Troubleshooting Migration Issues

Troubleshooting for the Secure Firewall Migration Tool

A migration typically fails during the PAN configuration file upload or during the push of the migrated configuration to management center.

Unexpected file—Invalid files detected for PAN. For example, when zipped using Mac OS, Mac system files are created. Remove the Mac files.

Secure Firewall Migration Tool Support Bundle

The Secure Firewall migration tool provides the option to download a support bundle to extract valuable troubleshooting information like log files, DB, and configuration files. Perform the following:

On the Complete Migration screen, click the Support button.

The Help support page appears.

Check the Support Bundle check box and then select the configuration files to download.

Note

The Log and dB files are selected for download by default.

Click Download.

The support bundle file is downloaded as a .zip to your local path. Extract the Zip folder to view the log files, DB, and the Configuration files.
Click Email us to email the failure details for the technical team.

You can also attach the downloaded support files to your email.

Click Visit TAC page to create a TAC case in the Cisco support page.

Note

You can open a TAC case at any time during the migration from the support page.

Logs and Other Files Used for Troubleshooting

You can find information that is useful for identifying and troubleshooting issues in the following files.


File	Location
Log file	`<migration_tool_folder>`\logs
Pre-migration report	`<migration_tool_folder>`\resources
Post-migration report	`<migration_tool_folder>`\resources
unparsed file	`<migration_tool_folder>`\resources
telemetry_sessionid_timestamp.json	`<migration_tool_folder>`\resources\telemetry_data

Troubleshooting Example for PAN: Cannot Find Member of Object Group

In this example, the PAN configuration file upload and parsing failed because of an error in the configuration of an element.

Procedure

Step 1

Review the error messages to identify the problem.

This failure generates the following error messages:


Location	Error Message
Secure Firewall migration tool message	Check Point config files parsed with errors.
Log file	[ERROR \| objectGroupRules] > "ERROR, SERVICE_GROUP_RULE not applied for port-group object [services_epacity_nt_abc] as CheckPoint object [ica] does not exist in <service> table;" [INFO \| objectGroupRules] > "Parsing object-group service:[services_gvxs06]" [INFO \| objectGroupRules] > "Parsing object-group service:[services_iphigenia]" [INFO \| objectGroupRules] > "Parsing object-group service:[Services_KPN_ISP]"

Step 2

Open the PAN services.xml file.

Step 3

Search the object-group with name as services_gvxs06.

Step 4

Create the missing member for the object-group using the smart dashboard.

Step 5

Export the configuration file again. For more information, see .

Step 6

If there are no more errors, upload the new PAN configuration zip file to the Secure Firewall migration tool and continue with the migration.

Migrating Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool

Bias-Free Language

Book Title

Migrating Palo Alto Networks Firewall to Cisco Secure Firewall Threat Defense with the Migration Tool

Chapter Title