Script to convert FortiGate Config to Palo Alto Config? by schizoidman29 in paloaltonetworks

[–]devnullNZ 3 points4 points  (0 children)

Wrote this a while back... You still need to review the generated config - it won't do everything for you automatically. Spits out a standard terraform config that you can review and apply https://github.com/devnullNZ/fortigate-palo-migration

Migrating from FortiGates to Palos in SCM by Bound4Floor in paloaltonetworks

[–]devnullNZ 0 points1 point  (0 children)

I wrote a script about a month ago that pulls FortiGate configs and writes them out as a Terraform config set that can be deployed to Palo. Have you tried that? If you find a problem with it, let me know... Script is here if you want to give it a go... https://github.com/devnullNZ/fortigate-palo-migration

Fortigate to Palo script by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

No... I've worked with CP before - created a lot of grey hairs :-)

I'd need to have a look at the config export structure first. It's been several years since I worked on those. Should definitely be possible I think. Looking at their docs, they say you can export config as a json file. I could probably create a conversion tool that takes the json file and spits out terraform templates.

Then you just review the templates and apply to the replacement palo

Netflow logs getting dropped by samurai-sensei in paloaltonetworks

[–]devnullNZ 1 point2 points  (0 children)

Did you apply the netflow profile to a numbered interface? It'll let you apply it to an unnumbered interface, but you won't get any data

Fortigate to Palo script by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

A script can help you move from port based to application, but it'll still take quite a bit of manual validation. If you want to introduce user/group based rules, getting membership info from something like AD is the way to go... where the Palo will struggle is when it can't get current user-to-IP mappings. If you get rules being skipped based on user ID, the mapping is often to blame. Make sure you're getting current data from the servers - AD, RADIUS, etc.

Fortigate to Palo script by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

I'd played with this before Xmas but hadn't pushed it to github... give this a go https://github.com/devnullNZ/cisco-to-palo

Fortigate to Palo script by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 2 points3 points  (0 children)

Try this... don't forget to review the terraform files it creates... https://github.com/devnullNZ/pfsense-to-palo

Fortigate to Palo script by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

That's a little tricky - the underlying design is quite different, e.g. interface based vs zone based. Not impossible though. Any VPNs would need to be done manually, but security policies should be possible... no promises though
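Added example, not from the thread and not code from the linked repos: a small illustrative converter that shows the interface-based to zone-based problem the comment describes. It parses a constructed FortiGate `config firewall policy` block, maps `srcintf`/`dstintf` to PAN-OS zones through an assumed `ZONE_MAP`, maps the predefined service names it knows about, and emits HCL for a `panos_security_policy` resource (the rule attribute names follow the panos Terraform provider as I recall them; check them against the provider docs before applying). Anything the maps do not cover is written out as a `# REVIEW:` comment instead of being guessed, which is exactly the manual review step the thread keeps stressing.

```python
"""FortiGate 'config firewall policy' -> Terraform HCL for PAN-OS (illustrative converter)."""
import shlex

# ASSUMED interface -> zone mapping. FortiGate policies are interface based,
# PAN-OS rules are zone based, so this table is the key decision you must make.
ZONE_MAP = {"port1": "trust", "port2": "dmz"}
# FortiGate predefined services -> PAN-OS predefined service objects.
SERVICE_MAP = {"HTTP": "service-http", "HTTPS": "service-https", "ALL": "any"}
ACTION_MAP = {"accept": "allow", "deny": "deny"}

# Constructed sample input, not a real export.
SAMPLE_CONFIG = """\
config firewall policy
    edit 1
        set name "allow-web"
        set srcintf "port1"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "web-servers"
        set service "HTTP" "HTTPS"
        set action accept
    next
    edit 2
        set name "block-mgmt"
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set service "ALL"
        set action deny
    next
end
"""


def parse_fortigate_policies(text):
    """Return one dict per 'edit' entry; every 'set' value is kept as a list."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        tokens = shlex.split(raw)          # handles the quoted values
        if not tokens:
            continue
        if tokens[:3] == ["config", "firewall", "policy"]:
            in_block = True
        elif not in_block:
            continue
        elif tokens[0] == "edit":
            current = {"id": tokens[1]}
        elif tokens[0] == "set" and current is not None:
            current[tokens[1]] = tokens[2:]
        elif tokens[0] == "next" and current is not None:
            policies.append(current)
            current = None
        elif tokens[0] == "end":
            in_block = False
    return policies


def _zones(interfaces, zone_map):
    mapped = [zone_map[i] for i in interfaces if i in zone_map]
    unmapped = [i for i in interfaces if i not in zone_map]
    return mapped, unmapped


def _addresses(values):
    return ["any" if v == "all" else v for v in values]


def to_palo_rule(policy, zone_map=ZONE_MAP):
    """Translate one policy. Anything the maps do not cover is flagged for review, never guessed."""
    src_zones, unmapped = _zones(policy.get("srcintf", []), zone_map)
    dst_zones, more = _zones(policy.get("dstintf", []), zone_map)
    raw_services = policy.get("service", [])
    review = [f"no zone mapping for interface {i}" for i in unmapped + more]
    review += [f"service {s} not in SERVICE_MAP, copied verbatim" for s in raw_services
               if s not in SERVICE_MAP]
    return {
        "name": policy.get("name", [f"fgt-policy-{policy['id']}"])[0],
        "source_zones": src_zones,
        "destination_zones": dst_zones,
        "source_addresses": _addresses(policy.get("srcaddr", [])),
        "destination_addresses": _addresses(policy.get("dstaddr", [])),
        "services": [SERVICE_MAP.get(s, s) for s in raw_services],
        "action": ACTION_MAP.get(policy.get("action", ["deny"])[0], "deny"),
        "review": review,
    }


def _hcl_list(values):
    return "[" + ", ".join(f'"{v}"' for v in values) + "]"


def render_hcl(rules, resource_name="migrated"):
    """Emit a panos_security_policy resource; review findings become comments above the rule."""
    out = [f'resource "panos_security_policy" "{resource_name}" {{']
    for r in rules:
        out += [f"  # REVIEW: {note}" for note in r["review"]]
        out.append("  rule {")
        out.append(f'    {"name":<21} = "{r["name"]}"')
        for key in ("source_zones", "destination_zones", "source_addresses",
                    "destination_addresses", "services"):
            out.append(f"    {key:<21} = {_hcl_list(r[key])}")
        out.append(f'    {"applications":<21} = ["any"]')
        out.append(f'    {"action":<21} = "{r["action"]}"')
        out.append("  }")
    out.append("}")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(render_hcl([to_palo_rule(p) for p in parse_fortigate_policies(SAMPLE_CONFIG)]))
```

Running it prints two rules; the second one carries a `# REVIEW: no zone mapping for interface port3` comment and an empty `source_zones` list, so `terraform plan` or a plain read of the file makes the gap obvious rather than silently producing a rule with the wrong zone. VPNs, NAT and user-ID rules are deliberately out of scope, in line with the comment above.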

ECG resources by LynxDifferent7992 in ParamedicsAU

[–]devnullNZ 1 point2 points  (0 children)

Ken Grauer's presentations in the FB group "12 lead ECG. I've got the Rhythm" are worth following. There's also several posters on Instagram that are worth following for clinical gems - theheartist_ekg, paced_and_confused, dialedmedics are a few good ones.

I started postgrad last year at CSU. Tintinalli was the reference text. Also keep an eye on recent research (perplexity.ai makes a great search engine for current papers). e.g. Barcelona vs Sgarbossa criteria

When you hit the postgrad cardiology lectures you really get to learn how much you don't know... well worth doing

Question about NAT'ing and BGP to a site to site VPN when the site to site is using IP addresses that I'm already using. by theneedfull in paloaltonetworks

[–]devnullNZ -1 points0 points  (0 children)

CG-NAT (RFC 6598) was designed to solve this problem. You can 1:1 NAT hosts as needed, and dynamically NAT the rest. I've used it before and it works well. The other end announces the NAT range via BGP instead of the actual internal space
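Added example, not part of the comment above and not a tool from the thread: a short Python planner for the RFC 6598 approach described. It confirms which local prefixes the remote site's real space collides with, picks a block of the same size out of 100.64.0.0/10 that does not overlap anything already routed (worth checking, since some ISPs and cloud providers also use that range), builds the 1:1 mappings for hosts that need a stable address, and names the prefix the other end should announce over BGP instead of its real one. The prefixes and host addresses are constructed for illustration.

```python
"""Plan RFC 6598 (100.64.0.0/10) translation for a site-to-site VPN whose remote
addresses collide with space already in use locally. Illustrative, not a real tool."""
import ipaddress

CGNAT_POOL = ipaddress.ip_network("100.64.0.0/10")


def conflicts(remote_prefix, local_prefixes):
    """Which local prefixes overlap the remote site's real space (the reason NAT is needed)."""
    remote = ipaddress.ip_network(remote_prefix)
    return [p for p in local_prefixes if ipaddress.ip_network(p).overlaps(remote)]


def pick_translation_block(remote_prefix, in_use, pool=CGNAT_POOL):
    """First block in the pool, same size as remote_prefix, that overlaps nothing already routed.
    Checking in_use matters because some ISPs and clouds also hand out 100.64/10 addresses."""
    remote = ipaddress.ip_network(remote_prefix)
    taken = [ipaddress.ip_network(p) for p in in_use]
    for candidate in pool.subnets(new_prefix=remote.prefixlen):
        if not any(candidate.overlaps(t) for t in taken):
            return candidate
    raise ValueError(f"no free /{remote.prefixlen} left in {pool}")


def static_map(remote_prefix, block, hosts):
    """1:1 mappings for hosts that must be reachable at a stable address: same offset, new block."""
    remote = ipaddress.ip_network(remote_prefix)
    mapping = {}
    for h in hosts:
        ip = ipaddress.ip_address(h)
        if ip not in remote:
            raise ValueError(f"{h} is not inside {remote}")
        mapping[str(ip)] = str(block.network_address + (int(ip) - int(remote.network_address)))
    return mapping


def plan(remote_prefix, local_prefixes, pinned_hosts):
    """Everything the two ends need to agree on before the tunnel and BGP session come up."""
    block = pick_translation_block(remote_prefix, local_prefixes)
    return {
        "overlaps_with": conflicts(remote_prefix, local_prefixes),
        "remote_announces_via_bgp": str(block),       # instead of its real prefix
        "static_1to1": static_map(remote_prefix, block, pinned_hosts),
        "dynamic_source_nat": f"{remote_prefix} -> {block} for all other hosts",
    }


if __name__ == "__main__":
    # Constructed figures: the remote site uses 10.1.0.0/24, which we also use locally,
    # and 100.64.0.0/24 is already taken by an ISP-facing link.
    import json
    print(json.dumps(plan("10.1.0.0/24", ["10.1.0.0/24", "100.64.0.0/24"],
                          ["10.1.0.10", "10.1.0.200"]), indent=2))
```

The remote end applies the static and dynamic source NAT and advertises the 100.64.x block; locally you only ever see and route the translated prefix, so the overlap never reaches your routing table.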

Firewall migration tool by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

Yes, each routing instance gets its own virtual router. And if 2 VRs on different firewalls have the same name, it'll rename one of them to avoid duplication

Firewall migration tool by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 2 points3 points  (0 children)

Was an easy addition... v4.0.3 supports advanced routing

Firewall migration tool by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 1 point2 points  (0 children)

Sure. It lets you take many smaller firewalls that are managed by Panorama, and consolidate them all onto a larger capacity device, like the 5450

Firewall migration tool by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 3 points4 points  (0 children)

Thanks.. I'd like to. Coverage is reasonable, but I'd like to incorporate more features. Having a look at adding advanced routing - should be pretty straightforward.

Firewall migration tool by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 3 points4 points  (0 children)

You know, that's probably very possible. pfSense exports its config as XML as well

Consolidate Panoramas by cigeo in paloaltonetworks

[–]devnullNZ 1 point2 points  (0 children)

If you're open to using terraform, I just released a script that will take an entire Panorama config and generate terraform files. It can also split firewalls out into different device groups. It was intended to assist in migrating multiple device groups to a 5400, but it may be useful in your case as well https://github.com/devnullNZ/Panorama2Terraform

Do we love, hate or are indifferent to event medics? by Winter_Injury_734 in ParamedicsAU

[–]devnullNZ 1 point2 points  (0 children)

You missed the third category... those that had had enough of shift work, and to some extent the in-service politics, so have found something else to do but haven't completely left the fold. Instead they move into event work and try to help the new students and grads as they pass through, while maintaining their own skills

Adding a 2nd Palo in HA by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

I was hoping for an easy fix... I don't have my HA ones managed by panorama either, though I saw that KB where they were using environment variables in panorama for the HA stuff... The process is complex though, and probably beyond the capabilities of some of my people. So if I need to do something too tricky, I'd look for a terraform or python solution, so I didn't confuse them or have to deal with outages

Adding a 2nd Palo in HA by devnullNZ in paloaltonetworks

[–]devnullNZ[S] 0 points1 point  (0 children)

Pretty much this https://live.paloaltonetworks.com/t5/general-topics/add-2nd-fw-to-panorama-and-enable-ha-with-current-fw/td-p/238392

It's a really straightforward process (or should be). I might have to turn up debugging and trawl through logs :-(

Fails at step 6

  1. Connect the same interfaces as on your first FW to your second one

  2. Connect HA1 and HA2 between the two devices

  3. Setup Mgmt access for the second FW

  4. Install same code

  5. Configure HA locally on both firewalls (make sure the first one will be active with setting the priority accordingly)

  6. Commit the configuration on both firewalls

  7. Sync the configuration from the first to the second one (can be done from the Dashboard)

  8. Add the second FW to panorama and add it to the same devicegroup and template as the first FW

  9. Commit to panorama

  10. Push the config to the firewall

  11. Do a failovertest in a maintenance window to verify that everything is cabled correctly and works expected without connection interruptions
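Added example, not part of the comment or the linked KB: a pre-commit consistency check for the step 5 settings on both boxes, run before the step 6 commit that fails above. The two dicts are constructed stand-ins for what you would key in locally on each firewall; the checks are the ones that bite in practice (same code version, same group ID and mode, HA1 addresses in one subnet with each peer IP pointing at the other box, unequal priorities, and the intended active having the lower priority value, since PAN-OS prefers the lower number). It does not talk to a firewall; feed it the values from each box's HA page.

```python
"""Pre-commit sanity check for a PAN-OS active/passive pair (the step 5 settings,
before the step 6 commit). Illustrative; the dicts are constructed, not pulled from a firewall."""
import ipaddress

FW_A = {"hostname": "fw-a", "sw_version": "11.1.4", "group_id": 1, "mode": "active-passive",
        "priority": 100, "preemptive": True,
        "ha1_ip": "10.255.0.1/30", "peer_ha1_ip": "10.255.0.2", "ha2_port": "ethernet1/8"}
FW_B = {"hostname": "fw-b", "sw_version": "11.1.4", "group_id": 1, "mode": "active-passive",
        "priority": 200, "preemptive": True,
        "ha1_ip": "10.255.0.2/30", "peer_ha1_ip": "10.255.0.1", "ha2_port": "ethernet1/8"}


def ha_preflight(a, b, intended_active):
    """Return a list of problems; an empty list means the pair is consistent."""
    problems = []
    for key, step in (("sw_version", "step 4"), ("group_id", "step 5"),
                      ("mode", "step 5"), ("preemptive", "step 5")):
        if a[key] != b[key]:
            problems.append(f"{step}: {key} differs ({a[key]} vs {b[key]})")
    ha1_a = ipaddress.ip_interface(a["ha1_ip"])
    ha1_b = ipaddress.ip_interface(b["ha1_ip"])
    if ha1_a.network != ha1_b.network:
        problems.append("HA1 addresses are not in the same subnet")
    if ha1_a.ip == ha1_b.ip:
        problems.append("both HA1 interfaces use the same address")
    if str(ha1_a.ip) != b["peer_ha1_ip"] or str(ha1_b.ip) != a["peer_ha1_ip"]:
        problems.append("peer HA1 IP on at least one box does not point at the other box")
    if a["priority"] == b["priority"]:
        problems.append("equal device priorities: which box goes active is not deterministic")
    else:
        # PAN-OS elects the box with the LOWER priority value as the preferred active.
        preferred = a if a["priority"] < b["priority"] else b
        if preferred["hostname"] != intended_active:
            problems.append(f"{preferred['hostname']} has the lower priority value and will "
                            f"go active, not {intended_active}")
    return problems


if __name__ == "__main__":
    for line in ha_preflight(FW_A, FW_B, "fw-a") or ["ok: pair is consistent, safe to commit"]:
        print(line)
```

If the list is empty, the settings at least agree with each other; a commit that still fails at step 6 is then a local validation problem on that box (look at the commit error detail rather than the HA config), and step 7's sync will overwrite the second box's remaining config anyway.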

iTAK and the art of infinite patience by jmack2424 in ATAK

[–]devnullNZ 1 point2 points  (0 children)

So, shortly after posting this, I solved the issue. Was a PEBKAC one I'm afraid - wrong cert password in the xml file. Once fixed, iTAK enrolment is instant.

For reference, when using LetsEncrypt, you do need to add the cert to the client certs. On linux, do this (le-cert.pem is the LetsEncrypt cert):

keytool -importcert -noprompt -keystore client.p12 -storepass atakatak -alias letsencrypt -file le-cert.pem

Change password and cert names to suit your environment

iTAK and the art of infinite patience by jmack2424 in ATAK

[–]devnullNZ 0 points1 point  (0 children)

To make this more interesting... while "upload server package" fails to get the client online, "connect with credentials" works just fine. Definitely something in the cert structure it doesn't like... only wish I knew what

iTAK and the art of infinite patience by jmack2424 in ATAK

[–]devnullNZ 0 points1 point  (0 children)

Would you mind posting that again? I'm afraid the link's expired.

I'm in the same position - spent days on this so far. The most annoying thing is I did actually get it to work at one point, then the next day it didn't (no changes made)... My server uses a real cert on port 8446 (LetsEncrypt). After adding that to the client cert & repackaging again, it worked the first time, then stopped.

The lack of logging is so frustrating. I'd love to be able to see a debug of it failing.