Managed Security Platform Conversion FAQ

Learn everything you need to know about converting to a managed security platform through this informative FAQ guide.

Firewall conversions are never easy, but maintaining a robust security posture is vital to your business. The goal of this document is to provide answers to common questions and help alleviate concerns when upgrading from legacy security platforms to the next generation of US Signal’s Managed Security offering, powered by Palo Alto.

How Will My Existing Firewall Configuration Be Migrated To The New Palo Alto Platform?

The existing firewall configuration will be audited and manually translated to the new Palo Alto platform.

Is There Any Downtime Associated With The Conversion?

If the same WAN and LAN interface configuration is required, there will be downtime associated with the conversion. The existing firewall will need to be taken offline before the new Palo Alto firewall can come online.

How Much Downtime Is Expected During A Firewall Migration?

We recommend scheduling 90 minutes of downtime while the migration takes place.

Will I Be Able To Transfer The LAN & WAN Networks Assigned To My Existing Firewall Over To The New Palo Alto Firewall?

There are two directions you can go with this: you can be assigned new LAN and WAN networks, or you can migrate the existing networks over to the new firewall. If you are assigned new LAN and WAN networks, the Palo Alto firewall can run alongside the existing firewall platform simultaneously. Depending on the environment, this may allow you to test features on the Palo Alto firewall, such as Site-to-Site VPN connectivity and the Remote Access VPN, without needing to schedule a Hot-Cut/MOP. If you wish to retain the same LAN/WAN networks, the Palo Alto firewall must remain in an admin-down state to prevent an overlapping IP address conflict.

Does The Palo Alto Firewall Support A Site-to-Site IPSec VPN Solution, And If So, How Does It Differ From Previous US Signal Firewall Platforms?

The Palo Alto firewall features a route-based Site-to-Site IPSec VPN solution. Previous US Signal platforms featured a policy-based Site-to-Site IPSec VPN solution.

Will The Palo Alto Route-Based VPN Solution Work With A Third-Party Policy-Based VPN, And Is There Anything That I Need To Be Aware Of?

The Palo Alto firewall does provide support to interoperate with third-party policy-based VPNs. When doing so, many of the advantages associated with a route-based VPN are not supported. The biggest difference is that the Palo Alto firewall makes forwarding decisions over a VPN tunnel based on its routing table and the destination IP address. There cannot be overlapping remote VPN networks configured on the Palo Alto firewall.

Does The Palo Alto Firewall Support A Remote Access VPN Solution, And If So, How Do I Deploy It To Users?

The Palo Alto firewall’s remote access VPN solution is referred to as GlobalProtect. The client and configuration files can be downloaded by navigating to the firewall’s FQDN from a web browser. Mobile devices can download the GlobalProtect application from the iOS/Android app store and enter the FQDN from within the application to obtain the configuration file. This will NOT be provisioned by default.
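The FAQ's rule that the Palo Alto firewall selects a VPN tunnel from its routing table and the destination address, and that remote VPN networks must not overlap, can be checked before cut-over. The script below is an added example, not US Signal's or Palo Alto's code; the tunnel names and subnets are constructed.

```python
"""Pre-migration check for moving policy-based site-to-site VPNs to route-based.

Added example, not US Signal's or Palo Alto's code. A policy-based tunnel is
selected by the (local subnet, remote subnet) pair of the traffic; the FAQ
says the Palo Alto firewall instead forwards over a tunnel based on its
routing table and the destination IP address, and that remote VPN networks
must not overlap. This script turns each tunnel's remote subnets into the
static routes a route-based design needs and reports any overlap to fix
before cut-over.
"""
from ipaddress import ip_network

# Constructed inventory of existing policy-based tunnels:
# tunnel name -> remote (peer-side) subnets from its proxy IDs / traffic selectors.
TUNNELS = {
    "branch-a": ["10.10.0.0/16", "192.168.50.0/24"],
    "partner-b": ["172.16.8.0/24"],
    "branch-c": ["10.10.20.0/24"],   # overlaps branch-a's 10.10.0.0/16
    "partner-d": ["172.16.8.0/24"],  # exact duplicate of partner-b
}

def derive_routes(tunnels):
    """Return (destination network, tunnel name) static routes, one per remote subnet."""
    return [(ip_network(net), name) for name, nets in tunnels.items() for net in nets]

def find_overlaps(routes):
    """Return overlapping destinations that point at different tunnels."""
    conflicts = []
    for i, (net_a, tun_a) in enumerate(routes):
        for net_b, tun_b in routes[i + 1:]:
            if tun_a != tun_b and net_a.overlaps(net_b):
                conflicts.append((str(net_a), tun_a, str(net_b), tun_b))
    return conflicts

if __name__ == "__main__":
    routes = derive_routes(TUNNELS)
    for net, tun in routes:
        print(f"route {net} -> tunnel {tun}")
    for net_a, tun_a, net_b, tun_b in find_overlaps(routes):
        print(f"CONFLICT: {net_a} ({tun_a}) overlaps {net_b} ({tun_b}); renumber or consolidate")
```

Each reported conflict is a remote network that destination-only forwarding cannot disambiguate, so it has to be renumbered or consolidated with the peer before the tunnels are rebuilt on the new platform.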

How Will Remote Access VPN Users Authenticate?

It is recommended that you provide an external authentication source, such as a RADIUS or LDAP server, that the firewall can use to authenticate remote VPN users. This allows you to maintain complete control over remote access VPN user account administration. Although less scalable and secure, the local user database on the Palo Alto firewall can alternatively be used to authenticate users. When using the firewall’s local user database, you are responsible for opening a ticket with the Technical Operations Center to add, remove, or modify user accounts.

How Can I Control Which Networks The Remote Users Have Access To?

By default, once connected to the VPN client, all traffic is encrypted and routed to the Palo Alto firewall, no matter the destination. However, the Palo Alto firewall does support Split-Tunnel configuration, which allows for traffic destined only to corporate networks maintained in US Signal’s infrastructure to be sent across the tunnel.

I Am Already Using A Remote Access VPN Client Supported On A Different Firewall Platform. Will I Be Able To Transfer This Over To The New Palo Alto?

No, you will need to deploy this new remote access VPN client to all users.

What Is App-ID?

App-ID is a feature that allows the Palo Alto firewall to do Layer 7 (application) identification, classification, and filtering. Network traffic is not only classified by source & destination IP address, ports, and the transport layer protocol (TCP/UDP), but also by application signatures, decoding, and heuristics.

How Is App-ID Implemented & Do I Need To Enable It?

App-ID functions on a security policy rule basis. This means that the security policy rules on the Palo Alto platform can use App-ID or the traditional port-based method. Leveraging App-ID is recommended; however, it is not a requirement and can be bypassed.

What Are The Disadvantages Of Using App-ID?

Traditional legacy firewalls enforce security policy rules based on IP addresses, ports, and protocols collectively. This may allow evasive and malicious applications to disguise themselves as “trusted” network traffic by using well-known ports and protocols. App-ID allows the underlying application behind the network traffic to be identified properly and security policy rules to be enforced based on the application. The disadvantage of using App-ID is that some network traffic can be inadvertently blocked if there is no clear understanding of which applications are in use within the network.
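The caveat above is addressed by knowing which applications each port-based rule was actually carrying before the rule is converted. The script below is an added example, not Palo Alto's or US Signal's code; the log field names and application names are constructed and assumed, not a vendor log format.

```python
"""Inventory applications in use before switching a rule from ports to App-ID.

Added example, not Palo Alto's or US Signal's code. The FAQ notes App-ID can
inadvertently block traffic when it is unclear which applications are in use.
Traffic logs from a monitoring period, recording each session's port and
identified application, show which applications a port-based rule was
silently permitting, so each can be allowed or knowingly blocked.
"""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample traffic log in CSV form. Field names are assumed (not a
# vendor log format) and the application names are illustrative.
SAMPLE_LOG = """src,dst,dport,proto,app,action
10.1.1.10,203.0.113.5,443,tcp,ssl,allow
10.1.1.11,203.0.113.9,443,tcp,web-browsing,allow
10.1.1.12,203.0.113.22,443,tcp,vendor-cloud-backup,allow
10.1.1.13,203.0.113.5,443,tcp,ssl,allow
10.1.1.14,198.51.100.7,80,tcp,web-browsing,allow
10.1.1.15,198.51.100.8,80,tcp,legacy-erp-sync,allow
10.1.1.16,198.51.100.9,53,udp,dns,allow
"""

def apps_per_port(log_text):
    """Map (proto, dport) -> {app: session count} from the CSV log text."""
    summary = defaultdict(lambda: defaultdict(int))
    for row in csv.DictReader(StringIO(log_text)):
        summary[(row["proto"], int(row["dport"]))][row["app"]] += 1
    return {port: dict(apps) for port, apps in summary.items()}

def proposed_allow_list(summary, port_rule):
    """Applications an App-ID rule must allow to keep what a port rule permitted.

    port_rule: iterable of (proto, dport) the legacy rule allowed. Any app
    seen on those ports but left out of the new rule is traffic that the
    migration would start blocking.
    """
    apps = set()
    for key in port_rule:
        apps.update(summary.get(key, {}))
    return sorted(apps)

if __name__ == "__main__":
    summary = apps_per_port(SAMPLE_LOG)
    for (proto, port), apps in sorted(summary.items()):
        print(f"{proto}/{port}: {apps}")
    print("Allow list for legacy tcp/80+443 rule:",
          proposed_allow_list(summary, [("tcp", 80), ("tcp", 443)]))
```

Applications that appear in the output but are not wanted on the network are the ones App-ID lets you block deliberately, rather than by surprise after the conversion.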