SRX

I'm planning to migrate the core firewall services form Palo Alto to SRX. Is there a document about that migration from PA to SRX? Or a tool that can help with the process? Seems like PA to SRX is not a big topic 😞

Hello,

I am not aware of a conversion tool, but I hope these pointers may be useful

> How many policies are we looking at?

> Config from the PA can be exported as an xml

> All address book entries in PA are global

> You can easily port them to SRX

> Then create the policies by hand

> Take a look at the PA xml config I am sure there is a lot of stuff that can be re-used

I hope this helps.

Regards,

Vikas

Thanks for your reply, and sorry if the below questions are too basic. I'm not very good in Juniper world (not that I'm good anywhere else )

• I have 5 VSYS in PA. Each one has some objects dedicated to them, and also there's soem shared objects between all VSYSs (address, address groups, etc.)
• All addresses combined are around 6000, and all sec policies are around 1000.

1. Can I implement VSYS concept in SRX or I it's better to convert it to a flat design?
2. Seems like SRX doesn't have two separate concepts for Services and Application? In that case do I just convert the services to application in SRX?
3. Not so many NAT rules and doesn't seem to be a problem
4. Is there something like TAG in SRX? Not VLAN tag nor VLAN ID, just a tag for administration purposes?
5. What's SRX's equivalent for Security Profiles in PA? I have some admin created sec profiles and the predefined default profiles from PA are being used as well. Here are the major ones:
   1. Antivirus - Default and defined
   2. Anti-Spyware - Default
   3. URL Filtering - Defined
6. I have 5 virtual routers conifgured with around 1000 only static routes on them, each plugged into some VSYSs.
   1. What SRX has to match the virtual routers?
   2. If I don't do VSYS in SRX, I don't think I need vRouter, right? 
7. Does SRX take the sub interfaces as good as it says here: https://www.juniper.net/documentation/en_US/junos/topics/example/interfaces-layer3-subinterfaces-ex-series.html
8. Does this page really take care of log forwarding to something like Splunk? https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA
9. I have couple of hundered of site to site VPNs on PA as well, and seems like that part I figured it out already. Unless there's some thing someone has to say as heads up.

OH BOY. That's a lot to even type in summary! Who's gonna do itl?!

Hello,

Please find answers inline. I hope I covered everything 🙂

1. Can I implement VSYS concept in SRX or I it's better to convert it to a flat design?

We can implement lsys in srx but that needs a license. If there is a reason for the vsys config on the PA, for isolation/security I suggest you retain the same.

2. Seems like SRX doesn't have two separate concepts for Services and Application? In that case do I just convert the services to application in SRX?

Application in junos = service in PA

Dynamic application in junos (related to App-FW) = application in PA

Prior to 18.2R1 we had a different Security policy rule base and a different one for Application-FW. Application is used in Security policy while Dynamic-Application is used in App-FW rulebase

Good news. Starting 18.2R1 we do something called unified policy where the security policy integrates dynamic application. So the policy would look very similar to that on the PA.

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/configuring-unified-policies.html

https://www.juniper.net/documentation/en_US/junos/topics/concept/security-utm-support-within-unified-policy.html

3. Not so many NAT rules and doesn't seem to be a problem
4. Is there something like TAG in SRX? Not VLAN tag nor VLAN ID, just a tag for administration purposes?

SRX does not have security policy tag as in PA. If you want you can add the tag to the description of the policy that way you can search/filter using the tag.

5. What's SRX's equivalent for Security Profiles in PA? I have some admin created sec profiles and the predefined default profiles from PA are being used as well. Here are the major ones:
   1. Antivirus - Default and defined
   2. Anti-Spyware - Default
   3. URL Filtering – Defined

We have a utm-policy in srx. This is not exactly the same as Security profile on PA, since PA security profile includes IDP policy as well if I am not wrong. You can do the above mentioned in a utm-policy

https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-utm-policy.html

6. I have 5 virtual routers conifgured with around 1000 only static routes on them, each plugged into some VSYSs.
   1. What SRX has to match the virtual routers? SRX has the concept of virtual routers too
   2. If I don't do VSYS in SRX, I don't think I need vRouter, right? You would need LSYS and Virtual-Router as well. Each VRouter configured within a specific LSYS
7. Does SRX take the sub interfaces as good as it says here: https://www.juniper.net/documentation/en_US/junos/topics/example/interfaces-layer3-subinterfaces-ex-...

Yes, sub-interfaces and vlan-tagging works perfectly. If you are using a cluster you, would need to create the sub-interfaces on a reth interface

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-redundant-ethernet-interfaces.html

https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

8. Does this page really take care of log forwarding to something like Splunk? https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA

Yes, this link is ok

9. I have couple of hundered of site to site VPNs on PA as well, and seems like that part I figured it out already. Unless there's some thing someone has to say as heads up.

Regards,

Vikas

There's a tool available in the Juniper Partners portal for converting PA to Junos. I suggest contacting your salesperson for assistance in utilizing this.