Migration Tool - Palo Alto Networks

PALO ALTO NETWORKS: Migration Tool Datasheet
Migration Tool
Automate and simplify the task of migrating
firewall configurations from Cisco, Check
Point, Fortinet, McAfee and Juniper to a
Palo Alto Networks next-generation firewall
configuration.
• Analyze existing security policies
• Migrate existing firewall configurations to Palo Alto
Networks Next-Generation Firewall
• Validate objects, addresses and rule sets to ensure
a smooth transition
Benefits of using the Palo Alto Networks Migration Tool:
• Automated process for migrating your old security
policies
• Validated Palo Alto Networks Configurations
• Optimized security policies for maximum performance
• Advanced protection from the evolving threat landscape with application- and user-based security
policies
“Being able to migrate seamlessly from
the old system to the new one had been
a key concern for us, but in the event,
it was very easy, with no disruption to
students or staff. Now, the console gives
us total network visibility at any given
time.”
— Voyage Io
Administrative Officer
Macao Polytechnic Institute
Palo Alto Networks® offers a disruptive next-generation
security platform built from the ground up to specifically
address the rapidly evolving threat landscape. The unique
platform combines the power of a next-generation
firewall (NGFW) with advanced subscriptions for
Threat Prevention, URL Filtering, GlobalProtect™ and
WildFire™. Having an integrated solution helps not
only to address every step of the kill chain but also to
increase prevention rates.
OVERVIEW
Fundamental shifts in application usage, user behavior, and network
infrastructure have resulted in an evolved threat landscape that has
exposed weaknesses in traditional port-based firewall protection. Palo
Alto Networks has developed an innovative approach to securing
networks that identifies all traffic based on applications using an
application-traffic signature called App-ID™. This replaces conventional
approaches that control traffic based on port.
Traffic classification is at the heart of any firewall because
your classifications form the basis of your security policies.
Traditional firewalls filter traffic by port and protocol.
Initially, this was an acceptable mechanism for securing the
perimeter, but port-based security firewalls are no longer
sufficient. Continuing to use a port-based firewall may allow
applications to bypass ports undetected by:
• Hopping ports
• Using SSL and SSH
• Sneaking across port 80
• Using non-standard ports
Simply put, the traffic-classification limitations of port-based
firewalls make them unable to protect today’s networks and
leave businesses at the mercy of dealing with security breaches
after they occur. App-ID provides visibility and control over
both work-related and non-work-related applications that can
otherwise evade detection by masquerading as legitimate traffic.
With App-ID, you will gain a level of prevention that was
previously unavailable.
The migration to a Palo Alto Networks next-generation
firewall is a critical step toward the prevention and detection
of cyberattacks. Today’s advanced threats require moving
away from port-based firewall policies, which are no longer
adequate to protect against a modern threat landscape, into an
architecture that reduces your attack surface by safely enabling
only those applications that are critical to your business, and
eliminating applications that introduce risk.
PALO ALTO NETWORKS MIGRATION TOOL
Palo Alto Networks Migration Tool helps to automate and
accelerate your migration. The Palo Alto Networks Migration
Tool enables you to analyze your existing environment, convert
existing security policies to Palo Alto Networks next-generation
firewalls, and assist with the transition from proof-of-concept
to production.
Primary functions of the Palo Alto Networks Migration Tool:
1. Third-party Migration
2. Adoption of App-ID
3. Optimization
4. Consolidation
5. Centralized Management with Panorama™
6. Auto-zoning
7. Customized Response Pages
With a combination of tools, expertise and best practices,
Palo Alto Networks will help analyze your existing environment,
migrate policies and firewall settings to the next-generation
firewall, and assist in all phases of the transition.
THIRD-PARTY MIGRATION
Easily migrate from existing port-based firewalls to Palo Alto
Networks next-generation firewalls with the assistance of the
Migration Tool. Third-party migrations are available from the
following firewall vendors:
• Cisco ASA/PIX/FWSM
• Check Point
• Fortinet
• McAfee Sidewinder
• Juniper SRX/NETSCREEN
Migrating from a third-party firewall to a Palo Alto Networks
next-generation firewall can be accelerated by leveraging the Palo
Alto Networks Migration Tool. This software tool will transfer
the various firewall rules, addresses and service objects to a
PAN-OS® XML config file that can be imported into a Palo Alto
Networks firewall.
ADOPTION OF APP-ID
This migration will enable you to get the most value from
your next-generation firewall, while reducing your attack
surface, and regaining visibility and control over your
organization through the use of App-ID.
OPTIMIZATION
Keep your next-generation firewalls operating at peak
performance with Palo Alto Networks Optimization Services.
Our experienced consultants will apply product expertise and
knowledge of best practices to evaluate and optimize your
next-generation firewall system including:
• Architecture Review
• System Health Check
• Configuration Audit
• Optional Product Tuning and Configuration
Change Implementation
CONSOLIDATION
Consolidating your legacy firewalls to Palo Alto Networks
virtual systems enables you to customize administration,
networking and security policies for the network traffic that
is associated with specific departments or customers. In a
standard virtual system interface configuration, each virtual
system uses a dedicated interface to the Internet, requiring the
use of multiple IP addresses. A shared gateway allows you to
create a common virtual interface for the virtual systems that
correspond to a single physical interface. This is helpful in
environments where the ISP provides only a single IP address.
All of the virtual systems communicate with the outside world
through the physical interface using a single IP address.
CENTRALIZED MANAGEMENT WITH PANORAMA
Panorama enables you to centrally manage the process of
configuring devices, deploying security policies, performing
forensic analysis, and generating reports across your entire
network of Palo Alto Networks next-generation firewalls.
Available as either a virtual appliance or a dedicated
management platform, Panorama and the individual
device-management interfaces share the same Web-based look and
feel, ensuring workflow consistency while minimizing any
learning curve or delay in executing the task at hand.
AUTO-ZONING
The AutoZone Assign feature will automatically adapt security
policies from vendors that currently do not use zones and
zone-based rules. The mapping of zones depends on the routes
and the zone interface IP address. The mappings will adjust
when you set or change the Interfaces and Zones settings.
CUSTOMIZED RESPONSE PAGES
In PAN-OS, administrators can load a customized page for
various response pages to notify end users of the policy violation.
WHY MIGRATE TO PALO ALTO NETWORKS
MTC – Management & Training Corp, Centerville, Utah
The high cost of maintaining its network, combined with the
need to keep pace with the changing threat landscape, led
MTC to re-examine its network design. “We had issues at times
with unreliable VPN connectivity, and also with consistent
Active Directory user mappings for web filtering,” says Brian
Goodwin, Network Security Administrator, MTC. “The Palo
Alto Networks solution has been a solid fit for our company,
and has increased our company services uptime with regards to
VPN connectivity and web filtering.”
Additional network issues arose from the evolution of threats.
“In the past, viruses could take you down, but now botnet,
spyware, and malware type stuff are main concerns,” says
Goodwin. “Our incumbent system lacked the visibility to meet
these new risks.”
CAME Group, Treviso, Italy
Management at CAME recognized that its decentralized
network was impacting business performance. “They
authorized our team to centralize network management,
increase security, collect and report network information
better, and to standardize application access and security
policies across all locations worldwide,” says Massimiliano
Tesser, Group CIO, CAME Group.
The next-generation security platform from Palo Alto
Networks natively brings together all key network-security
functions, including a next-generation firewall, URL filtering,
IDS/IPS, and advanced threat protection. These functions are
purposely built into the platform from the ground up, and
natively share important information across the respective
disciplines, to ensure better security than legacy firewalls,
UTMs, or point threat-detection products. At throughput
speeds of up to 120 Gbps, Palo Alto Networks can safely
enable the use of all applications, maintain complete visibility
and control, and protect businesses from the most basic to
sophisticated cyberattacks — both known and unknown.
CONSULTING SERVICES
Firewall-policy migration can be a challenging task, and is most
effectively accomplished with professional services assistance
from Palo Alto Networks and a network of solution partners,
who can guide you through the migration process using a
combination of automated tools and best practices.
Palo Alto Networks Consulting Services are available to ensure a
smooth transition and enable you to get the maximum value from
your next-generation firewall from Palo Alto Networks. Take
advantage of the Palo Alto Networks Firewall Migration Services
to get your next-generation firewall project off to a great start.
Copyright ©2015, Palo Alto Networks, Inc. All rights reserved. Palo Alto Networks,
the Palo Alto Networks Logo, PAN-OS, App-ID and Panorama are trademarks of
Palo Alto Networks, Inc. All specifications are subject to change without notice.
Palo Alto Networks assumes no responsibility for any inaccuracies in this document
or for any obligation to update information in this document. Palo Alto Networks
reserves the right to change, modify, transfer, or otherwise revise this publication
without notice. PAN_DS_MT_033115