What to look out for?
Understand the TO-BE network security topology, make sure the required assets (additional switches, cables, etc.) are in place, and have the solution and logical diagrams ready before you start.
Most importantly, have skilled resources to perform the task. If the present employees are not masters of PA, provide them with training and ensure they complete certification (at least ACE).
If your end objective is to enable PA features after migration, install the PA box in vWire/TAP mode first to get application visibility. Schedule a workshop with the end users to note down the features that need to be enabled in PA after migration. Don't enable everything at once: check performance as you go and enable a feature only where the business demands it.
How did you do it?
There are many approaches to performing the migration, but my suggested method is as follows. (Step 1) Audit the current network security solutions and clean up everything (a one-time activity). This gives you a clear picture of the current setup so that you never migrate rules and objects that are not functioning today.
Next (Step 2), spend enough time planning and designing the migration. Ask the business owner why this solution was chosen for migration and what the business demands are. Capture everything in the planning and design documentation.
Then (Step 3), run a workshop that simulates the migration in a staging environment. Use the migration tool to convert the Check Point configs into a PA XML file and fine-tune it to produce the desired technical output. Manually add the configurations the migration tool does not cover. This is a pure like-for-like migration; you are not enabling PA features here.
This (Step 4) is the most important step. Perform the migration on the planned schedule: disconnect the existing solution, enable the PA solution, upload the tested config from the workshop, and perform QA.
Next (Step 5), enable PA features gradually (about 50 rules per day), using the input you gathered while the solution was deployed in vWire/TAP mode and from the interviews with system owners.
Finally (Step 6), document everything and hand over to operations.
Most of what you've planned should work if everyone in the project is passionate about achieving the goal. You'll learn from the mistakes made during the workshop and either correct your planning and design or go back to the business and advise what can realistically be done (don't over-commit).
If we put all the eggs in one basket in a single go, there is a good chance of breaking some of them. Be especially cautious in planning when migrating logical (context/virtual) firewalls to physical ones and when merging various solutions into a single PA solution.
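To make Step 1 (audit and cleanup) and Step 3 (like-for-like conversion) concrete, here is an added example script that is not from the original post and not Palo Alto's migration tool. It takes a constructed, simplified Check Point-style rulebase export (rule number, name, source, destination, service, action, enabled flag, hit count), drops rules that are disabled or exact duplicates, flags zero-hit rules for confirmation with the system owner, and emits PAN-OS set commands with `application any` so that no App-ID decision is made before Step 5. The export field names, the service port table, the 63-character rule name limit, and the mapping of Check Point Reject to PAN-OS reset-both are assumptions to verify against your own export and PAN-OS release.

```python
"""Step 1 audit and Step 3 like-for-like conversion of a Check Point-style
rulebase export into PAN-OS set commands.

Added example, not code from the original post or from Palo Alto's migration
tool. The export below is constructed; field names, service ports and the
Reject -> reset-both mapping are assumptions to verify in your environment.
"""
import re

# Constructed sample export. Rule 2 is disabled, rule 3 duplicates rule 1,
# rule 4 has never matched: exactly the clutter a Step 1 cleanup removes.
CHECKPOINT_RULES = [
    {"no": 1, "name": "Web out", "src": "Internal_Net", "dst": "Any",
     "svc": "http", "action": "Accept", "enabled": True, "hits": 120433},
    {"no": 2, "name": "Old VPN (legacy)", "src": "Branch_Old", "dst": "DC_Net",
     "svc": "ssh", "action": "Accept", "enabled": False, "hits": 0},
    {"no": 3, "name": "Web out", "src": "Internal_Net", "dst": "Any",
     "svc": "http", "action": "Accept", "enabled": True, "hits": 0},
    {"no": 4, "name": "Temp vendor access!!", "src": "Vendor_Host", "dst": "App_Server",
     "svc": "https", "action": "Accept", "enabled": True, "hits": 0},
    {"no": 5, "name": "Block telnet", "src": "Any", "dst": "Any",
     "svc": "telnet", "action": "Reject", "enabled": True, "hits": 17},
    {"no": 6, "name": "Cleanup", "src": "Any", "dst": "Any",
     "svc": "Any", "action": "Drop", "enabled": True, "hits": 8821},
]

# Assumed mappings. Reject has no single PAN-OS equivalent; reset-both is a
# starting point that must be reviewed rule by rule.
ACTION_MAP = {"Accept": "allow", "Drop": "drop", "Reject": "reset-both"}
SERVICE_ALIASES = {"http": "service-http", "https": "service-https"}  # PAN-OS predefined
SERVICE_PORTS = {"ssh": ("tcp", 22), "telnet": ("tcp", 23)}             # constructed; created manually


def audit(rules):
    """Split the export into rules to migrate, rules to drop, and rules to
    confirm with the system owner before cut-over. Returns (keep, drop, review)."""
    keep, drop, review, seen = [], [], [], {}
    for r in rules:
        key = (r["src"].lower(), r["dst"].lower(), r["svc"].lower(), r["action"])
        if not r["enabled"]:
            drop.append((r["no"], "disabled in source rulebase"))
            continue
        if key in seen:
            drop.append((r["no"], f"exact duplicate of rule {seen[key]}"))
            continue
        seen[key] = r["no"]
        if r["hits"] == 0:
            review.append((r["no"], "zero hits in audit window"))
        keep.append(r)
    return keep, drop, review


def pan_rule_name(name, max_len=63):
    """Strip characters PAN-OS does not accept in rule names and cap the
    length (63 assumed here; check the limit for your release)."""
    return re.sub(r"[^A-Za-z0-9 _.-]", "", name).strip()[:max_len]


def to_panos_set(rules, review_reasons):
    """Emit PAN-OS set commands: service objects first, then like-for-like
    rules (application any, zones any) so no App-ID decision is made yet."""
    lines, used = [], set()
    for svc in sorted({r["svc"] for r in rules if r["svc"] in SERVICE_PORTS}):
        proto, port = SERVICE_PORTS[svc]
        lines.append(f"set service {svc} protocol {proto} port {port}")
    for r in rules:
        name = pan_rule_name(r["name"])
        if name in used:                       # PAN-OS rule names must be unique
            name = pan_rule_name(f"{name}-{r['no']}")
        used.add(name)
        src = "any" if r["src"] == "Any" else r["src"]
        dst = "any" if r["dst"] == "Any" else r["dst"]
        svc = "any" if r["svc"] == "Any" else SERVICE_ALIASES.get(r["svc"], r["svc"])
        cmd = (f'set rulebase security rules "{name}" from any to any '
               f"source {src} destination {dst} application any service {svc} "
               f"action {ACTION_MAP[r['action']]} log-end yes")
        if r["no"] in review_reasons:
            cmd += f' description "REVIEW: {review_reasons[r["no"]]} (CP rule {r["no"]})"'
        lines.append(cmd)
    return lines


if __name__ == "__main__":
    keep, drop, review = audit(CHECKPOINT_RULES)
    for no, why in drop:
        print(f"drop   rule {no}: {why}")
    for no, why in review:
        print(f"review rule {no}: {why}")
    print("\n".join(to_panos_set(keep, dict(review))))
```

The review list is the input for the system-owner interviews mentioned in Step 5: a zero-hit rule is either dead (delete it) or a rarely used break-glass path (keep it), and only the owner can tell you which. Address objects are referenced by name here on the assumption that the migration tool carries them across; anything it does not cover, such as the custom service objects, is what Step 3 adds by hand.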
Why didn't it work?
As everyone agrees, the reasons for failure are lack of ownership, lack of knowledge, and too many dependencies. Most people don't know where to start, face disruption during discovery and execution, and struggle with the quality of the data they have.
Palo Alto Firewall Migration