Migration Workflow

In this section we present a workflow example to migrate a third party vendor configuration into a PANOS configuration.

Below flowhart demo the workflow and the related API calls in each of the steps:

Step 1. Obtain the API Keys

Refer to Obtaining the API Keys section to obtain a valid API key stored in the hed variable.

Step 2. Start the Expedition Agent

Refer to Managing Expedition's Agent section to start the agent and be able to perform imports into a project.

Step 3. Create an Expedition project

In the large amount of automation cases, we will require having an Expedition project. Making a POST call to the project route, we can create a project with a desired name. By default, the creator of a project is as well one of the project administrators. Notice that this time we attach the credentials hed in the CURL headers to present our credentials and verify we have permission to create a project.

API syntax for creating a new project:

Method	EndPoint	Parameters
POST	`https://localhost/api/v1/project`	in url { "project":Name of the project, "description":Description of the project }
example	`https://localhost/api/v1/project`	{"project":"MyLittleProject", "description":"A migration project"}

Python
Php

print("*****Create a new Expedition Project*****\n")
projectName = "vendormigration"
print(" \n")
data = {"name": projectName}
r = requests.post(
    "https://" + ip + "/api/v1/project", data=data, verify=False, headers=hed
)
response = r.json()
success = json.dumps(response["success"])
if success == "true":
    print("New project created successfully" + " \n")
    projectId = json.dumps(response['data']['id'])
    print("Your project-ID is", str(projectId) + " \n")
print("\n")

echo "\n";
echo "CREATE NEW PROJECT\n";
$data = ["project"=> $projectName];
$url = 'https://'.$ip.'/api/v1/project';
$curl = curl_init($url);
curl_setopt($curl, CURLOPT_RETURNTRANSFER, TRUE);
curl_setopt($curl, CURLOPT_HTTPHEADER,$hed);
curl_setopt($curl,CURLOPT_POST, TRUE);
curl_setopt($curl,CURLOPT_POSTFIELDS, $data);
curl_setopt($curl, CURLOPT_SSL_VERIFYHOST, FALSE);
curl_setopt($curl, CURLOPT_SSL_VERIFYPEER, FALSE);
$response = curl_exec($curl);
$jsonResponse = json_decode($response);
$success = $jsonResponse->Contents->success;
if ($success=='true'){
    print_r($response);
    $projectId = $jsonResponse->Contents->response->data->content->id;
    print_r($jsonResponse->Contents->response->{'response-messages'}->messages[0]->message);
}
echo "\n";

Step 4. Create a new migration in the project

This step will creat a new migration in the project. In the request body parameters, you will need to specify projectID from previous step , and the PAN-OS device type you want to merge the source file with. There are two options:

1. panorama
2. firewall

The API response will contain migration_id and device_id. Those IDs will be used in the subsequent API calls throughout the workflow.

API syntax for the step:

Method	EndPoint	Parameters
POST	`https://localhost/api/v1/project/{project_id}/migration`	in url "project_id":"ProjectId" in_body {"device_type":"panorama or firewall" }
example	`https://localhost/api/v1/project/22/migration`	{"device_type":"panorama"}

Python

print("*****Create a new migration in the project*****\n")
url = "https://" + ip + "/api/v1/project/{0}/migration".format(int(projectId))
print(url)
data = {"name": "my first migration","device_type": "panorama"}
r = requests.post(url, data=data, verify=False, headers=hed)
response = r.json()
migrationId = json.dumps(response["data"]["id"])
deviceId = json.dumps(response["data"]["device_id"])

Step 5. Upload the 3rd party vendor (source) configuration to migration

The migration process would require to upload one of more configuration files to be migrated. A minimum one would be the original vendor configuration file. In below example, we use a sample config called "ciscoasa.txt" stored in the user's local drive path "/Users/username/Downloads/ciscoasa.txt"

API syntax for the step:

Method	EndPoint	Parameters
POST	`https://localhost/api/v1/project/{project_id}/migration/{migration_id}/upload/{vendorname}`	in url "project_id":"projectId" "migration_id":"migrationId" "vendorname":"vendorname" in_body {"name":"configname","config":"configfile" }
example	`https://localhost/api/v1/project/22/migration/25/cisco_asa`	{"name":"cisco","config":cisco_config}

info

Available vendorname parameter can be used in the path are below:

cisco_asa
checkpoint (For checkpoint config < v. R80)
checkpoint_r80 (For checkpoint config >= v. R80)
fortinet
srx
netscreen
stonesoft

Python

print("*****Upload CISCO config to migration*****\n")
url = "https://" + ip + "/api/v1/project/"+projectId+"/migration/"+migrationId+"/upload/cisco_asa"
print(url)
file = '/Users/username/Downloads/ciscoasa.txt'
cisco_config = open(file, "rb")
files = {"config": cisco_config}
data = {"name": "cisco"}
r = requests.post(url, data=data, verify=False, files=files, headers=hed)
response = r.json()

Step 6. Convert the 3rd party configuration to a PAN-OS configuration

This step will convert the 3rd party configuration that you uplaoded from previous step to a PAN-OS config. The sucessfully response will contain a job_id for you to track the status , please refer to the checking job status Checking Job Status section

API syntax for Converting 3rd party vendors' configurations:

Method	URL	Parameters
POST	`https://localhost/api/v1/project/{project_id}/migration/{migration_Id}/convert`	in url "project_id":projectId "migration_id":migrationId
example	`https://localhost/api/v1/project/22/migration/25/convert`	in url "project_Id": 22, "migration_id": 25

Python

print("*****Converting the 3rd party vendor config to a PAN-OS config*****\n")
url = "https://" + ip + "/api/v1/project/"+projectId+"/migration/"+migrationId+"/convert"
print(url)
r = requests.post(url, data=data, verify=False, files=files, headers=hed)
response = r.json()
print("CHECK migration status...........")
jobId = json.dumps(response["data"]["job_id"])
wait_for_job(jobId)

Step 7. Import the Converted Configuration into project

Once the conversion has done, we can import the resulting XML config file into an existing project for later configuration manipulations, such as delete unused objects, rename zones, etc.

The API syntax for Importing the converted PAN-OS Configuration into the project:

Method	EndPoint	Parameters
POST	`https://localhost/api/v1/project/{project_id}/import/device`	in url "project": "projectID" in body { "device_id": "deviceId" }
example	`https://localhost/api/v1/project/22/import/device`	in url project=22 in body { "device_id": "23" }

Python

print("*****Import Configuration to project*****")
url = "https://" + ip + "/api/v1/project/{0}/import/device".format(int(projectId))
print(url)
data = {"device_id": deviceId}
r = requests.post(url, data=data, verify=False, headers=hed)
response = r.json()
jobId = json.dumps(response["data"]["job_id"])
print("CHECK configuration upload status...........")
wait_for_job(jobId)

Step 1. Obtain the API Keys​

Step 2. Start the Expedition Agent​

Step 3. Create an Expedition project​

Step 4. Create a new migration in the project​

Step 5. Upload the 3rd party vendor (source) configuration to migration​

Step 6. Convert the 3rd party configuration to a PAN-OS configuration​

Step 7. Import the Converted Configuration into project​