to download the tool please

  4. MatthewH says:

    ASDM is responsible for the DM_* groups – not the migration tool. This happens when multiple sources/destinations/services are added to an ACL entry. You can confirm this by running show running-config on the ASA.

    But it would be nice if the migration tool realised this. Creating the equivalent PAN configuration in the security policy instead of copying the DM group.

  5. Sam says:

    Did it convert VPN policies or NAT? And this tool will only convert a regular policy, not something like CBAC or zone based policies, correct? Thanks for the review, I think I might try to use this tool soon once i contact the sales rep.

  6. Rene says:

    The tool does not convert the NAT statements (only when migrating from Checkpoint, no other vendors are supported, also not in version 3 of the tool).
    I am also looking how to migrate VPNs that are now terminated on the PIX/ASA, where customers/vendors are using the Cisco VPN CLient. Any ideas how to do this?

    • sitweak says:

      Hi Rene! Unfortunately – since I switched my job – I dont have access to any Palo Alto firewalls anymore and I also dont have any copy of the migration tool. Hence, I am currently not enganged in the palo alto firewall community. I always thought the official palo alto forums were really helpful even though I recognized that the migration tool did not enjoy to much attention at the time. Long story short: I dont have any ideas on this :/

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: