Migrate to network rulesets
About the migration
Palo Alto Networks will work with you to get all of your network policies and external networks converted over to the new model. We provide this summary to give you a high-level sense of the process.
Do not add any network policies or external networks containing ports/protocols after upgrading.
1. Review tag prefixes
Review the concept of tag prefixes. Determine whether your network policies and external networks contain tags that do not have matching tag prefixes. If so, you either need to modify the default tag prefixes or use tags that have tag prefixes in your network rulesets. Network rulesets and external networks that use tags without matching tag prefixes will not be enforced after you toggle to the new model.
2. Convert your network policies and external networks
- Network policies to network rulesets
- Move ports/protocols from external networks to network rulesets
3. Upgrade all of your enforcers
Uninstall all of your 3.14 or prior enforcers. Install the 5.0 enforcer.
3. Enable discovery mode
Use the following namespace properties to enable discovery mode:
defaultPUIncomingTrafficAction: Allow defaultPUOutgoingTrafficAction: Allow
You must have privileges in the parent namespace to modify the setting.
4. Switch to the new model
Toggle the Microsegmentation Console to the new model as follows.
voila - (release-5.0.6) ➤ set_value global.defaultNetpolicyRendererVersion v2 voila - (release-5.0.6) ➤ doit
5. Review your flows
After allowing your namespaces to run in discovery mode for some time, review the flows carefully. Any traffic with dashed green lines will be rejected once you disable discovery mode. Allow any traffic you do not wish to be rejected.
6. Disable discovery mode
Use the following namespace properties to disable discovery mode:
defaultPUIncomingTrafficAction: Reject defaultPUOutgoingTrafficAction: Reject