Migration Zip file
In this section we present how to create a valid ZIP file that will provide original vendor's configuration files and mapping instructions to generate a valid converted PANOS XML file.
The ZIP structure#
The following is a representation of the structure of a ZIP contents. A mapping.json file is mandatory at the root of
the zip file, and will be used to determine how the rest of the files in the zip are being used during the migration processes.
.+-- config.xml+-- mapping.json+-- _cpBranches| +-- objects.C| +-- ospf_dump.txt| +-- policy.W| +-- routes.txt| +-- rulebases_5_0.fws+-- _cpInterent| +-- config.txt| +-- routes.txt+-- _cpProvides| +-- exported_data.xmlThe mapping.json file would represent the mapping structure used for performing the migration.
The following is an example that represents the migration of three configurations into different device groups in a Panorama configuration:
{ "baseConfig":{ "file": "config.xml", "type": "panorama", "version": "10.0" }, "configs": [{ "name": "Branches", "vendor": "cp", "routes": "cpBranches/routes.txt", "dynamicRoutes": "cpBranches/ospf_dump.txt", "objects": "cpBranches/objects.C", "policy": "cpBranches/policy.W", "rulebase": "cpBranches/rulebases_5_0.fws" },{ "name": "Internet-Access", "vendor": "ciscoasa", "routes": "cpInternet/routes.txt", "objects":"cpInternet/config.txt" },{ "name": "Providers", "vendor": "stonesoft", "config": "cpProviders/exported_data.xml", "mapping": [{"firewall": "ClusterSite1", "policy": "Provider1"}, {"firewall": "ClusterSite2", "policy": "Provider2"}], "replacements":{ "comment": "not available yet", "networks": [ {"from": "10.0.0.0/24", "to": "10.0.23.0/24"}, {"from": "192.168.0.0/24", "to": "192.168.23.0/24"} ], "interfaces": [ {"from": "CVI-4.321-10.0.0.1", "to": "ethernet1/7"} ] } }]}info
The valid vendor values are:
- cp โ Checkpoint < R80
- cp-r80 โ Checkpoint > R80
- ciscoasa โ Cisco ASA
- fortinet โ Fortinet Fortigate
- netscreen โ Juniper Netscreen
- sonicwall โ Sonicwall
- srx โ Juniper Junos
Coming soon:
- ciscoswitch โ Cisco Switch
- ciscoisr โ Cisco ISR
- pfsense โ Pfsense
- sophos โ Sophos
Obtaining Third party vendor's configuration information#
To assist you in the generation of the mapping.json file, we can call a discovery method that would analyze a
configuration file and, depending on the vendor, will provide back a set of valid options.
For instance, given the exporte_data.xml Stonesoft configuration file, the method can list the declared Firewalls and Clusters in the configuration, and declared security policies.
| Method | URL | Parameters |
|---|---|---|
| POST | https://<ExpIP>/api/v1/migration/discovery | in body {"vendor": "value", "config": "path to the config file", (if cp) "policy": "path to the policy file", (if cp) "objects": "path to the objects file", (if cp) "rulebase": "path to the rulebase file"} |
| example | https://10.0.0.1/api/v1/migration/discovery | in body {"vendor": "stonesoft", "config": "/tmp/myMigrationFiles/cpProviders/exported_data.xml"} |
| example | https://10.0.0.1/api/v1/migration/discovery | in body {"vendor": "cp", "policy": "/tmp/myMigrationFiles/cpProviders/policy.W", "objects": "/tmp/myMigrationFiles/cpBranches/objects.C", "rulebase": "/tmp/myMigrationFiles/cpBranches/rulebases_5_0.fws"} |
Depending on the vendor, more parameters can be given to discover sections within them. For instance, Checkpoint <R80 would also allow the fields
policy (in replacement of config), objects and rulebase.
Response example:
- Stonesoft
- Checkpoint <R80
- Checkpoint R80+
{ "firewalls": [ "ClusterSite1", "ClusterSite2", "Firewall1", "Firewall2", "Firewall3" ], "policies": [ "Provider1", "Provider2", "Provider3", "Provider4" ]}{ "policies": [ "policy1", "policy2" ]} { "policies": [ "policy1", "policy2" ]}