This is a simple breakdown of a complex firewall migration plan. It can be used to plan a migration from existing firewalls to new Palo Alto firewalls. The tasks should be adjusted to the actual production situation in your environment.
This is for the on-prem case. For a cloud deployment the tasks will differ slightly, but most will be the same.
| No | Task | Order | % | Due date |
|---|---|---|---|---|
| 1 | Prestage firewalls (FW mgmt settings, mgmt tunnel, software updates) | 10 | 100% | 19/11/2019 |
| 2 | Racking/mounting | 15 | 75% | |
| 3 | Network connectivity (switch ports assignment) | 20 | 50% | |
| 4 | Network connectivity (switch ports configuration/Etherchannel, etc.) | 25 | 0% | |
| 5 | Generate firewall self-signed certificate | 30 | 0% | |
| 6 | Distribution of firewall certificate to endpoints | 32 | 0% | |
| 7 | Define URL Filtering policies (internal users, guests, servers) | 34 | 0% | |
| 8 | Configure URL Filtering profiles | 36 | 0% | |
| 9 | Identify external host for URL blocking page hosting | 37 | 0% | |
| 10 | Configure URL Filtering blocking page (requires hosting on public website) | 38 | 0% | |
| 11 | Define VPN gateway FQDN | 40 | 100% | |
| 12 | Generate SSL certificate for VPN gateway | 42 | 100% | |
| 13 | Create AD Palo Alto VPN prerequisites | 43 | 0% | |
| 14 | Configure Palo Alto VPN gateway | 45 | 0% | |
| 15 | Configure GlobalProtect VPN client | 47 | 0% | |
| 16 | Test GlobalProtect VPN connectivity | 49 | 0% | |
| 17 | Identify VPN tunnels and 3rd party admins | 50 | 30% | |
| 18 | Identify DMZ hosts | 51 | 50% | |
| 19 | Identify client resources accessed via site-to-site VPN | 52 | 0% | |
| 20 | Identify 3rd party resources accessed via site-to-site VPN | 54 | 0% | |
| 21 | Identify routing for VPN tunnels/DMZ hosts | 55 | 50% | |
| 22 | Identify routing changes for Phase 1 (Cisco ASA firewalls in parallel with Palo Alto) | 56 | 20% | |
| 23 | Configure routing for VPN tunnels/DMZ hosts (if applicable) | 57 | 0% | |
| 24 | Create timelines for VPN migration | 58 | 0% | |
| 25 | Define SSL Decryption firewall policies (outbound only) | 60 | 0% | |
| 26 | Configuration of SSL decryption domain -> 1 firewall interface | 63 | 0% | |
| 27 | Switch SPAN ports configured for SSL decryption domain | 65 | 0% | |
| 28 | Firewall rules migrated/configured | 70 | 15% | |
| 29 | Deployment of Palo Alto User-ID Agent | 71 | 30% | |
| 30 | Palo Alto User-ID integration | 72 | 0% | |
| 31 | Define firewall IPS/anti-malware inspection policies | 74 | 0% | |
| 32 | Implement firewall IPS/anti-malware inspection policies | 75 | 0% | |
| 33 | Define logging policies | 76 | 75% | |
| 34 | Implement logging policies | 77 | 50% | |
| 35 | Testing (users, scope, applications, websites, etc.). Identify remote sites for testing (to add static routes). | 80 | 0% | |
| 36 | Transition to Day 2 – next phase | 100 | 0% | |