
5/18/2015

Migration Tool 3.0


Albert Estevez
Solutions Architect
Business Development

First Contact with the Migration Tool?


• What is it?
• It is a free tool provided by Palo Alto Networks.
• It helps to migrate from other firewall vendors to Palo Alto Networks.
• It reduces the migration time and the possible errors introduced by humans.

• Who can use it?

• All Palo Alto Networks employees can.
• All our Certified Partners.
• After Ignite, every single customer, partner or SE. Yes, everybody!

• Who will support it?

• It is not supported by Palo Alto Networks support; it is not one of our products.
• Support relies on a community: partners, SEs and customers will help people with questions.
• Business Development has a team of people to provide documentation, hotfixes and new features.

2 | ©2015, Palo Alto Networks. Confidential and Proprietary.


First Contact with the Migration Tool?


• Will this Migration Tool help me to sell?
• In some cases the tool helps in the pre-sales stage. Showing your customer that we can import their policies into the Migration Tool before they buy helps them understand that the migration process will be doable and easy.
• The Migration Tool helps to understand which platform to offer, based on object and rule capacity and not only on performance.

• Can this Migration Tool make our product stickier for our customers?
• One of the most interesting features is the ability to reduce the time the customer needs to move the security policies from Layer 4 (services) to Layer 7 (App-ID). Doing this makes the replacement of our systems harder, since all the rules have been configured with our App-ID.
• This process will help to sell more in the account once they have embraced App-ID, User-ID and Content-ID.


What’s New on 3.0?


• The whole GUI has been rebuilt from scratch to comply with our color standards and follow MVC development principles. The usability of the tool always comes first.

• Most important
• Cisco ASA NATs
• Netscreen NATs, Multi-Vsys
• Fortinet NATs, Multi-Doms
• Automatic fix between NATs and Security Rules (IP addresses and zones)
• Support for networking (virtual routers, interfaces, static routing) for all vendors
• New AutoZone Assign. More options to cover “any”
• App-ID Adoption
• Panorama Templates
• Response Pages Customization
• Backups and restore points. Auto Save.
• XML-API Output Manager. Atomic / Subatomic
• Device Usage Statistics


Migration Tool 3.0


New Framework

Devices
• Using the XML-API, import Devices or Panorama.
• If a Panorama is imported, all the connected devices are imported as well.
• The MT3 will download the App-ID, threats and URL databases.


Projects
• Each project is stored in its own database.
• Can be tagged by “Customer Name”, for example. Filter by tag.
• Can import the App-ID, URL and threats database from a Device.


Snippets
• Small pieces of PAN-OS XML code to be re-used on projects.

• Supported snippets
• Custom App-ID
• Security Profiles
• Log Forwarding Profiles
• Custom Reports


Updates
• Via HTTPS
• Connectivity health checks
• Update server information: conversionupdates.paloaltonetworks.com
• If a Palo Alto Networks firewall is deployed, you need to allow paloalto-updates
• Proxy settings


Migration Tool 3.0


New Features


Auto Zone Assign


• This feature helps when you are migrating a firewall that does not use zones in its security rule definitions.

• Select which rules to process
• All rules
• Selected
• If tag equal to

• Select which zones to calculate

• Override or replace
• If the zone = “any” replace by
• If the zone = “zone1” replace by “zone2”


Customizing Response Pages


• Fully customize the look and feel and the content


Device Usage

• Compare your objects database against the maximum capacity for your platform and know in advance when you will reach the limits.


Output Generation
• We have 3 different ways to generate the output. All the output comes from the Base Configuration, and all changes made to this Base Configuration will be reflected in the output.
• XML file
• XML-API calls
• SET commands file

• To generate the XML file and SET commands, click on the green button.


API Output Manager


• We can generate Atomic or Subatomic XML-API calls
• Atomic: one call per element group, e.g. one unique call to push all the security rules
• Subatomic: one call per single element, i.e. a unique call per individual rule
• Click on [step 1]

• Select the device the changes will be sent to and click on [step 2]

• Order is important
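How Atomic and Subatomic output differ in practice, as an added Python example (not the Migration Tool's own code): it builds PAN-OS XML-API config/set requests for two constructed rules, either one call for the whole rulebase or one call per rule. It only builds the requests and sends nothing; the hostname, API key and rule contents are placeholders.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlencode

# Added example, not the Migration Tool's code. Standard PAN-OS xpath of the vsys1 security rulebase.
RULES_XPATH = ("/config/devices/entry[@name='localhost.localdomain']"
               "/vsys/entry[@name='vsys1']/rulebase/security/rules")

# Constructed rules, listed in the order they must appear in the rulebase
SAMPLE_RULES = [
    {"name": "Cl-allow-web", "from": "trust", "to": "untrust", "apps": ["ssl", "web-browsing"], "action": "allow"},
    {"name": "allow-web", "from": "trust", "to": "untrust", "apps": ["any"], "action": "allow"},
]

def rule_entry(rule):
    """Render one security rule as a PAN-OS <entry> element."""
    entry = ET.Element("entry", name=rule["name"])
    for field in ("from", "to"):
        ET.SubElement(ET.SubElement(entry, field), "member").text = rule[field]
    for tag in ("source", "destination", "service"):
        ET.SubElement(ET.SubElement(entry, tag), "member").text = "any"
    apps = ET.SubElement(entry, "application")
    for app in rule["apps"]:
        ET.SubElement(apps, "member").text = app
    ET.SubElement(entry, "action").text = rule["action"]
    return entry

def atomic_calls(rules):
    """Atomic: one set call carrying every rule entry under the rules node."""
    element = "".join(ET.tostring(rule_entry(r), encoding="unicode") for r in rules)
    return [{"type": "config", "action": "set", "xpath": RULES_XPATH, "element": element}]

def subatomic_calls(rules):
    """Subatomic: one set call per rule. 'set' appends, so send them in rulebase order."""
    return [{"type": "config", "action": "set", "xpath": RULES_XPATH,
             "element": ET.tostring(rule_entry(r), encoding="unicode")} for r in rules]

def to_url(call, host="firewall.example", key="API_KEY_PLACEHOLDER"):
    """Encode a call as the GET URL form of the XML-API (host and key are placeholders)."""
    return f"https://{host}/api/?" + urlencode({**call, "key": key})

if __name__ == "__main__":
    print(f"atomic: {len(atomic_calls(SAMPLE_RULES))} call, subatomic: {len(subatomic_calls(SAMPLE_RULES))} calls")
    for call in subatomic_calls(SAMPLE_RULES):
        print(to_url(call))
```

Because a config/set call appends under the given xpath, the subatomic list must be pushed in rulebase order, which is the "Order is important" point on the slide.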


Migration Tool 3.0


App-id adoption helper


Overview
A high number of our customers are still working with L4 services instead of using our powerful App-ID signatures. Usually this is because the process to migrate from L4 to L7 is painful and not all our partners have the knowledge to do it.

For this reason the new Migration Tool 3.0 will help them run through all the steps needed to do it, minimizing the collateral issues this process can create.

The MT3 will help to retrieve from the logs which App-IDs we have seen per rule, and will help us identify the unknown traffic. In some situations we will turn this unknown traffic into custom signatures via application override, or get help with the process of creating a new custom application signature, reducing the time and knowledge needed to do it.


Import your Palo Alto Networks Devices

• Enter the tab called Devices
• Click on Add New Devices
• Fill the fields and click Save
• The Save button will retrieve the App-ID database, URL categories and the configuration


Create the Project

• Select the Projects tab
• Click Add New Project
• Fill the fields with:
• Project name
• Tag or Filter
• Source: the device we will get the App-ID database from
• Initialize Database to create the project


Import your Device into the Project

• Click the green tab (Import) at the top bar
• Palo Alto Devices are selected by default
• Double-click to import the device into the project


Clone the Rules to be migrated to App-ID

• Select vsys1 from the top bar
• Select the rules and click on the orange button Clone, then select Below to create the rules under the selected one

• The new rules will be created with the same name but with the prefix “Cl-”


Create a Log Connector


• Select the 3rd tab (labs)
• Click Add Connector
• Fill fields:
• Name
• Device that generated the logs
• Period of time to generate the reports for
• From which Vsys
• Panorama, in case your firewall is sending the logs to Panorama
• Save

Retrieve App-ID (All or Selected Rules only)


• Go to Policies
• Right-click over a rule
• Select App-id Adoption
• Select Retrieve Apps
• Selected
• All Rules
• A new column will show up with the App-IDs seen


Split Rules between Known and Unknown App-IDs

• Right-click over a rule
• Select App-id Adoption
• Click Split Rules Known/Unknown

• New rules with the tag Unknown traffic will be created


Analyze the Unknown


• Click on one of the unknown applications

• A new window will show up

• If you want to know which servers were generating this traffic, click on Analyze

• Select the Unknown plus the servers you want to override
• Click on Create App-override Rule


Analyze the Unknown


• Assign a name for the Application Override Rule
• Create a new Custom Application by clicking on NEW, or select an application from the Application combo-box
• Custom App: add name and properties. The default port has been added under Advanced
• Security Rule:
• Select New rule to keep track of this new app
• Select Original rule to add the new custom app into the original rule


Analyze Known Apps - Expand


• Click over a known application from the column App-id via Log
• Select Applications
• Create Security Rule
• Assign Name and Action
• Select Apps and click on Add to Rule
• Review and Save
• New rule added before the original
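The logic behind the App-ID adoption steps on the preceding slides (Retrieve Apps, Split Rules Known/Unknown, Expand), as an added Python example that is not the Migration Tool's own code; the traffic-log records, rule names and the set of "unknown" App-ID names are constructed for the example.

```python
from collections import defaultdict
# Added example, not the Migration Tool's code. Constructed traffic-log records:
# (security rule name, App-ID, destination IP, destination port)
SAMPLE_LOGS = [
    ("allow-web", "web-browsing", "10.1.1.10", 80),
    ("allow-web", "ssl", "10.1.1.10", 443),
    ("allow-web", "web-browsing", "10.1.1.11", 80),
    ("allow-db", "mssql-db", "10.2.2.20", 1433),
    ("allow-db", "unknown-tcp", "10.2.2.21", 9099),
    ("allow-db", "unknown-tcp", "10.2.2.21", 9099),
    ("allow-db", "unknown-udp", "10.2.2.22", 5005),
]

# App-IDs treated as "unknown traffic" (assumed list for this example)
UNKNOWN_APPS = {"unknown-tcp", "unknown-udp", "unknown-p2p", "incomplete", "insufficient-data"}

def apps_seen_by_rule(logs):
    """Retrieve Apps: the set of App-IDs the logs show for each rule."""
    seen = defaultdict(set)
    for rule, app, _ip, _port in logs:
        seen[rule].add(app)
    return dict(seen)

def split_known_unknown(seen):
    """Split Rules Known/Unknown: per rule, (known apps, unknown traffic), both sorted."""
    return {rule: (sorted(a for a in apps if a not in UNKNOWN_APPS),
                   sorted(a for a in apps if a in UNKNOWN_APPS))
            for rule, apps in seen.items()}

def propose_rules(logs):
    """Expand: a cloned 'Cl-' rule limited to the known apps, placed before the original, plus
    one 'Unknown traffic' rule per unknown app listing the servers seen (app-override input)."""
    split = split_known_unknown(apps_seen_by_rule(logs))
    servers = defaultdict(set)  # (rule, unknown app) -> destination ip:port seen
    for rule, app, ip, port in logs:
        if app in UNKNOWN_APPS:
            servers[(rule, app)].add(f"{ip}:{port}")
    proposals = []
    for rule, (known, unknown) in split.items():
        if known:
            proposals.append({"name": f"Cl-{rule}", "apps": known, "position": f"before {rule}"})
        for app in unknown:
            proposals.append({"name": f"{rule}-{app}", "tag": "Unknown traffic", "apps": [app],
                              "servers": sorted(servers[(rule, app)])})
    return proposals

if __name__ == "__main__":
    for proposal in propose_rules(SAMPLE_LOGS):
        print(proposal)
```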


Contact Us
• Send an email to fwmigrate@paloaltonetworks.com

• Intranet Place
https://intranet.paloaltonetworks.com/community/business_development/projects/smart-workbench-migration-tool-30
