I'm planning to migrate the core firewall services from Palo Alto to SRX. Is there a document about that migration from PA to SRX? Or a tool that can help with the process? Seems like PA to SRX is not a big topic 😞
I am not aware of a conversion tool, but I hope these pointers may be useful:
> How many policies are we looking at?
> Config from the PA can be exported as an xml
> All address book entries in PA are global
> You can easily port them to SRX
> Then create the policies by hand
> Take a look at the PA xml config I am sure there is a lot of stuff that can be re-used
I hope this helps.
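The address-object port suggested in the reply above, sketched in Python as an added example that is not part of the original thread. It assumes the export holds address objects as `<address><entry name="...">` elements with `ip-netmask`, `ip-range` or `fqdn` children; the sample XML and object names are constructed.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of a PA XML export (not from the thread).
SAMPLE_PA_XML = """
<config><shared><address>
  <entry name="web srv 1"><ip-netmask>10.1.1.10</ip-netmask></entry>
  <entry name="dmz-net"><ip-netmask>192.168.50.0/24</ip-netmask></entry>
  <entry name="dhcp-pool"><ip-range>10.1.2.100-10.1.2.200</ip-range></entry>
  <entry name="updates"><fqdn>updates.example.com</fqdn></entry>
  <entry name="odd"><ip-wildcard>10.0.0.0/0.0.255.0</ip-wildcard></entry>
</address></shared></config>
"""

def junos_name(pa_name):
    # Conservative sanitising (assumption): keep letters, digits, '-', '_', '.'.
    return re.sub(r"[^A-Za-z0-9_.-]", "_", pa_name)

def convert_addresses(xml_text):
    """Return (set_commands, skipped_names) for all <address> entries."""
    root = ET.fromstring(xml_text)
    commands, skipped = [], []
    prefix = "set security address-book global address"
    for entry in root.findall(".//address/entry"):
        name = junos_name(entry.get("name", ""))
        netmask = entry.findtext("ip-netmask")
        ip_range = entry.findtext("ip-range")
        fqdn = entry.findtext("fqdn")
        if netmask:
            # A bare host becomes /32 (or /128); host bits under a mask are cleared.
            net = ipaddress.ip_network(netmask.strip(), strict=False)
            commands.append(f"{prefix} {name} {net}")
        elif ip_range:
            low, high = (p.strip() for p in ip_range.split("-", 1))
            commands.append(f"{prefix} {name} range-address {low} to {high}")
        elif fqdn:
            commands.append(f"{prefix} {name} dns-name {fqdn.strip()}")
        else:
            skipped.append(name)  # unhandled object type: port by hand
    return commands, skipped

if __name__ == "__main__":
    cmds, skipped = convert_addresses(SAMPLE_PA_XML)
    print("\n".join(cmds))
    print("# review manually:", ", ".join(skipped))
```

Renamed objects (spaces replaced with underscores) must be referenced under the new name when the policies are recreated by hand, and anything in the skipped list needs manual review before cut-over.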
Thanks for your reply, and sorry if the below questions are too basic. I'm not very good in Juniper world (not that I'm good anywhere else)
OH BOY. That's a lot to even type in summary! Who's gonna do it?!
Please find answers inline. I hope I covered everything 🙂
We can implement lsys in srx but that needs a license. If there is a reason for the vsys config on the PA, for isolation/security I suggest you retain the same.
Application in junos = service in PA
Dynamic application in junos (related to App-FW) = application in PA
Prior to 18.2R1 we had a different Security policy rule base and a different one for Application-FW. Application is used in Security policy while Dynamic-Application is used in App-FW rulebase.
Good news. Starting 18.2R1 we do something called unified policy where the security policy integrates dynamic application. So the policy would look very similar to that on the PA.
SRX does not have security policy tag as in PA. If you want you can add the tag to the description of the policy that way you can search/filter using the tag.
We have a utm-policy in srx. This is not exactly the same as Security profile on PA, since PA security profile includes IDP policy as well if I am not wrong. You can do the above mentioned in a utm-policy.
Yes, sub-interfaces and vlan-tagging work perfectly. If you are using a cluster, you would need to create the sub-interfaces on a reth interface.
Yes, this link is ok.
There's a tool available in the Juniper Partners portal for converting PA to Junos. I suggest contacting your salesperson for assistance in utilizing this.