It is simple breakdown for a complicate firewall migration plan. It can be used to plan migration from existing firewalls to new Palo Alto Firewall. The tasks should be modified based on the real production situation in your environment.This is for on prem case. For cloud situation, the tasks will be slightly different. But most will be same.
| No | Task | Order | % | Due date |
| 1 | Prestage firewalls (FW mgmt settings, mgmt tunnel, software updates) | 10 | 100% | 19/11/2019 |
| 2 | Racking/mounting | 15 | 75% | |
| 3 | Network connectivity (switch ports assignment) | 20 | 50% | |
| 4 | Network connectivity (switch ports configuration/Etherchannel, etc.) | 25 | 0% | |
| 5 | Generate firewall self-signed certificate | 30 | 0% | |
| 6 | Distribution of firewall certificate to endpoints | 32 | 0% | |
| 7 | Define URL Filtering policies (Internal users, guests, servers) | 34 | 0% | |
| 8 | Configure URL Filtering profiles | 36 | 0% | |
| 9 | Identify external host for URL blocking page hosting | 37 | 0% | |
| 10 | Configure URL Filtering blocking page (requires hosting on public website) | 38 | 0% | |
| 11 | Define VPN gateway FQDN | 40 | 100% | |
| 12 | Generate SSL certificate for VPN gateway | 42 | 100% | |
| 13 | Create AD Palo Alto VPN prerequisites | 43 | 0% | |
| 14 | Configure Palo Alto VPN gateway | 45 | 0% | |
| 15 | Configure GlobalProtect VPN client | 47 | 0% | |
| 16 | Test GlobalProtect VPN connectivity | 49 | 0% | |
| 17 | Identify VPN tunnels and 3rd party admins | 50 | 30% | |
| 18 | Identify DMZ hosts | 51 | 50% | |
| 19 | Identify Client resources accessed via site-to-site VPN | 52 | 0% | |
| 20 | Identify 3rd party resources accessed via site-to-site VPN | 54 | 0% | |
| 21 | Identify routing for VPN tunnels/DMZ hosts | 55 | 50% | |
| 22 | Identify routing changes for Phase 1 (Cisco ASA firewalls in parallel with Palo Alto) | 56 | 20% | |
| 23 | Configure routing for VPN tunnels/DMZ hosts (if applicable) | 57 | 0% | |
| 24 | Create timelines for VPN migration | 58 | 0% | |
| 25 | Define SSL Decryption Firewall Policies (outbound only) | 60 | 0% | |
| 26 | Configuration of SSL decryption domain -> 1 firewall interface | 63 | 0% | |
| 27 | Switch SPAN ports configured for SSL decryption domain | 65 | 0% | |
| 28 | Firewall rules migrated/configured | 70 | 15% | |
| 29 | Deployment of Palo Alto UserID Agent | 71 | 30% | |
| 30 | Palo Alto UserId Integration | 72 | 0% | |
| 31 | Define firewall IPS/Antimalware inspection policies | 74 | 0% | |
| 32 | Implement firewall IPS/Antimalware inspection policies | 75 | 0% | |
| 33 | Define logging policies | 76 | 75% | |
| 34 | Implement logging policies | 77 | 50% | |
| 35 | Testing (users, scope, applications, websites, etc.). Identify remote sites for testing (to add static routes). | 80 | 0% | |
| 36 | Transition to Day 2 - Next Phase | 100 | 0% |
Updated List :
|
Task
|
|
|
1
|
Prestage firewall (FW mgmt settings, mgmt
tunnel, software updates)
|
|
2
|
Racking/mounting
|
|
3
|
Installation of SFPs
|
|
4
|
Purchase network cables
|
|
5
|
LAN
Network connectivity (switch ports assignment) Network connectivity (switch ports configuration, etc.) |
|
6
|
Firewalls
Network connectivity (switch ports config, etc.) |
|
7
|
Install firewall self-signed certificate
|
|
8
|
Configure URL Filtering profiles
|
|
9
|
Configure URL Filtering blocking page (requires
hosting on public website)
|
|
10
|
Configure Palo Alto VPN gateway
|
|
11
|
Assigned dedicated public IP for VPN gateway
|
|
12
|
Test GlobalProtect VPN connectivity
|
|
13
|
Identify VPN tunnels and 3rd party admins
|
|
14
|
Identify DMZ hosts
|
|
15
|
Identify Client resources accessed via site-to-site
VPN
|
|
16
|
Identify routing for VPN tunnels/DMZ hosts
|
|
17
|
Identify routing changes for Phase 1 (Cisco ASA
firewall in parallel with Palo Alto)
|
|
18
|
Configure routing for VPN tunnels/DMZ hosts (if
applicable)
Add PBR for Cisco ISE |
|
19
|
Create timelines for VPN migration
|
|
20
|
Configuration of SSL decryption domain -> 1
firewall interface
|
|
21
|
Test SSL decryption for regular user web traffic
|
|
22
|
Obtain DMZ server SSL certificate
|
|
23
|
Configuration of SSL decryption for inbound
traffic
|
|
24
|
Test SSL decryption for inbound traffic
|
|
25
|
Obtain license for decryption mirroring
|
|
26
|
Switch SPAN ports configured for SSL decryption
domain
|
|
27
|
Firewall rules migrated/configured
|
|
28
|
Implement firewall IPS/Antimalware inspection
policies
|
|
29
|
Implement logging policies
|
|
30
|
Transition to Day 2
|
|
31
|
Full site-to-site VPN tunnel migration (performed
by the delivery team, with support from SOC)
|
|
32
|
Testing (users, websites, etc.). Identify remote
sites for testing (to add static routes).
|
|
33
|
Cut-over testing plan: users, applications,
criteria, etc.
|
|
34
|
Create cut over MoP
|
|
35
|
Submit change request for cut-over
|
|
36
|
Cut-over
|
No comments:
Post a Comment