
Best Practices for Palo Alto Firewall Migration

December 20, 2023
12 min read

Migrating from legacy firewalls to Palo Alto Networks requires careful planning and execution. Having completed multiple enterprise migrations, I've compiled this comprehensive guide to help ensure a smooth transition.

Pre-Migration Assessment

1. Document Current Environment

Before touching any configuration:

  • Export all existing firewall rules
  • Document network topology
  • Identify critical applications and their traffic patterns
  • Map out all VPN connections
  • List all NAT policies

2. Traffic Analysis

Use tools like Wireshark or your existing firewall's logging to understand:

  • Top applications by bandwidth
  • Peak traffic times
  • Unusual or legacy protocols
  • External connections and dependencies

Migration Tools

Expedition Tool

Palo Alto's Expedition tool automates much of the migration process:

  1. Configuration Import: Supports Cisco ASA, Check Point, Fortinet, and others
  2. Policy Optimization: Identifies redundant or shadowed rules
  3. Best Practice Checks: Validates configuration against security standards

Manual Configuration Export

For Cisco ASA:

```bash
# On the ASA CLI. There is no shell-style '>' redirection on the ASA:
# disable paging and capture the terminal session to a file, or copy the
# configuration off-box.
enable
terminal pager 0

# Running configuration (capture the session output as asa-config.txt, or
# copy it to a server you control; the server name below is a placeholder)
show running-config
copy /noconfirm running-config tftp://<backup-server>/asa-config.txt

# Access lists, including per-ACE hit counts (zero-hit entries are
# candidates for removal during policy optimization)
show access-list

# NAT rules with translate_hits counters (ASA 8.3+ syntax)
show nat
```

Policy Optimization

One of the biggest advantages of migration is the opportunity to clean up years of accumulated rules.

Rule Consolidation

Before migration:

```
Rule 1: Allow 10.0.1.0/24 to 192.168.1.10 tcp/80
Rule 2: Allow 10.0.1.0/24 to 192.168.1.10 tcp/443
Rule 3: Allow 10.0.2.0/24 to 192.168.1.10 tcp/80
Rule 4: Allow 10.0.2.0/24 to 192.168.1.10 tcp/443
```

After optimization:

```
Rule 1: Allow 10.0.0.0/16 to 192.168.1.10 tcp/80,443
```
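The two checks Expedition's policy optimization performs on an import (shadowed rules, mergeable rules) and the consolidation shown above can both be scripted against a plain rule export. The example below is added here and is not code from the post or from Palo Alto Networks. It parses rules in the format shown above (Rule 5 is a constructed addition that Rule 2 shadows), drops rules an earlier rule already covers, merges rules that differ only in port, and measures how far a proposed consolidated source network widens access: 10.0.0.0/16 admits 65,024 addresses that the original two /24s did not, and the tightest single prefix that still contains both is 10.0.0.0/22. The merge step assumes an allow-only rulebase with one final deny, so the surviving rules can be reordered safely; check that assumption against your own export first.

```python
"""Added example, not code from the original post or from Palo Alto Networks:
find shadowed rules in a legacy export, merge rules that differ only in port,
and measure how far a proposed consolidated source network widens access."""
import ipaddress
import re
from dataclasses import dataclass

# Rules in the shape shown in the post; Rule 5 is constructed for this example.
LEGACY_RULES = [
    "Rule 1: Allow 10.0.1.0/24 to 192.168.1.10 tcp/80",
    "Rule 2: Allow 10.0.1.0/24 to 192.168.1.10 tcp/443",
    "Rule 3: Allow 10.0.2.0/24 to 192.168.1.10 tcp/80",
    "Rule 4: Allow 10.0.2.0/24 to 192.168.1.10 tcp/443",
    "Rule 5: Allow 10.0.1.128/25 to 192.168.1.10 tcp/443",  # constructed; shadowed by Rule 2
]

RULE_RE = re.compile(
    r"Rule\s+(?P<id>\d+):\s+(?P<action>Allow|Deny)\s+(?P<src>\S+)\s+to\s+"
    r"(?P<dst>\S+)\s+(?P<proto>tcp|udp)/(?P<ports>[\d,]+)$"
)


@dataclass(frozen=True)
class Rule:
    rid: int
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    ports: frozenset


def parse_rule(line: str) -> Rule:
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparsable rule: {line!r}")
    return Rule(int(m["id"]), m["action"], ipaddress.ip_network(m["src"]),
                ipaddress.ip_network(m["dst"]), m["proto"],
                frozenset(int(p) for p in m["ports"].split(",")))


def shadowed_rules(rules):
    """Map each rule that can never match (an earlier rule already covers its
    whole source, destination and service) to the rule that shadows it."""
    found = {}
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (later.proto == earlier.proto
                    and later.src.subnet_of(earlier.src)
                    and later.dst.subnet_of(earlier.dst)
                    and later.ports <= earlier.ports):
                found[later.rid] = earlier.rid
                break
    return found


def optimize(rules):
    """Drop shadowed rules, then merge rules that differ only in port.
    Assumption for this example: an allow-only rulebase with one final deny,
    so the surviving rules can be reordered freely."""
    shadowed = shadowed_rules(rules)
    groups = {}
    for r in rules:
        if r.rid in shadowed:
            continue
        key = (r.action, str(r.src), str(r.dst), r.proto)
        groups[key] = groups.get(key, frozenset()) | r.ports
    return [key + (tuple(sorted(ports)),) for key, ports in groups.items()]


def tightest_supernet(nets):
    """Smallest single prefix containing every network in nets."""
    cand = nets[0]
    while not all(n.subnet_of(cand) for n in nets):
        cand = cand.supernet()
    return cand


def widening(proposed, originals):
    """How much a proposed source network admits beyond the original sources:
    'extra_addresses' the originals never allowed, 'lost' originals the
    proposal no longer covers, 'tightest' the smallest prefix covering all."""
    proposed = ipaddress.ip_network(proposed)
    collapsed = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(o) for o in originals))
    lost = [str(o) for o in collapsed if not o.subnet_of(proposed)]
    covered = sum(o.num_addresses for o in collapsed if o.subnet_of(proposed))
    return {"extra_addresses": proposed.num_addresses - covered,
            "lost": lost,
            "tightest": str(tightest_supernet(collapsed))}


if __name__ == "__main__":
    rules = [parse_rule(line) for line in LEGACY_RULES]
    print("shadowed:", shadowed_rules(rules))
    for row in optimize(rules):
        print("merged:", row)
    print(widening("10.0.0.0/16", ["10.0.1.0/24", "10.0.2.0/24"]))
```

The widening check is the one to keep in your toolbox: consolidation should reduce rule count, not enlarge the set of sources that can reach a server. When the tightest supernet still admits more than the originals, an address group containing the original prefixes gives a single rule without widening anything.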

Application-Based Rules

Leverage Palo Alto's App-ID instead of port-based rules:

```
# Instead of: Allow any to any tcp/443
# Use: Allow any to any application ssl, web-browsing
```

Implementation Strategy

Parallel Deployment

The safest approach is running both firewalls in parallel:

  1. Week 1-2: Deploy Palo Alto in monitoring mode
  2. Week 3-4: Configure policies and test with non-critical traffic
  3. Week 5-6: Gradually migrate production traffic
  4. Week 7+: Decommission legacy firewall

Configuration Checklist

```yaml
Pre-Deployment:
  - [ ] Management interface configured
  - [ ] Licenses activated
  - [ ] Dynamic updates scheduled
  - [ ] Admin accounts created
  - [ ] Backup schedule configured

Network Configuration:
  - [ ] Zones defined
  - [ ] Interfaces configured
  - [ ] Virtual routers set up
  - [ ] Static routes added
  - [ ] OSPF/BGP configured (if applicable)

Security Policies:
  - [ ] Security rules migrated
  - [ ] NAT policies configured
  - [ ] Application overrides (if needed)
  - [ ] Security profiles attached
  - [ ] Logging enabled

VPN Configuration:
  - [ ] IKE gateways configured
  - [ ] IPSec tunnels established
  - [ ] GlobalProtect deployed (if applicable)
  - [ ] VPN monitoring enabled
```

Testing Procedures

Functional Testing

  1. Connectivity Tests
    • Verify all allowed traffic flows
    • Confirm blocked traffic is denied
    • Test NAT translations
  2. Application Testing
    • Test critical business applications
    • Verify SSL decryption (if enabled)
    • Check application identification accuracy
  3. VPN Testing
    • Establish all site-to-site tunnels
    • Test remote access VPN
    • Verify failover scenarios
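The connectivity tests above are worth writing down as a table of flows with the outcome the new policy must produce, so the same plan can be re-run at every cut-over step and after every rulebase change. The harness below is an added example, not code from the post; the hosts, ports and rule outcomes in its plan are constructed (it reuses the post's 192.168.1.10 web server). The probe is injectable so the harness can be exercised offline with a scripted probe; with the real TCP probe it is run from a client in the source zone under test.

```python
"""Added example, not code from the original post: a cut-over test plan for
the migrated rulebase. Each entry pairs a flow with the outcome the policy
must produce; the harness probes each flow and reports mismatches."""
import socket
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowTest:
    name: str
    host: str      # destination as seen from the test client
    port: int
    expect: str    # "allow" or "deny"


# Constructed plan; hosts and expected outcomes are hypothetical.
TEST_PLAN = [
    FlowTest("intranet web (http)", "192.168.1.10", 80, "allow"),
    FlowTest("intranet web (tls)", "192.168.1.10", 443, "allow"),
    FlowTest("database direct from user VLAN", "192.168.1.20", 1521, "deny"),
    FlowTest("legacy telnet to web server", "192.168.1.10", 23, "deny"),
]


def tcp_probe(host, port, timeout=3.0):
    """Outcome of one TCP connection attempt from this client.
    A completed handshake or a refused connection both mean the packet reached
    the host, so the policy allowed it; a timeout is the usual signature of a
    silent drop. Caveat: if a deny rule is configured to send a reset, 'refused'
    can also mean 'blocked'; confirm against the traffic log when in doubt."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allow"
    except ConnectionRefusedError:
        return "allow"
    except OSError:          # includes socket.timeout / TimeoutError
        return "deny"


def scripted_probe(table):
    """Build a probe that answers from {(host, port): outcome}; anything not
    listed is reported as 'deny'. Used to exercise the harness offline."""
    return lambda host, port, timeout=3.0: table.get((host, port), "deny")


def run_plan(plan, probe=tcp_probe):
    """Run every test; return (passed, failed) as lists of
    (name, expected, observed). A failed 'deny' entry is the one to chase
    first: the new rulebase admits traffic it was meant to block."""
    passed, failed = [], []
    for t in plan:
        observed = probe(t.host, t.port)
        (passed if observed == t.expect else failed).append((t.name, t.expect, observed))
    return passed, failed


if __name__ == "__main__":
    ok, bad = run_plan(TEST_PLAN)
    for name, expected, observed in bad:
        print(f"FAIL {name}: expected {expected}, observed {observed}")
    print(f"{len(ok)} passed, {len(bad)} failed")
```

Keep one plan per source zone, since the same destination can legitimately be reachable from one zone and blocked from another, and pair each entry with the rule name you expect to see in the traffic log so a "pass" can be traced to the intended rule rather than to an over-broad one.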

Performance Testing

Monitor these metrics during migration:

  • Session count
  • Throughput (Mbps)
  • CPU utilization
  • Memory usage
  • Threat logs

Common Pitfalls

1. Incomplete NAT Migration

Legacy firewalls often have complex NAT configurations. Document every NAT rule and test thoroughly.

2. Application Identification Issues

Some applications may not be correctly identified initially. Use custom App-ID or application overrides:

```
# Create a custom application for a service App-ID does not recognise
# (example name: custom-app); risk (1-5) is a required field
set application custom-app category business-systems
set application custom-app subcategory database
set application custom-app technology client-server
set application custom-app risk 3
set application custom-app default port tcp/1521
# Without a signature, the custom app is assigned to traffic only through an
# application override policy on that port; note that overridden sessions
# bypass App-ID and Content-ID inspection, so scope the override narrowly.
```

3. Certificate Issues

SSL decryption requires proper certificate management:

  • Import trusted CA certificates
  • Configure SSL forward proxy certificates
  • Add decryption exclusions for applications that pin their certificates

Post-Migration

Monitoring and Tuning

First 30 days are critical:

  1. Daily Reviews
    • Check threat logs
    • Review denied traffic
    • Monitor performance metrics
  2. Weekly Optimization
    • Adjust security profiles
    • Fine-tune application identification
    • Update security policies based on traffic patterns
  3. Monthly Audits
    • Review unused rules
    • Update documentation
    • Validate backup procedures
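The daily denied-traffic review and the monthly unused-rule audit above, and the pre-migration "top applications by bandwidth" view from the Traffic Analysis section, all come from the same traffic-log export. The script below is an added example and not code from the post or from Palo Alto Networks; its CSV is a constructed, simplified export with only the columns the checks need (real PAN-OS exports carry many more), and the rule names other than the predefined interzone-default are hypothetical.

```python
"""Added example, not code from the original post: review a traffic-log
export for denied flows worth a look, rules that never matched, top
applications by bytes, and sources hitting the default interzone deny."""
import csv
import io
from collections import Counter

# Constructed, simplified traffic-log export (timestamps, addresses, rule
# names and byte counts are made up for this example).
SAMPLE_LOG = """receive_time,src,dst,dport,app,action,rule,bytes
2023-12-21 09:01:12,10.0.1.15,192.168.1.10,443,ssl,allow,intranet-web,18234
2023-12-21 09:01:40,10.0.1.22,192.168.1.10,80,web-browsing,allow,intranet-web,4120
2023-12-21 09:02:03,10.0.2.7,192.168.1.20,1521,oracle,deny,interzone-default,0
2023-12-21 09:02:09,10.0.2.7,192.168.1.20,1521,oracle,deny,interzone-default,0
2023-12-21 09:03:55,10.0.1.15,10.0.0.53,53,dns,allow,internal-dns,512
2023-12-21 09:04:10,10.0.3.3,192.168.1.10,23,telnet,deny,block-legacy-protocols,0
2023-12-21 09:05:01,10.0.1.15,192.168.1.30,5900,vnc-base,deny,interzone-default,0
"""

# Rule names of the migrated rulebase (hypothetical apart from the
# predefined interzone-default rule).
MIGRATED_RULES = ["intranet-web", "internal-dns", "block-legacy-protocols",
                  "erp-to-db", "interzone-default"]


def parse_log(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["dport"] = int(r["dport"])
        r["bytes"] = int(r["bytes"])
    return rows


def denied_summary(rows, top=5):
    """Most frequent denied (dst, port, app) tuples. Repeated denies of a
    business application from one subnet usually mean a legacy rule was not
    migrated; denies of legacy protocols are the new policy doing its job."""
    return Counter((r["dst"], r["dport"], r["app"]) for r in rows
                   if r["action"] == "deny").most_common(top)


def top_apps_by_bytes(rows, top=5):
    """Applications ranked by bytes: the pre-migration bandwidth view."""
    totals = Counter()
    for r in rows:
        totals[r["app"]] += r["bytes"]
    return totals.most_common(top)


def unused_rules(rows, rulebase):
    """Rules with no hits in the log window: candidates for the monthly
    unused-rule audit. Confirm over a full 30-day window and account for
    seasonal or disaster-recovery traffic before deleting anything."""
    hit = {r["rule"] for r in rows}
    return [name for name in rulebase if name not in hit]


def implicit_deny_sources(rows, default_rule="interzone-default"):
    """Sources hitting the default interzone deny, so each can be matched to
    an application owner and a specific rule written only where justified."""
    return sorted({r["src"] for r in rows if r["rule"] == default_rule})


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("denied:", denied_summary(rows))
    print("top apps:", top_apps_by_bytes(rows))
    print("unused rules:", unused_rules(rows, MIGRATED_RULES))
    print("sources on default deny:", implicit_deny_sources(rows))
```

In the constructed sample the two oracle denies from 10.0.2.7 are the kind of finding the daily review exists for: a database client that the legacy firewall allowed and the migrated rulebase does not, while the telnet and VNC denies need no action beyond confirmation.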

Conclusion

A successful Palo Alto migration requires thorough planning, careful execution, and continuous monitoring. Take advantage of the migration to not just replicate your old configuration, but to implement security best practices and optimize your policies.

Remember: migration is not just about moving configuration—it's an opportunity to improve your security posture and operational efficiency.