Is there a way to test the rules on a new Palo Alto vs the existing firewall it will be replacing without affecting traffic? Something like TAP mode but that can block traffic like an in-production firewall?
One way would be a VirtualWire with the last policy set as ANY/ANY. This way you can see if any traffic hits the last policy and if a policy needs to be rewritten.
Hope that helps.
Generally, during migration, a vwire configuration would be utilized as @OtakarKlier already mentioned. I'm personally not a huge fan of this method as it leaves a bit of cleanup work when moving to L2 or L3 routing in the final implementation. You could implement the firewall as you want to in your final design, and then simply enable 'temp' allow policies that you can monitor in the logs and build out policies as you identify additional traffic you need to allow.
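The log review both replies describe, as an added example that is not part of the original thread: it summarizes which flows were allowed only by the catch-all rule in an exported traffic log, so each can be turned into a specific policy. The rule name `temp-allow-any`, the CSV column names and the sample rows are assumptions constructed for illustration; match them to your own export.

```python
import csv
import io
from collections import Counter

# Assumed name of the temporary catch-all rule (hypothetical, not from the thread).
CATCH_ALL_RULE = "temp-allow-any"

# Columns a replacement rule would match on (assumed export header names).
KEY_COLUMNS = ("Source Zone", "Destination Zone", "Application",
               "IP Protocol", "Destination Port")

# Constructed sample of a traffic-log CSV export.
SAMPLE_LOG = """\
Source Zone,Destination Zone,Source address,Destination address,Application,IP Protocol,Destination Port,Rule,Action
trust,untrust,10.1.1.10,198.51.100.7,ssl,tcp,443,allow-web,allow
trust,dmz,10.1.1.10,192.0.2.20,ms-sql,tcp,1433,temp-allow-any,allow
trust,dmz,10.1.1.11,192.0.2.20,ms-sql,tcp,1433,temp-allow-any,allow
trust,untrust,10.1.1.12,203.0.113.5,ntp,udp,123,temp-allow-any,allow
dmz,trust,192.0.2.20,10.1.1.50,ldap,tcp,389,allow-ldap,allow
trust,dmz,10.1.1.10,192.0.2.20,ms-sql,tcp,1433,temp-allow-any,allow
"""


def catch_all_hits(log_text, rule=CATCH_ALL_RULE):
    """Group sessions that only the catch-all rule allowed, most frequent first."""
    reader = csv.DictReader(io.StringIO(log_text))
    missing = set(KEY_COLUMNS + ("Rule", "Source address")) - set(reader.fieldnames or [])
    if missing:
        # Fail loudly rather than silently reporting "no hits" on a wrong export.
        raise ValueError(f"export is missing columns: {sorted(missing)}")
    hits, sources = Counter(), {}
    for row in reader:
        if row["Rule"] != rule:
            continue  # traffic already covered by a specific policy
        key = tuple(row[c] for c in KEY_COLUMNS)
        hits[key] += 1
        sources.setdefault(key, set()).add(row["Source address"])
    return [{"flow": key, "sessions": n, "sources": sorted(sources[key])}
            for key, n in hits.most_common()]


if __name__ == "__main__":
    for hit in catch_all_hits(SAMPLE_LOG):
        src_zone, dst_zone, app, proto, port = hit["flow"]
        print(f"{hit['sessions']:>3} sessions  {src_zone}->{dst_zone}  "
              f"{app} {proto}/{port}  from {', '.join(hit['sources'])}")
```

An empty result over a representative period means no traffic depends on the catch-all rule any longer.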