Expedition 2.x Getting - Started - Guide - 20231204

The Expedition 2.0 Getting Started Guide provides comprehensive instructions for installing and using the Expedition tool, including setup via Docker and available features. It outlines the architecture of Expedition 2, detailing its components such as the API, RabbitMQ, and database containers. Additionally, the guide includes troubleshooting tips, contact information, and links to community resources for further assistance.

Palo Alto Networks, Inc.

www.paloaltonetworks.com
© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.
Revision Date: May 26th, 2023
Expedition 2.0 Getting Started Guide

Contact Information

Corporate Headquarters:
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054

Expedition 2.0 Getting Started Guide © 2023 Palo Alto Networks, Inc.

2

About the Documentation

● For the most recent version of this guide, visit the Expedition Live Community Documentation portal:
https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
● Have feedback or questions for us? Leave a comment in the Expedition 2 section of the Expedition portal, or write to us at [email protected]

Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com

© 2022-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their respective companies.

Last Revised
May 30th, 2023

Table of Contents
About This Guide 7
Terminology 7
Expedition 2 Architecture 8
Installation 11
Install Docker Desktop 11
Setup the Expedition Container 11
Verify Expedition container is up and running 13
Update your expedition container when there is a new release 14
Available Features 16
GUI Features 17
Login 17
DASHBOARD 19
PROJECTS 21
Create a Project 21
Import Configuration in the project 23
View Configuration in the project 25
Import and Export Expedition Project 28
Capture a Snapshot of the project 31
Delete Project 33
DEVICES 34
Create a new PAN-OS Device 34
Retrieve running configuration from the PAN-OS device 37
Delete the PAN-OS device 39
Migration Workflow through GUI 40
Start a new migration 41
Select the type of PAN-OS base configuration 41
Import the Vendor Configuration 42
Load the converted configuration into the project 43
Review the project dashboard 44
Address any warnings that appear 44
Review Invalid objects 46
Remove unused objects (Optional) 46
Merge duplicate objects 46
Import a Base configuration (Palo Alto Networks configuration from the device that you are migrating to) 46

Merge the migrated config with the base configuration 47
Download the merged Output in your preferred format (XML, SET Commands) 53
Load generated output onto PAN-OS device 53
Machine Learning Analysis 54
Overview 54
ML Container Token 55
Get the log files into ML Container 55
Enable Log Processing 57
Log Connector Settings 58
Enable Rule Enrichment or Rule Suggestion for a Security Policy 60
Perform Rule Enrichment Analysis 60
Perform Rule Suggestion analysis 63
Agents & Jobs 65
Audit 66
Object Manipulation 66
Expedition objects icons 68
Drag & Drop to add members of the group object 69
Clipboard 70
Policy Manipulation 74
Bulk Change to apply security profiles Group 75
Networks 76
GUI limitations 77
Parser and Migration-related Features 78
Available Parser Vendor Matrix 78
PANser Web Service 80
API Features 82
Available API Features 82
API Documentation and Testing 83
Expedition-API-Scripts Container for sample jupyter notebook scripts 86
Setup Expedition-API-Scripts container 86
Available sample jupyter notebook scripts in Expedition-API scripts container 86
Testing sample jupyter notebook scripts in Expedition-API-Script container 92
Filter 94
Filter Types 95
Single Filter 95

Predefined Filters 99
Operations filters 102
Accessing Filter on GUI 103
Clean up Invalid Objects 106
Remove Unused Objects 107
Merge Duplicate Objects 110
Access Expedition Project related files via File manager or Finder 112
Report Bugs and Improvements 113
Known Issues 113
FAQ 114

About This Guide

Thank you for your interest in Expedition 2 and for helping to improve it! We are excited about this new version of the Expedition tool and look forward to your participation as we continue to refine it.

This guide introduces the features available in Expedition 2 and the features on the roadmap. It also helps you get started with the tool: downloading and installing the Expedition container and beginning to test it.

Terminology

The following is a list of terms that you may encounter when reading this documentation and when using the Expedition features.

Term        Description

API         An application programming interface (API) is a connection between computers or between computer programs. It is a type of software interface, offering a service to other pieces of software. Expedition offers an API that can be consumed via scripts (in Python, PHP, C++, etc.) and through the Expedition web UI.

PANObject   Any object that can be found in a PAN-OS configuration, including objects (e.g. addresses, tags), policies (e.g. security rules, application override) and network elements (e.g. VLANs, VPNs).

Trash       Expedition does not fully delete objects from a project when the DELETE API action is submitted. Instead, objects are moved to a trash space, which offers a chance to restore them if necessary, to identify which objects are going to be removed from a project, or to generate reports on the deleted objects.

Expedition 2 Architecture

The Expedition 2 container image consists of a set of individual containers (see Figure 1) that interact with each other, with expedition-api acting as the orchestrator for all workflow interactions. In the current version, Expedition 2.0, the following packages, services and versions should be found:

● Expedition-API:
Container intended to provide a RESTful API that can be consumed by your scripting language of choice, and to present the UI (HTML/JS). The back-end API is developed using the Laravel PHP framework and served via Apache 2. The container also runs one or more PHP agents that support asynchronous requests, helping with the execution of automated tasks and multi-processing actions. The agents also consume the API, and communication with them is performed via RabbitMQ.

○ Services installed:
■ Apache/2.4.53
■ PHP/7.4.29
○ API (Laravel) logs path:
■ /var/www/html/expedition-api/storage/logs
○ Some configuration files are stored in volumes on the host.

● RabbitMQ:
Container to provide the RabbitMQ service for asynchronous requests. Communication is performed between web service API calls and PHP agents. Stopping this service will prevent agents from receiving messages for the execution of blocking or long-lasting tasks, such as downloading configuration files from a PAN-OS device, doing reverse DNS resolutions, or auto-processing CSV traffic log files, among others.

○ Services installed:
■ RabbitMQ/3.8

● Expedition-db:
Container intended to provide an RDBMS as storage for the application data. Stopping this container will block all Expedition functionality, as it would interrupt authentication, access to project information, and auditing.

○ DB files are stored as volumes on the host.
○ Services installed:
■ MariaDB 10.8.2
○ Databases:
■ Projects databases (as exp_XX). A project is a collection of information related to a
specific migration to a device. Each project is stored on a dedicated database within
the same RDBMS.
■ Authentication and authorization database (as pandbRBAC). Database to store
application information such as users, grants and others.
■ Other databases. Additional databases that may be used to contain global values,
such as device capacities, etc.

● Expedition-parsers:
Container intended to provide the parser library and workflows to migrate from third party
vendors to Palo Alto Networks configurations. This container includes mappings for specific
service to configuration conversions when those are not TCP or UDP protocols.

It is not consumed directly by the user but by the Expedition-API container when migrations are requested. This container does not expose an API.

This container does not have persistence, therefore all data generated is only available during the
container lifecycle.

○ Services installed:
■ Apache/2.x
■ PHP/7.0

● Expedition-parsers-db:
Helper container for the expedition-parsers container to store the temporary data needed for parsing vendor configs. After a migration, the databases are wiped.

○ Without persistence, so all generated data is only available during the container lifecycle.
○ Services installed:
■ MariaDB 10.2
○ Databases:
■ Projects DB. A project is a collection of information related to a specific migration to a device. Each project is stored on a dedicated database within the same RDBMS. The databases resemble the structure used by parsers in Expedition 1.
■ PANDBRAC DB. Database to store information required for the migration scripts, such as the name of the project under migration, the version of the PAN-OS target device, and user controls.

Fig 1. Expedition 2 Architecture diagram showing the different containers and shared volumes

Installation

Install Docker Desktop

As Expedition 2 is offered as a container (and dependencies), a Docker engine must be running in your environment.

This document provides instructions on how to use Expedition with Docker Desktop, although it is possible to use any Docker engine.

Please refer to https://docs.docker.com/desktop/ for details on how to install Docker Desktop on your platform, or contact your IT support to help you set up Expedition on a container hosting site.

The Expedition team does not provide support for creating a Docker-capable environment.

Setup the Expedition Container

Ensure that Docker Desktop is up and running before proceeding with the following steps to set up the Expedition container:

1. Access the Google Drive location shared with you, folder install from Release X.Y.Z.

2. Download the following files from the install folder and place them in your workspace (for example, an Expedition2-Release1 folder):
○ .env
○ docker-compose.yml
○ README.md

3. Download the Expedition images file, images.zip, for your architecture:

○ For Apple M1 chipset, download the m1_images/image.zip file
○ For Windows, Intel Mac and others, download the intel_images/image.zip file

4. Unzip the downloaded image.zip file in your workspace. Unzipping creates a folder named images containing all Expedition 2 images. The file structure should look like the following screenshot:

5. .env is a hidden file, so make sure your file system can display hidden files. Edit the .env file and update the following two variables:

● MYSQL_ROOT_PASSWORD=
Add your desired password for accessing the Expedition databases. This password cannot be changed later and will be used to encrypt your database. For example, if the desired password is "paloalto", update the line to: MYSQL_ROOT_PASSWORD=paloalto

● EXPEDITION2_UI_PORT=443
The Expedition GUI runs on port 443 by default; if you need to change the port number, update the value accordingly.

6. Open a command line interface (CLI), navigate to the Expedition2-Release1 folder and execute the following commands (pay attention to the image names: if you have newer images, change the file names accordingly in the commands below):

docker load -i images/intel_images/expedition-db_1_0_0.tar;
docker load -i images/intel_images/expedition-api_1_1_0.tar;
docker load -i images/intel_images/expedition-parsers-db_1_0_0.tar;
docker load -i images/intel_images/expedition-parsers_1_0_0.tar

NOTE: On Apple M1 chipset, replace intel_images with m1_images in the above commands.

7. Run the Expedition 2 container using the command below:
docker-compose up -d
8. Wait for one minute, open Google Chrome and access the UI using the following URL:
https://localhost:443 (default credentials are admin/paloalto)
9. To access the Swagger API definition, use the following URL:
https://localhost/api/v1/documentation

Verify Expedition container is up and running

Once the Expedition container is up and running, you should see a running status on all five of the sub-containers below:

expedition-rabbitmq
expedition-db
expedition-parsers-db
expedition-api
expedition-parsers

Update your expedition container when there is a new release

Below are the steps to update your Expedition container when there is a new release of the Docker images:

1. Access the Google Drive location shared with you, folder update from Release X.Y.Z.

2. Download the following files from the update folder and place them in your workspace (for example, the Expedition2-Release1 folder):

○ docker-compose.yml
○ README.md

3. Download the Expedition images file, images.zip, for your architecture:

○ For Apple M1 chipset, download the m1_images/image.zip file
○ For Windows, Intel Mac and others, download the intel_images/image.zip file

4. Unzip the downloaded image.zip file in your workspace. Unzipping creates a folder named images containing the updated Expedition 2 images.

5. Stop the container from the Docker Desktop GUI by clicking the button to stop the Expedition container.

6. In the command line (CLI), go inside the expedition2-release1 folder and issue the command below to update the images (if there are multiple updated images, issue the same command for each of them, replacing the image name in the command):

$ docker load -i images/expedition-api_1_1_0.tar

7. Issue the command below to restart the Expedition container:

$ docker-compose up -d

8. In Docker Desktop, verify that all components of the Expedition container are up and running.
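The installation steps 5 to 9, the container check and this update procedure can be scripted. The following POSIX shell script is an added example, not part of the guide or of the Expedition project: it validates the two .env variables the guide asks you to edit, loads every image tarball found for the detected CPU, starts the stack with docker-compose and reports which of the five sub-containers are not running. The container names, variable names and commands come from the guide; the images/<arch>/*.tar layout, the function names and the assumption that the containers keep exactly the names listed in the guide are mine.

```shell
#!/bin/sh
# Pre-flight and post-start checks for the Expedition 2 Docker setup (added example,
# not part of the Expedition project). Container and variable names are from the guide;
# the images/<arch>/*.tar layout and the function names are assumptions.

# The five sub-containers the guide lists under "Verify Expedition container is up and running".
EXPEDITION_CONTAINERS="expedition-rabbitmq expedition-db expedition-parsers-db expedition-api expedition-parsers"

# Print the value assigned to KEY ($2) in a .env-style file ($1); comments ignored, last assignment wins.
env_value() {
    grep -v '^[[:space:]]*#' "$1" | sed -n "s/^$2=//p" | tail -n 1
}

# Validate the two variables the guide asks you to edit before the first `docker-compose up`.
# Returns 1 and explains the problem on stdout if either value is unusable.
check_env() {
    env_file=$1; rc=0
    pw=$(env_value "$env_file" MYSQL_ROOT_PASSWORD)
    port=$(env_value "$env_file" EXPEDITION2_UI_PORT)
    if [ -z "$pw" ]; then
        echo "MYSQL_ROOT_PASSWORD is empty; the guide says it cannot be changed after first start"
        rc=1
    elif [ "$pw" = "paloalto" ]; then
        echo "MYSQL_ROOT_PASSWORD is the guide's example value; choose your own"
        rc=1
    fi
    case $port in
        '' | *[!0-9]*)
            echo "EXPEDITION2_UI_PORT is not a number: '$port'"; rc=1 ;;
        *)
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "EXPEDITION2_UI_PORT out of range: $port"; rc=1
            fi ;;
    esac
    return $rc
}

# Choose the image directory the guide names for this CPU (argument: output of `uname -m`).
image_dir_for() {
    case $1 in
        arm64 | aarch64) echo images/m1_images ;;
        *) echo images/intel_images ;;
    esac
}

# Load every image tarball in DIR, so a release with several updated images needs no command edits.
load_images() {
    for tarball in "$1"/*.tar; do
        [ -f "$tarball" ] || { echo "no image tarballs found in $1" >&2; return 1; }
        docker load -i "$tarball"
    done
}

# Given the names of running containers (whitespace separated, e.g. the output of
# `docker ps --format '{{.Names}}'`), print each expected container that is absent.
# Returns 1 if anything is missing. Exact-name matching assumes compose keeps the guide's names.
missing_containers() {
    running=$1; rc=0
    for name in $EXPEDITION_CONTAINERS; do
        found=0
        for r in $running; do
            [ "$r" = "$name" ] && found=1
        done
        if [ "$found" -eq 0 ]; then
            echo "$name"; rc=1
        fi
    done
    return $rc
}

# Full sequence from the guide: check .env, load images, start the stack, wait, verify.
run_install() {
    check_env .env || return 1
    load_images "$(image_dir_for "$(uname -m)")" || return 1
    docker-compose up -d
    sleep 60   # the guide says to wait about a minute before opening the UI
    if ! missing_containers "$(docker ps --format '{{.Names}}')"; then
        echo "the containers listed above are not running; check Docker Desktop" >&2
        return 1
    fi
    echo "Expedition UI: https://localhost:$(env_value .env EXPEDITION2_UI_PORT)"
}

# Only perform the installation when invoked as: sh expedition_setup.sh run
case ${1:-} in
    run) run_install ;;
esac
```

Run it from the workspace folder that holds .env, docker-compose.yml and the unzipped images directory; for an update, stop the stack first as in step 5 and the same script reloads whatever tarballs the new release shipped.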

Available Features

We recognize that participating in the testing phase of Expedition Beta requires effort and is a
valuable contribution to the Expedition team. Your input helps enhance the tool, accelerates the
identification of potential issues and missing features, and ultimately improves the overall user
experience.

Before you embark on a project expecting final results, it is crucial to understand the tool's current
features. This section outlines the available features in the tool, as well as the functionalities planned
for future releases.

As a tester, evaluate the tool's impact on your current configuration projects and consider how
upcoming features may expedite future projects. If you identify features that have not yet been
implemented or listed for future releases, we encourage you to report these as Feature Requests
through the channels specified in the Report Bugs and Improvements section.

The following features are ready to be tested:

GUI Features

Note: We are still working on improving the stability of the user interface, and while it is functional, there
may be some limitations and issues that we are working to address.

Login

Once the container is up and running, you can access Expedition either through scripts that use the API or through the provided JavaScript UI. By default, the Expedition UI can be accessed via a web browser on TCP port 443. If you are running the Expedition API on your desktop and haven't mapped the web-service port to a port other than TCP/443, you can access the UI using the following URL: https://localhost

The Expedition web-service includes a self-signed SSL certificate. As a result, when accessing
Expedition for the first time using Google Chrome, you may encounter a "Your connection is
not private" warning message. To bypass this warning, simply type "thisisunsafe" on the
screen. Although your typing will not be visible on the UI, Chrome will register the keystrokes
and understand that you are willing to proceed with accessing a self-signed site.

● Login with the default Expedition credentials:

username="admin"
password="paloalto"

DASHBOARD

Let’s explore the Dashboard’s main feature by navigating to Main screen-> Dashboard

1. Get Started: This panel provides shortcuts for specific tasks, such as:
● Create a new project: Clicking the shortcut takes you to the project window.
● Import a new PAN-OS device: Clicking the shortcut takes you to the device window.

2. Continue where you left off:
This section lists shortcuts to projects you were previously working on. Click on "Open Project: {your project name}" to access the project.

3. Projects by Tag:
This section displays the number of projects grouped by tag. For example, if you have tagged all your Checkpoint >= R80 migrations as cp-r80 and have four projects with that tag, hovering your mouse over the tag info will display cp-r80-4.

4. Projects by User:
This section shows the number of users assigned to specific projects. The view may be limited to projects you have the rights to participate in.

5. User workload sharing: This panel features three tabs:
● User Availability: Gain insights on the number and percentage of users assigned to projects, as well as the number of projects each user is working on.
● User Rights: Obtain insights on the number and percentage of users in each of the three Expedition system roles: Super Users, Administrators, and Users.
● Last User Login: Access insights on the login activity of Expedition users, identifying users who have:
○ connected during this week
○ connected during this month
○ not been active during the last 30 days

PROJECTS

The PROJECTS tab takes you to the project window, where you can create, edit and delete projects. Double-clicking a project opens it. Let's go over some use cases:

Create a Project

In Expedition each project has its own database, and you can create as many projects as you want. To create a new project, follow these steps:

Navigate to the PROJECTS tab and click on the button located on the top right.

In the extended view window that appears, assign a name to your project (project names must have at least 5 characters).

Click the button to create the project.

● Optional steps during project creation:
○ Provide a description of the project in the Description field.
○ Assign a tag to the project, for example: assign all your PAN-OS projects the tag "paloalto".
○ Set user permissions for the project. By default, all projects are created with admin role permissions (read/write permissions to the project).
○ Assign a specific PAN-OS device to the project in the Device Access tab by checking the checkbox in front of the device.

Import Configuration in the project

● To access a project, double-click on the project name. If the project is already associated with a configuration, the configuration file dropdown will display the config name for you to select.

● If no configuration is associated with the project, you will see "no config selected" next to the configuration selection dropdown.

● To import a configuration, click the NEW CONFIGURATION tab to either start a new migration or import a PAN-OS configuration:

If you are working on a 3rd party vendor migration project, select START A NEW MIGRATION. Refer to the Migration Workflow section for more detailed steps.

If you already have a PAN-OS config and would like to view or refine it, there are two ways to import the configuration:

1. Select IMPORT PANOS CONFIGURATION -> IMPORT XML FILES to load the configuration into the project.

2. If you have retrieved the configuration from the PAN-OS device as per the steps in the DEVICES section, select IMPORT FROM A PANOS DEVICE. Double-click the device to import the configuration. If you do not see any device in the list, you likely haven't assigned the device to the project; please review the steps on assigning a PAN-OS device to the project.

View Configuration in the project

Once a configuration is selected, choose the device group, virtual system, or template you want to view and click on APPLY CHANGES.

Expedition will load the configuration into the project and direct you to the project dashboard, which displays the statistics of your configuration:

● Graphic Summary: consists of three charts:
○ Objects and Policies by Device Group: Displays the number of objects, policies, and networks per device group (vsys).
○ Used vs Unused objects: Displays the number of used and unused objects.
○ Issues per Device Group: Displays issues per device group (vsys).

● SUMMARY TOTAL: A table displaying the total number of objects across all device groups/vsys.

● SUMMARY BY DEVICE GROUP: A table displaying the total number of objects per device group/vsys, broken down into individual device groups/vsys. Click + to expand individual device groups (vsys) or - to collapse specific device groups/vsys.

● To view objects and rules, navigate to the different tabs. For example, click on OBJECTS -> Address to view address and address-group objects.

You can view objects in the left panel and group objects in the right panel, as shown in the screenshot.

The same concept applies to other tabs. To view security rules and NAT rules, click on POLICIES and select either Security or NAT to view the corresponding rulesets.

For details on actions you can perform on objects and policies, please refer to the sections:

● Object Manipulations
● Policy Manipulations

Import and Export Expedition Project

From the IMPORT/EXPORT tab you can export and import the current project. This is useful when you want to create a full backup of Expedition or import a project into another instance.

Import a Project:

To import a project, follow these steps:

1. Create a new project, assign a NAME, and click on the button.

2. Highlight the project; in the Extended view window, click on the import button, then click on the button to select the file from your desktop. Once the file is completely uploaded, click on the save button to save the project.

Export a Project:

To export a project, follow this step:

Highlight the project. In the Extended view window, click on the export button and the exported project will be downloaded to your local machine with the name EXP_xx.zip. You can then share this exported project.

Capture a Snapshot of the project

Expedition 2 introduces two types of snapshots:

1. Automatic snapshot:
Expedition automatically takes snapshots during significant changes in the project, such as:
● Before importing a configuration
● Bulk changes to objects or rules
● Moving objects and rules
● Deleting objects and rules
● Before merging the vendor-converted config and the source configuration

2. Manual snapshot:
Similar to Expedition 1.x, you can take a manual snapshot whenever you want. To create a manual snapshot, follow these steps:

a. Click the SNAPSHOTS icon.
b. Enter the name and description of the snapshot, then click CREATE.

In the snapshot window, you can manage snapshots by:

● Loading a snapshot: Select a specific snapshot and click the "load" icon.

● Deleting a snapshot: Select the snapshot and click the icon.

By using these snapshot features, you can better manage your configurations and maintain a history
of changes, allowing you to revert to previous states if needed.

Delete Project

Follow the steps below to delete projects:

1. Select the projects you would like to delete, then click on the button to remove them. You can select multiple projects at once:

2. A confirmation window will pop up asking for your confirmation:

3. Click on the button to confirm the project deletions.

By following these steps, you can delete one or multiple projects from Expedition. Remember to double-check your selections before confirming the deletion, as this action cannot be undone.

DEVICES

The DEVICES tab in Expedition allows you to add your Palo Alto Networks devices and import your Palo Alto Networks firewall and Panorama configurations into Expedition, enabling you to use them as a base configuration for making improvements or for merging with a vendor-converted configuration.

Create a new PAN-OS Device

Expedition supports all PAN-OS versions from version 4.0 up to 11.0. Let's follow an example of how to create a new device, import its configuration and securely store it on Expedition.

● Add a new device by navigating to DEVICE and clicking on the CREATE A NEW DEVICE button located on the top right of the panel.

● In the Information tab, enter the information below as required:
○ Device Name: the name you want to call your firewall.
○ Model: Palo Alto Networks device model.
○ Hostname/IP: IP or name used to connect to your firewall. If it is a name, Expedition needs to know how to resolve it; check that the DNS used by Expedition is the right one. You can check from the CLI:

$ sudo cat /etc/resolv.conf

○ Port: where the management interface is running, by default 443.
○ Serial #: This field is required and is used as an index to identify the right device.
○ Serial # HA: In case this firewall or Panorama is part of a cluster, you can set the HA serial. This matters for the Machine Learning module, which is explained in another chapter of this document. (Optional)

● After entering all the required info, click on the button to add the device first.
● Once the device has been created and listed in the Devices view, we have to edit it and add the credentials used to retrieve contents such as the applications database, system information and the configuration. Select the device and expand the extended view on the right to edit it, then click on the + to expand the Authentication section:

● Click the ADD NEW API KEYS purple button. This brings up a sub-window; select Role & API Keys to add the firewall login credentials, and Expedition will make a request to the firewall to generate a new API key.
○ Role and Apply all Roles: When you add a new API key, it can be attached to a Role inside Expedition. This means that when an Expedition user with the admin Role inside a project tries to push changes using API keys, Expedition will use the API key attached to that user's Role (admin in this example). If you did not add an API key to the admin Role, that user will be unable to send any API call out. For small environments with only one user, admin, there is no need to check Apply all Roles; keep the key attached to the admin Role only.

● Note that the generated API key remains valid as long as the user's password on the firewall is not changed. Click on SAVE KEYS to add the new API keys.

● Once the API keys are successfully added , you will see API KEY Registered✅

Retrieve running configuration from the PAN-OS device

● Expand Contents -> RETRIEVE CONTENTS -> Running Configuration. Expedition will make an API call to pull down the running configuration from the firewall or Panorama.

● Optional step for a Panorama device: expand Panorama Devices -> RETRIEVE DEVICES. Expedition will make an API call to retrieve all the connected devices managed by the Panorama.

● Once all edits on the device have been completed, click on the button to save the changes.

● If you have already created a device, you can select it from the Device Access box. By selecting a firewall or Panorama in the Device Access box, you are forcing Expedition to import the same applications database into your project; that applications database was downloaded to Expedition at the same time the configuration was retrieved. As a result, your project will have the same applications database as your firewall.

Delete the PAN-OS device

When you are done with the project and the PAN-OS device is no longer needed, you can select PAN-OS devices from the DEVICES view and click the button to delete them.

Migration Workflow through GUI

Expedition streamlines the process of migrating configuration elements from other security vendors
and converting them into a Palo Alto Networks configuration. This reduces the time and potential
errors associated with manual migration. However, the results should always be reviewed by a
professional familiar with both the original vendor and Palo Alto Networks technologies. The
migration workflow is as follows:

1. Start a new migration
2. Select the type of PAN-OS base configuration
3. Import the vendor configuration
4. Load the converted configuration into the project
5. Review the project dashboard
6. Address any warnings that appear
7. Review invalid objects
8. Remove unused objects
9. Merge duplicate objects
10. Import a base configuration (the Palo Alto Networks configuration from the device that you are
migrating to)
11. Merge the migrated configuration with the base configuration
12. Download the merged output in your preferred format (XML, set commands)
13. Load the generated output onto the PAN-OS device

Start a new migration

To start a new migration, first create a project and enter it by double-clicking on the project
name. Once inside the project, click on NEW CONFIGURATION followed by START A NEW
MIGRATION.

Select the type of PAN-OS base configuration

Choose the type of PAN-OS base configuration you'd like to use for your migration. In
Expedition 2.x, a default PAN-OS v10.1.x base configuration is provided for your convenience. Decide
whether you want to merge the converted configuration with a Firewall base config or a Panorama
base configuration.

Once you have selected the type of base configuration, click START MIGRATION.

Import the Vendor Configuration

● Click on the vendor name to select the vendor configuration you wish to migrate. Assign a
name to the configuration file, browse to the file location on your local drive.

● If you are merging with a Panorama config later, it is recommended to use the VSYS name
that your Panorama template belongs to. For example, you can name your configuration file
vsys1.

● Click UPLOAD & MIGRATE to upload the vendor configuration.

Load the converted configuration into the project

Once the migration is complete, you will receive a Migration completed message. To load
the migrated configuration into the same project, navigate to the configuration section at the
top of the page.

After selecting the configuration file, if a firewall configuration was chosen as the base you will be
prompted to select a vsys name (for example, vsys1). If a Panorama base configuration was selected,
you will be prompted to choose a device group and a template section.

Review the project dashboard

After the configuration is loaded, you are taken to the project dashboard, which displays a summary
of object counts. Review the information shown under View Configuration in the project.

Address any warnings that appear

Address any warnings that emerge by navigating to the Warning page. These warnings are
automatically generated during the conversion of your vendor config, and it's essential to
review and resolve them as necessary.

Examine the action column for suggested actions. If the action column is not visible, hover
your mouse over any column, click the downward arrow, and ensure that the checkbox next
to action is checked.

Review Invalid objects

In the Expedition 2 parser, while converting the vendor configuration, the parser automatically
searches for and replaces invalid service objects with the corresponding APP-IDs defined in the service
mapping file. For more details, refer to the Available Parser Vendor Matrix. If the invalid service objects are
not defined in the vendor service file, you will need to manually review and replace them with the
appropriate service objects with ports or APP-IDs. Please refer to the Clean up Invalid Objects section in the
documentation for guidance.

Please note that the search and replace function is still under development. However, this feature is
available in the API, and you can write a script to replace invalid objects with APP-IDs.
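The kind of script the paragraph above refers to, written here as an added example rather than as Expedition's own code or API: it performs the same search and replace over an exported PAN-OS XML file with the Python standard library, so it does not depend on any Expedition endpoint. The service-to-App-ID mapping, the set of names flagged invalid and the configuration snippet are constructed for the example (the mapping is in the spirit of the vendor service mapping file, not its real format); the rule layout /config/devices/entry/vsys/entry/rulebase/security/rules/entry is the PAN-OS firewall schema.

```python
import xml.etree.ElementTree as ET

# Constructed firewall config: three rules carry services Expedition would flag as invalid.
SAMPLE_CONFIG = """<config version="10.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<service>
  <entry name="svc-invalid-1"><protocol><tcp><port>0</port></tcp></protocol></entry>
  <entry name="svc-https"><protocol><tcp><port>443</port></tcp></protocol></entry>
</service>
<rulebase><security><rules>
  <entry name="allow-web">
    <application><member>any</member></application>
    <service><member>svc-invalid-1</member><member>svc-https</member></service>
  </entry>
  <entry name="allow-dns">
    <application><member>any</member></application>
    <service><member>svc-dns-bad</member></service>
  </entry>
  <entry name="allow-other">
    <application><member>any</member></application>
    <service><member>svc-other</member></service>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

# Assumed mapping of invalid service names to App-IDs (constructed for the example).
SERVICE_TO_APPID = {"svc-invalid-1": "web-browsing", "svc-dns-bad": "dns"}

RULES_PATH = "./devices/entry/vsys/entry/rulebase/security/rules/entry"


def load_config(text):
    return ET.fromstring(text)


def _members(node):
    return [m.text.strip() for m in node.findall("member") if m.text]


def replace_invalid_services(root, invalid, mapping):
    """For every security rule, replace each invalid service member that has a
    mapping with the corresponding App-ID.  A bare 'any' application is
    replaced, not extended, so the rule gets tighter rather than wider.  If the
    service list empties out it becomes application-default.  Returns the names
    of the changed rules and the invalid services nobody mapped, which still
    need manual review."""
    changed, unmapped = [], set()
    for rule in root.iterfind(RULES_PATH):
        svc, app = rule.find("service"), rule.find("application")
        if svc is None or app is None:
            continue
        touched = False
        for member in list(svc.findall("member")):
            name = (member.text or "").strip()
            if name not in invalid:
                continue
            if name not in mapping:
                unmapped.add(name)
                continue
            svc.remove(member)
            if _members(app) == ["any"]:
                app.remove(app.find("member"))
            if mapping[name] not in _members(app):
                ET.SubElement(app, "member").text = mapping[name]
            touched = True
        if touched:
            if svc.find("member") is None:
                ET.SubElement(svc, "member").text = "application-default"
            changed.append(rule.get("name"))
    return changed, sorted(unmapped)


def rule_view(root, name):
    """(applications, services) of one rule, for inspection before and after."""
    rule = root.find(f"{RULES_PATH}[@name='{name}']")
    return _members(rule.find("application")), _members(rule.find("service"))
```

Write the result back with ET.ElementTree(root).write(path, encoding="utf-8") and re-import it. Review each changed rule: a rule that kept other port-based services next to the new App-ID now matches on both, and rules whose services were all invalid have silently moved to application-default, which is usually the intent but not always.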

Remove unused objects (Optional)

If you would like to remove unused objects, you can first apply a filter to identify these
objects. Then, take action to remove all or some of the unused objects as needed. For more details on how
to remove unused objects, please refer to the Remove Unused Objects section in the documentation.

Merge duplicate objects

Because PAN-OS does not accept objects with the same name, duplicates must be resolved. First apply a
filter to identify objects with duplicate names, then merge all or some of the duplicate-named objects
as needed. For more details on how to merge duplicate objects, refer to the Merge Duplicate Objects
section in the documentation.

Import a Base configuration (Palo Alto Networks configuration from the device that
you are migrating to)

● Click NEW CONFIGURATION click IMPORT PANOS CONFIGURATION on the right panel.
This will allow you to import your existing PAN-OS configuration file into the tool.

● There are two methods to import your PAN-OS base configuration:
1. IMPORT XML FILE - Manually download the running config from the PAN-OS device
to your local drive, and import the PAN-OS configuration from your local drive.

2. IMPORT FROM A PANOS DEVICE - Retrieve the running configuration from the device
tab when you have added the PAN-OS device in the project . For more details on adding a
PAN-OS device, please refer to the Create a new PAN-OS Device section in the
documentation.

Merge the migrated config with the base configuration

If you would like to merge the converted configuration with your PAN-OS base configuration,
navigate to the main interface and click on TOOLS followed by MERGE CONFIGURATION.
This feature allows you to combine the converted configuration with your existing PAN-OS
base configuration, ensuring a seamless integration.

To merge the configuration, follow these steps:

1. Select the PAN-OS base config from the base config dropdown, the base config will be
displayed on the right panel, if it’s a panorama config, the device group hierarchy will be
displayed. Template hierarchy will not be displayed. This allows you to view and manage
configuration for specific device groups.

2. Select your vendor migrated config from the config to merge dropdown on the left panel.

3. Perform mapping on each section of configuration. This may include objects, policies, and
networks. Review each section carefully, ensuring that the settings from the migrated
configuration are mapped correctly to the PAN-OS base configuration.

At the top of the panel you can select the device group and template that every section of the
configuration should be merged into; for example, map all objects and policies to Device Group DG1
and all network configuration to Template1.

If you are merging with a firewall configuration, everything is mapped to the VSYS name that
came from your base configuration.

4. Click the apply-mapping icon. The resulting mapping is displayed and can be changed manually
where necessary, for example to map objects from the shared section of the vendor configuration
to shared in the Panorama base configuration.

5. After applying the mapping to every section of the configuration, click the map icon on each
section. A green checkmark appears next to each mapped section, indicating successful mapping. You
only need to map the top-level folder (for example shared, vsys1 or the default folder); everything
under that folder is mapped to the same device group or template as the folder itself.

6. When mapping is done, click the merge icon to start merging the configuration, then click Yes to
confirm the merge.

7. The system merges the configurations according to the mapping you set up. This may take some
time, depending on the size and complexity of the configurations. When the merge is complete, the
merge icon changes to indicate success, and you can review the merged configuration to make sure
everything has been combined properly.

8. After the merge is complete, you will see a reminder like the one shown in the screenshot.
This reminder serves as a prompt to carefully review the merged configuration and check for
any issues. Specifically, you should:

1. Ensure there are no duplicate objects: Review the merged configuration to identify
and remove any duplicate objects that might have been created during the merging
process.
2. Verify Interfaces and Zones: Check that the interfaces and zones under the Template
are assigned with the correct VSYS name. This is crucial to maintain proper network
segmentation and functionality.

By thoroughly reviewing the merged configuration and addressing any potential issues, you
will maintain consistency across your network configurations and ensure your PAN-OS
configuration is committable.

If the VSYS name was not correctly assigned to interfaces and zones during the merge, you can
apply bulk changes to assign the correct VSYS name using the following steps:

1. For Interfaces:
a. Select the interfaces you want to re-assign the VSYS name.
b. Navigate to the Bulk Change option in the Extended view window.
c. Select VSYS Name from the drop-down menu.
d. Choose the proper VSYS name for the selected interfaces and apply the changes.

2. For Zones:
a. Select the zones you want to re-assign the VSYS name.
b. Navigate to the Bulk Change option in the Extended view window.
c. Select VSYS Name from the drop-down menu.
d. Choose the proper VSYS name for the selected zones and apply the changes.

Download the merged Output in your preferred format (XML, SET Commands)

After the configurations are merged, follow these steps to generate and download the output:

1. Click the download icon to open the download page.

2. Click the generate icon to generate the merged configuration.

3. Go to the Download section, where four types of output are available for download:
● XML reduced: an XML file reduced in size. This version can be loaded directly onto a PAN-OS
device.
● Set Command: set commands for the entire configuration.
● XML: a pretty-printed XML file that is easy to read. This version can also be loaded directly
onto a PAN-OS device.
● All: a zip archive containing all three of the outputs above.

Load generated output onto PAN-OS device

After downloading the output file, choose one of the following methods to load the configuration
onto your PAN-OS device:

1. Load the full xml file onto a PAN-OS device via PAN-OS GUI: This method is best suited for
greenfield deployment. To do this, follow these steps:
Log in to the PAN-OS GUI.
Go to Device > Setup > Operations.

Under the Configuration Management section, click Import named configuration
snapshot and select the downloaded XML file.
Click Load named configuration snapshot, choose the imported configuration, and
then click OK to load it.
Commit to the PAN-OS device.

2. Use the load config partial command from the CLI of the PAN-OS device to load selected
sections of the configuration. This method is best suited to merging into production Panorama
devices, because only the chosen xpaths are touched and the rest of the running configuration is
left alone. To do this, follow these steps:

Log in to the PAN-OS GUI.
Go to Device > Setup > Operations.
Under the Configuration Management section, click Import named configuration snapshot and
select the downloaded XML file.
Connect to the PAN-OS device CLI.
Enter configuration mode by typing configure.
Run load config partial from <filename> mode merge from-xpath <source_xpath> to-xpath
<destination_xpath> with the appropriate file name and xpaths.
Commit the changes using the commit command.

3. Copy and paste the set commands into the PAN-OS CLI. This method is suitable for loading
specific settings or objects without replacing the entire configuration. To do this, follow these
steps:

Connect to the PAN-OS device CLI.
Enter configuration mode by typing configure.
Copy the set commands from the downloaded output file and paste them into the PAN-OS device CLI.
Commit the changes using the commit command.
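The partial-load method above, as an added example that is not part of the guide or of Expedition: a small script that derives the from-xpath/to-xpath pairs for one vsys from the merged XML you downloaded, checks that each xpath actually exists in that file (a mistyped xpath is the usual reason a load config partial loads nothing and the commit changes nothing), and prints the CLI commands to paste into configuration mode. The device name localhost.localdomain, the vsys name, the snapshot file name, the section list and the configuration snippet are assumptions for the example.

```python
import xml.etree.ElementTree as ET

# Constructed stand-in for the merged XML downloaded from Expedition.
MERGED_XML = """<config version="10.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address><entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry></address>
  <rulebase><security><rules><entry name="allow-web"/></rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

# Name under which the file was imported with 'Import named configuration snapshot' (assumed).
SNAPSHOT_NAME = "expedition-merged.xml"

# Sections most migrations load, ordered so that references resolve: objects
# before the groups that contain them, both before the rules that use them.
DEFAULT_SECTIONS = ["address", "address-group", "service", "service-group",
                    "rulebase/security/rules"]


def load_merged(text):
    return ET.fromstring(text)


def vsys_xpath(vsys, section, device="localhost.localdomain"):
    return (f"/config/devices/entry[@name='{device}']"
            f"/vsys/entry[@name='{vsys}']/{section}")


def xpath_exists(root, xpath):
    """ElementTree evaluates the simple [@name='...'] predicates used in PAN-OS
    xpaths once the leading /config is dropped (root is the <config> element)."""
    if not xpath.startswith("/config/"):
        raise ValueError("PAN-OS xpaths are absolute and start with /config/")
    return root.find("./" + xpath[len("/config/"):]) is not None


def load_partial_commands(root, vsys, snapshot, sections=DEFAULT_SECTIONS, mode="merge"):
    """Return (commands, skipped): one 'load config partial' per section that
    is present in the file, plus the sections that are absent and would load
    nothing.  from-xpath and to-xpath are identical here because Expedition
    already mapped the merged file onto the target vsys."""
    commands, skipped = [], []
    for section in sections:
        xpath = vsys_xpath(vsys, section)
        if not xpath_exists(root, xpath):
            skipped.append(section)
            continue
        commands.append(f"load config partial from {snapshot} mode {mode} "
                        f"from-xpath {xpath} to-xpath {xpath}")
    return commands, skipped


if __name__ == "__main__":
    cmds, missing = load_partial_commands(load_merged(MERGED_XML), "vsys1", SNAPSHOT_NAME)
    print("\n".join(cmds))
    print("# absent from the file, nothing to load:", ", ".join(missing))
```

After pasting the commands, validate the candidate (validate full) and compare candidate against running under Device > Config Audit before you commit; with mode merge an entry that already exists at the to-xpath is merged with the imported one rather than replaced, so name collisions are where surprises show up.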

Machine Learning Analysis

Overview
The machine learning features described below require the PAN-OS firewall logs to be stored and
processed in the ML container. There are two types of machine learning analysis that can be
performed:

a. Rule Enrichment: tightens existing security policies by removing "any" from the applications,
users, zones or services fields. For example, if a security policy contains "any" in one of
those fields, this feature discovers the App-IDs and service ports in the firewall traffic logs,
checks whether the traffic matched the application-default ports, and helps you replace "any"
with the correct App-IDs and service ports in the security policy.
b. Rule Suggestion: suggests a new set of security policies based on analysis of the firewall
traffic logs. It is often used in a greenfield deployment, or when an existing rule set is more
permissive than required and you do not know which security policies are actually needed. The
process identifies servers and consumers and produces complete security policies including source,
destination, App-ID and service ports.
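To make the Rule Enrichment idea concrete, here is an added example that is not Expedition's ML code (the guide does not describe that code at this level): a simplified pass over firewall traffic logs that, for one rule, collects the observed App-IDs and ports, applies a minimum-hit threshold like the one the analysis dialog asks for, and proposes the tightened zone, application and service fields. The CSV is constructed with a reduced set of columns, and the table of App-ID default ports is an assumed subset of the real one; both are labelled in the code.

```python
import csv
import io
from collections import Counter

# Constructed, column-reduced traffic log (real PAN-OS CSV exports carry many more fields).
TRAFFIC_CSV = """rule,from,to,src,dst,app,proto,dport,action
allow-any,trust,untrust,10.1.1.5,93.184.216.34,web-browsing,tcp,80,allow
allow-any,trust,untrust,10.1.1.5,93.184.216.34,ssl,tcp,443,allow
allow-any,trust,untrust,10.1.1.6,8.8.8.8,dns,udp,53,allow
allow-any,trust,untrust,10.1.1.7,93.184.216.34,ssl,tcp,443,allow
allow-any,trust,untrust,10.1.1.8,203.0.113.9,ssl,tcp,8443,allow
allow-any,trust,untrust,10.1.1.9,198.51.100.7,unknown-tcp,tcp,31337,allow
allow-dns,trust,untrust,10.1.1.5,8.8.8.8,dns,udp,53,allow
"""

# Assumed subset of App-ID standard ports, enough for the sample; the real
# table lives in the content database on the firewall.
APP_DEFAULT_PORTS = {
    "web-browsing": {("tcp", 80)},
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
}

# App-IDs that mean 'not identified' and must never be written into a rule.
UNIDENTIFIED = ("unknown-tcp", "unknown-udp", "incomplete", "insufficient-data")


def load_logs(text):
    return list(csv.DictReader(io.StringIO(text)))


def enrich_rule(rows, rule, min_hits=1):
    """Propose tightened zones, applications and services for one rule.

    (app, proto, port) triples seen fewer than min_hits times are ignored,
    which is the threshold the Analyze Data dialog exposes.  Service becomes
    application-default only if every kept application was seen exclusively on
    its default port(s); a single non-default hit forces an explicit service
    list, because application-default cannot be combined with explicit
    services in one rule.  Unidentified traffic is reported for review, never
    turned into a rule field."""
    mine = [r for r in rows if r["rule"] == rule]
    hits = Counter((r["app"], r["proto"], int(r["dport"])) for r in mine)
    apps, services, review, all_default = set(), set(), [], True
    for (app, proto, port), n in hits.items():
        if n < min_hits:
            continue
        if app in UNIDENTIFIED:
            review.append(f"{app} on {proto}/{port} ({n} hits)")
            continue
        apps.add(app)
        services.add(f"{proto}/{port}")
        if (proto, port) not in APP_DEFAULT_PORTS.get(app, set()):
            all_default = False
    return {
        "from": sorted({r["from"] for r in mine}),
        "to": sorted({r["to"] for r in mine}),
        "applications": sorted(apps),
        "service": ["application-default"] if all_default else sorted(services),
        "review": sorted(review),
    }
```

Raising min_hits is the knob that trades coverage for confidence: at 1 the ssl-on-8443 hit above forces an explicit service list, at 2 only the repeated ssl/443 traffic survives and the proposal collapses to ssl on application-default, which is the kind of result you want to sanity-check against the period of study before importing it.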

ML Container Token
When setting up the ML container, the steps provided in the README file for the docker
container can be used to generate the token by the ML Container Admin. This token should be
added on Expedition2 UI to allow it to communicate with the ML container.

1. On Expedition2 UI, navigate to System Settings -> T. Analytics


2. Enter ML Container Address and ML Token and Save

Get the log files into ML Container

There are multiple ways to get the logs into the ML container.

1. Scheduled Log Export from an NGFW firewall

Details on configuring the Scheduled Log Export function on Palo Alto Networks firewalls are here:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-web-interface-help/device/device-scheduled-log-export

Note: The PA-7000 Series and Panorama devices either do not offer this log export function or limit
it to the first 1,000,000 entries.

a. Select ‘traffic’ as the log type.
b. Enter the ML container IP address or DNS host name in the hostname field.
c. Set Scheduled Export Start Time to specify when to start the export. Schedule it during off-peak
hours to minimize load on the firewall.
d. Specify /PALogs, or a sub-directory within /PALogs, as the destination folder.
e. Specify the user name and password used to access the ML container (default:
expedition/paloalto). Change the default password before pointing the firewall at the container:
it is a published credential, and the account can write into the log directory.
f. On the ML container, run the following command to make sure the write privileges on the /PALogs
folder are correct:
chown -R expedition:www-data /PALogs

2. Manually export logs from the firewall and upload them to the ML container

a. On the Palo Alto Networks firewall, go to the Monitor tab and export the logs in CSV format.
b. Upload the CSV file to the ML container in one of two ways:
i. Using SFTP
● SFTP to the ML container as the ‘expedition’ user: sftp expedition@<ml-container-ip>
● Change to /PALogs: cd /PALogs
● Upload the CSV file: put <filename>
● On the ML container, check the permissions or run the following command to set them:
chown -R expedition:www-data /PALogs
ii. Copy log files from the Docker host into the ML container

● Start in the folder that holds the docker-compose.yml for the ML container.
● Change to ./runtime/PALogs. Sub-directories can be created within this folder.
● Copy the log files into this folder.
● On the ML container, check the permissions or run the following command to set them:
chown -R expedition:www-data /PALogs

3. Setup ML container as Syslog Server


The ML container runs a Syslog server to receive logs from the Palo Alto Networks
firewalls. This service is running at startup. The firewall needs to be set up to submit traffic log
entries to the ML Container using Log Forwarding Profile.

Enable Log Processing


Log processing is performed under devices. This converts the log files into a format that is
easy for the machine learning modules to analyze.

1. Under the Devices menu, select the device.

2. Go to the T.Analytics section in the ‘Extended View’ of the device
3. Select the following parameters:
a. Label: Specify the path where the log lines are available within the container.
b. After Process: Select between Nothing, Compress and Delete for automatic post
processing of log file.
i. Nothing: Log files will remain in the folder even after they are processed
ii. Compress: Log files will be compressed after processing
iii. Delete: Log files will be deleted after processing
c. AutoProcess CSV Log files: when selected, these logs are auto-processed daily at a specified
time. The time is configured with the environment variable ML_AUTO_LOG_PROCESS in
/var/www/html/.env inside the expedition-ml container; the default is 23 (23:00 GMT).
d. Log files come from syslog: When selected, log processing is not done for the
current date since logs are received in real time.
e. Select ‘Update’ to set these values
f. Click the icon at the bottom right of the ‘List of Files in Folder’ section to view all the
log files available for the device under the specified path. If required, log processing can be
triggered at any time instead of waiting for the daily auto-processing. Click the drop-down beside
the “PROCESS PENDING FILES” button to get the options:

i. Process Pending Files: To process all the pending files in the specified path
for the device
ii. Process Selected Files: Process only specific files from the list selected using
the checkbox

Note: The log processing can take a long time depending on the volume of logs to process.

This completes the settings needed under devices. The logs are available in a format used by the
machine learning module to perform the analysis. The rest of the steps should be done within the
project.

Log Connector Settings

This step is needed to allow the project to access the logs processed for a device. Navigate into the
project with the required configurations imported (Steps provided under GUI Features ->
Projects section above)

1. In the project, open the ‘Log Settings’ menu:
a. Select ‘Traffic Analytics’
b. Select ‘Log Settings’
2. Configure the Log Connector Settings:
3. Select ‘Log Connector Settings’ (selected by default)
4. Add a new log connector by clicking the ‘+’ icon
5. In the ‘Extended View’, enter the following log connector details:
a. Log Connector Name
b. PANOS Device (select the imported device from the drop-down list)

c. Source Config (Select source configuration from the drop down list)
d. Virtual System (Select vsys from the drop down list)
e. Period of Study (Select time frame to run the machine learning analysis)
6. Click ‘Create’ to complete Log Connector Settings

Enable Rule Enrichment or Rule Suggestion for a Security Policy

a. Select ‘Policies’ to get the list of policies
b. Select the specific policy to run the machine learning features on
c. In the ‘Extended View’, scroll down within the ‘Security Rule’ tab under ‘Details’.
d. Select either ‘Rule Enrichment’ or ‘Rule Suggestion’ and click ‘Update’.

This enables the required Machine learning feature for the rule. But, the analysis hasn't started yet.
Repeat these steps as required for additional rules.

Perform Rule Enrichment Analysis


1. Select ‘Rule Enrichment’ under ‘Traffic Analytics’

2. Go to ‘Analyze Data’ in the ‘Extended View’


a. Select the timeframe to run the analysis. There should be logs available from the
previous steps for the device serial number in the selected time frame to get
appropriate recommendations.

b. Specify minimum thresholds to ignore logs from the analysis

c. Select the dropdown button to the right side of ‘Analyze Data’. A pop-up should give
the list of log connectors available in the project. Select the required log connector
and click ‘Analyze Data’

3. Once analysis is complete, the rules recommended by the Rule Enrichment analysis are
displayed. This can be a long task depending on the volume of logs analyzed. The
recommended rules are grouped by the parent rule used to initiate the analysis.

4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ fields apply only if Networks/24
consolidation is selected for source or destination. The number specified is the minimum
number of IPs needed to consolidate them into a /24 subnet.
d. Template selection is needed only if Zones are selected for the import
e. We can also select if the rules should replace the existing rule or be imported as new
cloned rules placed above the existing rule.

5. Once these options are selected, select Import.

Perform Rule Suggestion analysis
1. Select ‘Rule Suggestion’ under ‘Traffic Analytics’

2. Go to ‘Analyze Data’ in the ‘Extended View’


a. Select the timeframe to run the analysis. There should be logs available from the
previous steps for the device serial number in the selected time frame to get
appropriate recommendations.
b. Specify minimum thresholds to ignore logs from the analysis

c. Select the dropdown button to the right side of ‘Analyze Data’. A pop-up should give
the list of log connectors available in the project. Select the required log connector
and click ‘Analyze Data’

3. Once analysis is complete, the rules recommended by the Rule Suggestion analysis are
displayed. This can be a long task depending on the volume of logs analyzed.
4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ fields apply only if Networks/24
consolidation is selected for source or destination. The number specified is the minimum
number of IPs needed to consolidate them into a /24 subnet.
d. Template selection is needed only if Zones are selected for the import

5. Once these options are selected, select Import.

Agents & Jobs

The Agents & Jobs tab provides information about the status of agents and status of jobs.
Here’s a general overview of what you will find in Agents & Jobs tab:

1. Agent status window

This window displays the current status of agents and their associated job information. You
can perform actions such as restarting an agent, if needed, by clicking on the power button located
on the right side of the agent's status row.

2. Jobs status window

This window displays all jobs that have been executed or are pending based on their current
status. You can review the job status by applying filters to show specific types of jobs:

Completed: Jobs that have successfully finished execution.

Failed: Jobs that encountered errors and could not complete successfully.

Running: Jobs that are currently in progress.

Pending: Jobs that are scheduled to run but have not yet started.

Canceled: Jobs that have been manually canceled by the user.

To cancel a pending job, highlight the job in the list and click the cancel button. This stops the
selected job from executing and updates its status to "Canceled."

Audit

On the audit page, any API calls made in the background will be listed along with the API
route and action. You can filter the API calls by selecting the action type, such as get, put, post, etc.

Object Manipulation

Object Manipulations in PAN-OS management tools allow users to perform various functions on
PAN-OS objects, helping to maintain an organized, efficient, and secure configuration. Some of the
functions that can be performed using Object Manipulations include:

● Clean up unused address/service objects: This function helps identify and remove objects
that are not being used in any security policies or NAT rules, helping to declutter and
streamline the configuration.
● Move objects from device group to shared: This function enables users to move objects from
a specific device group to a shared location, making the objects accessible and reusable
across multiple device groups.
● Merge duplicate objects by name or/and value: This function helps identify and merge
duplicate objects with the same name or value, reducing redundancy and simplifying
management.
● Apply prefix/suffix to object names: This function allows users to add a prefix or suffix to the
names of selected objects, helping to standardize naming conventions and improve the
organization of objects.
● Rename objects: Users can rename objects to maintain consistency and follow naming
conventions across the configuration.
● Drag and Drop objects to group objects: This function enables users to easily organize and
manage objects by allowing them to add sets of objects as members of group objects. By
using the drag and drop feature, administrators can quickly and efficiently group related
objects together, which simplifies policy management and enhances overall configuration
organization.
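The unused-object and duplicate-object functions listed above, and the Remove unused objects and Merge duplicate objects steps of the migration workflow, as one added example that is not Expedition's code: it runs the same two checks over an exported PAN-OS firewall configuration with the Python standard library. It walks the address, address-group and security-rule references of one vsys, reports the address objects nothing references, and merges address objects that share a value into the first one defined, rewriting group members and rule sources/destinations to the surviving name. The configuration snippet is constructed; Panorama device groups and Expedition's own matching rules are not modelled.

```python
import xml.etree.ElementTree as ET

# Constructed firewall config: one value defined twice, two objects referenced nowhere.
SAMPLE_CONFIG = """<config version="10.1.0">
<devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<address>
  <entry name="web-1"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="H_10.1.1.10"><ip-netmask>10.1.1.10/32</ip-netmask></entry>
  <entry name="db-1"><ip-netmask>10.1.2.20/32</ip-netmask></entry>
  <entry name="old-proxy"><ip-netmask>10.9.9.9/32</ip-netmask></entry>
  <entry name="ext-site"><fqdn>www.example.com</fqdn></entry>
</address>
<address-group>
  <entry name="web-servers"><static><member>H_10.1.1.10</member></static></entry>
</address-group>
<rulebase><security><rules>
  <entry name="allow-web"><source><member>any</member></source>
    <destination><member>web-1</member></destination></entry>
  <entry name="allow-db"><source><member>web-servers</member></source>
    <destination><member>db-1</member></destination></entry>
</rules></security></rulebase>
</entry></vsys></entry></devices>
</config>"""

VALUE_TAGS = ("ip-netmask", "ip-range", "fqdn")


def load_vsys(text, vsys="vsys1"):
    root = ET.fromstring(text)
    return root.find(f"./devices/entry/vsys/entry[@name='{vsys}']")


def _member_lists(vs):
    """Every element whose <member> children may name an address object."""
    yield from vs.iterfind("./address-group/entry/static")
    for rule in vs.iterfind("./rulebase/security/rules/entry"):
        for field in ("source", "destination"):
            node = rule.find(field)
            if node is not None:
                yield node


def referenced_names(vs):
    return {m.text.strip() for node in _member_lists(vs)
            for m in node.findall("member") if m.text}


def unused_addresses(vs):
    """Address objects that no group and no security rule references."""
    used = referenced_names(vs)
    return sorted(e.get("name") for e in vs.iterfind("./address/entry")
                  if e.get("name") not in used)


def _value(entry):
    for tag in VALUE_TAGS:
        text = entry.findtext(tag)
        if text:
            return tag, text.strip()
    return None


def merge_duplicate_addresses(vs):
    """Merge address objects with identical (type, value).  The first one
    defined survives; later copies are removed and every reference to them is
    rewritten, de-duplicating member lists that would otherwise name the
    survivor twice.  Returns {removed_name: surviving_name}."""
    addresses = vs.find("./address")
    canonical, renamed = {}, {}
    for entry in list(addresses):
        key = _value(entry)
        if key is None:
            continue
        if key in canonical:
            renamed[entry.get("name")] = canonical[key]
            addresses.remove(entry)
        else:
            canonical[key] = entry.get("name")
    for node in _member_lists(vs):
        seen = []
        for m in list(node.findall("member")):
            name = renamed.get((m.text or "").strip(), (m.text or "").strip())
            if name in seen:
                node.remove(m)
            else:
                m.text = name
                seen.append(name)
    return renamed
```

Run the merge before the unused check when you do both: an object that only looked used because a duplicate of it was referenced is reported correctly afterwards. NAT rules and nested groups are left out here and would need the same member-list treatment.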

Table1: Objects Manipulations Available on GUI (N/A = Not Applicable)

Object types: Address, Address Group, Service, Service Group, Apps, Apps Filter, Apps Groups,
Contents, Regions, Tags, Log Forwarding Profile.

Add: all object types. Apps: custom App-ID only. Contents and Log Forwarding Profile: XML format only.
Edit: all object types. Apps: custom App-ID only. Contents and Log Forwarding Profile: XML format only.
Delete: Address, Address Group, Service Group, Apps Filter, Apps Groups. Apps: custom App-ID only.
Service, Contents, Regions, Tags, Log Forwarding Profile: non-predefined objects only.
Clone: all object types.
Copy to clipboard: Address, Address Group, Service, Service Group, Apps.
Paste from clipboard: Address, Address Group, Service, Service Group, Apps.
Bulk Changes: Address, Address Group, Service, Service Group, Apps.
Convert to shared: all object types.
Add Prefix/suffix/replace object name: Address, Address Group, Service, Service Group, Apps, Apps
Filter, Apps Groups, Regions. Contents: N/A.
Add/Delete Tag: Address, Address Group, Service, Service Group, Apps. All other types: N/A.
Predefined filters: all object types.
Drag and Drop to Group: Address, Address Group, Service, Service Group, Apps, Apps Filter, Apps
Groups. Contents, Regions, Tags: N/A.

Here are some use cases demonstrating the benefits of Expedition object manipulation functions in
real-world scenarios:

Expedition objects icons

Expedition 2.x has a new interface and new icons compared with Expedition 1.x. The following table
gives the meaning of the various icons:

Table2: Expedition Objects Icons (the icons themselves are not reproduced here)

Icon: Objects used more than five times in the configuration.

Icon: Objects used fewer than five times in the configuration; the red number shows the usage count
(for example, a red 2 means the object is referenced twice in the configuration).

Icon: Unused objects, that is, objects not referenced anywhere in the configuration.

Icon: TCP service object (connection-oriented protocol).

Icon: UDP service object (connectionless protocol).

Icon: Objects or rules with issues that require further examination. When you click one of these
objects, a detailed warning message is displayed in the warning section of the Extended View window.

Drag & Drop to add members of the group object

When adding address objects from the left panel to a group object on the right panel, you can use
drag and drop. For example, to add the two address objects 10.3.0.254/16 and 10.4.203.253/24 to
the address group object AG1, follow these steps:

● Navigate to the Objects section where you can view individual address objects and the
corresponding address group objects.
● Click on the address group object AG1 to bring up the extended view window. Locate the
Members field in the extended view window.
● In the left panel, find and highlight the address objects you want to add as members of AG1 (
in this case, 10.3.0.254/16 and 10.4.203.253/24)
● Click and hold the left mouse button on the highlighted address objects , then drag and drop
them to the Members field of the address group object AG1 in the extended view window.
● Click Update to update the address group object AG1.

Clipboard

The Clipboard is a feature introduced in Expedition 2.x that simplifies copying and pasting objects
within your PAN-OS configuration. It lets you transfer objects between sections, which streamlines
object management and improves overall organization.

For object types that support copy and paste through the clipboard, select the objects and click the
copy icon on the menu bar; Expedition copies the selected objects to the clipboard. Then move the
cursor to the place you want to paste the objects into and click the paste icon to paste them from
the clipboard.

Here is an example of copying selected address objects and pasting them into an address group object
as members:

1. Select address objects from the OBJECTS -> ADDRESS

2. Click the copy icon on the menu bar

3. Click CLIPBOARD on the lower left section

4. Verify that the clipboard contains the three copied address objects:

5. Select Address Group object by clicking on it. The Extended View will open on the right side
of the screen. In the Extended View, locate the MEMBERS section where you can manage the
address objects associated with the selected address group.

6. Click the icon to paste the copied address objects from the clipboard. The previously
copied address objects will immediately appear in the MEMBERS section of the address
group.

7. Click the save icon to save the changes
8. Every time you copy new objects into the clipboard, they overwrite the objects already in the
clipboard; alternatively, you can click the icon to remove the selected objects from the clipboard:

Policy Manipulation

Policy Manipulations is a major feature of PAN-OS configuration management. Users can leverage it
to perform the functions listed below on Security/NAT/Application policies. Examples include
removing unused rules, merging duplicate rules, and bulk changes to apply security profile
groups, tags, descriptions, User-ID, etc. This feature gives users greater flexibility and control
over their policies, allowing them to make changes quickly and efficiently, which can ultimately
help to improve their overall network security posture.

Table3: Policies Manipulations (N/A = Not Applicable)

Function                                 Security Policy   NAT Policy
Add                                      ✔                 ✔
Edit                                     ✔                 ✔
Delete                                   ✔                 ✔
Clone                                    ✔                 ✔
Convert to shared                        ✔                 ✔
Add prefix/suffix/replace policy name    ✔                 ✔
Predefined filters                       ✔                 ✔
Rule Name manipulation (1)               ✔                 ✔
Enabled Bulk Changes                     ✔                 ✔
Tag Bulk Changes (2)                     ✔                 ✔
Other Bulk Changes (3)                   ✔                 N/A

(1) Clear, Rename, Fix Duplicate
(2) Add/Delete Tag, Add/Delete Group Tags
(3) Append/Prepend Descriptions, Add/Delete Source/Destination Zone, Add/Remove Log Forwarding
Profile, Add/Delete Security Profile Group, Enable/Disable Log at session start/end, Enable/Disable
DSRI

Policy Manipulations in Expedition 2.x can be used in various scenarios to optimize and manage PAN-OS
configurations. Here are some common use cases:

Bulk Change to apply security profiles Group

Applying Security Profiles consistently: Security Profiles and Security Profile Groups are
essential for protecting your network. Policy Manipulations can be used to apply Security Profiles
consistently across multiple rules, ensuring your policies are secure and up-to-date.

1. Navigate to POLICIES -> SECURITY

2. Highlight the security policies to which you would like to apply the bulk change

3. In the extended view window on the right, scroll down to the Security profile group section,
select the security profile group from the dropdown, and click the icon to apply the change.

Networks

Most network configuration changes can be done in the Expedition project; you can change the
sections of the network configuration listed below if required. Examples include renaming an
interface, changing the interface type, etc.

Table4: Sections of network configurations

Features                        Descriptions
Interface Configuration         Add/Edit/Rename/Delete interface
                                Define interface type, tag, link speed, duplex and state
                                Assign static and dynamic IPv4 address (DHCP client)
                                Assign interface to VR, vsys, and zone
                                Assign management profile to interface
Zone Configuration              Add/Edit/Delete zones
                                Assign interfaces to zone
                                Enable Packet Buffer Protection and User-ID
Virtual Router Configuration    Add/Edit/Delete VR
                                Assign interfaces to VR
                                Add/Edit/Remove static routes in VR configuration

GUI limitations

While Expedition 2.x provides a powerful GUI for managing and optimizing PAN-OS
configurations, there are certain features that are not currently available in the GUI. These
features can be accessed and utilized through the API:

● Pushing Configuration to PAN-OS Device: The GUI does not provide the option to directly
push configurations to PAN-OS devices like Expedition 1.x does. You can use the three
methods listed in the Load generated output onto the PAN-OS device section.
● Machine Learning (ML) and Rule Enrichment (RE) features: Expedition's ML and RE
features, which can analyze traffic logs and refine your security policies are under
development.

Despite these limitations in the GUI, Expedition's API provides a flexible and powerful way to
access and use these features. By leveraging the API, you can further enhance and optimize
your PAN-OS configuration management and take full advantage of Expedition's capabilities.

Parser and Migration-related Features

The Expedition Parser plays a crucial role in migration by parsing and converting configurations
from various vendors into a format compatible with PAN-OS. Here's an overview of the migration
capabilities currently available in the Expedition Parser, as well as features planned for future
releases:

Available Parser Vendor Matrix

Expedition 2 builds upon the migration parsers from the Migration Tool and Expedition 1, improving
the migration process and offering additional functionalities. One such enhancement is the
autocorrection of invalid service objects from third-party vendor configurations. This feature maps
these services to corresponding tcp-udp services or equivalent Palo Alto Networks applications.

The conversion information for these predefined third-party vendor services is stored in CSV files
located in the following filesystem paths:

● For individual services objects: /var/www/html/contents/parsers/VENDOR-services.csv

● For service groups: /var/www/html/contents/parsers/VENDOR-groups.csv

Table5: Supported Vendor Matrix

Columns: Vendor | Supported Vendor OS | Global Addr. Object | Addr. Obj. | Addr. Group Obj. |
Serv. Obj. | Serv. Group Obj. | Sec. Pol. | NAT Pol. | Net. Int. (L3) | Static routes | VPN

Checkpoint  | R75, R77                           | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Checkpoint  | >=R80                              | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco       | ASA 9.0, 9.1, 9.6, 8.2, 8.4        | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco       | FirePower [only in ASA syntax]     | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Fortinet    | Fortigate 4.0, 5.0, 6.0            | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
IBM         | XGS 5.1                            | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Juniper     | All Netscreen firewalls (ScreenOS) | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Juniper     | Junos 11.4, 12.1, 12.3             | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Forcepoint  | Sidewinder                         | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Forcepoint  | Stonesoft                          | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

The following vendors are supported through the PANser Web Service:

Sonicwall   | >=v.7.0                            | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco       | ASA >=8.4                          | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔

All sub features of Expedition Parser

The Expedition Parser performs several conversion tasks during the conversion stage to ensure a
smooth and efficient migration. Here are some of the most important ones:

Table6: All sub features of Expedition Parser

Migration logs
    Expedition provides detailed migration logs that show errors on the items not migrated and/or
    those that need manual checking. Logs include notifications in case automated actions have
    taken place to generate a valid configuration, such as trimming object names to fit length
    limitations. You can access migration logs under the "Warning" tab.

Auto fix invalid service objects
    Expedition auto-replaces invalid service objects with an APP-ID when possible; otherwise it
    reports errors in the migration logs. Example: replace an icmp service object with APP-ID ICMP.
    It also provides a mapping from predefined services in third-party vendors to the known
    tcp/udp services.

Auto Remap network interface name
    Auto remap network interface names to the PAN-OS network interface naming convention.
    Example: GigabitEthernet1/1 is converted to Ethernet1/1. Check interface rename activities in
    the "Warning" section.

AutoZone
    When converting from a non zone-based firewall, Expedition auto-assigns zone names based on
    the interface name and the provided routing tables. Zone names may have a numeric value.

Auto split bi-directional NAT rules
    Support for auto-splitting bi-directional NAT rules into two separate rules with their
    corresponding zones and corrected IPs if necessary.

Support migration of Cisco DM_Inline group objects
    Replace Cisco DM_Inline group objects by their member objects in the security rule to improve
    readability.

PANser Web Service

PANser Web Service is a standalone Docker image container developed by the Migration Factory
team within the Palo Alto Networks Professional Services department. The primary function of
PANser is to parse and transform third-party vendor configurations into PAN-OS compatible
configurations.

Expedition uses PANser as its parsing tool, and the converted data is stored within Expedition's
database rather than in PANser's storage. This integration streamlines the migration process and
enables users to manage and optimize the converted configurations using Expedition's powerful
features.

As of now, PANser supports the following third-party vendors:

SonicWall: PANser can parse and convert configurations from SonicWall firewalls with firmware
versions 7.0 and later.

Cisco: PANser supports the conversion of configurations from Cisco firewalls, allowing users to
migrate their configurations to Palo Alto Networks firewalls seamlessly. For Cisco migration, users
can select whether they want to use the Expedition parser or the PANser parser.

The support for additional vendors may be added in future releases, further enhancing PANser's
capabilities and making it even more versatile for users looking to migrate their firewall
configurations to Palo Alto Networks firewalls.

To enable Expedition to use the PANser Web Service for migrating vendors that Expedition does not
support natively, follow these steps:

1. Set up the PANser web service Docker container; refer to the readme in the downloaded
package.

2. Define the PANser settings

URL: POST https://{{expeditionLocal}}/api/v1/panser_settings

Params:

url: https://host.docker.internal:8000

jwt_private_key: file containing the private key (.pem)

3. Define the vendors that should use PANser

4. Convert the vendor file in Expedition using a script or the GUI

For steps 3 and 4, refer to the Expedition-API-Scripts container for example scripts. The
SonicWall migration script is at /migration/sonicwall.ipynb; the parser settings are defined in
the 4th to 6th code blocks.

API Features

The Expedition API offers several features to streamline the migration process, with more
features planned for future releases. Detailed information on how to consume these features can be
found in the Swagger documentation, available at the following URL:

https://localhost/api/v1/documentation

This documentation provides an overview of the available API endpoints, parameters, and responses.

Available API Features

The Expedition API offers, in this initial version, a list of features that can be accessed via the related
API routes. Please review the API documentation published at
https://localhost/api/v1/documentation and https://pan.dev/expedition/docs/expedition_apiint/

API Documentation and Testing

Expedition provides a web-based resource for learning about and testing the Expedition API. This
documentation utilizes the Swagger framework and can be accessed within each Expedition instance
at the following URL: https://localhost/api/v1/documentation.

Swagger processes an api-docs.yaml file to showcase the API features and enable interactivity. The
api-docs.yaml file is updated with each Expedition-API container version and can be found at
/app/expedition-api/app/storage/api-docs/vX/api-docs.yaml, where vX corresponds to the current
version of the Expedition 2 API (currently v1).

As the API development progresses, the documentation will evolve accordingly to include upcoming
features and improvements.

If you do not have access to an Expedition instance, you can still explore the API documentation
using the public service https://editor.swagger.io/. To do so, upload the relevant api-docs.yaml file to
the editor, and you will be able to review all the published API calls and features.

To consume the various API methods, you must first establish a valid session for authentication and
authorization. This can be done using Swagger by making an initial request to the /api/v1/generate_api_key
route.

To make a request, follow these steps:


1. Click on the desired route to call.
2. Activate the interactive mode by clicking the Try it out button.
3. Enter the required parameters (user_id=0, the default login "admin" and password
"paloalto").
4. Click on Execute.

5. Upon successful execution, the API will return a response containing an api_key. This key
should be included in the headers of subsequent requests to validate the user's session and
permissions.

To use the api_key for authorization in Swagger, follow these steps:
1. Copy the api_key from the API response.
2. Locate the Authorize button at the top of the Swagger site.
3. Click on the Authorize button and paste the copied api_key into the appropriate field.
4. Confirm the authorization.

After completing these steps, all future requests made through Swagger will be
authenticated using the provided api_key.
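The two API steps just described (obtain an api_key from /api/v1/generate_api_key, then send that key in a header on every later request) and the PANser settings call from the "PANser Web Service" section (POST /api/v1/panser_settings with the url and jwt_private_key params), as an added Python example written for this guide. It is not Expedition's own code nor one of the Expedition-API-Scripts notebooks. The routes, the default login, and the url/jwt_private_key parameter names come from the guide; the form-field names for the three login parameters and the header name that carries the key are assumptions held in two constants, to be confirmed on the Swagger page. Requests are built with the standard library only, so the request-construction functions can be exercised without a running Expedition instance.

```python
import json
import os
import uuid
import urllib.parse
import urllib.request

# Routes named in the guide.
GENERATE_KEY_ROUTE = "/api/v1/generate_api_key"
PANSER_SETTINGS_ROUTE = "/api/v1/panser_settings"

# ASSUMPTIONS, not stated in the guide: the form-field names for the login
# parameters and the header that carries the api_key. Confirm both on the
# Swagger page (/api/v1/documentation) before using this against an instance.
LOGIN_FIELDS = {"user_id": "user_id", "username": "username", "password": "password"}
API_KEY_HEADER = "X-API-Key"


def build_generate_key_request(base_url, user_id=0, username="admin", password="paloalto"):
    """POST to generate_api_key with the parameters the Swagger walk-through lists."""
    form = urllib.parse.urlencode({
        LOGIN_FIELDS["user_id"]: user_id,
        LOGIN_FIELDS["username"]: username,
        LOGIN_FIELDS["password"]: password,
    }).encode()
    return urllib.request.Request(
        base_url.rstrip("/") + GENERATE_KEY_ROUTE, data=form, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})


def extract_api_key(response_body):
    """Pull api_key out of the JSON response; fail loudly if the login yielded none."""
    key = json.loads(response_body).get("api_key")
    if not key:
        raise ValueError("response carries no api_key; check the login parameters")
    return key


def looks_like_pem_private_key(data):
    """Cheap sanity check before uploading: PEM private keys carry a PRIVATE KEY banner."""
    return data.startswith(b"-----BEGIN") and b"PRIVATE KEY-----" in data


def encode_multipart(fields, files):
    """Minimal multipart/form-data encoder; the stdlib has none for the client side."""
    boundary = uuid.uuid4().hex
    parts = []
    for name, value in fields.items():
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; '
                      f'name="{name}"\r\n\r\n{value}\r\n').encode())
    for name, (filename, content) in files.items():
        parts.append((f'--{boundary}\r\nContent-Disposition: form-data; '
                      f'name="{name}"; filename="{filename}"\r\n'
                      f'Content-Type: application/octet-stream\r\n\r\n').encode()
                     + content + b"\r\n")
    parts.append(f"--{boundary}--\r\n".encode())
    return b"".join(parts), f"multipart/form-data; boundary={boundary}"


def build_panser_settings_request(base_url, api_key, panser_url, pem_bytes, pem_filename):
    """POST panser_settings with the two params the guide lists: url and jwt_private_key."""
    if not looks_like_pem_private_key(pem_bytes):
        raise ValueError(f"{pem_filename} does not look like a PEM private key")
    body, content_type = encode_multipart(
        {"url": panser_url}, {"jwt_private_key": (pem_filename, pem_bytes)})
    return urllib.request.Request(
        base_url.rstrip("/") + PANSER_SETTINGS_ROUTE, data=body, method="POST",
        headers={"Content-Type": content_type, API_KEY_HEADER: api_key})


def send(request):
    """Send a request. TLS verification stays on: a self-signed Expedition certificate
    should be added to the client's trust store rather than verification disabled."""
    with urllib.request.urlopen(request) as resp:
        return resp.read()


def configure_panser(base_url, pem_path, panser_url="https://host.docker.internal:8000"):
    """Step 2 of the PANser setup end to end: obtain a key, then upload the settings."""
    with open(pem_path, "rb") as fh:
        pem = fh.read()
    api_key = extract_api_key(send(build_generate_key_request(base_url)))
    request = build_panser_settings_request(
        base_url, api_key, panser_url, pem, os.path.basename(pem_path))
    return send(request)
```

configure_panser("https://localhost", "panser.pem") performs the whole exchange against a local instance once the two constants have been checked. The admin/paloalto defaults are the ones the guide lists for the first login; the /authentication/change_password.ipynb notebook in the scripts container is the documented way to replace them, after which the username/password arguments here change accordingly.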

Expedition-API-Scripts Container for sample jupyter notebook scripts

The functionalities available through the Expedition UI can also be accessed via scripts using your
preferred programming language. Almost all API functionalities necessitate user authentication.

To familiarize users with scripting and foster a community around the tool, the Expedition team has
created a private repository to be announced. This repository contains a collection of scripts that
represent common workflows for various use cases. Some examples include migrating third-party
vendor configurations, cleaning up configurations by identifying and deleting unused objects, and
optimizing configurations by detecting objects and rules that can be merged.

Setup Expedition-API-Scripts container

Follow the steps defined in the document Notebook - Quick set-up.pdf.

Available sample jupyter notebook scripts in Expedition-API scripts container

1. Set up the Expedition-API scripts Container: Ensure that you have access to the Container, which
contains various example scripts showcasing how to use Expedition API features.
2. Explore the available scripts: Browse through the provided scripts in the Jupyter Notebook Container
to find relevant use case examples and learn how to interact with the Expedition API.
3. Run the scripts: Execute the appropriate scripts in the Jupyter Notebook Container to test the API
features and understand how they can be used in your migration process.
4. Modify the scripts as needed: Customize the provided scripts to fit your specific migration
requirements and develop a deeper understanding of the Expedition API capabilities.

By following these steps, you can test various use cases using the provided scripts in the Jupyter
Notebook Container and gain hands-on experience with the Expedition API features. This
knowledge will help you optimize both your migration process and the resulting PAN-OS configuration.

The following is a list of folders and sample scripts that you can use as a starting point for your use cases.
Make sure you always get the latest content of the scripts by downloading the most recent folder.

Feel free to test, modify, and adapt these scripts to fit your specific needs. Additionally, you are encouraged
to contribute your own scripts based on your use cases to help others in the community.

Table9: Sample Jupyter notebook Scripts in Expedition-API Scripts Container

Folder (with its contents) / Script examples (may differ from the notebook content) / Description

/address/
    move_to_shared.ipynb: Move address objects from device group level to shared
    reverse_dns.ipynb: Perform reverse DNS on address objects
    tag_address.ipynb: Create tags and assign tags to address and address_group objects as specified in an input csv file
    transform_from_hardcoded_to_object.ipynb: Transform hardcoded IPs to address objects

/audit/ (contains scripts to list audit settings and delete them)
    manage_expedition_audit.ipynb: Define expedition audit settings, list all entries and delete them
    manage_project_audit.ipynb: Define project audit settings, list all entries and delete them

/authentication/
    change_password.ipynb: Updates the password of a user.
    generate_api_key.ipynb: Generates a new api key each time it is called. Will return the token generated.
    revoke_api_key.ipynb: Invalidates the api key for a user.

/commons/ (contains two frequently used api calls; you will use these two scripts in all use cases)
    get_api_key.ipynb: When called, makes the api call to generate an api key
    wait_for_job.ipynb: When called with a jobId, prints the job status

/export/
    download_exported_config.ipynb: Generates an xml with the result configuration and downloads it inside a zip file.
    download_migration_logs.ipynb: Downloads the logs result from a migration.
    export_push_to_device.ipynb: Push configuration via API calls from Expedition to Firewall

/files/ (contains all sample files you can use in the scripts)
    No scripts in this folder; you can use the sample config files in this folder or upload your own config files to it.

/Filters/ (contains all filter related use case scripts)
    clone_filter.ipynb: Clones an existing filter.
    combined_filters.ipynb: Creates a filter which is a combination of another filter. In this case, get all security rules whose source_address contains addresses that are ipv6.
    complex_filter.ipynb: Create a complex filter
    generate_predefined_filters.ipynb: Creates a set of predefined filters by default to be used if necessary.
    manage_filters_history.ipynb: Get the history of a filter. This shows when it was created, updated and executed, and how many results each execution had.
    manage_filters.ipynb: Shows the basic operations of the filters: create, update, execute, get results, delete.
    operator_filters.ipynb: Operates with filters. Creates a couple of filters and the one that combines one and the other.
    remove_unused.ipynb: Remove all unused address, address_group, service, service_group objects
    search_rules_with_filters.ipynb: Search and display security rules that contain specific subnets

/issues/
    manage_issues.ipynb: Makes the basic operations with issues: create one, update its state, list them, list depending on the state, delete it.

/merge_configs/ (contains scripts to migrate firewall config to panorama device group config)
    merge_firewall_to_panorama.ipynb: Merge a firewall configuration into a panorama configuration and indicate which parts should be in each device_group or template
    merge_panorama_to_panorama.ipynb: Merge panorama configuration into another panorama configuration.

/merge_objects/ (contains example scripts to merge objects)
    merge_objects_by_name_and_value.ipynb: Merge addresses that have the same name and value.
    merge_objects_by_name.ipynb: Merge addresses that have the same name.
    merge_objects_by_value.ipynb: Merge addresses that have the same value.

/migration/ (contains all conversion scripts from legacy vendors to pan-os configuration)
    checkpoint_r80.ipynb: Import and convert checkpoint >= R80 configuration and merge with a default pan-os firewall baseconfig
    checkpoint.ipynb: Import and convert checkpoint < R80 configuration and merge with a default pan-os firewall baseconfig
    ciscoasa.ipynb: Import and convert Cisco_ASA configuration and merge with a default pan-os firewall baseconfig
    define_panser_settings.ipynb: Defines which vendors should be migrated using the PANser tool. Define the needed settings for the PANser tool to work.
    fortinet.ipynb: Import and convert fortigate configuration and merge with a default pan-os firewall baseconfig
    junipersrx.ipynb: Import and convert Juniper SRX configuration and merge with a default pan-os firewall baseconfig
    sonicwall.ipynb: Import and convert sonicwall configuration and merge with a default pan-os firewall baseconfig
    stonesoft.ipynb: Import and convert stonesoft configuration and merge with a default pan-os firewall baseconfig

/network/ (contains scripts for creating/updating network objects and profiles)
    ethernet.ipynb: List existing Ethernet interfaces in the configuration and create a Layer3 Ethernet Interface
    ikeCrypto.ipynb: List existing IKE Crypto Network Profiles and create a new profile
    ikeGateway.ipynb: List existing IKE Gateway Network Profiles and create a new profile
    interfaceMgmt.ipynb: List existing Interface Management Network Profiles and create a new profile
    ipsecCrypto.ipynb: List existing IPsec Crypto Network Profiles and create a new profile
    ipsecTunnel.ipynb: List existing IPSEC Tunnels and create a new tunnel
    monitor.ipynb: List existing Monitor Network Profiles and create a new profile
    remapInterface.ipynb: Migrate a third party config to PANOS and remap interfaces on the PANOS config
    tunnel.ipynb: List existing Tunnel Interfaces and create a new Tunnel Interface
    virtualRouter.ipynb: Create a new Virtual Router
    virtualWire.ipynb: Configure a Virtual Wire between 2 interfaces
    vlan.ipynb: List existing VLAN Interfaces and vlans. Create a new VLAN Interface and vlan
    zone.ipynb: List existing zones and create a new zone

/policies/ (contains scripts for manipulating security policies)
    apply_autozone_sec_rules.ipynb: Perform autozone on security rules to auto assign zones on security policy based on interface and static routes info.
    BulkChangeApplySPG.ipynb: Bulk Change to apply security profile groups to all allowed security policies.
    clone_rules.ipynb: Clone security rules between device groups
    create_appoverride_rule.ipynb: Create app override security rules
    create_nat_rules.ipynb: Create NAT rules
    create_security_rules.ipynb: Create Security rules

/project/
    delete_old_projects.ipynb: Delete old expedition projects
    export_import_project.ipynb: Export and import Expedition projects
    take_load_snapshots.ipynb: Take snapshot of the Expedition projects

/project_and_devices/ (contains scripts to import pan-os config and manage devices/projects)
    import_cisco_config.ipynb: Convert a config from another vendor to Palo Alto Networks and import it into a project.
    import_panos_config.ipynb: Create a project and device to import the device configuration into the project.
    manage_devices.ipynb: Create, update, delete and retrieve device keys and content.
    manage_projects.ipynb: Create, update, delete a project.
    retrieve_connected_devices.ipynb: Retrieve and see the connected devices from a panorama device.

/search_and_replace/ (contains scripts for "search and replace" related use cases)
    search_and_replace_using_collections.ipynb: Manually create a collection, add addresses inside it, get the usage of each address inside the collection and replace all objects inside the collection by an address group.
    search_and_replace_using_filters.ipynb: Creates a filter getting a set of addresses. Replaces the addresses from the filter that are used as a source_address in security rules by an address_group
    searchhost_and_addprefix_using_filters.ipynb: Search address objects with CIDR block /32 and add the prefix "H-" to the filtered address objects.

/users/
    manage_users.ipynb: Create users with different roles. Update the role of a user. Delete a user.

Testing sample jupyter notebook scripts in Expedition-API-Script container

To convert legacy vendor firewall configurations to PAN-OS configurations using scripts, you will find
the relevant scripts stored in the /migration/ folder. For example, to migrate a Cisco ASA
configuration, follow these steps:

1. Prepare your Cisco ASA configuration file: Before starting the migration process, make sure
you have your Cisco ASA configuration file ready on your local hard drive.
2. Access the /migration/ folder: Navigate to the /migration/ folder in the Expedition-API Script
Container, which contains scripts for various vendor configuration migrations.
3. Locate the Cisco ASA migration script: Find the appropriate script for Cisco ASA migration,
ciscoasa.ipynb. You can use the existing scripts as a starting point and modify them to
accommodate your Cisco ASA configuration.
4. Upload the Cisco ASA configuration file: In the Expedition-API Script Container, navigate to
the /files/ folder and click the upload icon to upload your Cisco ASA configuration file from
your local hard drive.

5. Modify the migration script: Open the Cisco ASA migration script in the Jupyter Notebook
Container and replace the file path and name in the LEGACY_CONFIG_PATH in the variable
code block with the path and name of your uploaded Cisco ASA configuration file.

6. Run the modified migration script in the Jupyter Notebook Container to convert your Cisco
ASA configuration file to a PAN-OS compatible configuration. Run each code block in order:
Each script contains several code blocks that perform specific tasks in the migration process.
To run the script, click on the Run button.

7. Monitor the output: As you execute each code block, keep an eye on the output displayed
beneath it. This feedback will inform you of any errors and API responses. It is important to
not skip any code blocks or move on to the next one until the output of the current block has
been fully processed, as each block is dependent on the output of the previous one.
8. Address any issues: If you encounter any errors or issues while running the script, analyze the
output and adjust the script as needed to resolve the problem. Re-run the affected code
blocks to ensure that the issue is resolved and the script proceeds as expected.
9. Review the final output: Once you have executed all code blocks in the migration script,
review the final output to ensure that the migration process has been completed
successfully. You should see a PAN-OS compatible configuration generated from your legacy
vendor firewall configuration, loaded in the Expedition 2.x GUI.

By following these steps, you can successfully migrate your legacy vendor firewall
configurations, like Cisco, Juniper, Checkpoint, etc to PAN-OS configurations using the scripts
provided in the /migration/ folder. This will enable you to transition your firewall
configurations from third-party vendors to Palo Alto Networks firewalls seamlessly.

Filter

Expedition 2 provides a powerful filter feature that allows you to create, manage, and apply filters on
various objects within a configuration. These filters can be used for multiple purposes, such as
restricting the target of actions, specifying which objects should appear in reports, identifying
objects that should be deleted, and more. Filters in Expedition 2 are designed with sharing and reuse
in mind, offering the following key characteristics:

● Named: Filters are assigned a name, making it easy to identify and refer to them when
needed.
● Background Execution: Filters are executed in the background as non-blocking tasks,
allowing you to continue working in Expedition while the filter is being processed. You can
also monitor the progress of these tasks as they run.
● Stored: Filter results are saved so that you can review and access them at any time.
● Reusable: Filters can be combined and reused in other filters to create more complex filtering
scenarios.
● Exportable: Filters can be easily exported and shared between projects and different
instances of Expedition. This feature promotes collaboration and streamlines the application
of filters across multiple projects.

By utilizing these advanced filtering features, Expedition 2 users can effectively manage their
configuration.

Filter Types

Expedition API supports a variety of filter types to provide flexibility and control when filtering
objects in your configuration. These filter types can be categorized into three main groups: Single
Filters, Combined Filters, and Operations Filters. The filter type is not explicitly required when
creating filters, as it will be determined internally.

Single Filter

This is the most basic filter type, where you query specific properties of one or multiple
object types. A Single Filter lets you filter objects based on a single criterion, such as a specific
attribute, value, or condition. For example, you can create a Single Filter to identify address objects
containing specific values.

By using Single Filters, you can quickly and easily isolate specific objects in your configuration
based on their properties, enabling more efficient management and organization of your firewall
configurations.

The example provided demonstrates how to create a Single Filter using the Expedition API.
Let's break down the syntax and components of the filter for better understanding:

Filter Example: [address, address_group] name contains "office"

This filter would return all address and address_group objects where the name contains the
word "office".

Syntax Components:

● [object_types]: Indicates which object types the filter applies to, enclosed in square brackets
and separated by commas. In this example, the object types are address and address_group.
● property: Specifies the property of the object type to search. In this example, the property is
name.
● operator: Defines the operator to use for comparison. Operators can be negated with a not
before the operator. In this example, the operator is contains.
● "value": Represents the value to search for, enclosed in quotes. In this example, the value is
"office".

Available Operators:

● contains: The property value contains the specified value.
● equals: The property value must be exactly the specified value.
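To make the syntax concrete, here is an added Python example written for this guide (it is not Expedition's own filter engine) that parses a Single Filter expression of the form shown above and evaluates it against a few constructed objects whose property names are taken from Table11. The grammar it accepts is exactly what the text describes: a bracketed object-type list, a property, an optional not, one of the two operators, and a quoted value. How Expedition evaluates filters server-side is not documented here, so the evaluation details (case-sensitive substring match for contains, objects that lack the property are skipped, the object type is kept in a separate "_object_type" key so that the address property called type stays usable) are this example's assumptions.

```python
import re
from dataclasses import dataclass

# The two operators the guide lists; "not" before either one negates it.
OPERATORS = {
    "contains": lambda actual, wanted: wanted in actual,
    "equals": lambda actual, wanted: actual == wanted,
}

# [type, type] property [not] operator "value"
FILTER_RE = re.compile(
    r'^\s*\[(?P<types>[^\]]+)\]'            # object types in square brackets
    r'\s+(?P<prop>[A-Za-z_][A-Za-z0-9_]*)'  # property, e.g. name
    r'\s+(?:(?P<neg>not)\s+)?'              # optional negation
    r'(?P<op>contains|equals)'              # operator
    r'\s+"(?P<value>[^"]*)"\s*$'            # quoted value
)


@dataclass(frozen=True)
class SingleFilter:
    object_types: tuple
    prop: str
    operator: str
    negated: bool
    value: str


def parse_single_filter(text):
    """Parse one Single Filter expression; raise ValueError on anything else."""
    m = FILTER_RE.match(text)
    if m is None:
        raise ValueError(f"not a valid single filter: {text!r}")
    types = tuple(t.strip() for t in m.group("types").split(","))
    if any(t == "" for t in types):
        raise ValueError("object type list contains an empty entry")
    return SingleFilter(types, m.group("prop"), m.group("op"),
                        m.group("neg") is not None, m.group("value"))


def is_valid_filter(text):
    """True when the expression follows the Single Filter syntax."""
    try:
        parse_single_filter(text)
    except ValueError:
        return False
    return True


def apply_filter(flt, objects):
    """Return the names of the objects that satisfy the filter.

    Objects are plain dicts; "_object_type" holds the Expedition object type so that
    the "type" key stays free for the address property of that name (Table11).
    """
    hits = []
    for obj in objects:
        if obj.get("_object_type") not in flt.object_types:
            continue
        actual = obj.get(flt.prop)
        if actual is None:          # property not defined for this object type
            continue
        matched = OPERATORS[flt.operator](str(actual), flt.value)
        if matched != flt.negated:  # negation flips the outcome
            hits.append(obj["name"])
    return hits


def run_filter(text, objects):
    return apply_filter(parse_single_filter(text), objects)


# Constructed sample objects (not from the guide); property names follow Table11.
SAMPLE_OBJECTS = [
    {"_object_type": "address", "name": "office-lan", "description": "HQ office users",
     "type": "ip-netmask", "ipaddress": "10.3.0.254", "netmask": "16"},
    {"_object_type": "address", "name": "dmz-web", "description": "public web server",
     "type": "ip-netmask", "ipaddress": "10.4.203.253", "netmask": "24"},
    {"_object_type": "address_group", "name": "office-servers", "description": "",
     "type": "static"},
    {"_object_type": "service", "name": "office-printer", "description": "",
     "protocol": "tcp", "dst_port": "9100"},
]

if __name__ == "__main__":
    print(run_filter('[address, address_group] name contains "office"', SAMPLE_OBJECTS))
```

run_filter returns object names, which makes it easy to check what a filter would select before attaching it to a bulk action such as the one in remove_unused.ipynb.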

Object types

The following table lists the valid object types for filtering in Expedition, based on the Palo
Alto Networks configuration objects:

By using these object types in your filters, you can effectively search, organize, and manage
various aspects of your Palo Alto Networks firewall configuration within Expedition. Keep in mind
that the specific object types available for filtering may depend on your Expedition version and the
features supported by your Palo Alto Networks firewall.

Table 10: Object types for filtering

OBJECT: address, address_group, tag, service, service_group, application, application_filter,
application_group, external_list, log_setting, schedule, profile, profile_group, region, report,
report_group, error_correction_profile, traffic_distribution_profile, path_quality_profile,
saas_quality_profile, email_scheduler, pdf_summary_report, scep, ssl_tls_profile, certificate

NETWORK: monitor, interface_management, gp_ipsec_crypto, ipsec_crypto, ike_crypto, virtual_router,
zone, ike_gateway, virtual_wire, ipsec_tunnel, vlan, zone_protection_profile, qos_profile, bfd_profile,
lldp_profile, gp_portal, gp_mdm, gp_gateway, clientless_app, clientless_app_group, application_status,
sdwan_interface_profile, lldp, ethernet_interface, ethernet_subinterface, vlan_interface,
loopback_interface, sdwan_interface, tunnel_interface

POLICY: security_rule, app_override_rule, authentication_rule, decryption_rule, dos_rule,
tunnel_inspection_rule, pbf_rule, nat_rule, qos_rule, sdwan_rule

SERVER PROFILES: email_profile, http_profile, kerberos_profile, snmp_trap_profile, saml_profile,
radius_profile, syslog_profile, tacacs_profile, netflow_profile, ldap_profile

Properties

The table below presents the valid properties for each object type, based on the configuration
objects in Palo Alto Networks. All object types can also be filtered by the properties name and
description.

Table 11: Properties for each object type

address: type, ip_type, ipaddress, netmask, id

address_group: type, filter, expression, id

service: id, type, protocol, src_port, dst_port, timeout, tcp_half_closed_timeout,
tcp_time_wait_timeout, timeout_override

service_group: id, type

application: id, application_container, parent_app, technology, category, subcategory, risk,
evasive_behavior, consume_big_bandwidth, prone_to_misuse, able_to_transfer_file,
tunnel_other_application, used_by_malware, has_known_vulnerability, pervasive_use,
tunnel_applications, file_type_ident, virus_ident, data_ident, default_type, value, timeout,
tcp_timeout, tcp_half_closed_timeout, tcp_time_wait_timeout, udp_timeout, spyware_ident, vtype,
alg_disable_capability, no_appid_caching

application_filter: evasive_behavior, consume_big_bandwidth, prone_to_misuse, able_to_transfer_file,
tunnel_other_application, used_by_malware, has_known_vulnerability, pervasive_use,
saas_certifications, saas_risk, type, category, subcategory, technology, risk, characteristic

Predefined Filters

Predefined filters are a type of single filter used to quickly filter objects based on specific criteria.

Filter Example: [address] is not used.success

This filter would return all unused address objects.

Syntax: [object_types] is (not) predefined_filter.success

Valid predefined filters

The table below presents the valid predefined filters in Expedition.

Table 12: Predefined filters and the object types they apply to

Filter: applicable object types

used: all
invalid: all
valid: all
without-description: all
ipv4: address
ipv6: address
fqdn: address
name-is-ip: address
trashed: all
pre-rule: security_rule, nat_rule, app_override_rule
post-rule: security_rule, nat_rule, app_override_rule
static-ip: nat_rule
dynamic-ip-and-port: nat_rule
dynamic-ip: nat_rule
bidirectional: nat_rule
no-nat: nat_rule
log-start: security_rule
log-end: security_rule
ml-enabled: security_rule
re-enabled: security_rule
dsri-enabled: security_rule
layer-4: security_rule
layer-7: security_rule
has-user: security_rule
without-tag: security_rule
without-service: security_rule
service-any: security_rule

Combined Filter

Combined filters are filters that require subfilters, for example a security rule that contains specific
addresses in its source.

Filter Example: [security_rule] source_address contains filter office_address.success

Syntax: [object_types] property (not) operator filter filter_reference.success

This will return all security rules that have the "office" addresses from the previous example in their
source.

● [object_types]: Indicates which object types the filter applies to, enclosed in brackets and separated
by commas. In this example, the object type is security_rule.
● property: Property of the object type to search. In this example, the property is source_address.
● operator: Operator used to compare the property with the filter. Operators can also be negated with a
not before the operator. In this example, the operator is contains.
● filter: Required keyword to indicate that a filter name follows.
● filter_reference: Name of the filter to act as a subfilter. In this example, the filter_reference is
office_address.success.

Operations filters

Operations filters allow you to combine filters using unions and intersections. Two operators are
allowed: or (union) and and (intersection). These operators can also be negated with a not.

Filter Example: filter office_address and not filter home_address

Syntax: filter filter_name1 and (filter filter_name2.success or filter filter_name4.success)

Because operators and parentheses can be combined in many ways, the syntax can become complex.
The components are:

● filter: Required keyword to indicate that a filter name follows.
● filter_nameX: The name of the filter.
● and: Operator that indicates an intersection of filter results.
● or: Operator that indicates a union of filter results.
● (): Parentheses can be used to give precedence to specific operations over others.
● For operations content, the not operator is not available.
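A validator for the four filter forms this chapter describes (single, predefined, combined and operations), added here as an example and not code from Expedition or this guide. It checks a filter string against the documented syntax and against constructed subsets of Tables 10 and 12 before the string is sent to the API, so a misspelled .success suffix, an unknown operator, or a predefined filter applied to an object type it does not support is caught locally. The validate function, the regular expressions and the trimmed tables are this example's own assumptions.

```python
import re

# Constructed subsets of this guide's Table 10 (object types) and Table 12 (predefined filter -> allowed types; None = all).
OBJECT_TYPES = {"address", "address_group", "tag", "service", "service_group", "application",
                "security_rule", "nat_rule", "app_override_rule", "decryption_rule", "zone"}
PREDEFINED = {
    "used": None, "invalid": None, "valid": None, "without-description": None, "trashed": None,
    "ipv4": {"address"}, "ipv6": {"address"}, "fqdn": {"address"}, "name-is-ip": {"address"},
    "pre-rule": {"security_rule", "nat_rule", "app_override_rule"},
    "post-rule": {"security_rule", "nat_rule", "app_override_rule"},
    "static-ip": {"nat_rule"}, "dynamic-ip": {"nat_rule"}, "no-nat": {"nat_rule"},
    "log-start": {"security_rule"}, "log-end": {"security_rule"}, "service-any": {"security_rule"},
}
OPERATORS = {"contains", "equals"}  # the two comparison operators the guide documents
TYPES = r"\[(?P<types>[^\]]+)\]\s+"
SINGLE = re.compile(TYPES + r'(?P<prop>\w+)\s+(?:not\s+)?(?P<op>\w+)\s+"[^"]*"$')
PREDEF = re.compile(TYPES + r"is\s+(?:not\s+)?(?P<name>[\w-]+)\.success$")
COMBINED = re.compile(TYPES + r"(?P<prop>\w+)\s+(?:not\s+)?(?P<op>\w+)\s+filter\s+\w+\.success$")
OPS_TOKEN = re.compile(r"filter\s+\w+(?:\.success)?|\band\b|\bor\b|\bnot\b|[()]")


def validate(expr):
    """Classify one filter string; returns (kind, errors). An empty error list means well-formed."""
    for kind, rx in (("predefined", PREDEF), ("combined", COMBINED), ("single", SINGLE)):
        m = rx.match(expr.strip())
        if not m:
            continue
        types = [t.strip() for t in m.group("types").split(",")]
        errs = [f"unknown object type {t!r}" for t in types if t not in OBJECT_TYPES]
        if kind == "predefined":
            if (name := m.group("name")) not in PREDEFINED:
                errs.append(f"unknown predefined filter {name!r}")
            elif PREDEFINED[name] is not None:  # filter restricted to some object types
                errs += [f"{name!r} is not valid for {t!r}" for t in types if t not in PREDEFINED[name]]
        elif m.group("op") not in OPERATORS:
            errs.append(f"unknown operator {m.group('op')!r}")
        return kind, errs
    # Anything else must be an operations filter: filter references joined by and/or/not and parentheses.
    tokens, leftover = OPS_TOKEN.findall(expr), OPS_TOKEN.sub("", expr).strip()
    depth, errs = 0, []
    for tok in tokens:  # a ')' may never close more than has been opened so far
        depth += (tok == "(") - (tok == ")")
        if depth < 0:
            break
    if depth != 0:
        errs.append("unbalanced parentheses")
    if leftover:
        errs.append(f"unexpected text {leftover!r}")
    if not any(tok.startswith("filter") for tok in tokens):
        errs.append("no filter reference found")
    return "operations", errs
```

The not operator is accepted inside operations filters because the guide's own example uses "and not"; remove it from OPS_TOKEN if your Expedition build rejects it.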

Accessing Filter on GUI

You can access the filter features on the GUI as well. To access the Filter section, go to TOOLS ->
FILTERS.

The filter page includes three sections:

1. FILTER - This section stores all the common filters.
2. CREATE FILTER - In this section, you can create your own filter if you are familiar with the filter
syntax.
3. Filter results - Filter results will be displayed in this section.

FILTERS

To generate common filters, expand GENERATE COMMON FILTERS and click GENERATE.

The process generates common filters for your current configuration, covering common use
cases. Below are some of the common filters that you can run against your configuration:

Category: Rules

Disabled rules: Display all the disabled security and NAT rules in the filter result.

Is from panorama: Display all the rules that are defined in Panorama in the filter result.

is hardcoded: Display all hard-coded IPs, that is, IP addresses that are referenced directly in rules
rather than through address objects.

Category: Usage

unused objects: Display all objects that are not referenced by group objects, security policies or
NAT policies.

Category: Validity

duplicated name: Display all objects that have duplicate names.

By using these common filters, you can easily identify specific items in your configuration and
manage them accordingly.

To run a predefined filter, follow these steps:

1. Check the predefined filter you want to run against your configuration.
2. Click to run the filter.
3. Once the filter has run successfully, the filter result is displayed in the right panel.

Here are some common use cases for using predefined filters:

Clean up Invalid Objects

To review and clean up the invalid objects, follow these steps:

1. On the project dashboard, review the service objects whose issue column is marked as
critical. Double-click the red number, and it will take you to the service object page.

2. If the invalid service objects are not displayed correctly, manually re-apply the filter with
issue critical and Success.

3. There are two methods to replace the invalid service objects:

Method 1:

Modify the service definition file located inside the parsers container (expedition-parsers) at
/var/www/html/contents/parsers/VENDOR-services.csv to include new mapping and re-run the
import in a new project.

Method 2:

Manually replace each invalid service object with a service object that specifies either tcp or udp with
the port number, or replace them with the corresponding APP-IDs.

Remove Unused Objects

To remove unused objects, follow these steps:

1. Run the pre-defined filter unused objects on the filter page.

2. Once the filter has been run, navigate to the OBJECTS -> ADDRESS or OBJECTS ->
SERVICES tab to show filter results by clicking the filter name unused objects.

3. Select all objects, or only the objects you would like to remove, then click the trash can icon in the
upper right corner.

By following these steps, you can efficiently remove unused objects from your configuration,
making it cleaner and easier to manage.

Merge Duplicate Objects

To merge duplicate objects, follow these steps:

1. Run the pre-defined filter duplicated name on the filter page.

2. After running the filter, navigate to the OBJECTS -> ADDRESS or OBJECTS -> SERVICES tab
to display the filter results by clicking the filter name duplicated name->success.
3. Highlight the objects you would like to merge, and click Merge in the Extended View
window. The following merge options are available:
● REDUCE by - The goal is to merge multiple objects into one, thus reducing the object
count. You can choose from four options:
○ Selection - Mark one object as the primary object and click this option to
merge; all selected objects will be merged to the same value as the primary
object.
○ Value - Merge objects by value; after merging, objects with the same value will
be merged.
○ Name - Merge objects by name; after merging, objects with the same name
will be merged.
○ Name and value - Merge objects by name and value; after merging, objects
with the same name and the same value will be merged.
● COMBINE By - The goal is not to reduce the object count but to add the selected objects to a
group object.

4. After selecting the action, a confirmation window will ask you to confirm the action. Click
YES to merge the objects.

Access Expedition Project related files via File manager or Finder

Expedition project-related files are stored inside the
/expedition-container/volumes/user_space folder, with the following structure:

● conversions folder - stores all migration logs, organized by migration ID
● devices folder - stores all PAN-OS device configurations, organized by device ID
● projects folder - stores all Expedition projects, organized by project ID, including the converted
configuration files produced from legacy vendor configurations
● uploads folder - stores all uploaded configuration files, including the original legacy vendor firewall
configurations

Troubleshooting
For API-related issues, perform the following steps in the expedition-api container:

1. In a terminal, type $ docker exec -it expedition-api bash
2. cd /expedition-api/storage/logs
3. Review the daily log; the file is named laravel-2023-*.log

For parser-related issues, perform the following steps in the expedition-parsers container:

1. In a terminal, type $ docker exec -it expedition-parsers bash
2. cd /home/userSpace/logs
3. Go to the project folder; the folder is named EXP_*
4. Review the migration.log

Report Bugs and Improvements

If you encounter any functionality within the tool that does not behave as expected or according to
the documentation, we would appreciate your collaboration in identifying the cause of the issue and
addressing it at its source. To achieve this, certain information can help us reproduce the problem,
pinpoint the affected code, and devise a strategy for its resolution.

Please report any issues you encounter to [email protected]. If you need to share a
configuration or any client-sensitive data/information (such as configuration screenshots, traffic logs,
etc.), please do so through a TAC Case number.

Known Issues

There are a number of general issues and limitations that we've encountered as our development
has progressed. Below is a summary of what is currently expected.

Issue: Unsupported PAN-OS attributes are not imported in Expedition
Detail or workaround: We are investigating the issue; the workaround is to not load the full
configuration in a production PAN-OS device.

Issue: No data is displayed on the grids
Detail or workaround: We are still working on improving the stability of the user interface, and
while it is functional, there may be some limitations and issues that we are working to address. As
a workaround, refresh your browser tab and access Expedition 2 again.

FAQ

Can I upgrade my existing Expedition 1.x to 2.x?

No. Expedition 2.x is delivered as a Docker-based version, so it is not compatible with Expedition 1.x.

How can I provide feedback?

Please leave a comment in the Live Community:

https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool

or email us at [email protected]
