Tuesday, 10 March 2026

Cisco ASA --> Palo Alto Migration steps

Completed a smooth migration from Cisco ASA to Palo Alto firewall. Strengthened network security, improved visibility, and aligned with best practices.



 
Phase 1: Before Downtime (Preparation)
---------------------------------------------------------
1. Backup ASA
  enable
  write memory
  show running-config
  copy running-config startup-config
  copy running-config tftp://<server-ip>/asa-backup.cfg
  show run crypto
  show run nat
  Save: running-config, startup-config, VPN configs, NAT rules
 
2. Document ASA Setup
  show version
  show interface ip brief
  show route
  show access-list
  show object-group
  show run crypto
  Keep outputs in text files
 
3. Prepare Palo Alto
  configure
  set deviceconfig system ip-address <mgmt-ip> netmask <mask> default-gateway <gw>
  commit
  Verify with ping and ssh
 
4. Set up Expedition VM
  - Deploy Expedition VM
  - Assign IP and access via browser
  - Import ASA backup (asa-backup.cfg)
  - Convert ASA config → Palo Alto XML
  - Export XML file
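Before the asa-backup.cfg from steps 1 and 2 is handed to Expedition, it is worth checking that the capture is complete and usable. The script below is an added example, not code from the original post: it hashes the backup for the change record, counts the element classes the converter has to carry over, checks for the start and end markers a full `show running-config` capture has, and flags IKE pre-shared keys that `show running-config` prints as `*****` (on the ASA, `more system:running-config` shows the real value, and without it the VPN rebuild in Phase 2 has nothing to work from). The embedded configuration is a constructed, heavily reduced sample.

```python
"""Sanity-check an ASA running-config backup before it becomes the migration source.

Added example for steps 1 and 2 of the preparation phase; not code from the
original post. Reads the text saved as asa-backup.cfg (here a constructed,
reduced sample is embedded) and returns what you want on record before the ASA
is touched: a SHA-256 of the file, counts of the elements Expedition must carry
over, completeness markers, and any pre-shared key masked as *****.
"""
import hashlib
import re
from collections import Counter

# Constructed sample: a heavily reduced ASA configuration, not from a real device.
SAMPLE_ASA_CONFIG = """\
: Saved
:
ASA Version 9.12(4)
!
hostname asa-edge
interface GigabitEthernet0/0
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.248
interface GigabitEthernet0/1
 nameif inside
 security-level 100
 ip address 10.10.0.1 255.255.255.0
object network web-srv
 host 10.10.0.20
object network inside-net
 subnet 10.10.0.0 255.255.255.0
object-group network mgmt-hosts
 network-object host 10.10.0.5
access-list outside_in extended permit tcp any object web-srv eq 443
access-list outside_in extended permit tcp any object web-srv eq 80
access-list inside_out extended permit ip object inside-net any
object network inside-net
 nat (inside,outside) dynamic interface
object network web-srv
 nat (inside,outside) static 203.0.113.3
crypto map outside_map 10 match address vpn-acl
crypto map outside_map 10 set peer 198.51.100.9
tunnel-group 198.51.100.9 type ipsec-l2l
tunnel-group 198.51.100.9 ipsec-attributes
 ikev1 pre-shared-key *****
: end
"""

# One regex per element class the migration has to carry over.
SECTION_PATTERNS = {
    "interfaces": re.compile(r"^interface \S+"),
    "object-groups": re.compile(r"^object-group \S+"),
    "access-list entries": re.compile(r"^access-list \S+ "),
    "nat statements": re.compile(r"^\s*nat \("),
    "crypto map entries": re.compile(r"^crypto map \S+ \d+ "),
    "tunnel-groups": re.compile(r"^tunnel-group \S+ type "),
}
OBJECT_DEF = re.compile(r"^object (?:network|service) (\S+)")
MASKED_PSK = re.compile(r"pre-shared-key \*+\s*$")
# Markers a complete 'show running-config' capture carries at its start and end.
COMPLETENESS_MARKERS = (": Saved", "ASA Version", ": end")


def summarize(config: str) -> dict:
    """Count elements by class. Objects are counted by distinct name, because
    'show running-config' repeats an object block to print its NAT statement."""
    counts = Counter()
    object_names = set()
    for line in config.splitlines():
        m = OBJECT_DEF.match(line)
        if m:
            object_names.add(m.group(1))
            continue
        for label, pattern in SECTION_PATTERNS.items():
            if pattern.match(line):
                counts[label] += 1
    counts["objects"] = len(object_names)
    return dict(counts)


def masked_psk_lines(config: str) -> list:
    """1-based line numbers whose pre-shared key is masked and so useless for migration."""
    return [n for n, line in enumerate(config.splitlines(), 1) if MASKED_PSK.search(line)]


def check_backup(config: str) -> dict:
    """Everything to record about the backup before trusting it as the migration source."""
    lines = config.splitlines()
    missing = [m for m in COMPLETENESS_MARKERS if not any(l.startswith(m) for l in lines)]
    return {
        "sha256": hashlib.sha256(config.encode()).hexdigest(),
        "missing_markers": missing,
        "masked_psk_lines": masked_psk_lines(config),
        "counts": summarize(config),
    }


if __name__ == "__main__":
    result = check_backup(SAMPLE_ASA_CONFIG)
    print("sha256:", result["sha256"])
    for label, n in sorted(result["counts"].items()):
        print(f"{label:22} {n}")
    if result["missing_markers"]:
        print("backup looks truncated, missing:", result["missing_markers"])
    if result["masked_psk_lines"]:
        print("masked pre-shared keys on lines:", result["masked_psk_lines"])
```

Run it against the real asa-backup.cfg by replacing the embedded sample with the file contents; the counts are the numbers to compare against the object, rule and tunnel counts Expedition reports after conversion, so that anything silently dropped shows up before downtime rather than during it.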
 
Phase 2: During Downtime (Migration)
------------------------------------
1. Import Config into Palo Alto
  - WebUI → Device > Setup > Operations > Import Configuration
  - Import XML from Expedition
  - Validate configuration
 
2. Validate Palo Alto Setup
  show interface all
  show routing route
  NAT rules: Policies > NAT
  Security policies: Policies > Security
  VPNs: Reconfigure manually
 
3. Commit Configuration
  commit
  Monitor logs:
  tail follow yes mp-log traffic.log
 
4. Cutover
  - Disconnect ASA, connect Palo Alto
  - Test critical applications (web, email, ERP)
  - Monitor traffic in Monitor > Traffic
  - Keep ASA powered and cabled for rollback
 
Phase 3: After Migration (Validation)
-------------------------------------
- Test user access (internet, email, business apps)
- Verify VPN tunnels
- Check NAT translations
- Monitor logs for dropped traffic
- Document final Palo Alto configuration
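"Monitor logs for dropped traffic" is the step that finds the rules that did not survive conversion: on PAN-OS, traffic between zones that matches no explicit rule lands on the predefined interzone-default rule, which denies it, so after cutover the interesting log entries are the non-allow actions and which rule produced them. The script below is an added example, not code from the original post or from Palo Alto Networks. It takes traffic log rows in CSV form (the embedded sample is constructed and carries only a reduced subset of the columns a traffic log export has), groups every deny, drop or reset by rule, destination, port and application, and checks the hits against a constructed list of the critical services from the cutover test (web, email, ERP).

```python
"""Post-cutover triage of PAN-OS traffic logs: what is blocked, and does it touch
a critical application?

Added example for the validation phase; not code from the original post or from
Palo Alto Networks. Column names follow the traffic log CSV export, but the
sample rows are constructed and reduced to the columns this script reads.
"""
import csv
import io
from collections import Counter

# Constructed sample rows (reduced subset of export columns), not from a real firewall.
SAMPLE_TRAFFIC_CSV = """\
Receive Time,Source address,Destination address,Destination Port,Application,Rule,Action
2026/03/10 02:01:11,10.10.0.31,203.0.113.40,443,ssl,inside-out,allow
2026/03/10 02:01:14,10.10.0.31,10.20.0.15,1433,mssql-db,interzone-default,deny
2026/03/10 02:01:15,10.10.0.32,10.20.0.15,1433,mssql-db,interzone-default,deny
2026/03/10 02:01:20,198.51.100.77,203.0.113.3,25,smtp,interzone-default,deny
2026/03/10 02:01:22,198.51.100.5,203.0.113.3,443,ssl,outside-in-web,allow
2026/03/10 02:01:30,10.10.0.31,10.20.0.15,1433,mssql-db,interzone-default,drop
2026/03/10 02:01:41,198.51.100.78,203.0.113.3,25,smtp,interzone-default,deny
"""

# Constructed checklist for the cutover test (web, email, ERP):
# service name -> set of (destination address, destination port).
CRITICAL_SERVICES = {
    "web": {("203.0.113.3", "443")},
    "email": {("203.0.113.3", "25")},
    "erp-db": {("10.20.0.15", "1433")},
}


def parse_rows(csv_text: str) -> list:
    """Rows as dicts keyed by the header names of the export."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_blocked(row: dict) -> bool:
    """Anything other than allow (deny, drop, reset-client/server/both) counts as blocked."""
    return row["Action"].strip().lower() != "allow"


def blocked_flows(csv_text: str) -> Counter:
    """Count blocked rows by (rule, destination, port, application).

    Hits on interzone-default are the ones to read first: they are flows no
    explicit rule claimed, which after a migration usually means a rule that
    existed on the ASA is missing here."""
    counts = Counter()
    for row in parse_rows(csv_text):
        if is_blocked(row):
            key = (row["Rule"], row["Destination address"],
                   row["Destination Port"], row["Application"])
            counts[key] += 1
    return counts


def critical_services_blocked(csv_text: str) -> dict:
    """Number of blocked flows toward each service on the cutover checklist."""
    hits = {name: 0 for name in CRITICAL_SERVICES}
    for row in parse_rows(csv_text):
        if not is_blocked(row):
            continue
        target = (row["Destination address"], row["Destination Port"])
        for name, targets in CRITICAL_SERVICES.items():
            if target in targets:
                hits[name] += 1
    return hits


if __name__ == "__main__":
    print("blocked flows by rule / destination / port / application:")
    for (rule, dst, port, app), n in blocked_flows(SAMPLE_TRAFFIC_CSV).most_common():
        print(f"  {n:4}  {rule:20} {dst:16} {port:6} {app}")
    print("critical services with blocked flows:")
    for name, n in critical_services_blocked(SAMPLE_TRAFFIC_CSV).items():
        print(f"  {name:8} {n}")
```

On a real cutover, export the traffic log filtered to the cutover window and feed the CSV in; every line in the first table with `interzone-default` as the rule is a candidate for "rule lost in conversion", and the second table answers the Phase 3 question of which business application is affected.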
 
Beginner Tips
-------------
- NAT rules differ (ASA ACL-based vs Palo Alto zone-based). Double-check translations
- VPNs usually need manual reconfiguration
- Expedition may create duplicate objects — clean them before commit
- Always keep ASA ready for rollback
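Two of the points above, "Validate configuration" after importing the Expedition XML and "Expedition may create duplicate objects", are things a script can check before `commit`. The example below is added here and is not code from the original post, from Expedition, or from Palo Alto Networks. It parses the vsys1 address objects and security rulebase of a PAN-OS configuration XML (the embedded configuration is a constructed, minimal sample in the `config/devices/entry/vsys/entry` layout) and reports address objects that hold the same value under different names, address objects no security rule references, and allow rules whose source, destination, application and service are all `any`. The unreferenced-object check looks only at the security rulebase, so objects used only in address groups or NAT rules would be listed too; extend it if that matters in your rulebase.

```python
"""Pre-commit review of a converted PAN-OS configuration XML.

Added example; not code from the original post, Expedition, or Palo Alto
Networks. Finds duplicate address objects, address objects no security rule
references, and any/any/any/any allow rules in vsys1.
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample in the PAN-OS configuration layout, reduced to what this reads.
SAMPLE_PANOS_XML = """\
<config version="10.1.0">
  <devices>
    <entry name="localhost.localdomain">
      <vsys>
        <entry name="vsys1">
          <address>
            <entry name="web-srv"><ip-netmask>10.10.0.20/32</ip-netmask></entry>
            <entry name="H-10.10.0.20"><ip-netmask>10.10.0.20/32</ip-netmask></entry>
            <entry name="inside-net"><ip-netmask>10.10.0.0/24</ip-netmask></entry>
            <entry name="old-printer"><ip-netmask>10.10.0.77/32</ip-netmask></entry>
          </address>
          <rulebase>
            <security>
              <rules>
                <entry name="outside-in-web">
                  <from><member>untrust</member></from>
                  <to><member>trust</member></to>
                  <source><member>any</member></source>
                  <destination><member>H-10.10.0.20</member></destination>
                  <application><member>web-browsing</member><member>ssl</member></application>
                  <service><member>application-default</member></service>
                  <action>allow</action>
                </entry>
                <entry name="inside-out">
                  <from><member>trust</member></from>
                  <to><member>untrust</member></to>
                  <source><member>inside-net</member></source>
                  <destination><member>any</member></destination>
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>allow</action>
                </entry>
                <entry name="temp-allow-all">
                  <from><member>any</member></from>
                  <to><member>any</member></to>
                  <source><member>any</member></source>
                  <destination><member>any</member></destination>
                  <application><member>any</member></application>
                  <service><member>any</member></service>
                  <action>allow</action>
                </entry>
              </rules>
            </security>
          </rulebase>
        </entry>
      </vsys>
    </entry>
  </devices>
</config>
"""

VSYS_PATH = "./devices/entry/vsys/entry[@name='vsys1']"


def load_vsys(xml_text: str) -> ET.Element:
    vsys = ET.fromstring(xml_text).find(VSYS_PATH)
    if vsys is None:
        raise ValueError("no vsys1 in configuration")
    return vsys


def address_objects(vsys: ET.Element) -> dict:
    """name -> 'kind:value' for ip-netmask, ip-range and fqdn objects."""
    result = {}
    for entry in vsys.findall("./address/entry"):
        for kind in ("ip-netmask", "ip-range", "fqdn"):
            node = entry.find(kind)
            if node is not None and node.text:
                result[entry.get("name")] = f"{kind}:{node.text.strip()}"
    return result


def security_rules(vsys: ET.Element) -> list:
    """Each rule as a dict of name, action and member lists of the matched fields."""
    rules = []
    for entry in vsys.findall("./rulebase/security/rules/entry"):
        rule = {"name": entry.get("name"),
                "action": (entry.findtext("action") or "").strip()}
        for field in ("source", "destination", "application", "service"):
            rule[field] = [m.text.strip() for m in entry.findall(f"./{field}/member") if m.text]
        rules.append(rule)
    return rules


def duplicate_addresses(objects: dict) -> dict:
    """value -> sorted names, only for values defined under more than one name."""
    by_value = defaultdict(list)
    for name, value in objects.items():
        by_value[value].append(name)
    return {v: sorted(names) for v, names in by_value.items() if len(names) > 1}


def unreferenced_addresses(objects: dict, rules: list) -> list:
    """Address objects that no security rule uses as source or destination."""
    used = set()
    for rule in rules:
        used.update(rule["source"])
        used.update(rule["destination"])
    return sorted(name for name in objects if name not in used)


def any_any_allow_rules(rules: list) -> list:
    """Allow rules matching any source, destination, application and service."""
    return [r["name"] for r in rules if r["action"] == "allow"
            and all(r[f] == ["any"] for f in ("source", "destination", "application", "service"))]


def review(xml_text: str) -> dict:
    vsys = load_vsys(xml_text)
    objects = address_objects(vsys)
    rules = security_rules(vsys)
    return {"duplicates": duplicate_addresses(objects),
            "unreferenced": unreferenced_addresses(objects, rules),
            "any_any_allow": any_any_allow_rules(rules)}


if __name__ == "__main__":
    for section, findings in review(SAMPLE_PANOS_XML).items():
        print(f"{section}: {findings}")
```

In the sample, the converter-style name `H-10.10.0.20` is the copy the rule actually references while the original `web-srv` sits unused, which is the shape of duplicate to expect: merge to one name, repoint the rule, then delete the other, and do it before the commit rather than after, when the stray object is already in the running config.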
