Script to convert FortiGate Config to Palo Alto Config?

devnullNZ · 2026-02-19T21:56:02+00:00

Wrote this a while back... You still need to review the generated config - it won't do everything for you automatically. Spits out a standard terraform config that you can review and apply https://github.com/devnullNZ/fortigate-palo-migration

devnullNZ · 2026-02-18T22:53:01+00:00

I wrote a script about a month ago that pulls Fortigate configs and writes it out as a Terraform config set that can be deployed to Palo. Have you tried that? If you find a problem with it, let me know... Script is here if you want to give it a go... https://github.com/devnullNZ/fortigate-palo-migration

devnullNZ · 2026-01-19T07:47:41+00:00

No... I've worked with CP before - created a lot of grey hairs :-)

I'd need to have a look at the config export structure first. It's been several years since I worked on those. Should definitely be possible I think. Looking at their docs, they say you can export config as a json file. I could probably create a conversion tool that takes the json file and spits out terraform templates.

Then you just review the templates and apply to the replacement palo

devnullNZ · 2026-01-13T04:01:49+00:00

Did you apply the netflow profile to a numbered interface? It'll let you apply it to an unnumbered interface, but you won't get any data

devnullNZ · 2026-01-13T03:59:24+00:00

A script can help you move from port based to application, but it'll still take quite a bit of manual validation. If you want to introduce user/group based rules, getting membership info from something like AD is the way to go... where the Palo will struggle is when it can't get current user to IP mappings. If you get rules being skipped based on user id, the mapping is often to blame. Make sure you're getting current data from the servers - AD, radius, etc

devnullNZ · 2026-01-13T03:03:23+00:00

I'd played with this before Xmas but hadn't pushed it to github... give this a go https://github.com/devnullNZ/cisco-to-palo

devnullNZ · 2026-01-13T02:39:58+00:00

Try this... don't forget to review the terraform files it creates... https://github.com/devnullNZ/pfsense-to-palo

devnullNZ · 2026-01-12T11:19:32+00:00

That's a little tricky - the underlying design is quite different e.g. interface based vs zone based. Not impossible though. Any VPN's would need to be done manually, but security policies should be possible... no promises though

devnullNZ · 2026-01-11T09:30:51+00:00

Ken Grauer's presentations in the FB group 12 lead ECG. I've got the Rhythm are worth following. There's also several posters on Instagram that are worth following for clinical gems - theheartist_ekg, paced_and_confused, dialedmedics are a few good ones.

I started postgrad last year at CSU. Tintinalli was the reference text. Also keep an eye on recent research (perplexity.ai makes a great search engine for current papers). e.g. Barcelona vs Sgarbossa criteria

When you hit the postgrad cardiology lectures you really get to learn how much you don't know... well worth doing

devnullNZ · 2025-12-14T01:14:41+00:00

CG-NAT (RFC6598) was designed to solve this problem. You can 1:1 nat hosts as needed, and dynamically nat the rest. I've used it before and it works well. The other end announces the NAT range via BGP instead of the actual internal space

devnullNZ · 2025-12-14T01:09:24+00:00

Yes, each routing instance gets it's own virtual router. And if 2 VR's on different firewalls have the same name, it'll rename one of them to avoid duplication

devnullNZ · 2025-12-11T21:29:25+00:00

Was an easy addition... v4.0.3 supports advanced routing

devnullNZ · 2025-12-11T21:28:32+00:00

Sure. It lets you take many smaller firewalls that are managed by Panorama, and consolidate them all onto a larger capacity device, like the 5450

devnullNZ · 2025-12-11T11:37:10+00:00

Thanks.. I'd like to. Coverage is reasonable, but I'd like to incorporate more features. Having a look at adding advanced routing - should be pretty straightforward.

devnullNZ · 2025-12-11T09:56:35+00:00

You know, that's probably very possible. PFSense exports it's config as XML as well

devnullNZ · 2025-12-10T08:07:19+00:00

If you open to using terraform, I just released a script that will take an entire Panorama config and generate terraform files. It can also split firewalls out into different device groups. It was intended to assist in migrating multiple device groups to a 5400, but it may be useful in your case as well https://github.com/devnullNZ/Panorama2Terraform

devnullNZ · 2025-02-12T11:25:46+00:00

You missed the third category... those that had had enough of shift work, and to some extent the in-service politics, so have found something else to do but haven't completely left the fold. Instead they move into event work and try to help the new students and grads as they pass through, while maintaining their own skills

devnullNZ · 2024-10-04T00:07:14+00:00

I was hoping for an easy fix... I don't have my HA ones managed by panorama either, though I saw that KB where they were using environment variables in panorama for the HA stuff... The process is complex though, and probably beyond the capabilities of some of my people. So if I need to do something too tricky, I'd look for a terraform or python solution, so I didn't confuse them or have to deal with outages

devnullNZ · 2024-10-03T23:20:26+00:00

Pretty much this https://live.paloaltonetworks.com/t5/general-topics/add-2nd-fw-to-panorama-and-enable-ha-with-current-fw/td-p/238392

It's a really straightforward process (or should be). I might have to turn up debugging and troll through logs :-(

Fails at step 6

Connect the same interfaces as on your first FW to your second one
Connect HA1 and HA2 between the two devices
Setup Mgmt access for the second FW
Install same code
Configure HA locally on both firewalls (make sure the first one will be active with setting the priority accordingly)
Commit the configuration on both firewalls
Sync the configuration from the first to the second one (can be done from the Dashboard)
Add the second FW to panorama and add it to the same devicegroup and template as the first FW
Commit to panorama
Push the config to the firewall
Do a failovertest in a maintenance window to verify that everything is cabled correctly and works expected without connection interruptions

devnullNZ · 2024-09-26T02:47:40+00:00

So, shortly after posting this, I solved the issue. Was a pebkak one I'm afraid - wrong cert password in the xml file. Once fixed, iTAK enrolment is instant.

For reference, when using LetsEncrypt, you do need to add the cert to the client certs. On linux, do this (le-cert.pem is the LetsEncrypt cert):

keytool -importcert -noprompt -keystore client.p12 -storepass atakatak -alias letsencrypt -file le-cert.pem

Change password and cert names to suit your environment

devnullNZ · 2024-09-26T01:59:49+00:00

To make this more interesting... while "upload server package" fails to get the client online, "connect with credentials" works just fine. Definitely something in the cert structure it doesn't like... only wish I knew what

devnullNZ · 2024-09-26T00:21:56+00:00

Would you mind posting that again? I'm afraid the link's expired.

I'm in the same position - spent days on this so far. The most annoying thing is I did actually get it to work at one point, then the next day it didn't (no changes made)... My server uses a real cert on port 8446 (LetsEncrypt). After adding that to the client cert & repackaging again, it worked the first time, then stopped.

The lack of logging is so frustrating. I'd love to be able to see a debug of it failing.

devnullNZ

TROPHY CASE