SRX

Expand all | Collapse all

Migrating from Palo Alto to SRX

Jump to Best Answer
  • 1.  Migrating from Palo Alto to SRX

    Posted 03-20-2019 10:28

    I'm planning to migrate the core firewall services form Palo Alto to SRX. Is there a document about that migration from PA to SRX? Or a tool that can help with the process? Seems like PA to SRX is not a big topic 😞



  • 2.  RE: Migrating from Palo Alto to SRX

     
    Posted 03-20-2019 20:40

    Hello,

     

    I am not aware of a conversion tool, but I hope these pointers may be useful

    > How many policies are we looking at?

    > Config from the PA can be exported as an xml

    > All address book entries in PA are global

    > You can easily port them to SRX

    > Then create the policies by hand

    > Take a look at the PA xml config I am sure there is a lot of stuff that can be re-used

     

    I hope this helps.

     

    Regards,

     

    Vikas



  • 3.  RE: Migrating from Palo Alto to SRX

    Posted 04-08-2019 12:37

    Thanks for your reply, and sorry if the below questions are too basic. I'm not very good in Juniper world (not that I'm good anywhere else Smiley Very Happy)

     

    • I have 5 VSYS in PA. Each one has some objects dedicated to them, and also there's soem shared objects between all VSYSs (address, address groups, etc.)
    • All addresses combined are around 6000, and all sec policies are around 1000.

     

    1. Can I implement VSYS concept in SRX or I it's better to convert it to a flat design?
    2. Seems like SRX doesn't have two separate concepts for Services and Application? In that case do I just convert the services to application in SRX?
    3. Not so many NAT rules and doesn't seem to be a problem
    4. Is there something like TAG in SRX? Not VLAN tag nor VLAN ID, just a tag for administration purposes?
    5. What's SRX's equivalent for Security Profiles in PA? I have some admin created sec profiles and the predefined default profiles from PA are being used as well. Here are the major ones:
      1. Antivirus - Default and defined
      2. Anti-Spyware - Default
      3. URL Filtering - Defined
    6. I have 5 virtual routers conifgured with around 1000 only static routes on them, each plugged into some VSYSs.
      1. What SRX has to match the virtual routers?
      2. If I don't do VSYS in SRX, I don't think I need vRouter, right? 
    7. Does SRX take the sub interfaces as good as it says here: https://www.juniper.net/documentation/en_US/junos/topics/example/interfaces-layer3-subinterfaces-ex-series.html
    8. Does this page really take care of log forwarding to something like Splunk? https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA
    9. I have couple of hundered of site to site VPNs on PA as well, and seems like that part I figured it out already. Unless there's some thing someone has to say as heads up.

    OH BOY. That's a lot to even type in summary! Who's gonna do itl?!Smiley Tongue

     

     

     



  • 4.  RE: Migrating from Palo Alto to SRX
    Best Answer

     
    Posted 04-09-2019 20:48

    Hello,

     

    Please find answers inline. I hope I covered everything 🙂

     

    1. Can I implement VSYS concept in SRX or I it's better to convert it to a flat design?

    We can implement lsys in srx but that needs a license. If there is a reason for the vsys config on the PA, for isolation/security I suggest you retain the same.

    1. Seems like SRX doesn't have two separate concepts for Services and Application? In that case do I just convert the services to application in SRX?

    Application in junos = service in PA

    Dynamic application in junos (related to App-FW) = application in PA

    Prior to 18.2R1 we had a different Security policy rule base and a different one for Application-FW. Application is used in Security policy while Dynamic-Application is used in App-FW rulebase

    Good news. Starting 18.2R1 we do something called unified policy where the security policy integrates dynamic application. So the policy would look very similar to that on the PA.

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/configuring-unified-policies.html

    https://www.juniper.net/documentation/en_US/junos/topics/concept/security-utm-support-within-unified-policy.html

    1. Not so many NAT rules and doesn't seem to be a problem
    2. Is there something like TAG in SRX? Not VLAN tag nor VLAN ID, just a tag for administration purposes?

    SRX does not have security policy tag as in PA. If you want you can add the tag to the description of the policy that way you can search/filter using the tag.

    1. What's SRX's equivalent for Security Profiles in PA? I have some admin created sec profiles and the predefined default profiles from PA are being used as well. Here are the major ones:
      1. Antivirus - Default and defined
      2. Anti-Spyware - Default
      3. URL Filtering – Defined

    We have a utm-policy in srx. This is not exactly the same as Security profile on PA, since PA security profile includes IDP policy as well if I am not wrong. You can do the above mentioned in a utm-policy

    https://www.juniper.net/documentation/en_US/junos/topics/reference/configuration-statement/security-edit-utm-policy.html

    1. I have 5 virtual routers conifgured with around 1000 only static routes on them, each plugged into some VSYSs.
      1. What SRX has to match the virtual routers? SRX has the concept of virtual routers too
      2. If I don't do VSYS in SRX, I don't think I need vRouter, right? You would need LSYS and Virtual-Router as well. Each VRouter configured within a specific LSYS
    2. Does SRX take the sub interfaces as good as it says here: https://www.juniper.net/documentation/en_US/junos/topics/example/interfaces-layer3-subinterfaces-ex-...

     

    Yes, sub-interfaces and vlan-tagging works perfectly. If you are using a cluster you, would need to create the sub-interfaces on a reth interface

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-redundant-ethernet-interfaces.html

    https://www.juniper.net/documentation/en_US/junos/topics/topic-map/security-chassis-cluster-verification.html

     

    1. Does this page really take care of log forwarding to something like Splunk? https://kb.juniper.net/InfoCenter/index?page=content&id=KB16224&actp=METADATA

    Yes, this link is ok

     

    1. I have couple of hundered of site to site VPNs on PA as well, and seems like that part I figured it out already. Unless there's some thing someone has to say as heads up.

    Regards,

     

    Vikas



  • 5.  RE: Migrating from Palo Alto to SRX

     
    Posted 04-22-2019 14:13

    There's a tool available in the Juniper Partners portal for converting PA to Junos. I suggest contacting your salesperson for assistance in utilizing this.