Palo Alto Application Mapping

Applications can be configured in Palo Alto policies, and FortiConverter supports converting Palo Alto policies into FortiGate policies in policy-based mode. The mapping relationship between Palo Alto applications and FortiGate applications needs to be maintained manually, and FortiConverter automatically applies the mapping relationship in the policies.

Before setting the application mapping, please extract the definitions of FortiOS applications from the target FortiGate device. The application definitions are downloaded and updated from FortiGuard every week. It is highly recommended to connect the target FortiGate device to FortiGuard, install security updates, and import the updated definitions to FortiConverter before setting the application mapping.

Steps to extract the definitions of FortiOS applications from the target FortiGate device

  1. Connect to the console of the target FortiGate.
  2. Input the following commands to show the definitions of FortiOS applications:

    config global (only when the device is in multi-vdom mode)
    config application list
    edit default
    config entries
    edit 1
    set application ?

  3. Save the output into a file. Any type of terminal application is applicable as long as it supports saving the output. The following screenshot is an example to save the output using the FortiGate CLI console.

  4. Remove irrelevant lines and keep only the lines starting from "ID / Select application ID". This file can be imported directly to the application mapping table. Alternatively, the output can be saved into a CSV file with headers in the first line, ID in the first column, and application name in the second column. The import result will be the same.
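
The clean-up step above can be scripted. The following is an added example, not part of FortiConverter or the original help page: it keeps only the entries after the "ID / Select application ID" header in a saved console capture and writes the alternative CSV form (ID in the first column, application name in the second). The capture layout, the sample entries, the prompt text, and the CSV header names are assumptions constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of a saved console capture (not real device output).
SAMPLE_CAPTURE = """\
FGT (1) # set application ?
ID      Select application ID.
101     Example.App.One
102     Example.App.Two
--More--
103     Example.App.Three
102     Example.App.Two

FGT (1) #
"""

# Assumed entry layout: numeric ID, whitespace, application name.
ENTRY = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")
HEADER = re.compile(r"^\s*ID\s+Select application ID")


def parse_definitions(capture):
    """Return [(id, name)] for entries after the header, skipping noise."""
    entries, seen, in_table = [], set(), False
    for line in capture.splitlines():
        if not in_table:
            # Everything before the header (banner, typed commands) is dropped.
            in_table = HEADER.match(line) is not None
            continue
        m = ENTRY.match(line)
        if not m:
            continue  # pager markers, blank lines, trailing prompt
        app_id = int(m.group(1))
        if app_id in seen:
            continue  # entry repeated when the pager redraws
        seen.add(app_id)
        entries.append((app_id, m.group(2)))
    return entries


def to_csv(entries):
    """Render entries as CSV: header row, then ID and application name."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["ID", "Application"])  # header names are an assumption
    writer.writerows(entries)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(parse_definitions(SAMPLE_CAPTURE)), end="")
```
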

Steps to convert Palo Alto policies with applications and set application mapping relationship

  1. Choose the option Converted source vendor's application ID as-is at the start page. This converts the configuration into policy-based mode in FortiGate.
  2. Proceed with the conversion to the tuning page.
  3. Click Application mapping in the left column to show the mapping table. The Palo Alto applications used in the policies are listed there.

  4. Click Import Definition and import the file with the FortiOS application definitions extracted from the target FortiGate device. When the dialog window pops up, select whether to save the definitions as the default definitions.

    Please note that the default definitions will only be used in future conversions with the same FortiOS version because each FortiOS version has a different application list.

    For example, if the current conversion uses FortiOS 7.2, and the definitions are saved as default, then the default definitions will only be applied on 7.2 conversions in the future, not on 7.4 conversions or other FortiOS versions. (If no definitions are imported, FortiConverter uses its own default definitions from FortiOS applications. However, this method is not recommended because some of the default definitions may be obsolete.)

  5. Click on the rows to specify the mapping of the Palo Alto application:

  6. Type the FortiGate application name or ID to search the corresponding FortiGate applications.

  7. Select and add one or more FortiGate applications to the mapping list.

  8. If the Palo Alto application is not mapped to any FortiGate application, enable No Mapping in the table. FortiConverter then skips this application in the output config.

  9. Click Save to save the mapping relationship. If Yes is selected, the mapping relationship becomes the default mapping of Palo Alto conversions, and it will be applied to all Palo Alto conversions directly in the future.

    Please note that the default mapping only applies to Palo Alto conversions with the same FortiOS version because each FortiOS version has a different application list.

    For example, if the current conversion uses FortiOS 7.2, and a default mapping is saved in this conversion, then the default mapping will only be applied on 7.2 conversions in the future, but not on conversions using 7.4 or other FortiOS versions.

  10. If multiple applications are to be marked as "No Mapping", it is not necessary to click into each application. Select the rows in the table, right-click, and select Mark as No Mapping.

  11. After setting up the mapping relationships, click Download config and review the converted policies. The FortiGate application IDs specified in the application mapping table are used in the policies. However, if the mapping of a Palo Alto application is not specified (just like "radius" in the picture below), and it is not marked as "No Mapping", then FortiConverter still uses the Palo Alto application name in the policy with a warning message.

  12. The mapping can be exported into a CSV file and reused in future Palo Alto conversions. Click Export Mapping and Import Mapping to export and import mapping CSV files.

    Please note that it would be better to use the same definition of the FortiOS applications in the conversions that export and import the mapping. If a different definition was used, some application IDs in the exported CSV file may not exist in the imported conversion and those mappings would not be applied.
