Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Firewall Migration Tool in Cisco Defense Orchestrator
Select Source Configuration
You can migrate configurations from your Palo Alto Networks firewall by choosing Palo Alto Networks (6.1+) in the Source Firewall Vendor drop-down and manually uploading the derived configuration file to Firewall Migration Tool. To read about the Palo Alto Networks firewall configurations that are supported for migration and the limitations around them, see Guidelines and Limitations in the Migrating Palo Alto Networks Firewall to Secure Firewall Threat Defense with the Migration Tool book.
Select Target
In the Select Target page, the cloud-delivered Firewall Management Center provisioned on your CDO tenant is selected by default, and the threat defense devices managed by that management center are listed. You can choose the threat defense device you wish to migrate the configuration to, and proceed with the migration.
Note that the threat defense devices listed are displayed either as In Use or Available based on whether the device is being used in another migration instance. However, you can perform an override by clicking Change Device Status, selecting the device from the In Use list, and clicking Continue, which will make the device available for being selected as the target. Choosing Proceed without FTD pushes only NAT objects, ACLs, and port objects to the cloud-delivered Firewall Management Center. For more information about the commonly used ASA features and their equivalent threat defense features, see Cisco Secure Firewall ASA to Threat Defense Feature Mapping guide.
Caution | Changing the device status from In Use to Available impacts the ongoing migration instance that is using the device already. We recommend that you exercise caution when doing this. |
To perform the migration with more detailed steps, continue to Export the Check Point Configuration Files in Migrating Check Point Firewall to Secure Firewall Threat Defense with the Migration Tool book.
|
Workspace |
Steps |
|
|---|---|---|
|
|
Cisco Defense Orchestrator |
Log in to your CDO tenant, navigate , and click the blue plus |
|
|
Cisco Defense Orchestrator |
Launch the migration instance from CDO and choose Palo Alto Networks (6.1+). |
|
|
Palo Alto Networks Firewall |
Export the Configuration File: To export the configuration from Palo Alto Networks Firewall, see Export the Configuration from Palo Alto Networks. |
|
|
Secure Firewall Migration Tool |
|
|
|
Secure Firewall Migration Tool |
Navigate to where you downloaded the pre migration report and review the report. For detailed steps, see Review the Pre-Migration Report. |
 |
Secure Firewall Migration Tool |
To ensure that the PAN configuration is migrated correctly, map the PAN interfaces to the appropriate threat defense interface objects, security zones, and interface groups. For detailed steps, see Map PAN Firewall Configurations with Secure Firewall Management Center Threat Defense Interfaces. |
|
|
Secure Firewall Migration Tool |
Map the PAN interfaces to the appropriate security zones, see Map PAN interfaces to security zones for detailed steps. |
|
|
Secure Firewall Migration Tool |
You can map PAN configuration to the corresponding target applications; see Map Configurations with Applications for detailed steps. |
|
|
Secure Firewall Migration Tool |
Optimize and review the configuration carefully and validate that it is correct and matches how you want to configure the threat defense device. For detailed steps, see Optimize, Review and Validate the Configuration to be Migrated. |
|
|
Secure Firewall Migration Tool |
This step in the migration process sends the migrated configuration to management center and allows you to download the post-migration report. For detailed steps, see Push the Migrated Configuration to Cloud-Delivered Firewall Management Center. |
|
|
Local Machine |
Navigate to where you downloaded the post migration report and review the report. For detailed steps, see Review the Post-Migration Report and Complete the Migration. |
|
|
Cloud-Delivered Firewall Management Center |
Deploy the migrated configuration from the management center to threat defense. |
button to start provisioning a new migration instance.
