0% found this document useful (0 votes)

75 views114 pages

Expedition 2.x Getting - Started - Guide - 20231204

The Expedition 2.0 Getting Started Guide provides comprehensive instructions for installing and using the Expedition tool, including setup via Docker and available features. It outlines the architecture of Expedition 2, detailing its components such as the API, RabbitMQ, and database containers. Additionally, the guide includes troubleshooting tips, contact information, and links to community resources for further assistance.

Uploaded by

ken.vandenbranden

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

75 views114 pages

Expedition 2.x Getting - Started - Guide - 20231204

Uploaded by

ken.vandenbranden

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 114

Palo Alto Networks, Inc.

www.paloaltonetworks.com
© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: May,26th, 2023
Expedition 2.0 Getting Started Guide

Contact Information

Corporate Headquarters:

2
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054

About the Documentation

● For the most recent version of this guide, visit the Expedition Live Community Documentation portal
https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
● Have feedback or questions for us? Leave a comment in the Expedition portal on Expedition 2
section, or write to us at [email protected]

© 2022-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at www.paloaltonetworks.com/company/ trademarks.html. All other marks mentioned herein
may be trademarks of their respective companies.

Last Revised
May, 30th 2023

Policy Manipulations

3
Table of Contents
About This Guide 7
Terminology 7
Expedition 2 Architecture 8
Installation 11
Install Docker Desktop 11
Setup the Expedition Container 11
Verify Expedition container is up and running 13
Update your expedition container when there is a new release 14
Available Features 16
GUI Features 17
Login 17
DASHBOARD 19
PROJECTS 21
Create a Project 21
Import Configuration in the project 23
View Configuration in the project 25
Import and Export Expedition Project 28
Capture a Snapshot of the project 31
Delete Project 33
DEVICES 34
Create a new PAN-OS Device 34
Retrieve running configuration from the PAN-OS device 37
Delete the PAN-OS device 39
Migration Workflow through GUI 40
Start a new migration 41
Select the type of PAN-OS base configuration 41
Import the Vendor Configuration 42
Load the converted configuration into the project 43
Review the project dashboard 44
Address any warnings that appear 44
Review Invalid objects 46
Remove unused objects (Optional) 46
Merge duplicate objects 46
Import a Base configuration (Palo Alto Networks configuration from the device that you are
migrating to) 46

4
Merge the migrated config with the base configuration 47
Download the merged Output in your preferred format (XML, SET Commands) 53
Load generated output onto PAN-OS device 53
Machine Learning Analysis 54
Overview 54
ML Container Token 55
Get the log files into ML Container 55
Enable Log Processing 57
Log Connector Settings 58
Enable Rule Enrichment or Rule Suggestion for a Security Policy 60
Perform Rule Enrichment Analysis 60
Perform Rule Suggestion analysis 63
Agents & Jobs 65
Audit 66
Object Manipulation 66
Expedition objects icons 68
Drag & Drop to add members of the group object 69
Clipboard 70
Policy Manipulation 74
Bulk Change to apply security profiles Group 75
Networks 76
GUI limitations 77
Parser and Migration-related Features 78
Available Parser Vendor Matrix 78
PANser Web Service 80
API Features 82
Available API Features 82
API Documentation and Testing 83
Expedition-API-Scripts Container for sample jupyter notebook scripts 86
Setup Expedition-API-Scripts container 86
Available sample jupyter notebook scripts in Expedition-API scripts container 86
Testing sample jupyter notebook scripts in Expedition-API-Script container 92
Filter 94
Filter Types 95
Single Filter 95

Policy Manipulations

5
Predefined Filters 99
Operations filters 102
Accessing Filter on GUI 103
Clean up Invalid Objects 106
Remove Unused Objects 107
Merge Duplicate Objects 110
Access Expedition Project related files via File manager or Finder 112
Report Bugs and Improvements 113
Known Issues 113
FAQ 114

6
About This Guide

Thank you for your interest and help to improve Expedition 2 ! We are excited about this new version
of the Expedition tool, and looking forward to your participation as we continue to refine the tool.

Through this guide, you will discover available features in Expedition 2 and the features that are in
the roadmap. The guide will also help you to get started with the tool, to download and install the
Expedition container and start testing the tool.

Terminology

The following are a list of terms that may be found when reading this documentation and when
consuming the Expedition features.

Term Description

API An application programming interface (API) is a connection between computers

or between computer programs. It is a type of software interface, offering a
service to other pieces of software.
Expedition offers an API that can be consumed via scripts (in python, PHP, C++,
etc.) and through the Expedition web UI.

PANObject Any object that can be found in a PANOS configuration, including objects (e.g.
addresses, tags), policies (e.g. security rules, application override), network (e.g.
VLANs, VPNs),

Trash Expedition does not fully delete objects from the projects when the DELETE API
action is submitted. Instead, objects are moved to a trash space so it offers a

Policy Manipulations

7
Term Description

chance to restore them if necessary, identify which objects are going to be

removed from a project or allow generating reports on the deleted objects.

Expedition 2 Architecture

The Expedition 2 container image consists of a set of individual containers (see Figure 1) that interact
between each other, being the expedition-api the orchestrator for all workflow interactions. In the
current version Expedition 2.0, the following packages, services and version should be found:

● Expedition-API:
Container is intended to provide a RESTful API that can be consumed by your scripting language
of choice and to present the UI (HTML/JS). The back-end API is developed using the Laravel PHP
framework and served via Apache 2. Also running one or more PHP Agent(s) to support
asynchronous requests that help with the execution of automated tasks and multi-processing
actions. The agents also consume the API and communications with them are performed via
RabbitMQ.

○ Services installed:
■ Apache/2.4.53
■ PHP/7.4.29
○ API (Laravel) logs path:
■ /var/www/html/expedition-api/storage/logs
○ Some configuration files are stored in volumes on the host.

● RabbitMQ:
Container to provide the RabbitMQ service for asynchronous requests. Communications are
performed between web service API calls and PHP agents. Stopping this service will prevent
agents from receiving messages for the execution of blocking or long lasting tasks, such as
downloading configuration files from a PANOS device, doing reverse DNS resolutions,
autoprocessing CSV traffic log files, among others.

○ Services installed:
■ RabbitMQ/3.8

● Expedition-db:

8
Container intended to provide a RDBMS as storage for the application data. Stopping this
container will block all Expedition’s functionalities, as it would interrupt authentication, access to
project information, or auditing.

○ DB files are stored as volumes on the host.

○ Services installed:
■ Maria DB ver. 10.8.2
○ Databases:
■ Projects databases (as exp_XX). A project is a collection of information related to a
specific migration to a device. Each project is stored on a dedicated database within
the same RDBMS.
■ Authentication and authorization database (as pandbRBAC). Database to store
application information such as users, grants and others.
■ Other databases. Additional databases that may be used to contain global values,
such as device capacities, etc.

● Expedition-parsers:
Container intended to provide the parser library and workflows to migrate from third party
vendors to Palo Alto Networks configurations. This container includes mappings for specific
service to configuration conversions when those are not TCP or UDP protocols.

Not directly available to be consumed by the user, but by the Expedition-API container when
migrations are being requested. This container does not expose an API.

This container does not have persistence, therefore all data generated is only available during the
container lifecycle.

○ Services installed:
■ Apache/2.x
■ PHP/7.0

● Expedition-parsers-db:
Helper container for the expedition-parser container to store temporal data needed for parsing
vendor configs. After a migration, the databases are wiped.

○ Without persistence so all data generated is available during the container lifecycle.
○ Services installed:
■ Maria DB ver. 10.2
○ Databases:
■ Projects DB. A project is a collection of information related to a specific migration to a
device. Each project is stored on a dedicated database within the same RDBMS. The
databases resemble the structure used by parsers in Expedition 1.

Policy Manipulations

9
■ PANDBRAC DB. Database to store information required for the migration scripts,
such as name of the project under migration, version of the PANOS target device, and
user controls.

Fig 1. Expedition 2 Architecture diagram showing the different containers and shared volumes

10
Installation

Install Docker Desktop

As Expedition 2 is offered as a container (and dependencies), it would be necessary to have a docker

engine running in your environment.

This document provides instructions on how to utilize Expedition with Docker desktop, although it is
possible to use any docker engine.

Please refer to https://docs.docker.com/desktop/ for details on how to install docker desktop on your
platform or contact your IT Support to help you setting Expedition on a container hosting site.

The Expedition team does not provide support on creating a docker capable environment.

Setup the Expedition Container

Ensure the Docker Desktop is up and running before proceeding with the following steps to setup
the Expedition Container:

1. Access the Google Drive location shared with you, folder install from Release X.Y.Z.

2. Download the following files from the install folder and place them in your workspace, for
example: (for example: Expedition2-Release1 folder):
○ .env
○ docker-compose.yml
○ README.md

3. Download the Expedition Images file, images.zip based on your architecture:

○ For Apple M1 chipset, download m1_images/image.zip file

Policy Manipulations

11
○ For Windows, Intel MAC and others: download intel_images/image.zip file

4. Unzip the downloaded image.zip file in your workspace. The unzip will create a folder named
images containing all Expedition2 images. The file structure should look like the following
screenshot:

5. .env is a hidden file, make sure your file system can display hidden files. Edit the .env file and
update the following two variables:

● MYSQL_ROOT_PASSWORD=
Add your desired password for accessing the Expedition databases. This password could not
be changed later and will be used to encrypt your database. For example, if the desire
password is "paloalto" , update the line to :MYSQL_ROOT_PASSWORD=paloalto

● EXPEDITION2_UI_PORT=443
The Expedition GUI runs on port 443 by default , if you need to change the port # , update the
value accordingly.

6. Open a Command Line Interface( CLI), navigate to the Expedition2-Release1 folder and
execute the following commands: (pay attention to the image name, if you have newer images,
change the file name accordingly in the below command) :

docker load -i images/intel_images/expedition-db_1_0_0.tar;

docker load -i images/intel_images/expedition-api_1_1_0.tar;
docker load -i images/intel_images/expedition-parsers-db_1_0_0.tar;
docker load -i images/intel_images/expedition-parsers_1_0_0.tar

NOTE: On Apple M1 chipset, replace intel_images with m1_images in the above command

12
7. Run the Expedition 2 container using the below command:
docker-compose up -d
8. Wait for one minute , open Google Chrome and access the UI using the following URL:
https://localhost:443(default credentials are: admin/paloalto)
9. To access the Swagger API definition for API purposes, use the following URL:
https://localhost/api/v1/documentation

Verify Expedition container is up and running

Once the expedition-container is up and running, you should see running status on all of the
below 5 sub containers:

expedition-rabbitmq

expedition-db

expedition-parsers-db

expedition-api

expedition-parsers

Policy Manipulations

13
Update your expedition container when there is a new release

Below are the steps to update your expedition container when there is a new release on the docker
images:

1. Access the Google Drive location shared with you, folder update from Release X.Y.Z.

2. Download the following files from the update folder and place them in your workspace, for
example: (for example: Expedition2-Release1 folder):

○ docker-compose.yml
○ README.md

3. Download the Expedition Images file, images.zip based on your architecture:

○ For Apple M1 chipset, download m1_images/image.zip file

14
○ For Windows, Intel MAC and others: download intel_images/image.zip file

4. Unzip the downloaded image.zip file in your workspace. The unzip will create a folder named
images containing the updated Expedition2 images.

5. Stop the container by going to docker desktop GUI, click on the button to stop the
expedition container.

6. In command line (CLI), go inside the expedition2-release1 folder, issue below command to
update the images: (If there are multiple updated images , you will need to issue the same
command for other images as well, just replace the image name in the command )

$ docker load -i images/expedition-api_1_1_0.tar

7. Issue below command to restart the expedition container:

$docker-compose up -d

8. In Docker Desktop, verify all components of the expedition container are up and running

Policy Manipulations

15
Available Features

We recognize that participating in the testing phase of Expedition Beta requires effort and is a
valuable contribution to the Expedition team. Your input helps enhance the tool, accelerates the
identification of potential issues and missing features, and ultimately improves the overall user
experience.

Before you embark on a project expecting final results, it is crucial to understand the tool's current
features. This section outlines the available features in the tool, as well as the functionalities planned
for future releases.

As a tester, evaluate the tool's impact on your current configuration projects and consider how
upcoming features may expedite future projects. If you identify features that have not yet been
implemented or listed for future releases, we encourage you to report these as Feature Requests
through the channels specified in the Report Bugs and Improvements section.

The following features are ready to be testing:

16
GUI Features

Note: We are still working on improving the stability of the user interface, and while it is functional, there
may be some limitations and issues that we are working to address.

Once the container is up and running, you can access Expedition either through scripts that
utilize the API or the provided JavaScript UI. By default, the Expedition UI can be accessed via
a web browser on TCP port 443. If you are running the Expedition API on your desktop and
haven't mapped the web-service port to a different one than TCP/443, you can access the UI
using the following URL: https://localhost

Policy Manipulations

17
The Expedition web-service includes a self-signed SSL certificate. As a result, when accessing
Expedition for the first time using Google Chrome, you may encounter a "Your connection is
not private" warning message. To bypass this warning, simply type "thisisunsafe" on the
screen. Although your typing will not be visible on the UI, Chrome will register the keystrokes
and understand that you are willing to proceed with accessing a self-signed site.

● Login with default Expedition credentials.

18
username=”admin”
password=”paloalto”

DASHBOARD

Let’s explore the Dashboard’s main feature by navigating to Main screen-> Dashboard

Policy Manipulations

19
1. Get Started: This panel provides shortcuts for specific tasks, such as:
● Create a new project: Clicking the shortcut takes you to the project window.
● Import a new PAN-OS device: Clicking the shortcut takes you to the device window.
2. Continue where you left off:

This section lists shortcuts to projects you were previously working on. Click on Open Project:
{your project name}" to access the project.
3. Projects by Tag:

This section displays the number of projects grouped by tag information. For example, if you
have tagged all your Checkpoint >= R80 migrations as cp-r80 and have four projects with
that tag, hovering your mouse over the tag info will display cp-r80-4

4. Projects by User:

This section shows the number of users assigned to specific projects. The view may be limited
to projects you have the rights to participate in.

5. User workload sharing: This panel features three tabs:

● User Availability : Gain insights on the number and percentage of users assigned to
projects, as well as the number of projects each user is working on.
● User Rights: Obtain insights on the number and percentage of users in each of the
three different Expedition system roles: Super Users, Administrators, and Users.
● Last User Login: Access insights on the login activity of Expedition users, identifying
users who have:

.connected during this week

.connected during this month

20
.have not been active during the last 30 days

PROJECTS

The PROJECTS tab takes you to the project window where you can create , edit, delete
projects . Double clicking a project opens it. Let’s go over some use cases:

Create a Project

In Expedition each project has its own database, and you can create as many projects as you
want. To create a new project follow these steps::

Navigate to the PROJECTS tab and click on located on the top right.

In the extended view window that appears, assign a name to your project (project names must have
at least 5 characters)

Policy Manipulations

21
Click to create the project.

● Optional steps during project creation:

○ Provide a description of the project in the Description field.
○ Assign a Tag to the project, for example: assign all your PAN-OS projects with the tag
“paloalto”.
○ Set user permissions for the project. By default , all project are created with admin
role permissions (Read/Write permissions to the project)
○ Assign a specific PAN-OS device to the project in the Device Access tab by checking
the checkbox in front of the device.

22
Import Configuration in the project

● To access a project, double click on the project name. If the project is already
associated with a configuration , the configuration file dropdown will display the
config name for you to select.

● If no configuration is associated with the project, you will see no config selected
next to the configuration selection drop down

● To import an configuration, click the NEW CONFIGURATION tab to either start a new
migration or import a PAN-OS configuration:

Policy Manipulations

23
If you are working on a 3rd party vendor migration project, select START A NEW
MIGRATION. Refer to the Migration Workflow section for more detailed steps.

If you already have a PAN-OS config , and would like to view or refine the pan-os
configuration, there are two ways to import the configuration:

1. Select IMPORT PANOS CONFIGURATION-> IMPORT XML FILES to load the

configuration into the project

2. If you have retrieved the configuration from the PAN-OS device as per the steps in the
DEVICES section, select IMPORT FROM A PANOS DEVICE. Double-click the device to
import the configuration, if you do not see any device in the list , you likely haven’t
assigned the device to the project. Please review the steps on Assigning a PAN-OS
device to the project

24
View Configuration in the project

Once the configuration is selected, you can select the configuration with specific
device group, virtual system, or template you want to view and click on APPLY
CHANGES.

Expedition will load the configuration into the project and direct you to the project
dashboard, which displays the statistics of your configuration:

● Graphic Summary: consist of three charts:

○ Objects and Policies by Device Group: Displays the number of objects,
policies, and networks per device group(vsys).
○ Used vs Unused objects: Displays the number of used and unused objects.
○ Issues per Device Group: Displays issues per device group(vsys.)

Policy Manipulations

25
● SUMMARY TOTAL: A table displaying the total number of objects across all device
groups/vsys.

● SUMMARY BY DEVICE GROUP: A table displaying the total number of objects per
device group/vsys , broken down into individual devices group/vsys. Click + to expand
individual device groups( vsys) or - to collapse specific device groups/vsys.

26
● To view objects and rules, navigate to different tabs. For example, click on OBJECTS ->
Address to view address and address-group objects

You can view objects in the left panel and group objects in the right panel, as shown in the
screenshot.

The same concept applies to other tabs. To view security rules and NAT rules, click on
POLICIES and select either Security or NAT to view corresponding rulesets.

Policy Manipulations

27
For details on actions you can perform on objects and policies, please refer to the sections:

● Object Manipulations
● Policy Manipulations

Import and Export Expedition Project

From the tab IMPORT/EXPORT you can export and import the current Project This is
useful when you want to create a full backup of Expedition or import it into another
instance.

Import a Project:

To Import a project, follow these steps:

1. Create a new Project, assign a NAME , and click on .

28
2. Highlight the project , in the Extended view window, click on the button , then

click on the button to select the file from your desktop. Once the file is

completely uploaded, click on the to save the project .

Policy Manipulations

29
Export a Project:

To export a project, follow this step:

Highlight the project. In the Extended view window , click on the button and
the export project will be downloaded to your local machine with name EXP_xx.zip. You can
then share this exported project.

30
Capture a Snapshot of the project

Expedition 2 introduces two types of snapshots:

Policy Manipulations

31
1. Automatic snapshot:
Expedition automatically takes snapshots during significant changes in the project, such as:
● Before importing a configuration
● Bulk changes to objects or rules
● Moving objects and rules
● Deleting objects and rules
● Before merging vendor-converted config and source configuration

2. Manual snapshot:
Similar to Expedition 1.x, you can take a manual snapshot whenever you desire. To create
manual snapshot, follow these steps:

a. Click SNAPSHOTS icon.

b. Enter Name of the snapshot and description , then click CREATE.

32
In the snapshot window, you can manage snapshots by:

● Loading a snapshot: Select a specific snapshot and click the "load" icon.

● Deleting a snapshot: Select the snapshot and click the icon.

By using these snapshot features, you can better manage your configurations and maintain a history
of changes, allowing you to revert to previous states if needed.

Delete Project

Follow below steps to delete projects:

1. Select the projects you would like to delete , then click on the button to
remove the projects, you can select multiple projects at once:

2. Confirmation window will pop up asking for your confirmation:

Policy Manipulations

33
3. Click on the button to confirm project deletions.

By following these steps, you can delete one or multiple projects from Expedition.
Remember to double-check your selections before confirming the deletion, as this action
cannot be undone.

DEVICES

The DEVICES tab in Expedition allows you to add your Palo Alto Networks devices and import
your Palo Alto Networks firewalls and Panorama configuration to Expedition, enabling you to use
them as a base configuration for making improvements or merge with vendor-converted
configuration.

Create a new PAN-OS Device

Expedition supports all Pan-OS versions since version 4.0 up to 11.0. Let’s follow an example on
how to create a new Device and import the configuration and securely store it on Expedition.

● Add a new Device by navigating to DEVICE , clicking on the CREATE A NEW DEVICE button
located on the top-right from the panel.

34
● In the information tab, enter below informations as required:
○ Device Name: It’s the name you want to call your firewall
○ Model: Palo Alto Networks device model
○ Hostname/IP: IP or name used to connect to your firewall, if it’s a name Expedition needs to
know how to resolve it, check the DNS used by Expedition it's the right one. You can check
from the CLI

$ sudo cat /etc/resolv.conf

○ Port: where the management is running, by default 443

○ Serial #: This field is required and will be used as an Index to use the right one.
○ Serial # HA: In case this firewall or Panorama is part of a Cluster you can set the HA serial. This
will matter for the Machine Learning module which will be explained in another chapter of
this document. (Optional)

Policy Manipulations

35
● After entering all the required info, click on the to add the device first.
● Once the Device has been created and listed from the Devices view we have to edit and add the
credentials to retrieve the contents like applications database, system information and the
configuration. Select the device and expand the extended view on the right to edit it , click on the +
to expand the Authentication section :

● Click the ADD NEW API KEYS purple button, this will bring up a sub window, let’s select Role & API
Keys to add firewall login credentials and Expedition will make a request to the firewall to generate a
new API key.
○ Role and Apply all Roles: When you add a new API Key this can be attached to a Role inside
Expedition, that means when you have a user from Expedition with Role admin inside one
Project and that user tries to push changes using API Keys Expedition will use the API Key
based on the user’s Role in this example admin. If you didn’t add an API key to the admin role
that user will be unable to send any API Call out. For small environments where you will have
only one user and it will be admin there is no need to check the Apply all Roles and keep that
key only attached to the admin Role.

● Notice the generated API Key will be valid as long as the user doesn't change the password from the
firewall. Click on the SAVE KEYS to add a new API Keys

36
● Once the API keys are successfully added , you will see API KEY Registered✅

Retrieve running configuration from the PAN-OS device

● Expand Contents-> RETRIEVE CONTENTS -> Running Configuration, Expedition will make an API
call to pull down running configuration from the firewall or panorama..

Policy Manipulations

37
● Optional steps for Panorama device, Expand Panorama Devices-> RETRIEVE DEVICES, Expedition
will make an API call to retrieve all the connected devices that’s managed by the panorama

● All edits on the device have been completed. click on to save the changes.

38
● If you have already created a Device, you can select it from the Device Access box. By selecting a
firewall or panorama in the device access box, you are forcing Expedition to import the same
Applications database to your project, that Applications database was downloaded to Expedition at
the same time when the configuration was retrieved. As a result, your Project will have the same
applications database as your Firewall.

Delete the PAN-OS device

When done with the project, and the pan-os device is no longer needed, you can select PAN-OS

devices from the DEVICES view, click to delete the devices.

Policy Manipulations

39
Migration Workflow through GUI

Expedition streamlines the process of migrating configuration elements from other security vendors
and converting them into a Palo Alto Networks configuration. This reduces the time and potential
errors associated with manual migration. However, the results should always be reviewed by a
professional familiar with both the original vendor and Palo Alto Networks technologies. The
migration workflow is as follows:

Start a new migration

Select the type of PAN-OS base configuration
Import the vendor configuration
Load the converted configuration into the project
Review the project dashboard
Address any warnings that appear
Review Invalid objects
Remove unused objects
Merge duplicate objects
Import a Base configuration (Palo Alto Networks configuration from the device that you are
migrating to)
Merge the migrated config with the base configuration
Download the merged Output in your preferred format (XML, SET Commands)
Load generated output onto PAN-OS device

40
Start a new migration

To start a new migration, first create a project and enter it by double-clicking on the project
name. Once inside the project, click on NEW CONFIGURATION followed by START A NEW
MIGRATION.

Select the type of PAN-OS base configuration

Choose the type of PAN-OS base configuration you'd like to use for your migration. In
Expedition 2.x, a default PAN-OS v10.1.x base configuration is provided for your convenience. Decide
whether you want to merge the converted configuration with a Firewall base config or a Panorama
base configuration.

Policy Manipulations

41
Once you select the type of baseconfig, click START MIGRATION

Import the Vendor Configuration

● Click on the vendor name to select the vendor configuration you wish to migrate. Assign a
name to the configuration file, browse to the file location on your local drive.

● If you are merging with a Panorama config later, it is recommended to use the VSYS name
that your Panorama template belongs to. For example, you can name your configuration file
vsys1.

42
● Click UPLOAD & MIGRATE to upload the vendor configuration.

Load the converted configuration into the project

Once the migration is complete, you will receive a Migration completed message. To load
the migrated configuration into the same project, navigate to the configuration section at the
top of the page.

Policy Manipulations

43
After selecting the configuration file, if you've chosen a firewall configuration as the base, you
will be prompted to select vsys name ex : vsys1. If a Panorama base configuration was
selected, you will be prompted to choose a device group and template section.

Review the project dashboard

After the configuration is loaded, you will be directed to the project dashboard, which
displays a summary of object counts. Please review the information provided in View
Configuration in the project

Address any warnings that appear

Address any warnings that emerge by navigating to the Warning page. These warnings are
automatically generated during the conversion of your vendor config, and it's essential to
review and resolve them as necessary.

44
Examine the action column for suggested actions. If the action column is not visible, hover
your mouse over any column, click the downward arrow, and ensure that the checkbox next
to action is checked.

Policy Manipulations

45
Review Invalid objects

In the Expedition 2 parser, while converting the vendor configuration, the parser automatically
searches for and replaces invalid service objects with the corresponding APP-IDs defined in the service
mapping file. For more details, refer to the Available Parser Vendor Matrix. If the invalid service objects are
not defined in the vendor service file, you will need to manually review and replace them with the
appropriate service objects with ports or APP-IDs. Please refer to the Clean up Invalid Objects section in the
documentation for guidance.

Please note that the search and replace function is still under development. However, this feature is
available in the API, and you can write a script to replace invalid objects with APP-IDs.

Remove unused objects (Optional)

If you would like to remove unused objects, you can first apply a filter to identify these
objects. Then, take action to remove all or some of the unused objects as needed. For more details on how
to remove unused objects, please refer to the Remove Unused Objects section in the documentation.

Merge duplicate objects

Due to PAN-OS not accepting objects with the same name, it is necessary to address this issue. First,
apply a filter to identify objects with duplicate names. Then, take action to merge all objects with duplicate
names as needed. For more details on how to merge duplicate objects, please refer to the Merge Duplicate
Objects section for details

Import a Base configuration (Palo Alto Networks configuration from the device that
you are migrating to)

● Click NEW CONFIGURATION click IMPORT PANOS CONFIGURATION on the right panel.
This will allow you to import your existing PAN-OS configuration file into the tool.

46
● There are two methods to import your PAN-OS baseconfig :
1. IMPORT XML FILE - Manually download the running config from the PAN-OS device
to your local drive, and import the PAN-OS configuration from your local drive.

2. IMPORT FROM A PANOS DEVICE - Retrieve the running configuration from the device
tab when you have added the PAN-OS device in the project . For more details on adding a
PAN-OS device, please refer to the Create a new PAN-OS Device section in the
documentation.

Merge the migrated config with the base configuration

If you would like to merge the converted configuration with your PAN-OS base configuration,
navigate to the main interface and click on TOOLS followed by MERGE CONFIGURATION.
This feature allows you to combine the converted configuration with your existing PAN-OS
base configuration, ensuring a seamless integration.

Policy Manipulations

47
To merge the configuration, follow these steps:

1. Select the PAN-OS base config from the base config dropdown, the base config will be
displayed on the right panel, if it’s a panorama config, the device group hierarchy will be
displayed. Template hierarchy will not be displayed. This allows you to view and manage
configuration for specific device groups.

2. Select your vendor migrated config from the config to merge dropdown on the left panel.

48
3. Perform mapping on each section of configuration. This may include objects, policies, and
networks. Review each section carefully, ensuring that the settings from the migrated
configuration are mapped correctly to the PAN-OS base configuration.

You could select the DG and Template you want to merge every section of the
configuration on the top like below screenshot , map all objects and policies to Device
Group DG1 , and all networks configuration to Template1.

If you are merging with a firewall configuration, all configurations will be mapped to
the VSYS name that came from your base configuration.

4. Click to apply mapping. You will see the mapping display similar to the screenshot
provided , you can manually change the mapping if necessary , such as mapping objects in
the shared section of the vendor configuration to shared in the Panorama base
configuration.

Policy Manipulations

49
5. After applying mapping to all sections of the configuration, click icon on each of the
sections. You will see a green checkmark next to the mapped configuration sections,
indicating successful mapping. You only need to map the main folder (eg: shared, vsys1,
default folder), as all the configuration under the folder will be mapped to the same Device
group or template as the main folder.

50
6. After mapping is done, click to start merging the configuration. Click Yes to
confirm merge.

7. The system will start merging the configurations based on the mapping you have set up. This
process may take some time, depending on the complexity and size of the configurations.
Once the merge is complete, you can review the merged configuration to ensure everything
has been properly combined. When merging is done, will changed to indicating
successfully merging.

8. After the merge is complete, you will see a reminder like the one shown in the screenshot.
This reminder serves as a prompt to carefully review the merged configuration and check for
any issues. Specifically, you should:

Policy Manipulations

51
1. Ensure there are no duplicate objects: Review the merged configuration to identify
and remove any duplicate objects that might have been created during the merging
process.
2. Verify Interfaces and Zones: Check that the interfaces and zones under the Template
are assigned with the correct VSYS name. This is crucial to maintain proper network
segmentation and functionality.

By thoroughly reviewing the merged configuration and addressing any potential issues, you
will maintain consistency across your network configurations and ensure your PAN-OS
configuration is committable.

If the VSYS name was not correctly assigned to interfaces and zones during the merge, you can
apply bulk changes to assign the correct VSYS name using the following steps:

1. For Interfaces:
a. Select the interfaces you want to re-assign the VSYS name.
b. Navigate to the Bulk Change option in the Extended view window.
c. Select VSYS Name from the drop-down menu.
d. Choose the proper VSYS name for the selected interfaces and apply the changes.

2. For Zones:

a. Select the Zones you want to re-assign the VSYS name.

b. Navigate to the Bulk Change option in the Extended view window.
c. Select VSYS Name from the drop-down menu.
d. Choose the proper VSYS name for the selected zones and apply the changes.

52
Download the merged Output in your preferred format (XML, SET Commands)

After the configurations are merged, follow these steps to generate and download the output:

1. Click to access the download page

2. Click to generate the merged configuration

3. Navigate to the Download sections, where you will find four types of output available for
download:
● XML reduced - An XML file that’s reduced in size. you can load this version of xml file directly
onto a PAN-OS device.
● Set Command - Set commands for the entire configuration.
● XML - A pretty format of the XML file , which is easy to read, you can load this version of xml
file directly onto a PAN-OS device.
● All - A Zip folder containing all of the three of the outputs mentioned above.

Load generated output onto PAN-OS device

After download the output file, you can choose one of the following methods to load the
configuration onto you PAN-OS device:

1. Load the full xml file onto a PAN-OS device via PAN-OS GUI: This method is best suited for
greenfield deployment. To do this, follow these steps:
Log in to the PAN-OS GUI.
Go to Device > Setup > Operations.

Policy Manipulations

53
Under the Configuration Management section, click Import named configuration
snapshot and select the downloaded XML file.
Click Load named configuration snapshot, choose the imported configuration, and
then click OK to load it.
Commit to the PAN-OS device.

2. Use the Load Config Partial command from the CLI of the PAN-OS device to load selected
sections of the configuration: This method is best suited for merging with production
Panorama devices to avoid conflicts. To do this, follow these steps:

Log in to the PAN-OS GUI.

Go to Device > Setup > Operations.
Under the Configuration Management section, click Import named configuration
snapshot and select the downloaded XML file.
Connect to the PAN-OS device CLI.
Enter the configure mode by typing configure.
Execute the command load config partial from <filename> mode merge from-xpath
<source_xpath> to-xpath <destination_xpath> with the appropriate file name and
XPaths.
Commit the changes using the commit command.

3. Copy and paste the set command provided in the PAN-OS CLI. This method is suitable for
loading specific settings or objects without replacing the entire configuration. To do this,
follow these steps:

Connect to the PAN-OS device CLI.

Enter the configure mode by typing configure.
Copy the set commands from the downloaded output file and paste them into the
PAN-OS device CLI.
Commit the changes using the commit command.

Machine Learning Analysis

Overview
Machine learning features described below require the PANOS firewall logs stored and
processed in the ML container. There are 2 types of Machine learning analysis that can be
performed:

a. Rule Enrichment: This feature is used to tighten existing security policies to remove
“any” in security policies. For example, you have a security policy that contains “any”
in either applications, users, zones, or services fields. This feature will auto discover
APP-ID and service port info in the firewall traffic logs to see if it matched the

54
application-default ports and help you to tighten your security policies to replace
“any '' with correct APP-ID and service ports in the security policy.
b. Rule Suggestion: This feature will suggest new sets of security policies based on
analysis of the firewall traffic logs. It is often used in Greenfield deployment or when
you have a set of rules that’s more permissive than required and you don’t know
what security policies are required. This process will identify servers, consumers and
provide all the security policies including source, destinations, APP-ID, and
service-ports.

ML Container Token
When setting up the ML container, the steps provided in the README file for the docker
container can be used to generate the token by the ML Container Admin. This token should be
added on Expedition2 UI to allow it to communicate with the ML container.

1. On Expedition2 UI, navigate to System Settings -> T. Analytics

2. Enter ML Container Address and ML Token and Save

Get the log files into ML Container

There are multiple ways to get the logs into the ML container

1. Scheduled Log Export from NGFW Firewall

Details about configuring ‘Scheduled Log Export’ functionality on Palo Alto
Networks Firewalls is here:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-sc
heduled-log-export

Policy Manipulations

55
Note: The PA-7000 Series and Panorama devices do not offer such log Export functionality
or it is limited to the first 1.000.000 entries

a. Select ‘traffic’ for log type

b. Enter the ML container IP or DNS hostname in the hostname field
c. Scheduled Export Start Time to specify when to start the export. It is recommended
to schedule this in off-peak hours to minimize load on the firewall
d. Specify the destination folder as /PALogs or a sub-directory within /PALogs
e. Specify the username and password to access the ML container (Default:
expedition/paloalto). It is highly recommended to change the password.
f. Run the following command to ensure the correct write privileges are set fo the
/PALogs folder: chown -R expedition.www-data /PALogs

2. Manually Export Logs from Firewall and Upload to ML Container

a. On the Palo Alto Networks Firewall, navigate to the Monitor tab and export the logs
in CSV format.
b. Upload the CSV file to the ML Container. This can be achieved in one of 2 ways:
i. Using SFTP
● SFTP to the ML container using the ‘expedition’ user:
‘sftp expedition@<ml-container-ip>’
● Navigate to /PALogs: ‘cd /PALogs’
● Upload the csv file: ‘put <filename>’
● On ML Container, validate the permissions or execute the following
command to ensure the right permissions are set:
chown -R expedition.www-data /PALogs
ii. Copy log files from Docker host to ML container

56
● Start at the folder with the docker-compose.yml for the ML container.
● Navigate to . /runtime/PALogs. Sub-directories can be created within
this folder
● Copy the log files into this folder
● On ML Container, validate the permissions or execute the following
command to ensure the right permissions are set:
chown -R expedition.www-data /PALogs

3. Setup ML container as Syslog Server

The ML container runs a Syslog server to receive logs from the Palo Alto Networks
firewalls. This service is running at startup. The firewall needs to be set up to submit traffic log
entries to the ML Container using Log Forwarding Profile.

Enable Log Processing

Log processing is performed under devices. This converts the log files into a format that is
easy for the machine learning modules to analyze.

1. Under the Devices menu, select the device.

Policy Manipulations

57
2. Go to the T.Analytics section in the ‘Extended View’ of the device
3. Select the following parameters:
a. Label: Specify the path where the log lines are available within the container.
b. After Process: Select between Nothing, Compress and Delete for automatic post
processing of log file.
i. Nothing: Log files will remain in the folder even after they are processed
ii. Compress: Log files will be compressed after processing
iii. Delete: Log files will be deleted after processing
c. AutoProcess CSV Log files: When selected, these logs are auto-processed daily at a
specified time .
This specified time is configured using an environment variable
ML_AUTO_LOG_PROCESS defined within /var/www/html/.env in the expedition-ml
container. Default value is 23 GMT.
d. Log files come from syslog: When selected, log processing is not done for the
current date since logs are received in real time.
e. Select ‘Update’ to set these values
f. Click the icon at the bottom right of the ‘List of Files in Folder’ section to view all
the log files available for the device based on the specified path. If required, the log
processing can be triggered at any time instead of waiting for the once in a day
auto-processing. Click the drop-down beside the “PROCESS PENDING FILES” button
to get the options:

i. Process Pending Files: To process all the pending files in the specified path
for the device
ii. Process Selected Files: Process only specific files from the list selected using
the checkbox

Note: The log processing can take a long time depending on the volume of logs to process.

This completes the settings needed under devices. The logs are available in a format used by the
machine learning module to perform the analysis. The rest of the steps should be done within the
project.

Log Connector Settings

This step is needed to allow the project to access the logs processed for a device. Navigate into the
project with the required configurations imported (Steps provided under GUI Features ->
Projects section above)

58
1. In the project, go to ‘log settings’ menu:

a. Select ‘Traffic Analytics’

b. Select ‘Log Settings’

2. Configure Log Connector Settings:

3. Select ‘Log Connector Settings’ (Selected by default)

4. Add new Log connector by clicking the ‘+’ icon
5. In the ‘Extended View’, enter the following log connector details
a. Log Connector Name
b. PANOS Device (Select imported device from drop down list)

Policy Manipulations

59
c. Source Config (Select source configuration from the drop down list)
d. Virtual System (Select vsys from the drop down list)
e. Period of Study (Select time frame to run the machine learning analysis)
6. Click ‘Create’ to complete Log Connector Settings

Enable Rule Enrichment or Rule Suggestion for a Security Policy

a. Select ‘Policies’ to get the list of policies

b. Select the specific policy to run the machine learning features
c. In the ‘Extended View’, scroll down within the ‘Security Rule’ tab under ‘Details’.
d. Select either ‘Rule Enrichment’ or ‘Rule Suggestion’ and click ‘Update’.

This enables the required Machine learning feature for the rule. But, the analysis hasn't started yet.
Repeat these steps as required for additional rules.

Perform Rule Enrichment Analysis

1. Select ‘Rule Enrichment’ under ‘Traffic Analytics’

2. Go to ‘Analyze Data’ in the ‘Extended View’

a. Select the timeframe to run the analysis. There should be logs available from the
previous steps for the device serial number in the selected time frame to get
appropriate recommendations.

60
b. Specify minimum thresholds to ignore logs from the analysis

c. Select the dropdown button to the right side of ‘Analyze Data’. A pop-up should give
the list of log connectors available in the project. Select the required log connector
and click ‘Analyze Data’

3. Once analysis is complete, the rules recommended by the Rule Enrichment analysis are
displayed. This can be a long task depending on the volume of logs analyzed. The
recommended rules are grouped by the parent rule used to initiate the analysis.

Policy Manipulations

61
4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ field is applicable only if Networks/24
consolidation is selected in source or destination. The number specified is the
minimum of IP’s needed to consolidate to a /24 subnet.
d. Template selection is needed only if Zones are selected for the import
e. We can also select if the rules should replace the existing rule or be imported as new
cloned rules placed above the existing rule.

5. Once these options are selected, select Import.

62
Perform Rule Suggestion analysis
1. Select ‘Rule Suggestion’ under ‘Traffic Analytics’

2. Go to ‘Analyze Data’ in the ‘Extended View’

a. Select the timeframe to run the analysis. There should be logs available from the
previous steps for the device serial number in the selected time frame to get
appropriate recommendations.
b. Specify minimum thresholds to ignore logs from the analysis

Policy Manipulations

63
3. Once analysis is complete, the rules recommended by the Rule Suggestion analysis are
displayed. This can be a long task depending on the volume of logs analyzed.
4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ field is applicable only if Networks/24
consolidation is selected in source or destination. The number specified is the
minimum of of IP’s needed to consolidate to a /24 subnet
d. Template selection is needed only if Zones are selected for the import

5. Once these options are selected, select Import.

64
Agents & Jobs

The Agents & Jobs tab provides information about the status of agents and status of jobs.
Here’s a general overview of what you will find in Agents & Jobs tab:

1. Agent status window

This window displays the current status of agents and their associated job information. You
can perform actions such as restarting an agent, if needed, by clicking on the power button located
on the right side of the agent's status row.

2. Jobs status window

This window displays all jobs that have been executed or are pending based on their current
status. You can review the job status by applying filters to show specific types of jobs:

Completed: Jobs that have successfully finished execution.

Failed: Jobs that encountered errors and could not complete successfully.

Policy Manipulations

65
Running: Jobs that are currently in progress.

Pending: Jobs that are scheduled to run but have not yet started.

Canceled: Jobs that have been manually canceled by the user.

To cancel a pending job, highlight the desired job in the list, and click on the

button. This will stop the selected job from executing and update its status to
"Canceled."

Audit

On the audit page, any API calls made in the background will be listed along with the API
route and action. You can filter the API calls by selecting the action type, such as get, put, post, etc.

Object Manipulation

Object Manipulations in PAN-OS management tools allow users to perform various functions on
PAN-OS objects, helping to maintain an organized, efficient, and secure configuration. Some of the
functions that can be performed using Object Manipulations include:

66
● Clean up unused address/service objects: This function helps identify and remove objects
that are not being used in any security policies or NAT rules, helping to declutter and
streamline the configuration.
● Move objects from device group to shared: This function enables users to move objects from
a specific device group to a shared location, making the objects accessible and reusable
across multiple device groups.
● Merge duplicate objects by name or/and value: This function helps identify and merge
duplicate objects with the same name or value, reducing redundancy and simplifying
management.
● Apply prefix/suffix to object names: This function allows users to add a prefix or suffix to the
names of selected objects, helping to standardize naming conventions and improve the
organization of objects.
● Rename objects: Users can rename objects to maintain consistency and follow naming
conventions across the configuration.
● Drag and Drop objects to group objects: This function enables users to easily organize and
manage objects by allowing them to add sets of objects as members of group objects. By
using the drag and drop feature, administrators can quickly and efficiently group related
objects together, which simplifies policy management and enhances overall configuration
organization.

Table1: Objects Manipulations Available on GUI (N/A = Not Applicable)

Log
Address Service Apps Apps Forward.
Function Address Group Service Group Apps Filter Groups Contents Regions Tags Profile

Custom XML XML

Add ✔ ✔ ✔ ✔ App-ID ✔ ✔ format ✔ ✔ format
only only only
Custom XML XML
Edit ✔ ✔ ✔ ✔ App-ID ✔ ✔ format ✔ ✔ format
only only only
Non-pre Custom Non-pre Non-pr Non-pre Non-pre
Delete ✔ ✔ defined ✔ App-ID ✔ ✔ defined edefine defined defined
only only only d only only only

Clone ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Copy to ✔ ✔ ✔ ✔ ✔
clipboard

Policy Manipulations

67
Past from ✔ ✔ ✔ ✔ ✔
clipboard

Bulk ✔ ✔ ✔ ✔ ✔
Changes

Convert to ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
shared
Add
Prefix/suffix/r
✔ ✔ ✔ ✔ ✔ ✔ ✔ N/A ✔
eplace object
name

Add/Delete ✔ ✔ ✔ ✔ ✔ N/A N/A N/A N/A N/A N/A

Tag

Predefined ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
filters
Drag and
Drop to ✔ ✔ ✔ ✔ ✔ ✔ ✔ N/A N/A N/A
Group

Here are some use cases demonstrating the benefits of Expedition object manipulation functions in
real-world scenarios:

Expedition objects icons

Expedition 2.x has brand new interfaces and Icons then Expedition 1.x . The following table
provides the meanings of various icons:

Table2: Expedition Objects Icons

Icon Descriptions

Objects utilized more than five times in the configuration.

Objects used fewer than 5 times in the configuration; the red number indicates
usage (e.g., a red number of 2 signifies that the object has been used twice in the
configuration).

Unused objects refer to objects not referenced in the configuration.

68
TCP protocol service object(connection-based protocol ).

UDP protocol service object(connectionless).

Objects or rules with issues that require further examination. When you click on
these objects, a detailed warning message will be displayed in the warning section
of the Extended View window.

Drag & Drop to add members of the group object

When adding address object on the left panel to group object on the right panel, you could
use drag and drop function, for example: To add below two address objects : 10.3.0.254/16 and
10.4.203.253/24 to the address group object AG1, follow these steps:

● Navigate to the Objects section where you can view individual address objects and the
corresponding address group objects.
● Click on the address group object AG1 to bring up the extended view window. Locate the
Members field in the extended view window.
● In the left panel, find and highlight the address objects you want to add as members of AG1 (
in this case, 10.3.0.254/16 and 10.4.203.253/24)
● Click and hold the left mouse button on the highlighted address objects , then drag and drop
them to the Members field of the address group object AG1 in the extended view window.
● Click Update to update the address group object AG1.

Policy Manipulations

69
Clipboard

Clipboard is a helpful feature introduced in Expedition 2.x, which simplifies the process of copying
and pasting objects within your PAN-OS configuration. The clipboard allows you to easily transfer
objects between different sections , streamlining object management and improving overall
organization.

For the objects support copy and paste between clipboard , you can select the object click icon
on the menu bar , Expedition will copy the selected objects in the clipboard , and when you move

your cursor to the objects you would like to paste the objects to, click to paste the object from
the clipboard.

Let’s go over an example on copy selected address objects and past it onto a address group object as
members:

1. Select address objects from the OBJECTS -> ADDRESS

70
2. Click on the menu bar

3. Click CLIPBOARD on the lower left section

Policy Manipulations

71
4. Verify the clipboard contain the three copied address objects:

5. Select Address Group object by clicking on it. The Extended View will open on the right side
of the screen. In the Extended View, locate the MEMBERS section where you can manage the
address objects associated with the selected address group.

6. Click the icon to paste the copied address objects from the clipboard. The previously
copied address objects will immediately appear in the MEMBERS section of the address
group.

72
7. Click to save the changes
8. Every time you copy new objects into clipboard, it will overwrite the objects in the clipboard,

or you can click to clean up the selected objects in clipboard:

Policy Manipulations

73
Policy Manipulation

Policy Manipulations is a major feature of PAN-OS configuration management feature , user can
leverage this feature to perform below functions on Security/NAT/Application Policies: Example
includes: Remove unused rules, merge duplicate rules, bulk changes to apply security profile
groups, tags, descriptions, User-ID, etc. This feature provides users with greater flexibility and control
over their policies, allowing them to make changes quickly and efficiently, which can ultimately help
to improve their overall network security posture.

Table3: Policies Manipulations (N/A = Not Applicable)

Function Security Policy NAT Policy

Add ✔ ✔

Edit ✔ ✔

Delete ✔ ✔

Clone ✔ ✔

Convert to shared ✔ ✔

Add Prefix/suffix/replace policy name ✔ ✔

Predefined filters ✔ ✔

✔ ✔
Rule Name manipulation1

1
Clear, Rename, Fix Duplicate

74
✔ ✔
Enabled Bulk Changes

Tag Bulk Changes2 ✔ ✔

Other Bulk Changes3 ✔ N/A

Policy Manipulations in Expedition 2.x can be used in various scenarios to optimize and manage PAN-OS
configurations. Here are some common use cases:

Bulk Change to apply security profiles Group

Applying Security Profiles consistently: Security Profiles and Security Profile Groups are
essential for protecting your network. Policy Manipulations can be used to apply Security Profiles
consistently across multiple rules, ensuring your policies are secure and up-to-date.

1. Navigate to POLICIES -> SECURITY

2. Highlight the security policies you would like to apply bulk change

2
Add/Delete Tag, Add delete Group Tags
3
Append/Prepend Descriptions, Add/Delete Source/Destination Zone, Add/Remove Log Forwarding Profile, Add/Delete
Security Profile Group, Enable/Disable Log at session start/end, Enable/Disable DSRI

Policy Manipulations

75
3. In the extended view window on the right , you can then scroll down to the Security profile

group section , and select the security profile group from the dropdown , click

Networks

Most of the network configuration changes can be done in the Expedition project, you can perform
changes on below sections of network configurations if required. Examples include: Rename
interface to different interface name, change interface type, etc.

76
Table4: Sections of network configurations

Features Descriptions

Interface Add/Edit/Rename/Delete interface

Configuration Define Interface type, tag. link speed, duplex and state,
Assign static and dynamic IP v4 address (DHCP client)
Assign interface to VR, Vsys, and Zone
Assign management profile to interface

Zone Configuration Add/Edit/Delete zones

Assign interfaces for Zone
Enable Packet Buffer Protection and User-ID

Virtual Router Add/Edit/Delete VR

Configuration Assigned interfaces to VR
Add/Edit/Remove Static routes in VR configuration

GUI limitations

While Expedition 2.x provides a powerful GUI for managing and optimizing PAN-OS
configurations, there are certain features that are not currently available in the GUI. These
features can be accessed and utilized through the API:

● Pushing Configuration to PAN-OS Device: The GUI does not provide the option to directly
push configurations to PAN-OS devices like Expedition 1.x does. You can use the three
methods listed in the Load generated output onto the PAN-OS device section.
● Machine Learning (ML) and Rule Enrichment (RE) features: Expedition's ML and RE
features, which can analyze traffic logs and refine your security policies are under
development.

Despite these limitations in the GUI, Expedition's API provides a flexible and powerful way to
access and use these features. By leveraging the API, you can further enhance and optimize
your PAN-OS configuration management and take full advantage of Expedition's capabilities.

Policy Manipulations

77
Parser and Migration-related Features

The Expedition Parser plays a crucial role in this process by parsing and converting configurations
from various vendors into a format compatible with PAN-OS. Here's an overview of the migration
capabilities currently available in the Expedition-Parser, as well as features planned for future
releases:

Available Parser Vendor Matrix

Expedition 2 builds upon the migration parsers from the Migration Tool and Expedition 1, improving
the migration process and offering additional functionalities. One such enhancement is the
autocorrection of invalid service objects from third-party vendor configurations. This feature maps
these services to corresponding tcp-udp services or equivalent Palo Alto Networks applications.

The conversion information for these predefined third-party vendor services is stored in CSV files
located in the following filesystem paths:

● For individual services objects: /var/www/html/contents/parsers/VENDOR-services.csv

● For service groups: /var/www/html/contents/parsers/VENDOR-groups.csv

Table5: Supported Vendor Matrix

78
Vendor Supported Global Addr. Addr. Serv. Serv. Sec. NAT Net. Int. Static VPN
Vendor OS Addr. Obj. Group Obj. Group Pol. Pol. (L3) route
Object Obj. Obj. s
Checkpoint R75, R77 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
>=R80 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco ASA 9.0, 9.1, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
9.6, 8.2, 8.4
FirePower ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
[only in ASA
syntax]
Fortinet Fortigate 4.0, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
5.0, 6.0
IBM XGS 5.1 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Juniper All ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Netscreen
firewalls
(ScreenOS)
Junos 11.4, ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
12.1, 12.3
Forcepoint Sidewinder ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Stonesoft ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Below Vendors are supported by Panser Web Services

Sonicwall >=v.7.0 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

Cisco ASA >=8.4 ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

All sub features of Expedition Parser

The Expedition Parser performs several features during the conversion stage to ensure a smooth and
efficient migration process. Here are some of the most important conversion features:

Policy Manipulations

79
Table6: All sub features of Expedition Parser

Features Descriptions

Migration logs Expedition will provide detailed migration logs, it will show errors on the items
not migrated and/or those that need manual checking. Logs will include
notifications in case automated actions have taken place to generate a valid
configuration, such as trimming object names to fit length limitations. You can
access migration logs under the “Warning” tab

Auto fix invalid Expedition will auto replace invalid service objects with APP-ID when possible.
service objects Otherwise, it will report Errors on the migration logs.
Example, replace icmp service object with APP-ID- ICMP.
Also, it will provide a mapping from predefined services in third party vendors to
the known tcp/udp services.

Auto Remap Auto Remap Network Interface name to PAN-OS network interface naming
network convention. Example: GigabitEthernet1/1 will be converted to Ethernet1/1. Check
Interface name interface rename activities in the “Warning” section.

AutoZone When converting from a non zone-based firewall, Expedition will auto assign
zone names based on interface name and provided routing tables. Zone names
may have a numeric value.

Auto split Support for auto splitting bi-directional NAT rules into two separate rules with
bi-directional their according Zones and corrected IPs if necessary.
NAT rules

Support Replace Cisco DM_inline group object by member objects in the security rule to
migration of improve their readability.
Cisco DM_Inline
group objects

PANser Web Service

PANser Web Service is a standalone Docker image container developed by the Migration Factory
team within the Palo Alto Networks Professional Services department. The primary function of
PANser is to parse and transform third-party vendor configurations into PAN-OS compatible
configurations.

80
Expedition uses PANser as its parsing tool, and the converted data is stored within Expedition's
database rather than in PANser's storage. This integration streamlines the migration process and
enables users to manage and optimize the converted configurations using Expedition's powerful
features.

As of now, PANser supports the following third-party vendors:

SonicWall: PANser can parse and convert configurations from SonicWall firewalls with firmware
versions 7.0 and later.

Cisco: PANser supports the conversion of configurations from Cisco firewalls, allowing users to
migrate their configurations to Palo Alto Networks firewalls seamlessly. For cisco migration, users can
select whether they want to use expedition parser or PANser parser.

The support for additional vendors may be added in future releases, further enhancing PANser's
capabilities and making it even more versatile for users looking to migrate their firewall
configurations to Palo Alto Networks firewalls.

To enable Expedition using Panser Web Service for Expedition unsupported vendor migration:

Here are the Steps:

1. Setting up the Panser web service Docker container, please refer to the readme in the
downloaded package.

2. Define PANser settings

URL: POST https://{{expeditionLocal}}/api/v1/panser_settings

Params:

url: https://host.docker.internal:8000

jwt_private_key: file containing the private key .pem

3. Define vendors using PANser

4. Convert the vendor file in Expedition using script or GUI

Policy Manipulations

81
For Step 3 and 4 , please refer to the Expedition-API-Scripts Container for example scripts ,
The sonicwall migration script is at /migration/sonicwall.ipynb , define parser setting is in
4th-6th code blocks.

API Features

The Expedition API offers several features to streamline the migration process, with more
features planned for future releases. Detailed information on how to consume these features can be
found in the Swagger documentation, available at the following URL:

https://localhost/api/v1/documentation

This documentation provides an overview of the available API endpoints, parameters, and responses.

Available API Features

The Expedition API offers, in this initial version, a list of features that can be accessed via the related
API routes. Please review the API documentation published on
https://localhost/api/v1/documentation and https://pan.dev/expedition/docs/expedition_apiint/

82
API Documentation and Testing

Expedition provides a web-based resource for learning about and testing the Expedition API. This
documentation utilizes the Swagger framework and can be accessed within each Expedition using
the following URL: https://localhost/api/v1/documentation.

Swagger processes an api-docs.yaml file to showcase the API features and enable interactivity. The
api-docs.yaml file is updated with each Expedition-API container version and can be found at
/app/expedition-api/app/storage/api-docs/vX/api-docs.yaml, where vX corresponds to the current
version of the Expedition 2 API (currently v1).

As the API development progresses, the documentation will evolve accordingly to include upcoming
features and improvements.

Policy Manipulations

83
If you do not have access to an Expedition instance, you can still explore the API documentation
using the public service https://editor.swagger.io/. To do so, upload the relevant api-docs.yaml file to
the editor, and you will be able to review all the published API calls and features.

To consume the various API methods, you must first establish a valid session for authentication and
authorization. This can be done using Swagger by making an initial request to the /api/v1/generate_api_key
route.

To make a request, follow these steps:

1. Click on the desired route to call.
2. Activate the interactive mode by clicking the Try it out button.
3. Enter the required parameters (usesr_id=0, the default login "admin" and password
"paloalto").
4. Click on Execute.

5. Upon successful execution, the API will return a response containing an api_key. This key
should be included in the headers of subsequent requests to validate the user's session and
permissions.

84
To use the api_key for authorization in Swagger, follow these steps:
1. Copy the api_key from the API response.
2. Locate the Authorize button at the top of the Swagger site.
3. Click on the Authorize button and paste the copied api_key into the appropriate field.
4. Confirm the authorization.

After completing these steps, all future requests made through Swagger will be
authenticated using the provided api_key.

Policy Manipulations

85
Expedition-API-Scripts Container for sample jupyter notebook
scripts

The functionalities available through the Expedition UI can also be accessed via scripts using your
preferred programming language. Almost all API functionalities necessitate user authentication.

To familiarize users with scripting and foster a community around the tool, the Expedition team has
created a private repository to be announced. This repository contains a collection of scripts that
represent common workflows for various use cases. Some examples include migrating third-party
vendor configurations, cleaning up configurations by identifying and deleting unused objects, and
optimizing configurations by detecting objects and rules that can be merged.

Setup Expedition-API-Scripts container

Follow the steps defined on the document Notebook - Quick set-up.pdf.

Available sample jupyter notebook scripts in Expedition-API scripts

container
1. Set up the Expedition-API scripts Container: Ensure that you have access to the Container, which
contains various example scripts showcasing how to use Expedition API features.
2. Explore the available scripts: Browse through the provided scripts in the Jupyter Notebook Container
to find relevant use case examples and learn how to interact with the Expedition API.
3. Run the scripts: Execute the appropriate scripts in the Jupyter Notebook Container to test the API
features and understand how they can be used in your migration process.
4. Modify the scripts as needed: Customize the provided scripts to fit your specific migration
requirements and develop a deeper understanding of the Expedition API capabilities.

By following these steps, you can test various use cases using the provided scripts in the Jupyter
Notebook Container and gain hands-on experience with the Expedition API features. This
knowledge will help you optimize your migration process and optimize the PAN-OS configuration.

The following is a list of folders and sample scripts that you can use as a starting point for your use cases.
Make sure you always get the latest content of the scripts by downloading the most recent folder.

Feel free to test, modify, and adapt these scripts to fit your specific needs. Additionally, you are encouraged
to contribute your own scripts based on your use cases to help others in the community.

Table9: Sample Jupyter notebook Scripts in Expedition-API Scripts Container

86
Folder Script examples (may differ from Description
the notebook content)

/address/ move_to_shared.ipynb Move address objects from device

group level to shared

reverse_dns.ipynb Perform reverse DNS on address

objects

tag_address.ipynb Create tags and assign tags to

address and address_group objects
as specified in an input csv file

transform_from_hardcoded_to_obje Transform hardcoded IPs to address

ct.ipynb objects

/audit/ manage_expedition_audit.ipynb Define expedition audit settings, list

all entries and delete them
contains scripts to list audit
settings and delete them
manage_project_audit.ipynb Define project audit settings, list all
entries and delete them

/authentication/ change_password.ipynb Updates the password of a user.

generate_api_key.ipynb Generates a new api key each time it

is called. Will return the token
generated.

revoke_api_key.ipynb Invalidates the api key for a user.

/commons/ get_api_key.ipynb when call this function , it will make

api call to generate api key
Contains two frequently
used api calls , you will use wait_for_ job.ipynb when call this function with jobId, it
these two scripts in all use will print job status
cases

/export/ download_exported_config.ipynb Generates an xml with the result

configuration and downloads it
inside a zip file.

download_migration_logs.ipynb Downloads the logs result from a

migration.

export_push_to_device.ipynb Push configuration via API calls from

Expedition to Firewall

/files/ No scripts in this folder, you can use the sample config files in this folder or
upload your own config files to this folder.

Policy Manipulations

87
Folder Script examples (may differ from Description
the notebook content)

Contains all sample files

you can use in the scripts

/Filters/ clone_filter.ipynb Clones an existing filter.

Contains all filter related combined_filters.ipynb Creates a filter which is a

use case scripts combination of another filter. In this
case, get all security rules that in the
source_address contains addresses
that are ipv6.

complex_filter.ipynb Create a complex filter

generate_predefined_filters.ipynb Creates a set of predefined filters by

default to be used if necessary.

manage_filters_history.ipynb Get the history of a filter. This shows

when it was created, updated and
executed. Shows how many results
had in each execution.

manage_filters.ipynb Shows the basic operations of the

filters: create, update, execute, get
results, delete.

operator_filters.ipynb Operates with filters. Creates a

couple of filters and the one that
combines one and the other.

remove_unused.ipynb Remove all unused address,

address_group, service,
service_group objects

search_rules_with_filters.ipynb Search and display security rules

that contains specific subnets

/issues/ manage_issues.ipynb Makes the basic operations with

issues: create one, update its state,
list them, list depending on the
state, delete it.

/merge_configs/ merge_firewall_to_panorama.ipynb Merge a firewall configuration into a

panorama configuration and.
contains scripts to migrate Indicate which parts should be in
firewall config to panorama each device_group or template
device group config

merge_panorama_to_panorama.ipy Merge panorama configuration into

nb another panorama configuration.

/merge_objects/ merge_objects_by_name_and_valu Merge addresses that have the

e.ipynb same name and value.
Contains example scripts to
merge objects merge_objects_by_name.ipynb Merge addresses that have the
same name.

88
Folder Script examples (may differ from Description
the notebook content)

merge_objects_by_value.ipynb Merge addresses that have the

same value.

/migration/ checkpoint_r80.ipynb Import and convert checkpoint >=

R80 configuration and merge with a
Contains all conversion default pan-os firewall baseconfig
scripts from legacy vendors
to pan-os configuration checkpoint.ipynb Import and convert checkpoint <
R80 configuration and merge with a
default pan-os firewall baseconfig