Expedition 2.x Getting - Started - Guide - 20231204
www.paloaltonetworks.com
© 2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our trademarks can be
found at https://www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein may be trademarks of their
respective companies.
Revision Date: May 26th, 2023
Expedition 2.0 Getting Started Guide
Contact Information
Corporate Headquarters:
Expedition 2.0 Getting Started Guide © 2023 Palo Alto Networks, Inc.
Palo Alto Networks
3000 Tannery Way
Santa Clara, CA 95054
● For the most recent version of this guide, visit the Expedition Live Community Documentation portal
https://live.paloaltonetworks.com/t5/Expedition-Migration-Tool/ct-p/migration_tool
● Have feedback or questions for us? Leave a comment in the Expedition portal on Expedition 2
section, or write to us at [email protected]
Copyright
Palo Alto Networks, Inc.
www.paloaltonetworks.com
© 2022-2023 Palo Alto Networks, Inc. Palo Alto Networks is a registered trademark of Palo Alto Networks. A list of our
trademarks can be found at www.paloaltonetworks.com/company/trademarks.html. All other marks mentioned herein
may be trademarks of their respective companies.
Last Revised
May 30th, 2023
Table of Contents
About This Guide
Terminology
Expedition 2 Architecture
Installation
Install Docker Desktop
Setup the Expedition Container
Verify Expedition container is up and running
Update your expedition container when there is a new release
Available Features
GUI Features
Login
DASHBOARD
PROJECTS
Create a Project
Import Configuration in the project
View Configuration in the project
Import and Export Expedition Project
Capture a Snapshot of the project
Delete Project
DEVICES
Create a new PAN-OS Device
Retrieve running configuration from the PAN-OS device
Delete the PAN-OS device
Migration Workflow through GUI
Start a new migration
Select the type of PAN-OS base configuration
Import the Vendor Configuration
Load the converted configuration into the project
Review the project dashboard
Address any warnings that appear
Review Invalid objects
Remove unused objects (Optional)
Merge duplicate objects
Import a Base configuration (Palo Alto Networks configuration from the device that you are migrating to)
Merge the migrated config with the base configuration
Download the merged Output in your preferred format (XML, SET Commands)
Load generated output onto PAN-OS device
Machine Learning Analysis
Overview
ML Container Token
Get the log files into ML Container
Enable Log Processing
Log Connector Settings
Enable Rule Enrichment or Rule Suggestion for a Security Policy
Perform Rule Enrichment Analysis
Perform Rule Suggestion analysis
Agents & Jobs
Audit
Object Manipulation
Expedition objects icons
Drag & Drop to add members of the group object
Clipboard
Policy Manipulation
Bulk Change to apply security profiles Group
Networks
GUI limitations
Parser and Migration-related Features
Available Parser Vendor Matrix
PANser Web Service
API Features
Available API Features
API Documentation and Testing
Expedition-API-Scripts Container for sample jupyter notebook scripts
Setup Expedition-API-Scripts container
Available sample jupyter notebook scripts in Expedition-API scripts container
Testing sample jupyter notebook scripts in Expedition-API-Script container
Filter
Filter Types
Single Filter
Predefined Filters
Operations filters
Accessing Filter on GUI
Clean up Invalid Objects
Remove Unused Objects
Merge Duplicate Objects
Access Expedition Project related files via File manager or Finder
Report Bugs and Improvements
Known Issues
FAQ
About This Guide
Thank you for your interest and help in improving Expedition 2! We are excited about this new version
of the Expedition tool and look forward to your participation as we continue to refine it.
Through this guide, you will discover the features available in Expedition 2 and the features that are on
the roadmap. The guide will also help you get started with the tool: downloading and installing the
Expedition container and starting to test the tool.
Terminology
The following is a list of terms that may be found when reading this documentation and when
consuming the Expedition features.
Term: Description
PANObject: Any object that can be found in a PANOS configuration, including objects (e.g.
addresses, tags), policies (e.g. security rules, application override), network (e.g.
VLANs, VPNs),
Trash: Expedition does not fully delete objects from the projects when the DELETE API
action is submitted. Instead, objects are moved to a trash space so it offers a
Expedition 2 Architecture
The Expedition 2 container image consists of a set of individual containers (see Figure 1) that interact
with each other, with expedition-api acting as the orchestrator for all workflow interactions. In the
current version, Expedition 2.0, the following packages, services and versions should be found:
● Expedition-API:
This container provides a RESTful API that can be consumed by your scripting language
of choice, and presents the UI (HTML/JS). The back-end API is developed using the Laravel PHP
framework and served via Apache 2. The container also runs one or more PHP agents to support
asynchronous requests that help with the execution of automated tasks and multi-processing
actions. The agents also consume the API, and communications with them are performed via
RabbitMQ.
○ Services installed:
■ Apache/2.4.53
■ PHP/7.4.29
○ API (Laravel) logs path:
■ /var/www/html/expedition-api/storage/logs
○ Some configuration files are stored in volumes on the host.
● RabbitMQ:
Container to provide the RabbitMQ service for asynchronous requests. Communications are
performed between web service API calls and PHP agents. Stopping this service will prevent
agents from receiving messages for the execution of blocking or long lasting tasks, such as
downloading configuration files from a PANOS device, doing reverse DNS resolutions,
autoprocessing CSV traffic log files, among others.
○ Services installed:
■ RabbitMQ/3.8
● Expedition-db:
This container provides an RDBMS as storage for the application data. Stopping this
container will block all of Expedition’s functionality, as it would interrupt authentication, access to
project information, or auditing.
● Expedition-parsers:
This container provides the parser library and workflows to migrate from third-party
vendors to Palo Alto Networks configurations. It includes mappings for specific
service to configuration conversions when those are not TCP or UDP protocols.
It is not directly available to the user; it is consumed by the Expedition-API container when
migrations are requested. This container does not expose an API.
This container does not have persistence, so all data generated is only available during the
container lifecycle.
○ Services installed:
■ Apache/2.x
■ PHP/7.0
● Expedition-parsers-db:
Helper container for the expedition-parsers container that stores temporary data needed for parsing
vendor configs. After a migration, the databases are wiped.
○ It has no persistence, so all data generated is only available during the container lifecycle.
○ Services installed:
■ Maria DB ver. 10.2
○ Databases:
■ Projects DB. A project is a collection of information related to a specific migration to a
device. Each project is stored on a dedicated database within the same RDBMS. The
databases resemble the structure used by parsers in Expedition 1.
■ PANDBRAC DB. Database to store information required for the migration scripts,
such as name of the project under migration, version of the PANOS target device, and
user controls.
Fig 1. Expedition 2 Architecture diagram showing the different containers and shared volumes
Installation
This document provides instructions on how to use Expedition with Docker Desktop, although it is
possible to use any Docker engine.
Please refer to https://docs.docker.com/desktop/ for details on how to install Docker Desktop on your
platform, or contact your IT Support to help you set up Expedition on a container hosting site.
The Expedition team does not provide support on creating a Docker-capable environment.
Ensure that Docker Desktop is up and running before proceeding with the following steps to set up
the Expedition container:
1. Access the Google Drive location shared with you, folder install from Release X.Y.Z.
2. Download the following files from the install folder and place them in your workspace
(for example: the Expedition2-Release1 folder):
○ .env
○ docker-compose.yml
○ README.md
○ For Windows, Intel Mac and others: download the intel_images/image.zip file
4. Unzip the downloaded image.zip file in your workspace. The unzip will create a folder named
images containing all Expedition2 images. The file structure should look like the following
screenshot:
5. .env is a hidden file, so make sure your file system can display hidden files. Edit the .env file and
update the following two variables:
● MYSQL_ROOT_PASSWORD=
Add your desired password for accessing the Expedition databases. This password cannot
be changed later and will be used to encrypt your database. For example, if the desired
password is "paloalto", update the line to: MYSQL_ROOT_PASSWORD=paloalto
● EXPEDITION2_UI_PORT=443
The Expedition GUI runs on port 443 by default. If you need to change the port number, update the
value accordingly.
6. Open a command-line interface (CLI), navigate to the Expedition2-Release1 folder and
execute the following commands (pay attention to the image name; if you have newer images,
change the file name accordingly in the command below):
NOTE: On the Apple M1 chipset, replace intel_images with m1_images in the above command.
7. Run the Expedition 2 container using the below command:
docker-compose up -d
8. Wait for one minute, then open Google Chrome and access the UI using the following URL:
https://localhost:443 (default credentials are: admin/paloalto)
9. To access the Swagger API definition for API purposes, use the following URL:
https://localhost/api/v1/documentation
Once the Expedition container is up and running, you should see a running status for all
five of the sub-containers below:
expedition-rabbitmq
expedition-db
expedition-parsers-db
expedition-api
expedition-parsers
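A check for steps 5 to 9 above, as an added example that is not part of the original guide or of Expedition: it audits the two .env variables and reports which of the five listed containers are not up. The 16-character minimum, the `docker ps` format string and the assumption that container names match the list above exactly are choices of this example.

```python
"""Install check for an Expedition 2 workspace (added example, not Palo Alto Networks code)."""
import secrets
import subprocess
import sys
from pathlib import Path

# Container names exactly as listed in the guide; assumed to match `docker ps` output.
EXPECTED_CONTAINERS = (
    "expedition-rabbitmq", "expedition-db", "expedition-parsers-db",
    "expedition-api", "expedition-parsers",
)
GUIDE_EXAMPLE_PASSWORD = "paloalto"   # example value in step 5, also the default UI password
MIN_PASSWORD_LENGTH = 16              # assumption of this example, not an Expedition requirement


def parse_env(text):
    """Return KEY -> value for the KEY=value lines of a docker-compose .env file."""
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values[key.strip()] = value.strip().strip("'\"")
    return values


def audit_env(text):
    """List problems with the two variables the guide asks you to edit."""
    env = parse_env(text)
    findings = []
    password = env.get("MYSQL_ROOT_PASSWORD", "")
    if not password:
        findings.append("MYSQL_ROOT_PASSWORD is not set")
    elif password.lower() == GUIDE_EXAMPLE_PASSWORD:
        findings.append("MYSQL_ROOT_PASSWORD is the example value from the guide")
    elif len(password) < MIN_PASSWORD_LENGTH:
        findings.append(f"MYSQL_ROOT_PASSWORD is shorter than {MIN_PASSWORD_LENGTH} characters")
    port = env.get("EXPEDITION2_UI_PORT", "")
    if not (port.isascii() and port.isdigit() and 1 <= int(port) <= 65535):
        findings.append(f"EXPEDITION2_UI_PORT is not a valid TCP port: {port!r}")
    return findings


def containers_not_up(ps_output):
    """ps_output holds 'name<TAB>status' lines; return expected containers not in an 'Up' state."""
    status = {}
    for line in ps_output.splitlines():
        name, _, state = line.partition("\t")
        status[name.strip()] = state.strip()
    return [name for name in EXPECTED_CONTAINERS if not status.get(name, "").startswith("Up")]


def new_password():
    """Random value to set once, since the guide says the password cannot be changed later."""
    return secrets.token_urlsafe(24)   # 32 URL-safe characters


# Constructed sample inputs so the example runs without Docker.
SAMPLE_ENV = "MYSQL_ROOT_PASSWORD=paloalto\nEXPEDITION2_UI_PORT=443\n"
SAMPLE_PS = (
    "expedition-api\tUp 2 minutes\n"
    "expedition-db\tUp 2 minutes\n"
    "expedition-rabbitmq\tUp 2 minutes\n"
    "expedition-parsers-db\tUp 2 minutes\n"
    "expedition-parsers\tExited (1) 30 seconds ago\n"
)

if __name__ == "__main__":
    if len(sys.argv) > 1:   # argument: path to the workspace folder that holds .env
        env_text = Path(sys.argv[1], ".env").read_text()
        ps_text = subprocess.run(
            ["docker", "ps", "-a", "--format", "{{.Names}}\t{{.Status}}"],
            capture_output=True, text=True, check=True,
        ).stdout
    else:
        env_text, ps_text = SAMPLE_ENV, SAMPLE_PS
    env_findings = audit_env(env_text)
    for finding in env_findings:
        print("env:", finding)
    if any("MYSQL_ROOT_PASSWORD" in finding for finding in env_findings):
        print("env: candidate value:", new_password())
    for name in containers_not_up(ps_text):
        print("container not up:", name)
```

Run it before the first `docker-compose up -d` to check the .env file, and again afterwards with the workspace path as its argument to check container status.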
Update your expedition container when there is a new release
Below are the steps to update your Expedition container when there is a new release of the Docker
images:
1. Access the Google Drive location shared with you, folder update from Release X.Y.Z.
2. Download the following files from the update folder and place them in your workspace
(for example: the Expedition2-Release1 folder):
○ docker-compose.yml
○ README.md
○ For Windows, Intel Mac and others: download the intel_images/image.zip file
4. Unzip the downloaded image.zip file in your workspace. The unzip will create a folder named
images containing the updated Expedition2 images.
5. Stop the container: in the Docker Desktop GUI, click on the button to stop the
Expedition container.
6. In the command line (CLI), go into the expedition2-release1 folder and issue the command below to
update the images. (If there are multiple updated images, you will need to issue the same
command for the other images as well; just replace the image name in the command.)
$ docker-compose up -d
8. In Docker Desktop, verify that all components of the Expedition container are up and running.
Available Features
We recognize that participating in the testing phase of Expedition Beta requires effort and is a
valuable contribution to the Expedition team. Your input helps enhance the tool, accelerates the
identification of potential issues and missing features, and ultimately improves the overall user
experience.
Before you embark on a project expecting final results, it is crucial to understand the tool's current
features. This section outlines the available features in the tool, as well as the functionalities planned
for future releases.
As a tester, evaluate the tool's impact on your current configuration projects and consider how
upcoming features may expedite future projects. If you identify features that have not yet been
implemented or listed for future releases, we encourage you to report these as Feature Requests
through the channels specified in the Report Bugs and Improvements section.
GUI Features
Note: We are still working on improving the stability of the user interface, and while it is functional, there
may be some limitations and issues that we are working to address.
Login
Once the container is up and running, you can access Expedition either through scripts that
utilize the API or the provided JavaScript UI. By default, the Expedition UI can be accessed via
a web browser on TCP port 443. If you are running the Expedition API on your desktop and
haven't mapped the web-service port to a different one than TCP/443, you can access the UI
using the following URL: https://localhost
The Expedition web-service includes a self-signed SSL certificate. As a result, when accessing
Expedition for the first time using Google Chrome, you may encounter a "Your connection is
not private" warning message. To bypass this warning, simply type "thisisunsafe" on the
screen. Although your typing will not be visible on the UI, Chrome will register the keystrokes
and understand that you are willing to proceed with accessing a self-signed site.
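Because the certificate is self-signed, a browser or script can only recognise it by its fingerprint. The sketch below is an added example, not part of Expedition: it records the SHA-256 fingerprint the first time it is run and reports any later change. The pin-file name and the trust-on-first-use approach are assumptions of this example.

```python
"""Trust-on-first-use pin for Expedition's self-signed certificate (added example)."""
import hashlib
import hmac
import ssl
import sys
from pathlib import Path


def fingerprint(pem_cert):
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert.strip())
    return hashlib.sha256(der).hexdigest()


def check_pin(pem_cert, pin_file):
    """Return 'recorded' on first use, then 'match' or 'MISMATCH' on later runs."""
    seen = fingerprint(pem_cert)
    pin_path = Path(pin_file)
    if not pin_path.exists():
        pin_path.write_text(seen + "\n")
        return "recorded"
    pinned = pin_path.read_text().strip()
    return "match" if hmac.compare_digest(seen, pinned) else "MISMATCH"


def fetch_certificate(host="localhost", port=443):
    """Fetch the server certificate without validating it (it is self-signed)."""
    return ssl.get_server_certificate((host, port))


# Constructed stand-ins for two different certificates; the bytes are not real X.509.
SAMPLE_CERT_A = ssl.DER_cert_to_PEM_cert(b"constructed certificate A")
SAMPLE_CERT_B = ssl.DER_cert_to_PEM_cert(b"constructed certificate B")

if __name__ == "__main__":
    # Optional arguments: host and port. The pin is kept in ./expedition.pin (hypothetical name).
    host = sys.argv[1] if len(sys.argv) > 1 else "localhost"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    pem = fetch_certificate(host, port)
    print(fingerprint(pem), check_pin(pem, "expedition.pin"))
```

Record the pin right after the container is first started on the local machine; a later MISMATCH means the certificate presented on that port is no longer the one first seen.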
username="admin"
password="paloalto"
DASHBOARD
Let’s explore the Dashboard’s main features by navigating to Main screen -> Dashboard.
1. Get Started: This panel provides shortcuts for specific tasks, such as:
● Create a new project: Clicking the shortcut takes you to the project window.
● Import a new PAN-OS device: Clicking the shortcut takes you to the device window.
2. Continue where you left off:
This section lists shortcuts to projects you were previously working on. Click on "Open Project:
{your project name}" to access the project.
3. Projects by Tag:
This section displays the number of projects grouped by tag information. For example, if you
have tagged all your Checkpoint >= R80 migrations as cp-r80 and have four projects with
that tag, hovering your mouse over the tag info will display cp-r80-4
4. Projects by User:
This section shows the number of users assigned to specific projects. The view may be limited
to projects you have the rights to participate in.
.have not been active during the last 30 days
PROJECTS
The PROJECTS tab takes you to the project window, where you can create, edit and delete
projects. Double-clicking a project opens it. Let’s go over some use cases:
Create a Project
In Expedition, each project has its own database, and you can create as many projects as you
want. To create a new project, follow these steps:
Navigate to the PROJECTS tab and click on located on the top right.
In the extended view window that appears, assign a name to your project (project names must have
at least 5 characters)
Click to create the project.
Import Configuration in the project
● To access a project, double-click on the project name. If the project is already
associated with a configuration, the configuration file dropdown will display the
config name for you to select.
● If no configuration is associated with the project, you will see no config selected
next to the configuration selection dropdown.
● To import a configuration, click the NEW CONFIGURATION tab to either start a new
migration or import a PAN-OS configuration:
If you are working on a 3rd party vendor migration project, select START A NEW
MIGRATION. Refer to the Migration Workflow section for more detailed steps.
If you already have a PAN-OS config and would like to view or refine the PAN-OS
configuration, there are two ways to import the configuration:
2. If you have retrieved the configuration from the PAN-OS device as per the steps in the
DEVICES section, select IMPORT FROM A PANOS DEVICE. Double-click the device to
import the configuration. If you do not see any device in the list, you likely haven’t
assigned the device to the project. Please review the steps on Assigning a PAN-OS
device to the project.
View Configuration in the project
Once the configuration is selected, you can select the configuration with specific
device group, virtual system, or template you want to view and click on APPLY
CHANGES.
Expedition will load the configuration into the project and direct you to the project
dashboard, which displays the statistics of your configuration:
● SUMMARY TOTAL: A table displaying the total number of objects across all device
groups/vsys.
● SUMMARY BY DEVICE GROUP: A table displaying the total number of objects per
device group/vsys, broken down into individual device groups/vsys. Click + to expand
individual device groups (vsys) or - to collapse specific device groups/vsys.
● To view objects and rules, navigate to different tabs. For example, click on OBJECTS ->
Address to view address and address-group objects
You can view objects in the left panel and group objects in the right panel, as shown in the
screenshot.
The same concept applies to other tabs. To view security rules and NAT rules, click on
POLICIES and select either Security or NAT to view corresponding rulesets.
For details on actions you can perform on objects and policies, please refer to the sections:
● Object Manipulations
● Policy Manipulations
From the IMPORT/EXPORT tab you can export and import the current project. This is
useful when you want to create a full backup of Expedition or import it into another
instance.
Import a Project:
2. Highlight the project. In the Extended view window, click on the button, then
click on the button to select the file from your desktop. Once the file is
Export a Project:
Highlight the project. In the Extended view window, click on the button and
the exported project will be downloaded to your local machine with the name EXP_xx.zip. You can
then share this exported project.
Capture a Snapshot of the project
1. Automatic snapshot:
Expedition automatically takes snapshots during significant changes in the project, such as:
● Before importing a configuration
● Bulk changes to objects or rules
● Moving objects and rules
● Deleting objects and rules
● Before merging vendor-converted config and source configuration
2. Manual snapshot:
Similar to Expedition 1.x, you can take a manual snapshot whenever you desire. To create
a manual snapshot, follow these steps:
In the snapshot window, you can manage snapshots by:
● Loading a snapshot: Select a specific snapshot and click the "load" icon.
By using these snapshot features, you can better manage your configurations and maintain a history
of changes, allowing you to revert to previous states if needed.
Delete Project
1. Select the projects you would like to delete, then click on the button to
remove the projects. You can select multiple projects at once:
3. Click on the button to confirm project deletions.
By following these steps, you can delete one or multiple projects from Expedition.
Remember to double-check your selections before confirming the deletion, as this action
cannot be undone.
DEVICES
The DEVICES tab in Expedition allows you to add your Palo Alto Networks devices and import
your Palo Alto Networks firewalls and Panorama configuration to Expedition, enabling you to use
them as a base configuration for making improvements or merge with vendor-converted
configuration.
Expedition supports all PAN-OS versions from version 4.0 up to 11.0. Let’s follow an example of
how to create a new Device, import the configuration and securely store it on Expedition.
● Add a new Device by navigating to DEVICE and clicking on the CREATE A NEW DEVICE button
located at the top right of the panel.
● In the information tab, enter the information below as required:
○ Device Name: The name you want to give your firewall.
○ Model: Palo Alto Networks device model.
○ Hostname/IP: IP or name used to connect to your firewall. If it’s a name, Expedition needs to
know how to resolve it, so check that the DNS used by Expedition is the right one. You can check
from the CLI
● After entering all the required info, click on the to add the device first.
● Once the Device has been created and is listed in the Devices view, we have to edit it and add the
credentials needed to retrieve contents such as the applications database, system information and the
configuration. Select the device, expand the extended view on the right to edit it, and click on the +
to expand the Authentication section:
● Click the purple ADD NEW API KEYS button. This brings up a sub-window; select Role & API
Keys to add the firewall login credentials, and Expedition will make a request to the firewall to generate a
new API key.
○ Role and Apply all Roles: When you add a new API Key, it can be attached to a Role inside
Expedition. This means that when a user from Expedition with the Role admin inside a
Project tries to push changes using API Keys, Expedition will use the API Key
based on the user’s Role, in this example admin. If you didn’t add an API key to the admin Role,
that user will be unable to send any API call out. For small environments where you will have
only one user, who will be admin, there is no need to check Apply all Roles; keep that
key attached only to the admin Role.
● Note that the generated API Key will be valid as long as the user doesn't change the password on the
firewall. Click on SAVE KEYS to add the new API Keys.
● Once the API keys are successfully added, you will see API KEY Registered ✅
● Expand Contents -> RETRIEVE CONTENTS -> Running Configuration. Expedition will make an API
call to pull down the running configuration from the firewall or Panorama.
● Optional step for a Panorama device: expand Panorama Devices -> RETRIEVE DEVICES. Expedition
will make an API call to retrieve all the connected devices that are managed by the Panorama.
● All edits on the device have been completed. click on to save the changes.
● If you have already created a Device, you can select it from the Device Access box. By selecting a
firewall or Panorama in the Device Access box, you are forcing Expedition to import the same
Applications database to your project. That Applications database was downloaded to Expedition at
the same time as the configuration was retrieved. As a result, your Project will have the same
applications database as your Firewall.
When done with the project, and the pan-os device is no longer needed, you can select PAN-OS
Migration Workflow through GUI
Expedition streamlines the process of migrating configuration elements from other security vendors
and converting them into a Palo Alto Networks configuration. This reduces the time and potential
errors associated with manual migration. However, the results should always be reviewed by a
professional familiar with both the original vendor and Palo Alto Networks technologies. The
migration workflow is as follows:
Start a new migration
To start a new migration, first create a project and enter it by double-clicking on the project
name. Once inside the project, click on NEW CONFIGURATION followed by START A NEW
MIGRATION.
Choose the type of PAN-OS base configuration you'd like to use for your migration. In
Expedition 2.x, a default PAN-OS v10.1.x base configuration is provided for your convenience. Decide
whether you want to merge the converted configuration with a Firewall base config or a Panorama
base configuration.
Once you select the type of base config, click START MIGRATION.
● Click on the vendor name to select the vendor configuration you wish to migrate. Assign a
name to the configuration file, browse to the file location on your local drive.
● If you are merging with a Panorama config later, it is recommended to use the VSYS name
that your Panorama template belongs to. For example, you can name your configuration file
vsys1.
● Click UPLOAD & MIGRATE to upload the vendor configuration.
Once the migration is complete, you will receive a Migration completed message. To load
the migrated configuration into the same project, navigate to the configuration section at the
top of the page.
After selecting the configuration file, if you've chosen a firewall configuration as the base, you
will be prompted to select a vsys name (e.g. vsys1). If a Panorama base configuration was
selected, you will be prompted to choose a device group and template section.
After the configuration is loaded, you will be directed to the project dashboard, which
displays a summary of object counts. Please review the information provided in View
Configuration in the project.
Address any warnings that emerge by navigating to the Warning page. These warnings are
automatically generated during the conversion of your vendor config, and it's essential to
review and resolve them as necessary.
Examine the action column for suggested actions. If the action column is not visible, hover
your mouse over any column, click the downward arrow, and ensure that the checkbox next
to action is checked.
Review Invalid objects
In the Expedition 2 parser, while converting the vendor configuration, the parser automatically
searches for and replaces invalid service objects with the corresponding APP-IDs defined in the service
mapping file. For more details, refer to the Available Parser Vendor Matrix. If the invalid service objects are
not defined in the vendor service file, you will need to manually review and replace them with the
appropriate service objects with ports or APP-IDs. Please refer to the Clean up Invalid Objects section in the
documentation for guidance.
Please note that the search and replace function is still under development. However, this feature is
available in the API, and you can write a script to replace invalid objects with APP-IDs.
If you would like to remove unused objects, you can first apply a filter to identify these
objects. Then, take action to remove all or some of the unused objects as needed. For more details on how
to remove unused objects, please refer to the Remove Unused Objects section in the documentation.
Because PAN-OS does not accept objects with the same name, it is necessary to address this issue. First,
apply a filter to identify objects with duplicate names. Then, take action to merge all objects with duplicate
names as needed. For more details on how to merge duplicate objects, please refer to the Merge Duplicate
Objects section.
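The unused-object and duplicate-name checks described above can also be run on an exported PAN-OS XML configuration before it is loaded. The following is an added example, not Expedition's own filter or API: it reports names that occur more than once among the address and address-group entries of a vsys, and objects that no rule reaches directly or through a group. The sample configuration is constructed, and only firewall (vsys) scopes are examined, not shared or Panorama device-group scopes.

```python
"""Find duplicate and unused address objects in a PAN-OS XML config (added example)."""
import xml.etree.ElementTree as ET
from collections import Counter

# Constructed sample: one vsys, five addresses, two groups, one security and one NAT rule.
SAMPLE_CONFIG = """\
<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <address>
    <entry name="web-srv"><ip-netmask>10.0.0.10/32</ip-netmask></entry>
    <entry name="web-srv-2"><ip-netmask>10.0.0.11/32</ip-netmask></entry>
    <entry name="db-srv"><ip-netmask>10.0.1.20/32</ip-netmask></entry>
    <entry name="old-printer"><ip-netmask>10.0.9.9/32</ip-netmask></entry>
    <entry name="web-farm"><ip-netmask>10.0.0.0/24</ip-netmask></entry>
  </address>
  <address-group>
    <entry name="web-farm"><static><member>web-srv</member><member>web-srv-2</member></static></entry>
    <entry name="retired"><static><member>old-printer</member></static></entry>
  </address-group>
  <rulebase>
    <security><rules><entry name="allow-web">
      <from><member>untrust</member></from><to><member>dmz</member></to>
      <source><member>any</member></source>
      <destination><member>web-farm</member></destination>
      <application><member>web-browsing</member></application>
      <service><member>application-default</member></service>
      <action>allow</action>
    </entry></rules></security>
    <nat><rules><entry name="dnat-db">
      <from><member>untrust</member></from><to><member>untrust</member></to>
      <source><member>any</member></source>
      <destination><member>203.0.113.10</member></destination>
      <service>any</service>
      <destination-translation><translated-address>db-srv</translated-address></destination-translation>
    </entry></rules></nat>
  </rulebase>
</entry></vsys></entry></devices></config>
"""


def audit_vsys(vsys):
    """Return (duplicate_names, unused_names) for the address objects of one vsys element."""
    groups = vsys.findall("./address-group/entry")
    names = [e.get("name") for e in vsys.findall("./address/entry")]
    names += [g.get("name") for g in groups]
    # Addresses and address groups are counted together: a name used twice is reported.
    duplicates = sorted(n for n, count in Counter(names).items() if count > 1)

    members = {}
    for group in groups:
        members.setdefault(group.get("name"), set()).update(
            m.text.strip() for m in group.findall("./static/member") if m.text)

    # Any element text inside the rulebase that equals an object name counts as a
    # reference. This is deliberately broad so NAT translation fields are covered;
    # it can only make the unused list shorter, never longer.
    known = set(names)
    pending = [el.text.strip() for rb in vsys.findall("./rulebase") for el in rb.iter()
               if el.text and el.text.strip() in known]
    used = set()
    while pending:                      # follow group membership transitively
        name = pending.pop()
        if name not in used:
            used.add(name)
            pending.extend(members.get(name, ()))
    return duplicates, sorted(known - used)


def audit_config(xml_text):
    """Map each vsys name to its (duplicates, unused) result."""
    root = ET.fromstring(xml_text)
    return {v.get("name"): audit_vsys(v) for v in root.findall("./devices/entry/vsys/entry")}


if __name__ == "__main__":
    for vsys_name, (dups, unused) in audit_config(SAMPLE_CONFIG).items():
        print(vsys_name, "duplicate names:", dups, "unused:", unused)
```

In the sample, the group retired is reported as unused together with its only member, because no rule references the group.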
Import a Base configuration (Palo Alto Networks configuration from the device that
you are migrating to)
● Click NEW CONFIGURATION, then click IMPORT PANOS CONFIGURATION on the right panel.
This will allow you to import your existing PAN-OS configuration file into the tool.
● There are two methods to import your PAN-OS base config:
1. IMPORT XML FILE - Manually download the running config from the PAN-OS device
to your local drive, and import the PAN-OS configuration from your local drive.
2. IMPORT FROM A PANOS DEVICE - Retrieve the running configuration from the device
tab when you have added the PAN-OS device in the project. For more details on adding a
PAN-OS device, please refer to the Create a new PAN-OS Device section in the
documentation.
If you would like to merge the converted configuration with your PAN-OS base configuration,
navigate to the main interface and click on TOOLS followed by MERGE CONFIGURATION.
This feature allows you to combine the converted configuration with your existing PAN-OS
base configuration, ensuring a seamless integration.
To merge the configuration, follow these steps:
1. Select the PAN-OS base config from the base config dropdown. The base config will be
displayed on the right panel. If it’s a Panorama config, the device group hierarchy will be
displayed; the template hierarchy will not be displayed. This allows you to view and manage
configuration for specific device groups.
2. Select your vendor migrated config from the config to merge dropdown on the left panel.
3. Perform mapping on each section of configuration. This may include objects, policies, and
networks. Review each section carefully, ensuring that the settings from the migrated
configuration are mapped correctly to the PAN-OS base configuration.
At the top, you can select the DG and Template into which you want to merge every section
of the configuration. In the screenshot below, all objects and policies are mapped to Device
Group DG1, and all network configuration to Template1.
If you are merging with a firewall configuration, all configurations will be mapped to
the VSYS name that came from your base configuration.
4. Click to apply mapping. The mapping is displayed as in the screenshot
provided. You can manually change the mapping if necessary, such as mapping objects in
the shared section of the vendor configuration to shared in the Panorama base
configuration.
5. After applying mapping to all sections of the configuration, click icon on each of the
sections. You will see a green checkmark next to the mapped configuration sections,
indicating successful mapping. You only need to map the main folder (e.g., shared, vsys1,
default folder), as all the configuration under the folder will be mapped to the same device
group or template as the main folder.
6. After mapping is done, click to start merging the configuration. Click Yes to
confirm merge.
7. The system will start merging the configurations based on the mapping you have set up. This
process may take some time, depending on the complexity and size of the configurations.
Once the merge is complete, you can review the merged configuration to ensure everything
has been properly combined. When merging is done, will change to indicating
successful merging.
8. After the merge is complete, you will see a reminder like the one shown in the screenshot.
This reminder serves as a prompt to carefully review the merged configuration and check for
any issues. Specifically, you should:
1. Ensure there are no duplicate objects: Review the merged configuration to identify
and remove any duplicate objects that might have been created during the merging
process.
2. Verify Interfaces and Zones: Check that the interfaces and zones under the Template
are assigned with the correct VSYS name. This is crucial to maintain proper network
segmentation and functionality.
By thoroughly reviewing the merged configuration and addressing any potential issues, you
will maintain consistency across your network configurations and ensure your PAN-OS
configuration is committable.
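One way to run both review checks against the exported XML before loading it, as an added example (not Expedition's own code). It assumes a firewall-style layout in which objects live under shared or a vsys entry, zones list their interfaces as members, and each vsys lists its interfaces under import/network/interface; it also assumes address objects and address groups share one name space, as do services and service groups. The sample XML is constructed.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample: a trimmed firewall-style export, not a real device config.
SAMPLE_XML = """<config>
  <shared>
    <address>
      <entry name="web-01"><ip-netmask>10.3.0.254/16</ip-netmask></entry>
    </address>
  </shared>
  <devices><entry name="localhost.localdomain">
    <vsys><entry name="vsys1">
      <import><network><interface>
        <member>ethernet1/1</member>
      </interface></network></import>
      <zone>
        <entry name="trust"><network><layer3>
          <member>ethernet1/1</member>
        </layer3></network></entry>
        <entry name="dmz"><network><layer3>
          <member>ethernet1/2</member>
        </layer3></network></entry>
      </zone>
      <address>
        <entry name="db-01"><ip-netmask>10.4.203.253/24</ip-netmask></entry>
        <entry name="db-01"><ip-netmask>10.4.203.10/32</ip-netmask></entry>
        <entry name="AG1"><ip-netmask>10.3.0.0/16</ip-netmask></entry>
      </address>
      <address-group>
        <entry name="AG1"><static><member>db-01</member></static></entry>
      </address-group>
    </entry></vsys>
  </entry></devices>
</config>"""

# Assumption: containers listed together must not reuse a name within one scope.
NAME_SPACES = {
    "address": ("address", "address-group"),
    "service": ("service", "service-group"),
}


def iter_scopes(root):
    """Yield (scope name, element) for shared and for every vsys."""
    shared = root.find("shared")
    if shared is not None:
        yield "shared", shared
    for vsys in root.findall("./devices/entry/vsys/entry"):
        yield vsys.get("name"), vsys


def duplicate_names(root):
    """Return (scope, family, name, containers) for names defined more than once."""
    findings = []
    for scope, node in iter_scopes(root):
        for family, containers in NAME_SPACES.items():
            seen = defaultdict(list)
            for container in containers:
                for entry in node.findall(f"./{container}/entry"):
                    seen[entry.get("name")].append(container)
            for name, where in sorted(seen.items()):
                if len(where) > 1:
                    findings.append((scope, family, name, where))
    return findings


def zone_interfaces_outside_vsys(root):
    """Return (vsys, zone, interface) where a zone uses an interface the vsys does not import."""
    findings = []
    for vsys in root.findall("./devices/entry/vsys/entry"):
        imported = {m.text for m in vsys.findall("./import/network/interface/member")}
        for zone in vsys.findall("./zone/entry"):
            # layer3, layer2, virtual-wire and tap zones all list interfaces as <member>
            for member in zone.findall("./network/*/member"):
                if member.text not in imported:
                    findings.append((vsys.get("name"), zone.get("name"), member.text))
    return findings


def review(xml_text):
    """Run both checks on an exported configuration given as a string."""
    root = ET.fromstring(xml_text)
    return {
        "duplicates": duplicate_names(root),
        "zone_interfaces": zone_interfaces_outside_vsys(root),
    }


if __name__ == "__main__":
    for kind, rows in review(SAMPLE_XML).items():
        for row in rows:
            print(kind, row)
```

Both lists being empty is the condition to aim for before attempting a commit; any row points at the object or zone to fix in the project.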
If the VSYS name was not correctly assigned to interfaces and zones during the merge, you can
apply bulk changes to assign the correct VSYS name using the following steps:
1. For Interfaces:
a. Select the interfaces to which you want to re-assign the VSYS name.
b. Navigate to the Bulk Change option in the Extended view window.
c. Select VSYS Name from the drop-down menu.
d. Choose the proper VSYS name for the selected interfaces and apply the changes.
2. For Zones:
Download the merged Output in your preferred format (XML, SET Commands)
After the configurations are merged, follow these steps to generate and download the output:
After downloading the output file, you can choose one of the following methods to load the
configuration onto your PAN-OS device:
1. Load the full xml file onto a PAN-OS device via PAN-OS GUI: This method is best suited for
greenfield deployment. To do this, follow these steps:
Log in to the PAN-OS GUI.
Go to Device > Setup > Operations.
Under the Configuration Management section, click Import named configuration
snapshot and select the downloaded XML file.
Click Load named configuration snapshot, choose the imported configuration, and
then click OK to load it.
Commit to the PAN-OS device.
2. Use the Load Config Partial command from the CLI of the PAN-OS device to load selected
sections of the configuration: This method is best suited for merging with production
Panorama devices to avoid conflicts. To do this, follow these steps:
3. Copy and paste the set command provided in the PAN-OS CLI. This method is suitable for
loading specific settings or objects without replacing the entire configuration. To do this,
follow these steps:
Overview
The machine learning features described below require the PAN-OS firewall logs to be stored and
processed in the ML container. There are two types of machine learning analysis that can be
performed:
a. Rule Enrichment: This feature is used to tighten existing security policies by removing
“any” from them. For example, you have a security policy that contains “any”
in the applications, users, zones, or services fields. This feature auto-discovers
APP-ID and service port information in the firewall traffic logs, checks whether it matches the
application-default ports, and helps you tighten your security policies by replacing
“any” with the correct APP-ID and service ports in the security policy.
b. Rule Suggestion: This feature suggests new sets of security policies based on
analysis of the firewall traffic logs. It is often used in greenfield deployments or when
you have a set of rules that is more permissive than required and you don’t know
what security policies are required. This process identifies servers and consumers and
provides all the security policies, including source, destinations, APP-ID, and
service-ports.
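The idea behind Rule Enrichment, sketched as an added example (an illustration of the description above, not Expedition's ML code). The log rows are a constructed, simplified CSV, and the application-default port table is a constructed stand-in for the App-ID content data.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: simplified traffic-log rows. Real PAN-OS traffic logs
# carry many more columns; only these four matter for the illustration.
SAMPLE_LOG = """rule,app,proto,dport
allow-any-out,ssl,tcp,443
allow-any-out,ssl,tcp,443
allow-any-out,dns,udp,53
allow-any-out,ssl,tcp,8443
allow-any-out,web-browsing,tcp,80
legacy-db,mssql-db,tcp,1433
"""

# Constructed stand-in for the application-default ports of each App-ID.
APP_DEFAULT = {
    "ssl": {("tcp", 443)},
    "dns": {("udp", 53), ("tcp", 53)},
    "web-browsing": {("tcp", 80)},
    "mssql-db": {("tcp", 1433)},
}


def fmt(ports):
    """Render a set of (proto, port) pairs as a sorted list like 'tcp/443'."""
    return [f"{proto}/{port}" for proto, port in sorted(ports)]


def enrich(log_text, app_default):
    """Propose applications and service for every rule seen in the logs.

    For each rule, collect the App-IDs and destination ports observed. If every
    application was only seen on its default ports, the rule's "any" service can
    become application-default; otherwise list the observed ports explicitly and
    report which application was seen off its defaults so a reviewer can decide
    whether that traffic is wanted.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for row in csv.DictReader(io.StringIO(log_text)):
        seen[row["rule"]][row["app"]].add((row["proto"], int(row["dport"])))

    proposals = {}
    for rule, apps in seen.items():
        off_default = {}
        all_ports = set()
        for app, ports in apps.items():
            all_ports |= ports
            extra = ports - app_default.get(app, set())
            if extra:
                off_default[app] = fmt(extra)
        proposals[rule] = {
            "applications": sorted(apps),
            "service": fmt(all_ports) if off_default else "application-default",
            "off_default": off_default,
        }
    return proposals


if __name__ == "__main__":
    for rule, proposal in enrich(SAMPLE_LOG, APP_DEFAULT).items():
        print(rule, proposal)
```

An entry in off_default is the part worth a manual look: the traffic matched the rule, but on a port the application does not normally use.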
ML Container Token
When setting up the ML container, the ML Container Admin can generate the token by following
the steps provided in the README file for the docker container. This token should be
added in the Expedition 2 UI to allow it to communicate with the ML container.
There are multiple ways to get the logs into the ML container.
Note: The PA-7000 Series and Panorama devices do not offer such log export functionality,
or it is limited to the first 1.000.000 entries.
● Start at the folder with the docker-compose.yml for the ML container.
● Navigate to ./runtime/PALogs. Sub-directories can be created within
this folder.
● Copy the log files into this folder.
● On the ML container, validate the permissions or execute the following
command to ensure the right permissions are set:
chown -R expedition:www-data /PALogs
2. Go to the T.Analytics section in the ‘Extended View’ of the device
3. Select the following parameters:
a. Label: Specify the path where the log lines are available within the container.
b. After Process: Select between Nothing, Compress and Delete for automatic post
processing of log file.
i. Nothing: Log files will remain in the folder even after they are processed
ii. Compress: Log files will be compressed after processing
iii. Delete: Log files will be deleted after processing
c. AutoProcess CSV Log files: When selected, these logs are auto-processed daily at a
specified time.
This time is configured using the environment variable
ML_AUTO_LOG_PROCESS defined in /var/www/html/.env in the expedition-ml
container. The default value is 23 GMT.
d. Log files come from syslog: When selected, log processing is not done for the
current date since logs are received in real time.
e. Select ‘Update’ to set these values
f. Click the icon at the bottom right of the ‘List of Files in Folder’ section to view all
the log files available for the device based on the specified path. If required, the log
processing can be triggered at any time instead of waiting for the once in a day
auto-processing. Click the drop-down beside the “PROCESS PENDING FILES” button
to get the options:
i. Process Pending Files: To process all the pending files in the specified path
for the device
ii. Process Selected Files: Process only specific files from the list selected using
the checkbox
Note: The log processing can take a long time depending on the volume of logs to process.
This completes the settings needed under devices. The logs are available in a format used by the
machine learning module to perform the analysis. The rest of the steps should be done within the
project.
This step is needed to allow the project to access the logs processed for a device. Navigate into the
project with the required configurations imported (Steps provided under GUI Features ->
Projects section above)
1. In the project, go to ‘log settings’ menu:
c. Source Config (Select source configuration from the drop down list)
d. Virtual System (Select vsys from the drop down list)
e. Period of Study (Select time frame to run the machine learning analysis)
6. Click ‘Create’ to complete Log Connector Settings
This enables the required Machine learning feature for the rule. But, the analysis hasn't started yet.
Repeat these steps as required for additional rules.
b. Specify minimum thresholds to ignore logs from the analysis
c. Select the dropdown button to the right side of ‘Analyze Data’. A pop-up should give
the list of log connectors available in the project. Select the required log connector
and click ‘Analyze Data’
3. Once analysis is complete, the rules recommended by the Rule Enrichment analysis are
displayed. This can be a long task depending on the volume of logs analyzed. The
recommended rules are grouped by the parent rule used to initiate the analysis.
4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ fields are applicable only if Networks/24
consolidation is selected in source or destination. The number specified is the
minimum number of IPs needed to consolidate to a /24 subnet.
d. Template selection is needed only if Zones are selected for the import
e. We can also select if the rules should replace the existing rule or be imported as new
cloned rules placed above the existing rule.
Perform Rule Suggestion analysis
1. Select ‘Rule Suggestion’ under ‘Traffic Analytics’
c. Select the dropdown button to the right side of ‘Analyze Data’. A pop-up should give
the list of log connectors available in the project. Select the required log connector
and click ‘Analyze Data’
3. Once analysis is complete, the rules recommended by the Rule Suggestion analysis are
displayed. This can be a long task depending on the volume of logs analyzed.
4. In the ‘Extended View’, go to ‘Import into Project’ to select the specific criteria to import
rules.
a. Select if all rules or only selected rules should be imported
b. Select which parameters like Application, source, destination, users, zones, service
should be included from the recommended rules during the import.
c. The ‘Custom Source’ and ‘Custom Destination’ fields are applicable only if Networks/24
consolidation is selected in source or destination. The number specified is the
minimum number of IPs needed to consolidate to a /24 subnet.
d. Template selection is needed only if Zones are selected for the import
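What the Networks/24 consolidation threshold means for the imported rule, in both the Rule Enrichment and the Rule Suggestion import dialogs, as an added example (an illustration, not Expedition's code). It assumes the threshold is inclusive and that hosts below it stay as /32 entries; the address list is constructed.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: source addresses as they might appear in analyzed traffic logs.
OBSERVED_SOURCES = [
    "10.4.203.5", "10.4.203.9", "10.4.203.17", "10.4.203.20", "10.4.203.253",
    "10.3.0.254",
    "192.168.1.10", "192.168.1.11", "192.168.1.10",  # repeated log hits collapse
]


def consolidate_to_24(addresses, min_hosts):
    """Replace observed hosts by their /24 when at least min_hosts share it.

    Returns (members, widened):
      members - the entries the rule would carry after consolidation
      widened - one record per consolidated /24 with the number of addresses
                that were observed and the number the rule now also matches
                without any log evidence
    """
    buckets = defaultdict(set)
    passthrough = []
    for raw in addresses:
        ip = ipaddress.ip_address(raw)
        if ip.version != 4:
            passthrough.append(str(ip))  # /24 consolidation only applies to IPv4
            continue
        buckets[ipaddress.ip_network(f"{ip}/24", strict=False)].add(ip)

    members, widened = [], []
    for net in sorted(buckets):
        hosts = buckets[net]
        if len(hosts) >= min_hosts:  # assumption: threshold is inclusive
            members.append(str(net))
            widened.append({
                "network": str(net),
                "observed": len(hosts),
                "unobserved": net.num_addresses - len(hosts),
            })
        else:
            members.extend(f"{ip}/32" for ip in sorted(hosts))
    return members + passthrough, widened


if __name__ == "__main__":
    for threshold in (4, 2):
        members, widened = consolidate_to_24(OBSERVED_SOURCES, threshold)
        print(f"threshold={threshold}")
        print("  rule members:", members)
        for record in widened:
            print("  widened:", record)
```

A low threshold shortens the rule but permits many addresses that never appeared in the logs; the unobserved count makes that trade-off visible per subnet.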
Agents & Jobs
The Agents & Jobs tab provides information about the status of agents and status of jobs.
Here’s a general overview of what you will find in Agents & Jobs tab:
This window displays the current status of agents and their associated job information. You
can perform actions such as restarting an agent, if needed, by clicking on the power button located
on the right side of the agent's status row.
This window displays all jobs that have been executed or are pending based on their current
status. You can review the job status by applying filters to show specific types of jobs:
Failed: Jobs that encountered errors and could not complete successfully.
Running: Jobs that are currently in progress.
Pending: Jobs that are scheduled to run but have not yet started.
To cancel a pending job, highlight the desired job in the list, and click on the
button. This will stop the selected job from executing and update its status to
"Canceled."
Audit
On the audit page, any API calls made in the background will be listed along with the API
route and action. You can filter the API calls by selecting the action type, such as get, put, post, etc.
Object Manipulation
Object Manipulations in PAN-OS management tools allow users to perform various functions on
PAN-OS objects, helping to maintain an organized, efficient, and secure configuration. Some of the
functions that can be performed using Object Manipulations include:
● Clean up unused address/service objects: This function helps identify and remove objects
that are not being used in any security policies or NAT rules, helping to declutter and
streamline the configuration.
● Move objects from device group to shared: This function enables users to move objects from
a specific device group to a shared location, making the objects accessible and reusable
across multiple device groups.
● Merge duplicate objects by name or/and value: This function helps identify and merge
duplicate objects with the same name or value, reducing redundancy and simplifying
management.
● Apply prefix/suffix to object names: This function allows users to add a prefix or suffix to the
names of selected objects, helping to standardize naming conventions and improve the
organization of objects.
● Rename objects: Users can rename objects to maintain consistency and follow naming
conventions across the configuration.
● Drag and Drop objects to group objects: This function enables users to easily organize and
manage objects by allowing them to add sets of objects as members of group objects. By
using the drag and drop feature, administrators can quickly and efficiently group related
objects together, which simplifies policy management and enhances overall configuration
organization.
Function | Address | Address Group | Service | Service Group | Apps | Apps Filter | Apps Groups | Contents | Regions | Tags | Log Forward. Profile
Clone ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Copy to clipboard ✔ ✔ ✔ ✔ ✔
Paste from clipboard ✔ ✔ ✔ ✔ ✔
Bulk Changes ✔ ✔ ✔ ✔ ✔
Convert to shared ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Add Prefix/suffix/replace object name ✔ ✔ ✔ ✔ ✔ ✔ ✔ N/A ✔
Predefined filters ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Drag and Drop to Group ✔ ✔ ✔ ✔ ✔ ✔ ✔ N/A N/A N/A
Here are some use cases demonstrating the benefits of Expedition object manipulation functions in
real-world scenarios:
Expedition 2.x has brand new interfaces and icons compared to Expedition 1.x. The following table
provides the meanings of various icons:
Icon Descriptions
Objects used fewer than 5 times in the configuration; the red number indicates
usage (e.g., a red number of 2 signifies that the object has been used twice in the
configuration).
TCP protocol service object (connection-based protocol).
Objects or rules with issues that require further examination. When you click on
these objects, a detailed warning message will be displayed in the warning section
of the Extended View window.
To add address objects from the left panel to a group object on the right panel, you can
use the drag and drop function. For example, to add the two address objects 10.3.0.254/16 and
10.4.203.253/24 to the address group object AG1, follow these steps:
● Navigate to the Objects section where you can view individual address objects and the
corresponding address group objects.
● Click on the address group object AG1 to bring up the extended view window. Locate the
Members field in the extended view window.
● In the left panel, find and highlight the address objects you want to add as members of AG1
(in this case, 10.3.0.254/16 and 10.4.203.253/24).
● Click and hold the left mouse button on the highlighted address objects, then drag and drop
them to the Members field of the address group object AG1 in the extended view window.
● Click Update to update the address group object AG1.
Clipboard
Clipboard is a helpful feature introduced in Expedition 2.x that simplifies the process of copying
and pasting objects within your PAN-OS configuration. The clipboard allows you to easily transfer
objects between different sections, streamlining object management and improving overall
organization.
For objects that support copy and paste through the clipboard, select the object and click icon
on the menu bar; Expedition copies the selected objects to the clipboard. Then move
your cursor to the objects you would like to paste to, and click to paste the object from
the clipboard.
Let’s go over an example of copying selected address objects and pasting them onto an address group
object as members:
2. Click on the menu bar
4. Verify the clipboard contains the three copied address objects:
5. Select Address Group object by clicking on it. The Extended View will open on the right side
of the screen. In the Extended View, locate the MEMBERS section where you can manage the
address objects associated with the selected address group.
6. Click the icon to paste the copied address objects from the clipboard. The previously
copied address objects will immediately appear in the MEMBERS section of the address
group.
7. Click to save the changes
8. Every time you copy new objects into clipboard, it will overwrite the objects in the clipboard,
Policy Manipulation
Policy Manipulations is a major feature of PAN-OS configuration management. Users can
leverage it to perform functions on Security/NAT/Application policies, for example:
remove unused rules, merge duplicate rules, and make bulk changes to apply security profile
groups, tags, descriptions, User-ID, etc. This feature provides users with greater flexibility and control
over their policies, allowing them to make changes quickly and efficiently, which can ultimately help
to improve their overall network security posture.
Edit ✔ ✔
Delete ✔ ✔
Clone ✔ ✔
Convert to shared ✔ ✔
Predefined filters ✔ ✔
Rule Name manipulation (1) ✔ ✔
Enabled Bulk Changes ✔ ✔
(1) Clear, Rename, Fix Duplicate
Policy Manipulations in Expedition 2.x can be used in various scenarios to optimize and manage PAN-OS
configurations. Here are some common use cases:
Applying Security Profiles consistently: Security Profiles and Security Profile Groups are
essential for protecting your network. Policy Manipulations can be used to apply Security Profiles
consistently across multiple rules, ensuring your policies are secure and up-to-date.
2. Highlight the security policies to which you would like to apply the bulk change
(2) Add/Delete Tag, Add/Delete Group Tags
(3) Append/Prepend Descriptions, Add/Delete Source/Destination Zone, Add/Remove Log Forwarding Profile, Add/Delete
Security Profile Group, Enable/Disable Log at session start/end, Enable/Disable DSRI
3. In the extended view window on the right, scroll down to the Security profile
group section, select the security profile group from the dropdown, and click
Networks
Most network configuration changes can be made in the Expedition project. You can
change the sections of network configuration below if required. Examples include renaming
an interface or changing the interface type.
Table 4: Sections of network configurations
Features Descriptions
GUI limitations
While Expedition 2.x provides a powerful GUI for managing and optimizing PAN-OS
configurations, there are certain features that are not currently available in the GUI. These
features can be accessed and utilized through the API:
● Pushing Configuration to PAN-OS Device: The GUI does not provide the option to directly
push configurations to PAN-OS devices like Expedition 1.x does. You can use the three
methods listed in the Load generated output onto the PAN-OS device section.
● Machine Learning (ML) and Rule Enrichment (RE) features: Expedition's ML and RE
features, which can analyze traffic logs and refine your security policies, are under
development.
Despite these limitations in the GUI, Expedition's API provides a flexible and powerful way to
access and use these features. By leveraging the API, you can further enhance and optimize
your PAN-OS configuration management and take full advantage of Expedition's capabilities.
Parser and Migration-related Features
The Expedition Parser plays a crucial role in this process by parsing and converting configurations
from various vendors into a format compatible with PAN-OS. Here's an overview of the migration
capabilities currently available in the Expedition-Parser, as well as features planned for future
releases:
Expedition 2 builds upon the migration parsers from the Migration Tool and Expedition 1, improving
the migration process and offering additional functionalities. One such enhancement is the
autocorrection of invalid service objects from third-party vendor configurations. This feature maps
these services to corresponding tcp-udp services or equivalent Palo Alto Networks applications.
The conversion information for these predefined third-party vendor services is stored in CSV files
located in the following filesystem paths:
Vendor | Supported Vendor OS | Global Addr. Object | Addr. Obj. | Addr. Group Obj. | Serv. Obj. | Serv. Group Obj. | Sec. Pol. | NAT Pol. | Net. Int. (L3) | Static routes | VPN
Checkpoint | R75, R77 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Checkpoint | >=R80 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco | ASA 9.0, 9.1, 9.6, 8.2, 8.4 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Cisco | FirePower [only in ASA syntax] | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Fortinet | Fortigate 4.0, 5.0, 6.0 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
IBM | XGS 5.1 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Juniper | All Netscreen firewalls (ScreenOS) | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Juniper | Junos 11.4, 12.1, 12.3 | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Forcepoint | Sidewinder | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
Forcepoint | Stonesoft | ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔ ✔
The Expedition Parser performs several features during the conversion stage to ensure a smooth and
efficient migration process. Here are some of the most important conversion features:
Table 6: All sub features of Expedition Parser
Features | Descriptions
Migration logs | Expedition provides detailed migration logs that show errors on the items not migrated and/or those that need manual checking. Logs include notifications in case automated actions have taken place to generate a valid configuration, such as trimming object names to fit length limitations. You can access migration logs under the “Warning” tab.
Auto fix invalid service objects | Expedition will auto replace invalid service objects with APP-ID when possible. Otherwise, it will report errors in the migration logs. Example: replace the icmp service object with APP-ID ICMP. It will also provide a mapping from predefined services in third-party vendors to the known tcp/udp services.
Auto Remap network Interface name | Auto remap network interface names to the PAN-OS network interface naming convention. Example: GigabitEthernet1/1 will be converted to Ethernet1/1. Check interface rename activities in the “Warning” section.
AutoZone | When converting from a non zone-based firewall, Expedition will auto assign zone names based on interface name and provided routing tables. Zone names may have a numeric value.
Auto split bi-directional NAT rules | Support for auto splitting bi-directional NAT rules into two separate rules with their corresponding zones and corrected IPs if necessary.
Support migration of Cisco DM_Inline group objects | Replace Cisco DM_inline group objects with their member objects in the security rule to improve readability.
PANser Web Service is a standalone Docker image container developed by the Migration Factory
team within the Palo Alto Networks Professional Services department. The primary function of
PANser is to parse and transform third-party vendor configurations into PAN-OS compatible
configurations.
Expedition uses PANser as its parsing tool, and the converted data is stored within Expedition's
database rather than in PANser's storage. This integration streamlines the migration process and
enables users to manage and optimize the converted configurations using Expedition's powerful
features.
SonicWall: PANser can parse and convert configurations from SonicWall firewalls with firmware
versions 7.0 and later.
Cisco: PANser supports the conversion of configurations from Cisco firewalls, allowing users to
migrate their configurations to Palo Alto Networks firewalls seamlessly. For Cisco migrations, users can
select whether to use the Expedition parser or the PANser parser.
The support for additional vendors may be added in future releases, further enhancing PANser's
capabilities and making it even more versatile for users looking to migrate their firewall
configurations to Palo Alto Networks firewalls.
To enable Expedition to use the PANser Web Service for migrations from vendors that Expedition does not support:
1. Set up the PANser web service Docker container; refer to the readme in the
downloaded package.
Params:
url: https://host.docker.internal:8000
For Steps 3 and 4, refer to the Expedition-API-Scripts Container for example scripts.
The SonicWall migration script is at /migration/sonicwall.ipynb; the parser settings are defined in the
4th-6th code blocks.
API Features
The Expedition API offers several features to streamline the migration process, with more
features planned for future releases. Detailed information on how to consume these features can be
found in the Swagger documentation, available at the following URL:
https://localhost/api/v1/documentation
This documentation provides an overview of the available API endpoints, parameters, and responses.
API Documentation and Testing
Expedition provides a web-based resource for learning about and testing the Expedition API. This
documentation utilizes the Swagger framework and can be accessed within each Expedition instance using
the following URL: https://localhost/api/v1/documentation.
Swagger processes an api-docs.yaml file to showcase the API features and enable interactivity. The
api-docs.yaml file is updated with each Expedition-API container version and can be found at
/app/expedition-api/app/storage/api-docs/vX/api-docs.yaml, where vX corresponds to the current
version of the Expedition 2 API (currently v1).
As the API development progresses, the documentation will evolve accordingly to include upcoming
features and improvements.
If you do not have access to an Expedition instance, you can still explore the API documentation
using the public service https://editor.swagger.io/. To do so, upload the relevant api-docs.yaml file to
the editor, and you will be able to review all the published API calls and features.
To consume the various API methods, you must first establish a valid session for authentication and
authorization. This can be done using Swagger by making an initial request to the /api/v1/generate_api_key
route.
5. Upon successful execution, the API will return a response containing an api_key. This key
should be included in the headers of subsequent requests to validate the user's session and
permissions.
To use the api_key for authorization in Swagger, follow these steps:
1. Copy the api_key from the API response.
2. Locate the Authorize button at the top of the Swagger site.
3. Click on the Authorize button and paste the copied api_key into the appropriate field.
4. Confirm the authorization.
After completing these steps, all future requests made through Swagger will be
authenticated using the provided api_key.
Expedition-API-Scripts Container for sample Jupyter notebook scripts
The functionalities available through the Expedition UI can also be accessed via scripts using your
preferred programming language. Almost all API functionalities necessitate user authentication.
To familiarize users with scripting and foster a community around the tool, the Expedition team has
created a private repository to be announced. This repository contains a collection of scripts that
represent common workflows for various use cases. Some examples include migrating third-party
vendor configurations, cleaning up configurations by identifying and deleting unused objects, and
optimizing configurations by detecting objects and rules that can be merged.
By following these steps, you can test various use cases using the provided scripts in the Jupyter
Notebook Container and gain hands-on experience with the Expedition API features. This
knowledge will help you optimize your migration process and optimize the PAN-OS configuration.
The following is a list of folders and sample scripts that you can use as a starting point for your use cases.
Make sure you always get the latest content of the scripts by downloading the most recent folder.
Feel free to test, modify, and adapt these scripts to fit your specific needs. Additionally, you are encouraged
to contribute your own scripts based on your use cases to help others in the community.
Folder | Script examples (may differ from the notebook content) | Description
/files/ No scripts in this folder, you can use the sample config files in this folder or
upload your own config files to this folder.
Testing sample Jupyter notebook scripts in Expedition-API-Script container
To convert legacy vendor firewall configurations to PAN-OS configurations using scripts, you will find
the relevant scripts stored in the /migration/ folder. For example, to migrate a Cisco ASA
configuration, follow these steps:
1. Prepare your Cisco ASA configuration file: Before starting the migration process, make sure
you have your Cisco ASA configuration file ready on your local hard drive.
2. Access the /migration/ folder: Navigate to the /migration/ folder in the Expedition-API Script
Container, which contains scripts for various vendor configuration migrations.
3. Locate the Cisco ASA migration script: Find the appropriate script for Cisco ASA migration,
ciscoasa.ipynb. You can use the existing scripts as a starting point and modify them to
accommodate Cisco ASA configurations.
4. Upload the Cisco ASA configuration file: In the Expedition-API Script Container, navigate to
the /files/ folder and click the upload icon to upload your Cisco ASA configuration file from
your local hard drive.
5. Modify the migration script: Open the Cisco ASA migration script in the Jupyter Notebook
Container and replace the file path and name in the LEGACY_CONFIG_PATH in the variable
code block with the path and name of your uploaded Cisco ASA configuration file.
6. Run the modified migration script in the Jupyter Notebook Container to convert your Cisco
ASA configuration file to a PAN-OS compatible configuration. Run each code block in order:
Each script contains several code blocks that perform specific tasks in the migration process.
To run the script, click on the Run button.
7. Monitor the output: As you execute each code block, keep an eye on the output displayed
beneath it. This feedback will inform you of any errors and API responses. It is important to
not skip any code blocks or move on to the next one until the output of the current block has
been fully processed, as each block is dependent on the output of the previous one.
8. Address any issues: If you encounter any errors or issues while running the script, analyze the
output and adjust the script as needed to resolve the problem. Re-run the affected code
blocks to ensure that the issue is resolved and the script proceeds as expected.
9. Review the final output: Once you have executed all code blocks in the migration script,
review the final output to ensure that the migration process has been completed
successfully. You should see a PAN-OS compatible configuration generated from your legacy
vendor firewall configuration and it’s loaded in the Expedition 2.x GUI.
By following these steps, you can successfully migrate your legacy vendor firewall
configurations, such as Cisco, Juniper, Checkpoint, etc., to PAN-OS configurations using the scripts
provided in the /migration/ folder. This will enable you to transition your firewall
configurations from third-party vendors to Palo Alto Networks firewalls seamlessly.
Filter
Expedition 2 provides a powerful filter feature that allows you to create, manage, and apply filters on
various objects within a configuration. These filters can be used for multiple purposes, such as
restricting the target of actions, specifying which objects should appear in reports, identifying
objects that should be deleted, and more. Filters in Expedition 2 are designed with sharing and reuse
in mind, offering the following key characteristics:
● Named: Filters are assigned a name, making it easy to identify and refer to them when
needed.
● Background Execution: Filters are executed in the background as non-blocking tasks,
allowing you to continue working in Expedition while the filter is being processed. You can
also monitor the progress of these tasks as they run.
● Stored: Filter results are saved so that you can review and access them at any time.
● Reusable: Filters can be combined and reused in other filters to create more complex filtering
scenarios.
● Exportable: Filters can be easily exported and shared between projects and different
instances of Expedition. This feature promotes collaboration and streamlines the application
of filters across multiple projects.
By utilizing these advanced filtering features, Expedition 2 users can effectively manage their
configuration.
Filter Types
Expedition API supports a variety of filter types to provide flexibility and control when filtering
objects in your configuration. These filter types can be categorized into three main groups: Single
Filters, Combined Filters, and Operations Filters. The filter type is not explicitly required when
creating filters, as it will be determined internally.
Single Filter
This is the most basic filter type, where you can query specific properties of one or multiple
object types. A Single Filter allows you to filter objects based on a single criterion, such as a specific
attribute, value, or condition. For example, you can create a Single Filter to identify address objects
containing specific values.
By using Single Filters, you can quickly and easily isolate specific objects in your configuration
based on their properties, enabling more efficient management and organization of your firewall
configurations.
The example provided demonstrates how to create a Single Filter using the Expedition API.
Let's break down the syntax and components of the filter for better understanding:
This filter would return all address and address_group objects where the name contains the
word "office".
Syntax Components:
● [object_types]: Indicates which object types the filter applies to, enclosed in square brackets
and separated by commas. In this example, the object types are address and address_group.
● property: Specifies the property of the object type to search. In this example, the property is
name.
● operator: Defines the operator to use for comparison. Operators can be negated with a not
before the operator. In this example, the operator is contains.
● "value": Represents the value to search for, enclosed in quotes. In this example, the value is
"office".
Available Operators:
Object types
The following table lists the valid object types for filtering in Expedition, based on the Palo
Alto Networks configuration objects:
By using these object types in your filters, you can effectively search, organize, and manage
various aspects of your Palo Alto Networks firewall configuration within Expedition. Keep in mind
that the specific object types available for filtering may depend on your Expedition version and the
features supported by your Palo Alto Networks firewall.
schedule vlan
profile zone_protection_profile
profile_group qos_profile
region bfd_profile
report lldp_profile
report_group gp_portal
error_correction_profile gp_mdm
traffic_distribution_profile gp_gateway
path_quality_profile clientless_app
saas_quality_profile clientless_app_group
email_scheduler application_status
pdf_summary_report sdwan_interface_profile
scep lldp
ssl_tls_profile ethernet_interface
certificate ethernet_subinterface
vlan_interface
loopback_interface
sdwan_interface
tunnel_interface
Properties
The table below presents the valid properties for each object type, based on the configuration
objects in Palo Alto Networks:
All object types can filter by properties: name, description
Object type          Properties
address              type, ip_type, ipaddress, netmask, id
address_group        type, filter, expression, id
service              id, type, protocol, src_port, dst_port, timeout,
                     tcp_half_closed_timeout, tcp_time_wait_timeout,
                     timeout_override
service_group        id, type
application          id, application_container, parent_app, technology,
                     category, subcategory, risk, evasive_behavior,
                     consume_big_bandwidth, prone_to_misuse,
                     able_to_transfer_file, tunnel_other_application,
                     used_by_malware, has_known_vulnerability, pervasive_use,
                     tunnel_applications, file_type_ident, virus_ident,
                     data_ident, default_type, value, timeout, tcp_timeout,
                     tcp_half_closed_timeout, tcp_time_wait_timeout,
                     udp_timeout, spyware_ident, vtype,
                     alg_disable_capability, no_appid_caching
application_filter   evasive_behavior, consume_big_bandwidth, prone_to_misuse,
                     able_to_transfer_file, tunnel_other_application,
                     used_by_malware, has_known_vulnerability, pervasive_use,
                     saas_certifications, saas_risk, type, category,
                     subcategory, technology, risk, characteristic
Predefined Filters
Predefined filters are a type of single filter used to quickly filter objects based on specific criteria.
Syntax:
[object_types] is (not) predefined_filter.success
The table below presents the valid predefined filters in Expedition.
Filter                 Object types possible
used                   all
invalid                all
valid                  all
without-description    all
ipv4                   address
ipv6                   address
fqdn                   address
name-is-ip             address
trashed                all
static-ip              nat_rule
dynamic-ip-and-port    nat_rule
dynamic-ip             nat_rule
bidirectional          nat_rule
no-nat                 nat_rule
log-start              security_rule
log-end                security_rule
ml-enabled             security_rule
re-enabled             security_rule
dsri-enabled           security_rule
layer-4                security_rule
layer-7                security_rule
has-user               security_rule
without-tag            security_rule
without-service        security_rule
service-any            security_rule
Combined Filter
Combined filters are filters that require subfilters. For example, a security rule that contains specific
addresses in its source.
This will return all security rules that have the "office" addresses from the previous example in their
source.
● [object_types]: Indicates which object types the filter applies to, enclosed in brackets and separated
by commas. In this example, the object types are security_rule.
● property: Property of the object type to search. In this example, the property is source_address.
● operator: Operator to compare the property with the filter. The operators can also be negated with a
not before the operator. In this example, the operator is contains.
● filter: Required keyword to indicate that a filter name follows.
● filter_reference: Name of the filter to act as a subfilter. In this example, the filter_reference is
office_address.success.
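The Single Filter and Combined Filter forms described above, as an added Python example (not Expedition's own parser or API): it parses both forms and evaluates them over constructed objects, with the second filter consuming the stored result of the first. The exact grammar, the case-sensitive substring and any-member meaning of contains, and all object and filter names are assumptions inferred from the syntax components in the text.

```python
import re

# Assumed grammar, inferred from the syntax components in the text:
#   [type, ...] property (not) operator "value"                  single filter
#   [type, ...] property (not) operator filter <name>.success    combined filter
FILTER_RE = re.compile(
    r'^\s*\[(?P<types>[^\]]+)\]\s+(?P<prop>\w+)\s+(?P<neg>not\s+)?(?P<op>\w+)\s+'
    r'(?:"(?P<value>[^"]*)"|filter\s+(?P<ref>[\w-]+)\.success)\s*$'
)

def parse_filter(text):
    """Split a filter string into its components; reject anything else."""
    m = FILTER_RE.match(text)
    if m is None:
        raise ValueError(f"not a single or combined filter: {text!r}")
    if m["op"] != "contains":
        # Only `contains` appears in the text; other operators are not modelled.
        raise ValueError(f"operator not modelled in this example: {m['op']!r}")
    return {
        "types": [t.strip() for t in m["types"].split(",")],
        "property": m["prop"],
        "negated": m["neg"] is not None,
        "value": m["value"],  # set for a single filter
        "ref": m["ref"],      # set for a combined filter
    }

def run_filter(text, objects, stored):
    """Return names of matching objects; `stored` maps filter name -> saved result set."""
    f = parse_filter(text)
    if f["ref"] is not None and f["ref"] not in stored:
        raise KeyError(f"subfilter {f['ref']!r} must be run before it is referenced")
    matched = set()
    for obj in objects:
        if obj["object_type"] not in f["types"]:
            continue  # a filter only touches the object types it lists
        field = obj.get(f["property"])
        if f["ref"] is None:
            hit = f["value"] in str(field or "")             # assumed: substring match
        else:
            hit = bool(set(field or []) & stored[f["ref"]])  # assumed: any member matches
        if hit != f["negated"]:
            matched.add(obj["name"])
    return matched

# Constructed sample objects (not taken from a real configuration).
OBJECTS = [
    {"object_type": "address", "name": "office-lan", "ipaddress": "10.1.0.0"},
    {"object_type": "address", "name": "dmz-web", "ipaddress": "192.0.2.10"},
    {"object_type": "address_group", "name": "branch-office-grp"},
    {"object_type": "service", "name": "office-rdp"},
    {"object_type": "security_rule", "name": "allow-office-out", "source_address": ["office-lan"]},
    {"object_type": "security_rule", "name": "allow-dmz", "source_address": ["dmz-web"]},
]

def demo():
    stored = {}
    stored["office_address"] = run_filter('[address, address_group] name contains "office"', OBJECTS, stored)
    stored["office_rules"] = run_filter('[security_rule] source_address contains filter office_address.success', OBJECTS, stored)
    stored["other_rules"] = run_filter('[security_rule] source_address not contains filter office_address.success', OBJECTS, stored)
    return stored

if __name__ == "__main__":
    for name, names in demo().items():
        print(name, sorted(names))
```

The service named office-rdp is not returned by the first filter because service is not among its object types, which is the scoping effect of the [object_types] component.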
Operations filters
Operations filters allow you to combine filters using unions and intersections. There are two different
operators allowed: or (unions) and and (intersections). These operators can also be negated with a not.
Defining syntax can be complex due to multiple combinations using operators and parentheses.
Here is an example:
Accessing Filter on GUI
You can also access the filter features in the GUI. To access the Filter section, go to TOOLS ->
FILTERS.
To generate common filters, expand GENERATE COMMON FILTERS and click GENERATE.
The process will generate common filters for your current configuration, including common use
cases. Below are some common filters that you can run against your configuration:
Category: Rules
Disabled rules: Display all the disabled security and NAT rules in the filter result.
Is from panorama: Display all the rules that are defined in Panorama in the filter result.
is hardcoded: Display all hardcoded IPs, for example IPs that are not address objects but are
referenced in the rules.
Category: usage
unused objects: Display all objects that are not being referenced in group objects,
security policies, or NAT policies.
Category: validity
By using these common filters, you can easily identify specific items in your configuration and
manage them accordingly.
To run the predefined filters, follow the steps below:
1. Check the predefined filter you would like to run against your configuration.
Here are some common use cases for using predefined filters:
1. On the project dashboard, review the service objects with the issue column marked as
critical. Double-click on the red number, and it will take you to the service object page.
2. If the invalid service objects are not displayed correctly, manually re-apply the filter with
issue critical and Success.
3. There are two methods to replace the invalid service objects:
Method 1:
Modify the service definition file located inside the parsers container (expedition-parsers) at
/var/www/html/contents/parsers/VENDOR-services.csv to include new mapping and re-run the
import in a new project.
Method 2:
Manually replace the invalid service object with a service object specifying either tcp or udp with the
port number, or replace them with the corresponding APP-IDs.
2. Once the filter has been run, navigate to the OBJECTS -> ADDRESS or OBJECTS ->
SERVICES tab to show filter results by clicking the filter name unused objects.
3. Select all objects, or only the objects you would like to remove, then click the trash can icon in the
upper right corner.
By following these steps, you can efficiently remove unused objects from your configuration,
making it cleaner and easier to manage.
2. After running the filter, navigate to the OBJECTS -> ADDRESS or OBJECTS -> SERVICES tab
to display the filter results by clicking the filter name duplicated name->success.
3. Highlight the objects you would like to merge, and click Merge on the Extended View
window. The following merge options are available:
● REDUCE by - The goal is to merge multiple objects into one, thus reducing the object
count. You can choose from four options:
○ Selection - Mark one object as the primary object and click this option to
merge; all selected objects will be merged to the same value as the primary
object.
○ Value - Merge objects by value; after merging, objects with the same value will
be merged.
○ Name - Merge objects by name; after merging, objects with the same name
will be merged.
○ Name and value - Merge objects by name and value; after merging, objects
with the same name and same values will be merged.
● COMBINE by - The goal is not to reduce the object count but to add selected objects to a
group object.
4. After selecting the action, a confirmation window will ask you to confirm the action. Click
YES to merge the objects.
Access Expedition Project related files via File manager or Finder
● conversions Folder - stores all migration logs, organized by migration ID
● devices Folder - stores all PAN-OS device configurations, organized by device ID
● projects Folder - stores all Expedition projects, organized by project ID, including converted
configuration files from legacy vendor configurations.
● uploads Folder - stores all uploaded configuration files, including the original legacy vendor firewall
configuration.
Troubleshooting
For API-related issues, you can perform the steps below in the expedition-api container:
For parser-related issues, you can perform the steps below in the expedition-parsers container:
Report Bugs and Improvements
If you encounter any functionality within the tool that does not behave as expected or according to
the documentation, we would appreciate your collaboration in identifying the cause of the issue and
addressing it at its source. To achieve this, certain information can help us reproduce the problem,
pinpoint the affected code, and devise a strategy for its resolution.
Please report any issues you encounter to [email protected]. If you need to share a
configuration or any client-sensitive data/information (such as configuration screenshots, traffic logs,
etc.), please do so through a TAC Case number.
Known Issues
There are a number of general issues and limitations that we’ve encountered as our development
has progressed. Below is a summary of what is currently expected.
● Unsupported PAN-OS attributes are not imported in Expedition: We are investigating the issue.
The workaround is to not load the full configuration in a production PAN-OS device.
● No data is displayed on the grids: We are still working on improving the stability of the
user interface, and while it is functional, there may be some limitations and issues that we are
working to address. As a workaround, refresh your browser tab and access Expedition 2 again.
FAQ
No, Expedition 2.x is available as a Docker version, so it is not compatible with Expedition 1.x.
https://live.paloaltonetworks.com/t5/expedition/ct-p/migration_tool
or email us at [email protected]