topic Re: Firewall migration, testing rules in General Topics

Firewall migration, testing rules

gonzox98 — Mon, 11 Feb 2019 21:33:46 GMT

Is there a way to test the rules on a new Palo alto vs the existing firewall it will be replacing without affecting traffic? Something like TAP mode but that can block traffic like an in production firewall?

Re: Firewall migration, testing rules

OtakarKlier — Mon, 11 Feb 2019 21:48:28 GMT

Hello,

One way would be a VirtualWire with the last policy set as ANY/ANY. This way you can see if any traffic hits the last policy and if a policy needs to be rewritten.

Hope that helps.

Re: Firewall migration, testing rules

BPry — Tue, 12 Feb 2019 03:57:22 GMT

@gonzox98,

Generally, during migration, a vwire configuration would be utilized as @OtakarKlier already mentioned. I'm personally not a huge fan of this method as it leaves a bit of cleanup work when moving to l2 or l3 routing in the final implementation. You could implement the firewall as you want to in your final design, and then simply enable 'temp' allow policies that you can monitor in the logs and build out policies as you identify additional traffic you need to allow.