24\/7 environment: There is no \u2018after-hours\u2019 so every migration effort required significant planning.<\/li>\n<\/ol>\nSection 1: General Firewall Migration Best Practices<\/h2>\n A successful firewall migration hinges on meticulous planning, thorough execution, and diligent post-migration activities.\u00a0 There is no tool that can replace good practices and this section\u2019s intent is to prepare an engineer with skills required to save one\u2019s sanity:<\/p>\n
1. Comprehensive Prep Work:<\/strong><\/p>\n\nPre-migration Cleanup & Optimization:<\/strong>\u00a0Before you even think about moving, clean up your existing firewall. This includes analyzing rule and NAT hit-counts to identify unused or redundant policies, and performing object de-duplication to streamline configurations.\u00a0 Would you move houses without first decluttering and throwing away trash?\u00a0 If not, why would you move stale or irrelevant firewall policy?\u00a0 A good best practice is to make this something the customer is responsible for.\u00a0 Like moving, you can\u2019t declutter indefinitely, so ensure there is a timeline to which the customer is held accountable to.<\/li>\nChange Management:<\/strong>\u00a0Ideally, implement a configuration freeze on the source firewall. If not possible, establish robust change tracking to replicate any new rules or modifications across both the old and new firewalls.<\/li>\nStakeholder Engagement:<\/strong>\u00a0Identify all mission-critical applications and their key stakeholders. Their input is crucial for understanding traffic flows and validating post-migration functionality.<\/li>\nDocumentation is King:<\/strong>\n\nDevelop a detailed\u00a0Method of Procedure (MOP)<\/strong>: Outline every step, including whether you\u2019ll perform a \u2018hard\u2019 cutover or an incremental\/phased migration. Include clear time objectives.<\/li>\nConduct\u00a0Peer Reviews:<\/strong>\u00a0Have multiple eyes on your MOP and configurations.<\/li>\nCreate a\u00a0Thorough Test Plan:<\/strong>\u00a0This isn\u2019t just about testing applications; it\u2019s about testing your\u00a0test plan<\/em>\u00a0itself. Ensure it covers all critical functionalities and edge cases.<\/li>\nDesign a\u00a0Rollback Plan:<\/strong> Always have a clear strategy to revert to the previous state if issues arise.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n2. Flawless Migration Execution:<\/strong><\/p>\n\nConduct a \u2018Dry-Run\u2019:<\/strong>\u00a0If possible, simulate the migration in a test environment to identify potential issues before the actual cutover.<\/li>\nValidate ARP Tables:<\/strong>\u00a0Check ARP tables both before and after the migration to ensure proper network connectivity.<\/li>\nOptimize Critical Traffic:<\/strong>\u00a0Develop pre-filters or \u2018fastpath\u2019 rules for critical applications to ensure their performance isn\u2019t impacted.<\/li>\nPre-stage Monitoring Tools:<\/strong>\u00a0Prepare custom searches and packet captures in advance to quickly diagnose issues during the migration.<\/li>\nOn-Call Support:<\/strong>\u00a0Have application testers and owners readily available or on a dedicated call during the migration window.\u00a0 Important note: These MAY NOT be the same people.\u00a0 Often, we were given testers, who lacked any understanding of how the application worked.\u00a0 Ensure it is well documented where this experience lives.\u00a0 Source\/destination IPs & L4 ports-who knows these low-level details?<\/li>\n3. Post-Migration Activities for Stability & Optimization:<\/strong><\/p>\n\nReview Post-Migration Reports:<\/strong>\u00a0Thoroughly analyze any reports generated by migration tools to identify and address lingering issues.<\/li>\nUpdate Documentation:<\/strong>\u00a0Ensure all network diagrams, policy documents, and operational procedures are updated to reflect the new firewall configuration.<\/li>\nContinuous Monitoring:<\/strong>\u00a0Implement robust monitoring to track performance, security events, and potential anomalies.<\/li>\nTraining and Support:<\/strong>\u00a0Educate your operations team on the new platform and its management.<\/li>\nOngoing Optimization:<\/strong>\u00a0Firewall policies are not static. Regularly review and optimize rules to maintain efficiency and security posture.<\/li>\n<\/ul>\nEnd-to-End Migration Procedure (General Steps):<\/strong><\/p>\n\nDownload and launch the migration tool.<\/li>\n Export the source firewall\u2019s configuration file.<\/li>\n Review the pre-migration report.<\/li>\n Map interfaces, security zones, and interface groups.<\/li>\n Map configurations with applications.<\/li>\n Specify destination parameters and select features for migration.<\/li>\n Optimize, review, and validate the migrated configuration.<\/li>\n Push the migrated configuration to the new firewall\u2019s management center (e.g., FMC).<\/li>\n Deploy the configuration to the firewall.<\/li>\n Download and review the post-migration report.<\/li>\n Configure any additional manual items.<\/li>\n<\/ol>\nSection 2: Key Differences and Migration Strategies from Palo Alto to Cisco Next-Generation Firewalls<\/h2>\n Migrating from Palo Alto Networks to Cisco Secure Firewall brings its own set of nuances, particularly concerning identity integration, policy conversion, and platform-specific capabilities.<\/p>\n
\n Identity Coexistence During Migration:<\/strong><\/li>\n<\/ol>\nA significant challenge is ensuring user identity mappings (e.g., \u201cLisa is 10.14.10.7\u201d) are consistent across both Palo Alto and Cisco firewalls during the interim migration period.<\/p>\n
\nThe Problem:<\/strong>\u00a0Cisco needs to be aware of user-to-IP mappings that Palo Alto\u2019s User-ID agents or VPN gateways already know. Without this, traffic from identified users might be denied by the Cisco firewall because it lacks the necessary context.<\/li>\nSolutions Explored:<\/strong>\n\nDedicated ISE-PIC Deployment:<\/strong>\u00a0While attempted, using an existing ISE deployment for this purpose can be problematic, especially since PassiveID is incompatible with 802.1x Machine Authentication. Note: ISE-PIC has reached End-of-Life.<\/li>\nSyslog Forwarding:<\/strong> A viable strategy involves configuring the Palo Alto VPN firewall to forward Syslog messages containing user-to-IP mappings to Cisco ISE.<\/li>\nActive Directory Agents:<\/strong> Deploying agents on Active Directory servers or terminal servers can help both platforms gather identity information.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\nBy including a mix of syslog forwarding on the PAN VPN firewall and new Cisco agents on the customer AD servers, we were able to migrate a downstream PAN firewall to Cisco.<\/p>\n
Should users be coming from on-premise (passive authentication) or via remote-access VPN, the Cisco firewall will have a user->IP mapping to make sure the appropriate firewall policy is being matched.<\/p>\n
As of Firewall Management Center 7.6, the passive ID functionality is available directly without the need for ISE-PIC (which went EOL on 5\/5\/2025).<\/p>\n
2. Policy Conversion with the Secure Firewall Migration Tool:<\/strong><\/p>\nThe Cisco Secure Firewall migration tool is designed to assist with this transition, but understanding its capabilities and limitations is key.<\/p>\n
\n\n\nExtraction & Combination:<\/strong>\u00a0The tool can extract and combine Palo Alto configurations, identifying elements like Access Control rules, Network\/Port objects, Interfaces, Routes, and Applications.<\/li>\nFeature Selection:<\/strong>\u00a0You can select which components of the configuration (e.g., Interfaces, Routes, Access Control) to migrate.<\/li>\nApplication Mapping:<\/strong>\u00a0It\u2019s crucial to resolve any blank or invalid application mappings. In some cases, you might need to add port-based equivalents if a direct application mapping isn\u2019t available. Resources like Cisco AppID and Palo Alto\u2019s Applipedia can help.<\/li>\nBulk Actions & Optimization:<\/strong>\u00a0The tool facilitates bulk actions and allows for ACL optimization, but remember to pre-stage File and IPS policies in the Cisco Firepower Management Center (FMC).<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n \n\n\nPAN-OS Version:<\/strong>\u00a0The source Palo Alto firewall must be running PAN-OS software version 8.0 or higher for the migration tool to function correctly.<\/li>\nVSYS Migration:<\/strong>\u00a0The tool supports migration of either single or multi-vsys configurations, which are typically merged with VRFs to achieve segmentation in Cisco FTD.<\/li>\nSystem Configuration:<\/strong>\u00a0Critical system configurations, such as Platform Policies (e.g., NTP, SSH access) in FTD, are generally\u00a0not<\/em>\u00a0migrated by the tool and require manual setup.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n4. Specific Challenges and Manual Configurations:<\/strong><\/p>\nSeveral elements require manual attention or have different implementations between the two platforms:<\/p>\n
\nNAT IP and Port Oversubscription:<\/strong>\u00a0Palo Alto can handle higher levels of NAT oversubscription (e.g., 1x, 2x, 4x, 8x reuse of same address\/port). When migrating to Cisco, you often need to increase the PAT pool size to accommodate this.<\/li>\nURL Wildcards:<\/strong>\u00a0Palo Alto uses characters like\u00a0*\u00a0or\u00a0^\u00a0for URL wildcards, whereas Cisco typically supports substring matching (e.g.,\u00a0cisco.com\u00a0instead of\u00a0*.cisco.com). These need adjustment.<\/li>\nNested Object Groups:<\/strong>\u00a0Network and port object groups nested deeper than 10 levels are not supported in Cisco FMC and will need flattening.<\/li>\nIdentity Realm\/Active Directory Integration:<\/strong>\u00a0While newer versions of the migration tool (FMT 7.7+) support AD\/Realm integration, you\u2019ll often need to manually add identity to applicable rules and pre-stage the Realm and AD configurations in the FMC.<\/li>\nNAT Source Replacement:<\/strong>\u00a0Manually replace NAT source in Access Control Policy (ACP) rules with the NAT destination (i.e., swap the translated address with the original destination).<\/li>\nUnmigrated Items Requiring Manual Configuration:<\/strong>\n\nTime-based access control rules.\u00a0 <\/strong>Cisco does not currently <\/em><\/strong>support time-based access control rules.<\/li>\nIdentity-based access control rules:<\/strong>\u00a0You\u2019ll need to explicitly associate identity groups or individual identities.<\/li>\nFQDN objects:<\/strong>\u00a0Especially those starting with or containing special characters. Wildcard FQDNs often need replacement or updates.<\/li>\nURL Filtering Policies:<\/strong>\u00a0Add the respective categories as policies using URL filtering might not translate directly.<\/li>\nApplication Mapping:<\/strong>\u00a0If a rule in Palo Alto used \u201capplication default\u201d for service, it will likely be migrated as \u201cany\u201d service in Cisco, requiring manual refinement.\u00a0 In some case we added port-based equivalents.\n\n\nNegate Rules:<\/strong>\u00a0Palo Alto\u2019s \u201callow X but exclude Y\u201d logic needs to be translated into explicit \u201cdeny\u201d rules in FTD.\u00a0 Cisco does not currently <\/em><\/strong>support negate rules.\u00a0 This was accomplished by simply implementing a \u2018deny\u2019 rule in FTD.<\/li>\nDynamic Routing:<\/strong>\u00a0Requires manual configuration.\u00a0 This will not be ported via the migration tool.<\/li>\nRoute Reflector:<\/strong>\u00a0Add FTD as an eBGP peer manually.\u00a0 More specifically, cisco does not currently (as of this blog posting) support iBGP route reflector configuration.\u00a0 <\/strong>This was overcome by manually configuring a new eBGP autonomous number for the firewall.\u00a0 This also required the additional configuration of \u2018allow-as in\u2019 as there were instances where route propagation hair pinned the firewall.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n5. Partially Supported, Ignored, or Disabled Items:<\/strong><\/p>\nBe aware that certain configurations are not fully supported or are ignored during migration:<\/p>\n
\nManagement Settings (like NTP, SSH access).<\/li>\n Syslog Dynamic Routing.<\/li>\n Service Policies (these often translate to FlexConfig in FTD).<\/li>\n Remote-Access VPN reserved IP addresses (require workarounds via ISE or AD).<\/li>\n Device-Specific Site-to-Site VPN configurations.<\/li>\n Connection log settings.<\/li>\n<\/ul>\nBy adhering to general best practices and understanding these specific differences when migrating from Palo Alto to Cisco Next-Generation Firewalls, organizations can achieve a smoother, more secure, and efficient transition.<\/p>\n<\/p><\/div>\n
Migrating firewalls can be a complex undertaking, often involving intricate policies, critical applications, and the need for seamless transition. This post distills key insights from […]<\/p>\n","protected":false},"author":1,"featured_media":16589,"comment_status":"","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-16588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/comments?post=16588"}],"version-history":[{"count":0,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/posts\/16588\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media\/16589"}],"wp:attachment":[{"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/media?parent=16588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/categories?post=16588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/dmsretail.com\/RetailNews\/wp-json\/wp\/v2\/tags?post=16588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
![\"Retail](\"https:\/\/dmsretail.com\/RetailNews\/wp-content\/uploads\/2022\/05\/RETAIL-ONLINE-TRAINING-728-X-90.png\")
<\/a><\/p>![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/Palo-Alto-1.png\")
![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/Palo-Alto-2.png\")
![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/Palo-Alto-3.jpg\")
![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/Palo-Alto-4-300x226.png\")
![\"\"](\"https:\/\/blogs.cisco.com\/gcs\/ciscoblogs\/1\/2026\/01\/Palo-Alto-5.png\")