®
Palo Alto Networks
Migration Tool Version 3.2
What’s new
Contact Information
Corporate Headquarters:
Palo Alto Networks
4401 Great America Parkway
Santa Clara, CA 95054
https://www.paloaltonetworks.com/company/contact-us.html
About this Guide
This guide takes you through the utilization of the new Palo Alto Networks Migration Tool
3. This guide is designed for users with previous knowledge of the PAN-OS platform.
The Palo Alto Networks Migration Tool 3 replaces previous versions of the Migration Tool.
Refer to the following resources for additional information:
• For information on the additional capabilities of Palo Alto Networks
firewalls and for instructions on configuring the features on the firewall,
refer to https://www.paloaltonetworks.com/documentation. • To provide feedback on the documentation, please write to us at:
[email protected]. • To access to the Community, which includes the knowledge base,
discussion forums, and videos, refer to https://live.paloaltonetworks.com. • To contact the migration team, refer to [email protected]
• To manage your account or devices go to the support portal:
support.paloaltonetworks.com
• For the latest release notes, go to the software downloads page at
https://support.paloaltonetworks.com/Updates/SoftwareUpdates. P A L O
A L T O
N E T W O R K S
M I G R A T I O N
T O O L
3 . 2
What’s new in Migration Tool 3.2:
•
MT-­‐36 Snapshots: Assign a Name: Save Named Configuration Snapshot:
-­‐ Assign a new name for your snapshot or select one from the list. If you select one previously created this will be overridden -­‐ If you leave the name in blank the system will automatically generate one based on the Project name and the current date time. Load Named Configuration Snapshot:
-­‐ Select the name of the snapshot to be loaded: §
MT-­‐58 Address-­‐Groups/Services-­‐Groups: Convert Group with one member To Address/Services 1
-­‐ There is a new filter that allows you to filter by “Groups with one member”. -­‐ We can select from the filtered groups how many of them we want to replace by their members or if we don’t select any group the action will be executed on all the filtered groups. The scope of the change will affect to Security, Nat and Application override policies and Groups. Ø Example: Group to Address: After filter is selected 2
After “Group to Address” has been executed. Ø Example: Group to Service After filter is selected After “Group to Service” has been executed. This is the security policy before the changes: 3
This is the security policy after the changes: -­‐
MT-­‐73 Dashboard: Enable link to Objects The Dashboard has been enhanced to allow you to select the numbers from the grid on Project Statistics and then go directly to that object with the filter
selected.
-­‐
For example: If we click on Not used Address: 4
-­‐
For example: Duplicated Address Groups: §
MT-­‐74 User-­‐ID Added Section in Objects. Added a new User-ID Section in Objects with the relation between groups and users. This requires creating a User-Id connector and retrieving the groups
and users previously.
-­‐
New filters have been created here like search by “Groups without Members”: 5
-­‐
When we select a group from the Users Groups Grid the tool will show you the users that are part of that group under the Users Grid: -­‐
We can Search by name to filter the output: 6
§
MT-­‐71 App-­‐ID Custom Enable Add/Edit The App-­‐ID panel has been dramatically enhanced since previous version. Added Filter and search capabilities. Added button to convert the selected applications as a Shared Applications. Show only Custom applications only has been added as well as an option in the bottom bar. All Applications: 7
Only Custom Applications:
MT-­‐78 App-­‐ID Added Filters and Groups In 3.2 the MT can natively read the application filters and groups, in the past we were only reading the names and storing the xml content and you were not able to modify from the MT. Applications and filters can be merged, cloned, edit or even convert to shared filters or groups. Applications Filters: §
8
9
Applications Groups: 10
§
-­‐
MT-­‐115 Added Prefix/Suffix/Replace to objects / Replace Members Prefix / Suffix: Search in the selected Objects by Name and then add a Prefix and/or Suffix to the selected objects or to all the results. If you want to apply the Prefix/Suffix to all the objects on a vsys just leave the search field empty and then select All Results. You can add a prefix or a suffix or both at the same time. If you choose Selection you have to select from the panels the objects you want. 11
Ø Example: Add Prefix: “g-­‐“, and Suffix: “-­‐suffix”, in Objects Address when Name contains Barcelona in All Results: 12
Ø Example: Add Prefix: “Group-­‐“ only in selection Services-­‐Groups: 13
Result:
-­‐
Replace: We can do a string replace to change one string to another on the selected Objects. First search by a pattern string, this can be a name or IP address for the address and then replace by a new pattern. Select IP Address only for Address Objects. 14
Ø Example: Replace “AG” in Name in Objects Address Groups by “Address-­‐Group” in All Results: 15
Result:
Ø Example: Replace “172.1.2.” in IP Address in Objects Address by “195.5.5.” in Selection Address: 16
Result: -­‐
Replace Members: add, remove and replace members in all groups or on selected groups. Filter by an string to locate address-­‐groups names. Then you can remove, replace members from those groups. 17
Ø Example: Replace member “Address1” by member “g-­‐AddressBarcelona-­‐suffix” in All Results (All groups because the filter is empty): 18
19
Ø Example: Replace “Address1” by member “g-­‐AddressBarcelona-­‐suffix”. Add member “1.1.1.2” in selected groups. 20
§
MT-­‐129 Interfaces. If the type is aggregated-­‐ethernet show asX instead to aggregated-­‐ethernet. 21
§
MT-­‐130 Interfaces. Convert from one type to another Ex Ethernet to aggregated-­‐
Ethernet. Now its possible to remap an interface and at the same time change the type of that interface. Useful when a Ethernet interface needs to be created as a aggregated-­‐
ethernet. Just by selecting the interface name to one of the “aeX” the interface will be changed to aggregated-­‐ethernet. The same happens in the other way. •
Example: Convert ethernet1/3 to aggregated-­‐ethernet ae2 22
§
MT-­‐139 Added Policy Filters: Invalid, Disabled rules, duplicated Rule Name and Description Added new (Predefined) filters to Security and Nat Policies: Security: -­‐ Invalid: when name is empty. -­‐ Disabled. -­‐ Duplicated Name: when two or more rules have the same name. Nat: -­‐ Invalid: (Name OR Destination Zone are empty). -­‐ Disabled. -­‐ Duplicated Name: when two or more rules have the same name. 23
Ø Example: Invalid Security Rules: Ø Example: Disabled Security Rules: 24
Ø Example: Duplicated Security Rules: MT-­‐141 Add objects to groups by selecting address/services from the grid. Add selection address, services or applications (members) to the selected group. Ø Members Address to Address-­‐Groups: §
25
Ø Members Services to ServicesGroups: 26
Ø Members Applications to Applications-­‐Groups: 27
§
MT-­‐156 combine Nat Rules: Now rules that have the same translation parameters and have the same destination Zone can be
combined. This is useful when you have some Nat rules where the Source is different from another
rule but they share the rest of the parameters for example. The first rule selected will be the one from
we will merge the others on that position.
28