Large Scale Juniper SRX to Palo Alto Firewall Deployment SOW
Statement of Work
Large-scale security posture change from “Permit All” to “Deny All” with a transition from Juniper SRX firewalls to Palo Alto firewalls. Analyze over 100,000 daily traffic flows using PAN Expedition to create new, specific User-ID and App-ID rulesets.
Integration Guidelines

Traffic Analysis with Gigamon and Palo Alto Expedition Tool
- Configure Gigamon to send/mirror ‘clean’ CORE traffic to the logging server for analysis.
- Configure PAN firewalls to export logs to the Expedition server.
- Configure Expedition to ingest traffic logs.

Traffic Flow and Firewall Rules Analysis
- Refine existing legacy packet filter Security Policies for one (1) Juniper SRX firewall pair:
- Configure daily log exports on one (1) Palo Alto firewall to the verified working Expedition server
- Perform iterative analysis of exported firewall logs to produce security policy rules
- Create net new security policies based on manual effort, log ingestion, and Expedition machine learning
- Analyze CORE traffic logs and patterns for the purpose of creating new rules to permit legitimate CORE traffic through the firewall.
- Present and review the current CORE traffic logs to ABank personnel to determine legitimate vs. illegitimate traffic.
- Create a draft of new security rulesets; Layer 7 rulesets will be the priority, with L3/4 rulesets used as necessary.

Staging and Configuration of PAN Firewalls in HA Mode
- Onsite – Stage new PAN firewalls for integration into the ABank network
- Onsite – Configure management interface and routing functionality (if necessary) to receive CORE traffic
- Perform PAN-OS upgrade, dynamic updates, licensing updates and content database update
- Configure PAN IDS/IPS, Threat Prevention and WildFire to default best practice posture (tuning is not included)
- Configure new rule sets between CORE and ABank zones on new PA-5280 HA pair at Zayo data center and existing PA-5220 HA pair at ABank data center.
- PAN firewall policies to be configured and pushed from existing ABank Palo Alto Networks Panorama.

Cutover Production Traffic
- Export Staged Palo Alto firewall policy configuration to HA pair
- Perform PAN-OS upgrade, dynamic updates, licensing updates and content database updates
- Perform Palo Alto current best practices configuration
  - A checklist will be sent to CLIENT for approval, as some of these best practices may exceed CLIENT Information Security Policy (ISP) and audit requirements
- Perform cutover from SRX firewall to Palo Alto firewall:
  - Clearly define success criteria with CLIENT and engage stakeholders to perform validation testing
  - Schedule Internet service provider technician to clear ARP if circuit(s) terminated on layer-2 device
  - Perform HA validation testing
