
Palo Alto Firewall Migration Plan Tasks List


This is a simple breakdown of a complicated firewall migration plan. It can be used to plan a migration from existing firewalls to new Palo Alto firewalls. The tasks should be modified to fit the actual production situation in your environment.

This list is for the on-prem case. For a cloud deployment the tasks will be slightly different, but most will be the same.




| No | Task | Order | % complete | Due date |
|----|------|-------|------------|----------|
| 1 | Prestage firewalls (FW mgmt settings, mgmt tunnel, software updates) | 10 | 100% | 19/11/2019 |
| 2 | Racking/mounting | 15 | 75% | |
| 3 | Network connectivity (switch ports assignment) | 20 | 50% | |
| 4 | Network connectivity (switch ports configuration/Etherchannel, etc.) | 25 | 0% | |
| 5 | Generate firewall self-signed certificate | 30 | 0% | |
| 6 | Distribution of firewall certificate to endpoints | 32 | 0% | |
| 7 | Define URL Filtering policies (Internal users, guests, servers) | 34 | 0% | |
| 8 | Configure URL Filtering profiles | 36 | 0% | |
| 9 | Identify external host for URL blocking page hosting | 37 | 0% | |
| 10 | Configure URL Filtering blocking page (requires hosting on public website) | 38 | 0% | |
| 11 | Define VPN gateway FQDN | 40 | 100% | |
| 12 | Generate SSL certificate for VPN gateway | 42 | 100% | |
| 13 | Create AD Palo Alto VPN prerequisites | 43 | 0% | |
| 14 | Configure Palo Alto VPN gateway | 45 | 0% | |
| 15 | Configure GlobalProtect VPN client | 47 | 0% | |
| 16 | Test GlobalProtect VPN connectivity | 49 | 0% | |
| 17 | Identify VPN tunnels and 3rd party admins | 50 | 30% | |
| 18 | Identify DMZ hosts | 51 | 50% | |
| 19 | Identify OSC resources accessed via site-to-site VPN | 52 | 0% | |
| 20 | Identify 3rd party resources accessed via site-to-site VPN | 54 | 0% | |
| 21 | Identify routing for VPN tunnels/DMZ hosts | 55 | 50% | |
| 22 | Identify routing changes for Phase 1 (Cisco ASA firewalls in parallel with Palo Alto) | 56 | 20% | |
| 23 | Configure routing for VPN tunnels/DMZ hosts (if applicable) | 57 | 0% | |
| 24 | Create timelines for VPN migration | 58 | 0% | |
| 25 | Define SSL Decryption Firewall Policies (outbound only) | 60 | 0% | |
| 26 | Configuration of SSL decryption domain -> 1 firewall interface | 63 | 0% | |
| 27 | Switch SPAN ports configured for SSL decryption domain | 65 | 0% | |
| 28 | Firewall rules migrated/configured | 70 | 15% | |
| 29 | Deployment of Palo Alto User-ID Agent | 71 | 30% | |
| 30 | Palo Alto User-ID Integration | 72 | 0% | |
| 31 | Define firewall IPS/Antimalware inspection policies | 74 | 0% | |
| 32 | Implement firewall IPS/Antimalware inspection policies | 75 | 0% | |
| 33 | Define logging policies | 76 | 75% | |
| 34 | Implement logging policies | 77 | 50% | |
| 35 | Testing (users, scope, applications, websites, etc.). Identify remote sites for testing (to add static routes). | 80 | 0% | |
| 36 | Transition to Day 2 - Next Phase | 100 | 0% | |







