Firewall migration, testing rules



L0 Member


Is there a way to test the rules on a new Palo Alto vs the existing firewall it will be replacing without affecting traffic? Something like TAP mode but that can block traffic like an in-production firewall?

Cyber Elite


One way would be a VirtualWire with the last policy set as ANY/ANY. This way you can see if any traffic hits the last policy and if a policy needs to be rewritten.


Hope that helps.

Cyber Elite


Generally, during migration, a vwire configuration would be utilized as @OtakarKlier already mentioned. I'm personally not a huge fan of this method as it leaves a bit of cleanup work when moving to L2 or L3 routing in the final implementation. You could implement the firewall as you want to in your final design, and then simply enable 'temp' allow policies that you can monitor in the logs and build out policies as you identify additional traffic you need to allow.
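The log-review step both replies describe (watching what reaches the final ANY/ANY or 'temp' allow rule and turning those flows into explicit policies), as an added example that is not code from the thread or from Palo Alto Networks. It assumes a traffic log exported as CSV with the column names shown; those names, the catch-all rule name 'temp-allow-any' and the sample export are constructed for the example.

```python
"""Summarise traffic that matched a temporary catch-all rule.

Assumes a PAN-OS traffic log exported as CSV with at least the columns
'Source Zone', 'Destination Zone', 'Application', 'Destination Port',
'Rule' and 'Action' (column names are an assumption; real exports carry
many more columns). The sample log below is constructed for the example.
"""
import csv
import io
from collections import Counter

# Constructed sample export: two sessions matched an explicit rule, the
# rest fell through to the temporary catch-all named 'temp-allow-any'.
SAMPLE_LOG = """\
Source Zone,Destination Zone,Application,Destination Port,Rule,Action
trust,untrust,web-browsing,443,allow-web,allow
trust,untrust,web-browsing,443,allow-web,allow
trust,dmz,ms-sql-db,1433,temp-allow-any,allow
trust,dmz,ms-sql-db,1433,temp-allow-any,allow
dmz,untrust,ntp,123,temp-allow-any,allow
trust,untrust,ssl,8443,temp-allow-any,allow
"""


def catchall_hits(csv_text, catchall_rule):
    """Return {(src_zone, dst_zone, app, dst_port): session_count} for
    sessions that hit the catch-all instead of an explicit policy."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Rule"] != catchall_rule:
            continue
        key = (row["Source Zone"], row["Destination Zone"],
               row["Application"], row["Destination Port"])
        hits[key] += 1
    return dict(hits)


def suggest_rules(hits, min_hits=1):
    """Turn aggregated hits into candidate explicit rules, most frequent
    first, so the catch-all can be tightened before cutover."""
    ranked = sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))
    return [
        {"from": src, "to": dst, "application": app, "port": port, "sessions": n}
        for (src, dst, app, port), n in ranked if n >= min_hits
    ]


if __name__ == "__main__":
    for rule in suggest_rules(catchall_hits(SAMPLE_LOG, "temp-allow-any")):
        print(rule)
```

Run it against a real export once the catch-all stops receiving new flow types; anything still listed is traffic that has no explicit policy yet.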
