Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator

Select Source Configuration

You can migrate configurations from your Palo Alto Networks firewall by choosing Palo Alto Networks (6.1+) in the Source Firewall Vendor drop-down list and manually uploading the derived configuration file to the Firewall Migration Tool.

Select Target

In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration.

The listed threat defense devices are shown as either In Use or Available, depending on whether the device is being used in another migration instance. You can override this status by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which makes the device available for selection as the target. Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see the Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide.


Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this.

To perform the migration with more detailed steps, continue to Export the Check Point Configuration Files in the Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool book.



Cisco Defense Orchestrator

Log in to your CDO tenant, navigate to Tools & Services > Firewall Migration Tool, and click the blue plus button to start provisioning a new migration instance.

Cisco Defense Orchestrator

Launch the migration instance from CDO and choose Palo Alto Networks (6.1+).

Palo Alto Networks Firewall

Export the Configuration File: To export the configuration from Palo Alto Networks Firewall, see Export the Configuration from Palo Alto Networks.

Secure Firewall Migration Tool

Specify the destination parameters for the migration.

Secure Firewall Migration Tool

Navigate to where you downloaded the pre-migration report and review it. For detailed steps, see Review the Pre-Migration Report.

Secure Firewall Migration Tool

To ensure that the PAN configuration is migrated correctly, map the PAN interfaces to the appropriate threat defense interface objects, security zones, and interface groups. For detailed steps, see Map PAN Firewall Configurations with Secure Firewall Management Center Threat Defense Interfaces.

Secure Firewall Migration Tool

Map the PAN interfaces to the appropriate security zones. For detailed steps, see Map PAN interfaces to security zones.

Secure Firewall Migration Tool

You can map PAN configuration to the corresponding target applications; see Map Configurations with Applications for detailed steps.

Secure Firewall Migration Tool

Optimize and review the configuration carefully and validate that it is correct and matches how you want to configure the threat defense device. For detailed steps, see Optimize, Review and Validate the Configuration to be Migrated.

Secure Firewall Migration Tool

This step in the migration process sends the migrated configuration to the management center and allows you to download the post-migration report. For detailed steps, see Push the Migrated Configuration to Cloud-Delivered Firewall Management Center.

Local Machine

Navigate to where you downloaded the post-migration report and review it. For detailed steps, see Review the Post-Migration Report and Complete the Migration.

Cloud-Delivered Firewall Management Center

Deploy the migrated configuration from the management center to threat defense.