Change is never easy. Except when you plan ahead and just need to plug in a cable. Then it’s pretty straightforward. Or at least it was for PDQ’s Director of Service Operations Josh Mackelprang when he transitioned the company from the Fortinet firewall to Palo Alto Networks — along with the associated virtual private network (VPN). We’ll break down the process and share Josh’s insights.
Deciding to change firewalls
The decision to change firewalls happened organically. PDQ’s Fortinet firewall was quickly approaching its end-of-life date, so Josh started shopping around. Specifically, PDQ was in the market to upgrade to a next-gen firewall with a higher throughput for increased speed.
Fortinet and Palo Alto Networks were the two front-runners because, well, they’re Fortinet and Palo Alto Networks. But other than that, the team didn’t have a clear preference.
“They both can do everything,” Josh said. “We didn't really care.”
Ultimately, the decision came down to a head-to-head comparison with a cost-benefit analysis, and Palo Alto Networks came out on top. Since PDQ was formerly a Fortinet shop, this decision meant switching platforms.
Approaching the cutover
Before the cutover date, Josh and his team took all the necessary steps to ensure a seamless transition.
The procurement process took a few months, so Josh had plenty of time to plan the switch before the hardware even arrived. Once the firewall made its way to PDQ headquarters, Josh and his team chipped away at configurations for a few weeks. But by preparing ahead of time, the process was low pressure.
According to Josh, “It's sitting on your desk, and you're like, ‘I have a few minutes between tasks, so I'll go move over part of the configuration.’”
All in, Josh estimated the configuration would have taken about 2 hours if he’d sat down and done it in one fell swoop. If you were transitioning between firewalls in the same family, the process of configuring settings in the graphical user interface (GUI) could be whittled down to even less time — we’re talking 40 minutes … maybe less if you were well caffeinated.
But Josh noted that there’s an even easier way: “If you're familiar with all of these vendors’ command lines, the cool thing about networking equipment is you don't have to click around in the GUI. You can dump the entire configuration into a text file, and then just copy and paste.”
Want to get hyperspecific? PDQ has a complicated setup — because we can. We run Border Gateway Protocol (BGP) with two ISPs, using our own IPv4 and IPv6 address space and autonomous system number (ASN) assigned by the American Registry for Internet Numbers (ARIN). Internally, we have two virtual routing and forwarding (VRF) instances that the ISP service has to be split across, so an external router sits in front of the firewall. According to Josh, “We are wonderfully overcomplicated.”
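Dumping the config to a text file and pasting it back works as long as you stay inside one vendor's syntax. Moving from FortiOS to PAN-OS, the rules have to be translated, and whatever the translation cannot express is exactly the kind of thing that gets missed at cutover. The script below is an added example written for this post; it is not PDQ's tooling and not a vendor migration tool. It parses a FortiGate `show firewall policy` dump into PAN-OS `set rulebase security rules ...` commands, and it withholds any rule it cannot fully map so you get a review list instead of a silently wrong rulebase. The sample dump, the interface-to-zone table, and the service table are constructed placeholders you would replace with your own.

```python
import shlex

# Constructed sample of a FortiGate 'show firewall policy' dump (not PDQ's config).
FORTIOS_DUMP = """\
config firewall policy
    edit 1
        set name "Allow-Web-Out"
        set srcintf "internal"
        set dstintf "wan1"
        set action accept
        set srcaddr "all"
        set dstaddr "all"
        set service "HTTP" "HTTPS"
        set nat enable
    next
    edit 2
        set name "Custom-App"
        set srcintf "dmz"
        set dstintf "wan1"
        set action accept
        set srcaddr "app-servers"
        set dstaddr "all"
        set service "MY-APP-TCP-8443"
    next
end
"""

# Assumed, environment-specific tables (placeholders): FortiOS interface -> PAN-OS
# zone, and FortiOS service name -> PAN-OS service object (service-http/https are predefined).
INTF_TO_ZONE = {"internal": "trust", "wan1": "untrust", "dmz": "dmz"}
SERVICE_MAP = {"HTTP": "service-http", "HTTPS": "service-https", "ALL": "any"}

def parse_fortios_policies(text):
    """Turn each 'edit N ... next' stanza into a dict of {setting: [values]}."""
    policies, current, in_block = [], None, False
    for raw in text.splitlines():
        line = raw.strip()
        if line == "config firewall policy":
            in_block = True
        elif not in_block:
            continue                      # skip other sections of a full 'show' dump
        elif line == "end":
            in_block = False
        elif line.startswith("edit "):
            current = {"id": line.split(maxsplit=1)[1]}
        elif line.startswith("set ") and current is not None:
            tokens = shlex.split(line)    # 'set service "HTTP" "HTTPS"' -> [..., 'HTTP', 'HTTPS']
            current[tokens[1]] = tokens[2:]
        elif line == "next" and current is not None:
            policies.append(current)
            current = None
    return policies

def _members(values):
    # PAN-OS set syntax: a single member is written bare, several as [ a b ].
    return values[0] if len(values) == 1 else "[ " + " ".join(values) + " ]"

def _map_all(values, table, what, name, blocking):
    # Map every value through table; anything unmapped is recorded and blocks the rule.
    missing = [v for v in values if v not in table]
    blocking.extend(f"{name}: no PAN-OS {what} mapped for '{v}'" for v in missing)
    return [table[v] for v in values if v in table]

def translate_policy(policy, intf_to_zone, service_map):
    """Return (PAN-OS set command or None, review notes); never guess a missing value."""
    notes, blocking = [], []
    name = policy.get("name", ["policy-" + policy["id"]])[0]
    frm = _map_all(policy.get("srcintf", []), intf_to_zone, "zone", name, blocking)
    to = _map_all(policy.get("dstintf", []), intf_to_zone, "zone", name, blocking)
    svc = _map_all(policy.get("service", []), service_map, "service", name, blocking)
    action = _map_all(policy.get("action", []), {"accept": "allow", "deny": "deny"}, "action", name, blocking)
    src = ["any" if a == "all" else a for a in policy.get("srcaddr", [])]
    dst = ["any" if a == "all" else a for a in policy.get("dstaddr", [])]
    if not all((frm, to, svc, action, src, dst)):
        blocking.append(f"{name}: a required setting is missing or unmapped")
    notes += [f"{name}: address object '{a}' must exist on the Palo Alto before commit"
              for a in src + dst if a != "any"]
    if policy.get("nat") == ["enable"]:
        notes.append(f"{name}: FortiOS policy NAT does not carry over; add a separate PAN-OS NAT rule")
    if blocking:
        return None, notes + blocking + [f"{name}: rule NOT emitted; fix the items above and re-run"]
    cmd = (f"set rulebase security rules {name} from {_members(frm)} to {_members(to)} "
           f"source {_members(src)} destination {_members(dst)} application any "
           f"service {_members(svc)} action {action[0]}")
    return cmd, notes

def translate_dump(text, intf_to_zone=INTF_TO_ZONE, service_map=SERVICE_MAP):
    commands, review = [], []
    for policy in parse_fortios_policies(text):
        cmd, notes = translate_policy(policy, intf_to_zone, service_map)
        if cmd:
            commands.append(cmd)
        review.extend(notes)
    return commands, review

if __name__ == "__main__":
    cmds, review = translate_dump(FORTIOS_DUMP)
    print("\n".join(cmds + ["# REVIEW: " + item for item in review]))
```

Run against the sample, the first policy becomes one pasteable `set` line, while the second is held back because its custom service has no PAN-OS counterpart. Paste the emitted lines in PAN-OS `configure` mode, create the address objects, services and NAT rules the review list calls out, and only then commit. A migration script that fails closed like this is the difference between a scream test you chose to run and one that runs you.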
Preparing users
Before making the switch, IT informed users of the changeover date ahead of time and deployed GlobalProtect by Palo Alto Networks to end-user devices. Users understood that once the transition was complete, they could log in to the new VPN using the same password they used for the Fortinet VPN. From an end-user perspective, this made the change simple and painless.
Transitioning to Palo Alto Networks
Like any cutover process with a single point of failure, the transition to a Palo Alto Networks firewall needed to be seamless in order to limit downtime.
Despite the relative straightforwardness of the process, Josh knew he needed to prepare for the worst-case scenario.
“You'll miss stuff,” Josh said. “Like you'll miss some IPsec tunnel rule. You'll miss some split-tunnel rule. You'll miss something, but you know pretty instantly if you broke the whole thing.”
Josh’s rollback plan was simple: Don’t remove the old firewall from the rack until he’d tested the new one. From there, it was just a matter of moving the cable from one firewall to another and waiting to see if everything worked.
“It's always an opportunity to kind of scream test some of the configurations,” Josh said. “If I don't bring over part of the configuration and nobody screams, do we really need it?”
From an end-user perspective, it was just a minute or two of downtime late one evening, well outside of normal working hours. While a user or two reached out to Josh over the next few days wondering where Fortinet had gone, the process was almost entirely frictionless.
Choosing the right hardware for your environment
PDQ’s switch from Fortinet to Palo Alto Networks was seamless, but that doesn’t mean our firewall and cutover process are ideal for every environment.
Most people are likely to gravitate toward whatever they’re already familiar with.
“If you're a Cisco purist, then ASA [Adaptive Security Appliance] is going to be easy because you're familiar with Cisco IOS and IOS XE and that syntax,” Josh said. “If you're a Juniper shop, you'll probably like Palo Alto because its command line feels very much like Juniper.”
The cutover process is also largely based on personal experiences. And, all too often, troubling memories that IT teams would rather not relive.
According to Josh, “Every shop does it differently, and they all have their own deployment guidelines. And they're usually based off of snafus. Someone oopsed one time, so now there's a process for that.”
But never fear! With careful planning, switching firewalls and VPNs isn’t complicated — unless you really want it to be.
Not everything in life has to be hard. The right processes and tools can make virtually any task painless. That’s why PDQ is here. Deploy packages and maintain an up-to-date inventory with just a few clicks — no fuss, no hassle, no disconcertingly severe headache you need to consult your doctor about. Sign up for a free trial to savor the unfamiliar calm of simplicity.