Firewall migration, testing rules

gonzox98
L0 Member


Is there a way to test the rules on a new Palo Alto vs the existing firewall it will be replacing without affecting traffic? Something like TAP mode but that can block traffic like an in-production firewall?

OtakarKlier
Cyber Elite

Hello,

One way would be a VirtualWire with the last policy set as ANY/ANY. This way you can see if any traffic hits the last policy and if a policy needs to be rewritten.


Hope that helps.

BPry
Cyber Elite

@gonzox98,

Generally, during migration, a vwire configuration would be utilized as @OtakarKlier already mentioned. I'm personally not a huge fan of this method as it leaves a bit of cleanup work when moving to L2 or L3 routing in the final implementation. You could implement the firewall as you want to in your final design, and then simply enable 'temp' allow policies that you can monitor in the logs and build out policies as you identify additional traffic you need to allow.
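As an added illustration of the log-driven approach both replies describe (this is example code, not from either poster or from Palo Alto Networks), here is a small Python script that aggregates sessions which matched only the temporary catch-all rule and turns them into candidate explicit rules. The log column layout, the sample rows and the rule name `catch-all` are constructed assumptions for this example, not a verbatim PAN-OS export.

```python
import csv
from collections import Counter
from io import StringIO

# Constructed sample export of traffic-log rows. Column names are chosen for this
# example only; "catch-all" stands for the temporary final allow-any rule.
SAMPLE_LOG = """rule,src_zone,dst_zone,src,dst,dport,app,action
allow-web,trust,untrust,10.1.1.5,93.184.216.34,443,ssl,allow
catch-all,trust,dmz,10.1.1.5,10.2.0.10,1433,mssql-db,allow
catch-all,trust,dmz,10.1.1.7,10.2.0.10,1433,mssql-db,allow
catch-all,trust,untrust,10.1.1.9,8.8.8.8,53,dns,allow
allow-web,trust,untrust,10.1.1.9,93.184.216.34,80,web-browsing,allow
catch-all,dmz,trust,10.2.0.10,10.1.1.5,445,ms-ds-smb,allow
"""


def catch_all_hits(log_text, catch_all_rule="catch-all"):
    """Count sessions that matched only the temporary catch-all rule.

    Sources are deliberately collapsed so that several clients talking to the
    same destination/port/app become one candidate rule rather than many.
    """
    hits = Counter()
    for row in csv.DictReader(StringIO(log_text)):
        if row["rule"] == catch_all_rule:
            key = (row["src_zone"], row["dst_zone"], row["dst"], row["dport"], row["app"])
            hits[key] += 1
    return hits


def suggest_rules(hits):
    """Turn aggregated catch-all hits into candidate explicit rules, busiest first."""
    suggestions = []
    for (sz, dz, dst, dport, app), n in hits.most_common():
        suggestions.append({"from": sz, "to": dz, "dst": dst,
                            "port": dport, "app": app, "hits": n})
    return suggestions


if __name__ == "__main__":
    # Each printed line is a flow that still needs an explicit policy before the
    # catch-all rule can be removed.
    for s in suggest_rules(catch_all_hits(SAMPLE_LOG)):
        print(f"{s['hits']:>3}x  {s['from']}->{s['to']}  {s['dst']}:{s['port']}  app={s['app']}")
```

Run it against a real CSV export once the columns are mapped to your log schema; anything it lists is traffic the migrated rulebase does not yet cover explicitly.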
