Latest Posts

Palo Alto Firewall Migration Plan Tasks List


It is simple breakdown for a complicate firewall migration plan. It can be used to plan migration from existing firewalls to new Palo Alto Firewall. The tasks should be modified based on the real production situation in your environment.

This is for on prem case. For cloud situation, the tasks will be slightly different. But most will be same.




No Task Order % Due date
1 Prestage firewalls (FW mgmt settings, mgmt tunnel, software updates) 10 100% 19/11/2019
2 Racking/mounting 15 75%
3 Network connectivity (switch ports assignment) 20 50%
4 Network connectivity (switch ports configuration/Etherchannel, etc.) 25 0%
5 Generate firewall self-signed certificate 30 0%
6 Distribution of firewall certificate to endpoints 32 0%
7 Define URL Filtering policies (Internal users, guests, servers) 34 0%
8 Configure URL Filtering profiles 36 0%
9 Identify external host for URL blocking page hosting 37 0%
10 Configure URL Filtering blocking page (requires hosting on public website) 38 0%
11 Define VPN gateway FQDN 40 100%
12 Generate SSL certificate for VPN gateway 42 100%
13 Create AD Palo Alto VPN prerequisites 43 0%
14 Configure Palo Alto VPN gateway 45 0%
15 Configure GlobalProtect VPN client 47 0%
16 Test GlobalProtect VPN connectivity 49 0%
17 Identify VPN tunnels and 3rd party admins 50 30%
18 Identify DMZ hosts 51 50%
19 Identify Client resources accessed via site-to-site VPN 52 0%
20 Identify 3rd party resources accessed via site-to-site VPN 54 0%
21 Identify routing for VPN tunnels/DMZ hosts 55 50%
22 Identify routing changes for Phase 1 (Cisco ASA firewalls in parallel with Palo Alto) 56 20%
23 Configure routing for VPN tunnels/DMZ hosts (if applicable) 57 0%
24 Create timelines for VPN migration 58 0%
25 Define SSL Decryption Firewall Policies (outbound only) 60 0%
26 Configuration of SSL decryption domain -> 1 firewall interface 63 0%
27 Switch SPAN ports configured for SSL decryption domain 65 0%
28 Firewall rules migrated/configured 70 15%
29 Deployment of Palo Alto UserID Agent 71 30%
30 Palo Alto UserId Integration 72 0%
31 Define firewall IPS/Antimalware inspection policies 74 0%
32 Implement firewall IPS/Antimalware inspection policies 75 0%
33 Define logging policies 76 75%
34 Implement logging policies 77 50%
35 Testing (users, scope, applications, websites, etc.). Identify remote sites for testing (to add static routes). 80 0%
36 Transition to Day 2 - Next Phase 100 0%


Updated List :

No
Task
1
Prestage firewall (FW mgmt settings, mgmt tunnel, software updates)
2
Racking/mounting
3
Installation of SFPs
4
Purchase network cables
5
LAN
Network connectivity (switch ports assignment)
Network connectivity (switch ports configuration, etc.)
6
Firewalls
Network connectivity (switch ports config, etc.)
7
Install firewall self-signed certificate
8
Configure URL Filtering profiles
9
Configure URL Filtering blocking page (requires hosting on public website)
10
Configure Palo Alto VPN gateway
11
Assigned dedicated public IP for VPN gateway
12
Test GlobalProtect VPN connectivity
13
Identify VPN tunnels and 3rd party admins
14
Identify DMZ hosts
15
Identify Client resources accessed via site-to-site VPN
16
Identify routing for VPN tunnels/DMZ hosts
17
Identify routing changes for Phase 1 (Cisco ASA firewall in parallel with Palo Alto)
18
Configure routing for VPN tunnels/DMZ hosts (if applicable)
Add PBR for Cisco ISE
19
Create timelines for VPN migration
20
Configuration of SSL decryption domain -> 1 firewall interface
21
Test SSL decryption for regular user web traffic
22
Obtain DMZ server SSL certificate
23
Configuration of SSL decryption for inbound traffic
24
Test SSL decryption for inbound traffic
25
Obtain license for decryption mirroring
26
Switch SPAN ports configured for SSL decryption domain
27
Firewall rules migrated/configured
28
Implement firewall IPS/Antimalware inspection policies
29
Implement logging policies
30
Transition to Day 2
31
Full site-to-site VPN tunnel migration (performed by the delivery team, with support from SOC)
32
Testing (users, websites, etc.). Identify remote sites for testing (to add static routes).
33
Cut-over testing plan: users, applications, criteria, etc.
34
Create cut over MoP
35
Submit change request for cut-over
36
Cut-over









No comments