Recently, we came across a migration project where all workloads needed to move from a DVPG to an NSX-backed overlay segment. Previously, East-West (E-W) communication was handled by a physical Palo Alto firewall. Now, as all VMs will be migrated behind the NSX overlay segment and the gateway changes from Palo Alto to NSX Tier-1 (T1), we faced a big challenge: migrating all existing firewall rules.
Here’s what made this project tricky:
- We had 3000+ firewall rules in Palo Alto.
- There were 5000+ address object groups and a similar count of service ports.
- No ready-made tools exist to migrate these objects from Palo Alto to NSX.
Manually migrating these would have been extremely time-consuming and prone to human error.
Luckily, NSX provides an API to create address objects and service ports. By using Postman’s Runner feature, we can send multiple PATCH requests to NSX and automate the creation of objects efficiently.
In this blog series, I’ll walk you through a step-by-step guide to migrate all rules from Palo Alto to NSX Distributed Firewall (DFW). The process is flexible and can be applied to other vendor firewalls as well, as long as you consider the data format.
Migration Steps Overview
- Create Multiple Address Objects at Once
  Instead of manually adding one address at a time, we’ll use the NSX API to create multiple addresses in bulk.
- Create Service Ports in Bulk
  Similarly, we can automate the creation of service ports, saving time and reducing errors.
- Import Firewall Rules from Palo Alto to NSX DFW
  Once all address objects and service ports are ready in NSX, we can import the existing rules from Palo Alto into NSX DFW using Python.
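To show what the first two steps look like in practice, here is an added Python example (not the blog author's code or Postman collection) that turns a small set of Palo Alto address objects and services into NSX Policy API PATCH requests. It assumes the NSX Policy API paths `/policy/api/v1/infra/domains/default/groups/{id}` and `/policy/api/v1/infra/services/{id}` with `IPAddressExpression` and `L4PortSetServiceEntry` bodies; the Palo Alto rows, the manager hostname and the environment variable names are constructed for the example.

```python
"""Build NSX Policy API PATCH payloads for bulk address groups and services.

Added example, not the blog's own code. Assumes the NSX Policy API paths
/policy/api/v1/infra/domains/default/groups/{id} and
/policy/api/v1/infra/services/{id}; the Palo Alto export rows below are
constructed sample data.
"""
import base64
import json
import os
import re
import ssl
import urllib.request

# Constructed sample rows in the shape of a Palo Alto address-object export
# (name, value) and service export (name, protocol, port or port range).
PAN_ADDRESSES = [
    ("web-srv-01", "10.10.1.10"),
    ("db subnet", "10.10.2.0/24"),
    ("mgmt-range", "10.10.3.1-10.10.3.20"),
]
PAN_SERVICES = [
    ("svc-https", "tcp", "443"),
    ("svc-dns", "udp", "53"),
    ("svc-rdp-range", "tcp", "3389-3390"),
]


def nsx_id(name: str) -> str:
    """NSX object ids must be URL-safe; derive one from the Palo Alto name."""
    return re.sub(r"[^A-Za-z0-9_.-]", "_", name.strip())


def group_payload(name: str, address: str) -> dict:
    """PATCH body for a group with one IP expression.
    NSX accepts single IPs, CIDRs and dash ranges in ip_addresses."""
    return {
        "display_name": name,
        "expression": [
            {"resource_type": "IPAddressExpression", "ip_addresses": [address]}
        ],
    }


def service_payload(name: str, proto: str, ports: str) -> dict:
    """PATCH body for a service with one L4 port-set entry."""
    return {
        "display_name": name,
        "service_entries": [
            {
                "resource_type": "L4PortSetServiceEntry",
                "display_name": name,
                "l4_protocol": proto.upper(),
                "destination_ports": [ports],
            }
        ],
    }


def build_requests(addresses, services) -> list:
    """Return (relative_path, body) pairs usable by Postman Runner or a script."""
    reqs = []
    for name, addr in addresses:
        reqs.append((f"/policy/api/v1/infra/domains/default/groups/{nsx_id(name)}",
                     group_payload(name, addr)))
    for name, proto, ports in services:
        reqs.append((f"/policy/api/v1/infra/services/{nsx_id(name)}",
                     service_payload(name, proto, ports)))
    return reqs


def patch(manager: str, path: str, body: dict, user: str, password: str) -> int:
    """Send one PATCH with basic auth; TLS verification stays on (default
    context, so the manager certificate must be trusted). Returns the status."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        f"https://{manager}{path}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Basic {token}"},
    )
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return resp.status


if __name__ == "__main__":
    requests_to_send = build_requests(PAN_ADDRESSES, PAN_SERVICES)
    manager = os.environ.get("NSX_MANAGER")  # placeholder, e.g. nsx.example.internal
    if not manager:
        # Dry run: print exactly what would be sent, for review before pushing.
        for path, body in requests_to_send:
            print("PATCH", path, json.dumps(body))
    else:
        for path, body in requests_to_send:
            print(path, patch(manager, path, body,
                              os.environ["NSX_USER"], os.environ["NSX_PASSWORD"]))
```

Run it without `NSX_MANAGER` set to get a dry-run listing you can review (and diff against the Palo Alto export) before anything touches NSX; PATCH is idempotent on the Policy API, so re-running a reviewed batch simply reasserts the same objects.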
By following these steps, you can migrate firewall rules efficiently and reliably—without the headache of doing it manually.
In the upcoming blogs, I’ll provide detailed examples, code snippets, and Postman configurations to help you perform the migration smoothly.
Stay tuned, and let’s make firewall migration fun and less painful! 🚀
