Network Security
Complex platform, content, and network decisions where revenue, rights, and customer experience intersect.
Inside this journey
-
Pre-Discovery
Align cross-functional decision-makers (security, network, ops) on priorities, timelines, and acceptance criteria before technical discovery.
-
Stakeholder Alignment
Confirm decision roles, timelines, and divergent success criteria across security, networking, and ops teams.
Alignment Questions
Starting Point: What's the Story Behind This Refresh?
- What's prompting this firewall refresh conversation today?
- How would you briefly describe your current firewall estate (approximate size, mix of appliances/virtuals, and which sites are most critical)?
- How many devices or distinct sites are in scope for this project?
- Which environments must be prioritized for inspection in this rollout?
- What single metric, event, or deadline made this project non‑negotiable right now?
Are You Comfortable with the Risk You're Living With?
- If you had to place a bet, how likely is it that a threat has already bypassed inspection due to config, performance, or expired feeds?
- Can you describe a recent instance where detection fell short or where expired subscriptions/slow updates created a measurable gap?
- Which detection-related issues are causing you the most pain today?
- How does your team currently validate detection efficacy—third‑party reports, internal red team, SIEM trends, or ad hoc checks?
- How does the security team feel about the current exposure—calm, uneasy, pressured by execs, or urgent to remediate?
How Much Throughput Can You Afford to Lose?
- If full inspection at line-rate added X ms of latency, where does that become a deal-breaker for your network team?
- What are your typical and peak link utilizations today (percent and time windows) that must be represented in any benchmark?
- Approximately what percentage of your traffic is encrypted (TLS 1.2/1.3) and needs decryption to inspect effectively?
- Tell us about a past incident where inspection caused a performance issue or outage—what was the business impact and remediation path?
- Which throughput scenarios should the vendor pass during evaluation?
Who Really Decides — and When?
- When security demands maximum inspection but networking demands zero added latency, which view typically carries the day in your organization?
- Which stakeholders must sign off to progress from PoC to purchase and cutover?
- Describe any fixed procurement timelines, blackout windows, fiscal constraints, or executive review points we should plan around.
- Do different teams have explicit, conflicting success criteria (for example: security wants X% detection improvement, network wants Y ms latency)?
- Who will own policy migration approvals, change-control sign-off, and post-cutover operational ownership?
What Would a Successful Cutover Actually Look Like?
- If you were handed a green dashboard after cutover but still hesitated to retire the legacy firewall, what would likely be missing?
- Which acceptance tests must pass before the legacy devices are decommissioned?
- How long do you expect parallel operation to continue for confidence (and why)?
- What are your specific rollback triggers during cutover (e.g., packet loss, missed alerts, app failures)?
- What level of professional services do you need for the cutover phase?
Where Do Your Policies Hide the Real Risk?
- If we could point to the 20% of rules creating 80% of risk, would you act immediately or need staged proof and stakeholder buy-in?
- How many firewall rules exist across the estate today (approximate)?
- What percentage of those rules do you suspect are obsolete, overly permissive, or duplicate?
- Name the top three applications or business flows you are most worried migrating will break—why are they critical?
- How would you prefer policy migration to be executed: automated mapping with SME review, fully manual by PS, or a hybrid approach?
Can We See It Run in Your Wild?
- Would you run an inline PoC on production traffic if it proved detection and throughput decisively—or does production feel too precious to test in-line?
- What PoC duration would make you comfortable that we saw realistic behavior?
- Which specific traffic windows or peak events must be included in testing to be meaningful?
- Which telemetry and artifacts must we produce from the PoC for you to be convinced?
- What operational safeguards do you require during an inline PoC (fail-open, BFD, redundant paths, designated on-call contacts)?
- Who must have access to management, logs, and analysis during the PoC?
What's the Long-Term Picture — Beyond First Install?
- If you received an easy renewal decision in three years, what would make that an automatic 'yes'—and what would create a hard negotiation?
- Which enterprise commercial model do you prefer for licensing and subscriptions?
- What is your expected hardware refresh cadence across sites?
- Which centralized capabilities will determine the platform’s long-term value to you?
- What ongoing operating model do you prefer post-deployment: advisory support, co-managed operations, or fully managed service?
- What tuning and review cadence would make you comfortable for maintaining detection and performance (initial vs steady-state)?
-
Current State Mapping
Document existing firewall estate, policy volume, performance baselines, and failure modes that drove the refresh.
Current State
Start Here — Map the Estate in One Breath
- Roughly how many firewall instances, sites, and virtual edges are in scope for this refresh (including data centers, campuses, and branches)?
- Which form factors are currently deployed across that estate?
- What’s the primary business driver behind this project right now?
- What timeline are you targeting for a decision and for first deployments?
- Who will be the core stakeholders we should be talking to (list roles and teams)?
Is Your Current Reality Leaving You Vulnerable?
- What single incident, risk, or realization made this project urgent—what changed in your risk calculus?
- Describe any recent events where traffic that should have been inspected was not (examples: TLS bypass, failed decryption, signature gaps). When did it happen and what was the impact?
- How often do you experience service-impacting failures or silent performance degradations (e.g., packet drops, high CPU, TLS handshake failures)?
- Which current devices/models are showing the most strain or highest failure rates?
- How are your security signatures, threat feeds, and sandbox updates currently managed—and have you had lapses in those subscriptions?
- How do these reliability or subscription issues feel to your teams—frustrating, risky, paralyzing? Give an example of the emotional or organizational impact.
Where Do Your Policies Hide Complexity?
- If we had to migrate your policy set tomorrow, which single thing would you most fear breaking?
- How large is your rulebase today—rules, objects, and nested groups (ballpark)?
- What percentage of rules do you suspect are stale, shadowed, or duplicates (last hit >2 years)?
- Which applications or flows have the most fragile or bespoke policies (list examples and why they're sensitive)?
- How is policy ownership and cleanup governed today—who approves changes, and how are exceptions documented?
- Would you be open to an automated policy optimization that reduces rule count if we can prove zero functional change? Why or why not?
Playbook for Performance — What’s the Real Baseline?
- When you run full inspection with TLS 1.3 decryption enabled at typical peak, what observable effect do you see on latency or throughput?
- What are your measured baseline metrics today—peak Mbps/Gbps, average latency, and accepted max latency increase (ms)?
- Which benchmarking tools and traffic mixes do you use to validate performance (e.g., real user traffic, IXIA/Spirent, custom scripts)?
- What TLS profile best represents your traffic (percentages)?
- Which failure modes worry you most under load (select all that apply)?
- How much operational headroom do you require for growth and spikes (percentage of provisioned capacity)?
Who Really Decides When 'Good Enough' Is Good Enough?
- When security asks for deeper inspection and networking pushes back on latency, whose criteria ultimately determines acceptance?
- List the people who must sign off on acceptance and what each cares about most (name, role, primary success metric).
- Are there non-negotiable thresholds (regulatory, SLA, or contract) that will block acceptance?
- How would you weight detection efficacy versus added latency on a scale—for example: detection prioritized 70/30, or latency prioritized 60/40?
- Is there a governance committee or change board that will own final sign-off, and when do they meet?
Proofs That Matter — What Will Win This Deal?
- Would a live, inline PoC using your production traffic with TLS decryption enabled for 2–4 weeks materially change the vendor shortlist?
- Which external validation reports do you trust most when choosing a supplier?
- What acceptance tests must the PoC absolutely demonstrate (select up to 4)?
- What minimum duration and sample traffic profile would satisfy you that results are representative?
- Who from your side will run validation, provide test access, and sign the PoC acceptance report?
- What would be an immediate deal-killer result during PoC (e.g., application outage, consistent packet drops, unacceptable latency)?
Cutover and Continuity — How Will You Sleep at Night?
- If the new firewall silently disrupted a critical flow during cutover, what would be the operational and business consequence in the first 24 hours?
- Do you require parallel operation between old and new devices? If so, for how long?
- Do you have fixed maintenance windows and rollback cutover windows we must fit into?
- Which applications absolutely require hitless or zero-downtime migration (list them and why)?
- What logging, monitoring, and validation checks must run immediately after cutover to confirm success?
- Who will be on the escalation path during cutover (roles, contact method), and who has final rollback authority?
Money, Licenses, and Long-Term Value
- Are you prepared to trade some hardware capacity for richer subscriptions or services if it reduces operational risk and migration burden?
- Which of these license elements are mandatory for your purchase?
- What procurement model do you prefer for enterprise licensing?
- Will policy migration professional services be part of the contract scope or a separate statement of work?
- How will you evaluate Total Cost of Ownership—what horizon matters (3 years, 5 years, other)?
- Are there procurement or budget constraints (approval committees, leasing rules, preferred vendors) we should know about?
Signals of Success — How Will We Know This Worked?
- Imagine the project is complete and you brief the board—what measurable result would make you proud to say the migration was a success?
- What detection efficacy targets are acceptable (choose the closest range)?
- What throughput and latency bounds must be met with full inspection and TLS decryption enabled?
- What percent policy migration completeness do you require before decommissioning legacy devices?
- Which ongoing KPIs should be monitored in the first 90 days post-deployment?
- How should lessons learned and tuning requests be captured and acted on—single channel, weekly review, or formal change board?
-
-
Outcome Discovery
Define measurable success signals including detection efficacy targets, throughput/latency bounds with full inspection, and policy migration completeness.
Discovery Questions
Quick Snapshot — What Brought You to This Table?
- Which single factor best describes why you're evaluating a new firewall platform now?
- Tell us about the scale of the estate we’d be addressing (number of sites, classes of locations, and highest per-site throughput requirement).
- Who are the decision makers and technical approvers for this purchase? List roles and any cross-functional stakeholders we should include.
- What timeline are you working towards for a purchase decision and production cutover?
- Which incumbent vendors or solutions will be in the comparison set for this bake-off?
If It Were Broken, What Would That Look Like?
- Where do you suspect inspection is failing today — what kinds of traffic or threats might be slipping through unnoticed?
- Give a specific recent example (incident, anomaly, or audit finding) that made you question the current firewall posture.
- How frequently do those gaps surface in your telemetry or audits?
- What business or compliance impact would recur if those gaps weren’t fixed (lost revenue, downtime, failed audits, reputational risk)?
- Who in your org feels the pain most acutely when these issues occur, and how does it show up in their priorities or behavior?
Where Security and Network Are Quietly Competing
- Which security capability are you currently being asked to compromise to preserve network performance or latency?
- Quantify the network team's performance constraints: acceptable added latency (ms), max acceptable CPU utilization, and required percent of line-rate throughput with all services enabled.
- What traffic mix and peak utilization scenarios should we replicate in a PoC to make the network team comfortable?
- How do you currently handle TLS 1.3 traffic—do you decrypt in-line today, selectively, or not at all?
- What network regressions (latency, session drops, broken app flows) would be a deal-breaker versus tolerable during a PoC?
The Acceptance Bar — What Will Count as Success?
- If we had to set one hard, measurable detection target to win this deal, what would it be (examples: SE‑Labs grade, MITRE ATT&CK coverage percentage, detection rate vs. known incidents)?
- What false positive tolerance can your security ops team accept during and after migration (daily noise levels, manual review capacity)?
- Define the throughput and latency acceptance bands we should use as pass/fail criteria for the PoC (e.g., sustained throughput with TLS full inspection, max latency added).
- What percentage of existing policy/rules must be migrated and validated before you consider the migration complete?
- Who will be the final signatory(s) that a PoC or migration met the acceptance criteria?
The Migration Story — Moving Rules Without a Heart Attack
- How many firewall policies/rules and NAT entries are in scope for migration (provide counts or ranges for data centers, campuses, and branch sets)?
- How complex are your rules—do they rely heavily on device groups, nested objects, custom application signatures, or dynamic address lists?
- What has been your historical experience with automated policy migration tools—what worked and what failed?
- What length of parallel operation (running incumbent and new platform) are you prepared to support to verify parity and rollback safely?
- Which validation checks do you require post-migration (application flow tests, synthetic transactions, user acceptance, log parity, performance baselines)?
- Who owns rollback authority and what are the explicit triggers that would force a rollback?
PoC Reality Check — What Will Decide the Bake‑off?
- If a PoC could only prove three things to clinch the deal, which three must it demonstrate?
- Where do you prefer the PoC run: inline in production, mirrored/lifted traffic, or in a representative lab? Why?
- How long should the PoC run at minimum to be statistically meaningful for both detection and performance (consider burst cycles, business patterns)?
- What telemetry and test data do we need to collect during the PoC to satisfy both security and network teams (packet captures, flow logs, FP rates, CPU metrics)?
- Who will operate the PoC from your side (roles and contacts) and who must be available 24/7 during critical test windows?
- What simulated or real threat scenarios should we include to validate detection (known samples, red-team exercises, past incidents replay)?
Budget, Contracts, and the Real Cutover Plan
- How are you expecting to structure commercial terms—hardware buy, subscription, enterprise license agreement, or appliance-as-a-service?
- What minimal SLA terms and support windows are mandatory for your operations team (RTO, RPO, 24/7 support, escalation path)?
- Which software subscriptions and threat feeds are required on day one (IPS signatures, sandboxing, URL/DNS feeds, third‑party threat intel)?
- What budget cycle constraints or procurement approvals could slow a decision, and how long does that procurement process typically take?
- During cutover, what maintenance windows and blackout periods must we avoid (time-of-day, business quarters, regulatory periods)?
- What licensing model elements matter most to you—predictable renewal, per-site SKUs, bundle discounts, or feature-based entitlements?
Emotions, Risk Appetite, and the Five‑Year View
- How would you describe your organization's appetite for risk during major infrastructure changes—conservative, balanced, or aggressive?
- What previous vendor experiences (good or bad) are shaping your skepticism or trust right now?
- What would give you long‑term confidence in a vendor beyond passing the PoC (roadmap, references, operational maturity, partner ecosystem)?
- If this project goes well, what does success look like in 12 months and in 5 years for security and for networking respectively?
- What hidden anxieties might make you hesitate at final contract signing (fear of regressions, lifetime cost, staff ramp-up, vendor lock-in)?
Make It Real — Clear Next Steps to Move Forward
- What are the three immediate pieces of information or access we need from you to scope a representative PoC (baseline traffic captures, policy exports, topology diagrams)?
- Who should be on the executive and technical kickoff call, and what is the best target date window for that meeting?
- Which internal milestones must be met before the PoC can begin (procurement approval, device shipping, certificate/key access for decryption)?
- What would be a realistic target date for signing off a successful PoC and moving into a phased migration?
- Is there anything we have not asked that would materially change how you evaluate vendors or run a PoC for this project?
-
Solution Experience
Plan and align an inline proof-of-concept and scenario walkthroughs that validate both detection effectiveness and real-world throughput with TLS decryption enabled.
Experience Meetings
- PoC Objectives & Stakeholder Alignment
- Traffic Profile & Detection Scenario Workshop
- Inline Architecture, HA, and Risk/Compliance Review
- Scenario Walkthrough — Dry Run & Validation Script Review
- PoC Kickoff & Go/No-Go
Issues & Enhancements
- Agree final reporting templates for PoC progress and acceptance evidence.
- Approve deployment architecture and HA behavior that meets network availability constraints.
- Lock a tested rollback plan and emergency procedures with clear authorities.
- Obtain compliance sign-off on TLS decryption controls and data handling safeguards.
- Confirm telemetry endpoints and monitoring dashboards are sufficient to prove acceptance criteria.
- Network team to provide TAP/SPAN port access details and physical wiring diagrams for each PoC location.
- Vendor to provide PoC device configuration templates and HA test procedures for customer review.
- Compliance/legal to sign a short TLS decryption attestation and list any flows that must be excluded.
- DevOps/SRE to provision SIEM ingestion endpoints and shared dashboards for PoC metrics.
- Walkthrough of Each Test Scenario
- Prove that each scenario's test script produces the expected detection or performance signal in a controlled run.
- Verify that measurement pipelines and dashboards reliably capture required metrics and evidence.
- Confirm rollback drill completes within agreed RTO and that owners understand their roles.
- Introductions & Roles
- Vendor to run agreed dry-run scenarios and produce preliminary evidence packets (PCAPs, logs, screenshots) for review.
- Customer to validate that detected events map to expected ground truth and document any mismatches.
- Operations to time the mock rollback steps and report actual durations against target RTOs.
- Finalize the daily/weekly PoC report template and distribution list.
- Recap Objectives & Acceptance Criteria
- Obtain formal go/no-go sign-off to start the full PoC execution based on initial validation.
- Verify that initial inline activation meets safety and non-disruption criteria.
- Confirm owners, reporting cadence, and immediate escalation paths for the PoC period.
- Execute initial validation capture and produce a short-form report within 24-48 hours for stakeholder review.
- If issues arise, invoke the rollback playbook and document root cause for follow-up workshops.
- Begin full PoC schedule per agreed timeline and ensure daily stand-up cadence for the first week.
- Vendor to deliver interim measurement dashboards accessible to customer and vendor teams.
- Capture an agreed single-sentence current state and the explicit consequence that creates urgency.
- Agree a one-sentence future state and 3–5 measurable success signals that will determine PoC success.
- Finalize PoC scope, duration, acceptance tests, and primary owners with a clear go/no-go checkpoint.
- Confirm delivery of all pre-work artifacts and legal/compliance approvals required for TLS decryption.
- Customer provides one-sentence current state and quantified consequence in writing before the next meeting.
- Customer delivers baseline throughput/latency metrics and 72 hours of representative PCAPs for planned PoC locations.
- Customer confirms TLS decryption approach (key escrow, forward proxy cert, or alternative) and obtains compliance/legal sign-off.
- Vendor/SE to draft initial PoC acceptance test matrix and share for customer review.
- Schedule Traffic & Detection Scenario Workshop and allocate required SMEs.
- Review Baseline Traffic & PCAPs
- Finalize a catalog of test scenarios with MITRE mappings and expected detection outcomes.
- Agree on traffic utilization targets and exact measurement metrics to be captured during PoC.
- Confirm TLS decryption approach and privacy/compliance mitigations for the PoC.
- Assign owners for running attack simulations and establishing ground truth.
- Customer to label and deliver additional PCAP samples for peak/low traffic windows and identify critical application flows to exclude from decryption if required.
- Security team to approve test malware samples and provide an approved list of simulated attack artifacts.
- Vendor to prepare test harness configurations and traffic generator profiles that match agreed mixes.
- Set up dashboards and define logs/metrics retention for PoC (SIEM/collector access details).
- Proposed Inline Deployment Diagram
- Execute Representative Dry-Run Tests
- Readiness Checklist Review
- High-Availability & Bypass Modes
- Define Traffic Mix & Utilization Targets
- Crystal-Clear Current State (forced)
- Validate Measurement Collection & Dashboards
- Initial Light Inline Activation (observed)
- Explicit Consequence
- TLS Decryption Approach & Constraints
- Rollback & Emergency Contingency Plan
- Mock Cutover & Rollback Drill
- Define Future State & Success Signals
- Privacy/Compliance Safeguards for TLS Decryption
- Run First Validation Tests & Adjudicate Results
- Detection Scenarios & MITRE Mapping
-
Solution Scope
Define hardware SKUs, software subscriptions, threat feeds, policy migration service, PoC duration, and explicit acceptance tests.
Scope Configuration
- Rack, Power, and Network Appliances Onsite
- Install Firewall OS and Apply Licenses
- Provision Enterprise License Bundles
- Integrate Threat Intelligence Feeds
- Enable TLS 1.3 Decryption at Line Rate
- Deploy Inline Sandbox for File Analysis
- Configure IPS with Real-Time Signatures
- Migrate and Translate Existing Firewall Policies
- Parallel Operation Cutover and Traffic Steering
- Centralized Management and Policy Orchestration Setup
- Enable Zero‑Trust Microsegmentation Policies
- Deploy Log Aggregation and Traffic Analytics Pipelines
Scope Questions
Rack, Power, and Network Appliances Onsite
- How many physical sites will receive new appliances in this phase?
- For each target site, what is the available rack U space and preferred mounting orientation?
- What power characteristics are available at each site (e.g., single/dual PDU, voltage, UPS)?
- What network handoff speeds and port types will the appliance terminate (e.g., 10G SFP+, 100G QSFP28)?
- Do you require onsite staging, burn-in, and configuration before rack installation?
- Are there any physical constraints or compliance rules (e.g., data center cage, seismic racks, restricted access windows)?
Install Firewall OS and Apply Licenses
- Which OS image and major software version do you require (or are you open to recommended latest stable)?
- Will devices be activated via online licensing portal, offline entitlement files, or partner-managed license keys?
- Who will own certificate management for management plane TLS and decryption proxies (customer, vendor, or joint)?
- Do you require automated OS rollbacks and version pinning for stability during PoC and rollout?
- Are there scheduled maintenance windows or blackout periods we must respect for OS installs?
- List any pre-existing management or monitoring credentials and onboarding steps required for license application (API access, TACACS, etc.).
Provision Enterprise License Bundles
- Which feature bundles are required across the estate (select all that apply)?
- What license term lengths do you prefer for budgeting and renewal alignment?
- Do you require pooled/license-sharing across devices or strict per-device entitlements?
- How many total devices and how many of each SKU (or expected throughput tiers) need licenses?
- Are there procurement or enterprise agreement constraints (e.g., purchase order templates, PO holdbacks, reseller channel requirements)?
- Do you need trial or evaluation license keys for a PoC before committing to enterprise bundles?
Integrate Threat Intelligence Feeds
- Which threat intelligence feeds do you currently consume or require (commercial, open-source, internal)?
- Do you need feed aggregation, enrichment, and mapping to enforcement objects (IP lists, URL categories, hashes)?
- What integration points are required for SIEM, SOAR, or SOC tooling (syslog, API, STIX/TAXII)?
- How often should signature and feed updates be pushed to devices (real-time, hourly, daily)?
- Are there custom allowlists/denylists or internal intel that must be prioritized or excluded from automated feeds?
- Estimate expected additional bandwidth/processing overhead for feed ingestion and correlation per site (if known).
Enable TLS 1.3 Decryption at Line Rate
- Will decryption be deployed as forward (proxy) or transparent (inline) mode, or a mix?
- What percentage of traffic is expected to be TLS 1.3 and what is the expected decrypted throughput requirement per site?
- Do you have legal, privacy, or compliance constraints (e.g., PCI, GDPR) that restrict TLS inspection of certain hosts or categories?
- Who will provide/own server and intermediate certificates for forward proxy interception (customer CA, HSM, vendor-managed)?
- Do appliances require hardware crypto acceleration or dedicated TLS offload modules for target line-rate decryption?
- List any applications or services that must be excluded from decryption (e.g., banking, health portals, partner APIs).
Deploy Inline Sandbox for File Analysis
- Should sandboxing be inline-blocking, inline-allow-with-later-block, or asynchronous (out-of-band) analysis?
- Which file types and max file sizes should be sent to the sandbox (e.g., exe, docx, pdf; size thresholds)?
- What SLAs do you require for sandbox verdicts (seconds, minutes), and can delayed verdicts be tolerated for some flows?
- Do you require extraction and storage of suspicious samples for offline analysis or SOC evidence retention?
- Are there licensing or regulatory constraints on where sandboxing can run (on-prem only, cloud-only, specific regions)?
- How should sandbox findings be remediated (auto-block, create ticket, alert SOC, quarantine host)?
Configure IPS with Real-Time Signatures
- Do you want IPS in inline blocking mode, detect-only (alert), or a staged transition from detect to block?
- What signature update cadence and source trust model is required (vendor-managed auto-updates, customer-validated, or SOC-approved rollouts)?
- How should false positives be handled and who is the approver for signature tuning (network team, security team, joint)?
- Do you require custom signatures or integration with an internal ruleset repository?
- Estimate expected throughput and any latency SLAs while IPS is active at expected traffic mix.
- Are there specific protocol parsers or application decoders needed (ICS/SCADA, VoIP, proprietary apps)?
Migrate and Translate Existing Firewall Policies
- How many total firewall rules, objects, and NAT entries exist in the incumbent estate (approximate counts)?
- What formats are your existing policies available in for migration (CSV exports, vendor API, manual configs, screenshots)?
- Do you want policy cleanup and optimization (remove dead rules, merge duplicates) as part of migration?
- Will application-ID mapping or semantic translation be required for advanced features (App-ID, user-ID, service tags)?
- What acceptance tests should be run post-migration to validate policy parity (specific transactions, test scripts, user sign-off)?
- Do you require professional services to perform the migration, or will you provide in-house resources for validation and cutover?
Parallel Operation Cutover and Traffic Steering
- How long do you plan to run parallel operation for each site (days, weeks, months)?
- Which traffic steering method will be used for parallel run and cutover (policy-based routing, BGP/ECMP, transparent inline, tap + steering)?
- What rollback criteria and validation checkpoints must be met before decommissioning the legacy device?
- Do you require phased cutovers (by site tiers, by region, or big-bang)?
- Who are the on-call escalation owners and contacts for cutover windows (network ops, security ops, vendor PS)?
- Will you need traffic mirroring or additional monitoring probes during parallel ops to validate performance and detection?
Centralized Management and Policy Orchestration Setup
- How many total devices will be managed by the central manager and across how many regions or management domains?
- Do you require high-availability for the management plane and what RTO/RPO are acceptable?
- What role-based access controls, audit logging, and change approval workflows are required for administrators?
- Do you want automated rule optimization, drift detection, and policy simulation features enabled?
- What log retention and indexing policy is required for management-level events and policy change history?
- Will centralized management integrate with existing ITSM or ticketing systems for change control?
-
Mutual Commit
Finalize enterprise licensing, SLAs, cutover windows, parallel-operation plan, and rollback/validation criteria.
Agreement Modules
- Enterprise License Agreement (ELA)
- Statement of Work (SOW)
- Service Level Agreement (SLA)
- Order Form & Hardware SKU Confirmation
- Subscription & Threat Intelligence Schedule
- Professional Services & Policy Migration Schedule
- Proof-of-Concept (PoC) Acceptance Criteria
- Cutover Window & Parallel-Operation Plan
- Rollback & Validation Criteria
- Acceptance Test Plan & Sign-off
- Payment, Billing & Invoicing Terms
- Support & Escalation Matrix
- Change Order & Amendment Process
- Data Processing Agreement (DPA) & Compliance Addendum
- Renewal & Termination Terms
-
Deployment
Operationalize rollout with readiness checks, enablement, and outcome validation to protect production traffic during cutover.
-
Pre-Deployment Readiness
Confirm access, test traffic profiles, policy migration data, owners, and risk controls are in place for execution.
Readiness Questions
Warm-Up: Who’s in the Room (and who answers the phone at 2AM)?
- Who will be our primary point of contact for deployment coordination?
- Which additional people must be looped into day-to-day PoC/deployment decisions (names/roles)?
- Who is the escalation contact for outages during deployment (title and preferred contact method)?
- Which single role holds the final sign-off for acceptance testing and decommissioning the legacy device?
If We Flip The Switch Tomorrow, What’s Most Likely to Fail?
- What single outage or regression would cause the most operational pain or regulatory exposure if it occurred during cutover?
- Have you experienced a firewall refresh or major policy migration that caused a production incident? If yes, what broke and why?
- How do such failures typically affect customers or internal teams (quantify downtime, SLA impact, or business consequences)?
- What would you need in place to sleep comfortably the night before cutover?
What Does Your Traffic Actually Look Like When It Matters?
- What are the top three sites by inspection throughput we must validate during PoC (include port speeds/expected peak util)?
- What percentage of traffic is TLS (approx) and how much of that must be decrypted for inline inspection?
- Do you have mirrored or test feeds available that reflect real-world mixes (e.g., HTTP/S, DNS, database, east-west flows) for benchmarking?
- When are your traffic peaks (daily/weekly/seasonal) and which windows would you prefer for heavy validation or cutover?
- Are there specific applications or protocols we must test end-to-end (VoIP, critical DB, proprietary apps)? List names and why they’re critical.
How Healthy Is Your Policy Estate—Really?
- Approximately how many firewall rules/policies exist across the scope we will migrate?
- Do you know what percentage of rules are unused, duplicate, or overly permissive today?
- Have you already run a policy rationalization or rule de-duplication effort, and can you share the findings or tools used?
- What would count as policy migration parity for you—exact rule-level parity, behaviorally equivalent, or a reduced/optimized rule set with tests?
- Which policy elements worry you most about breaking (NATs, stateful sessions, VPNs, identity-based rules, microsegmentation)?
Who’s Actually Responsible When Things Go Sideways?
- Which teams must approve the deployment checklist before we begin (pick all that apply)?
- What is your change control/ CAB process for this class of work and what lead time do approvals require?
- Who will own on-the-ground execution (names/roles) vs who retains final sign-off?
- Do you have an on-call rotation and clear escalation paths we can embed into our runbook for cutover hours?
- How comfortable are your application owners with short maintenance windows vs longer parallel ops?
Do We Have the Keys, Diagrams, and Access to Get the Job Done?
- Do we already have verified credentials and network access (console/OOB, SSH, SNMP, API) for each target device?
- Are physical access procedures or site visits required for any locations in scope (building access, cross-connects, ticketing)?
- Do you have up-to-date network diagrams, IP plan, and routing tables we can import into the migration runbook?
- Can we obtain scheduled packet captures or NetFlow for baseline comparison during PoC?
- Is there an approved, secure method to transfer policy/export files and logs between your environment and our professional services team?
How Will We Measure Success (And Spot Failure Immediately)?
- What are the non-negotiable acceptance criteria for the PoC/initial deployment (pick up to three)?
- Which KPIs and thresholds should we instrument and alert on during validation (throughput, CPU, latency, error rates, detection efficacy)?
- Do you have automated test suites or synthetic transactions we can run to validate application flows, or will we rely on live traffic only?
- What is the minimum acceptable detection performance during PoC relative to your benchmark (e.g., meets X product/third-party score or shows Y% lift)?
- What specific rollback triggers should immediately halt cutover and revert to legacy? Please be concrete (error rates, latency spikes, app failures).
Backstops, Parallel Paths, and Insurance Policies
- Do you require parallel operation (both devices active) for a defined period before decommission, and if so, how long?
- What monitoring and logging must remain active during parallel ops (SIEM ingest, packet capture, flow collection)?
- Would you like us to run a staged cutover that moves non-critical traffic first, then critical flows, or a single cutover?
- What contractual or compliance controls must remain in place during the PoC (retention, encryption, audit trails)?
- Are there insurance, regulatory, or executive-level signoffs required before we begin execution?
What Small Commitments Will Unlock Big Confidence?
- What are three concrete items you can commit to completing before we schedule the PoC (e.g., provide credentials, enable mirroring, approve runbook)?
- How soon could your team provide the required access and test feeds if we agreed on dates today?
- What would cause you to delay the PoC even if all technical prep seemed complete (internal priorities, vendor procurement, change freeze)?
- Would a short, jointly-run runbook rehearsal (tabletop) reduce your risk concerns, and who should attend that session?
- Finally, what single outcome from the PoC would make you feel comfortable signing off on a broader rollout?
-
Deployment Enablement
Coordinate schedules, professional services for policy migration, inline PoC execution, and phased rollouts with clear owners and escalation paths.
-
Validation Checklist
Run throughput and detection benchmarks, verify policy parity and application flows, and document acceptance before decommissioning legacy devices.
Validation Questions
Quick Signal: A one-minute snapshot
- In one sentence, why are you evaluating a new firewall now?
- Which of the following triggered this evaluation (pick all that apply)?
- Roughly how many locations and what mix (data center / campus / branch / cloud)? Choose the closest range.
- Who is currently the primary incumbent vendor for your firewall estate?
- If there was a single urgency driver (e.g., breach, compliance deadline), briefly describe what kicked this off and when it happened.
Are you leaving blind spots in plain sight?
- Which traffic streams or environments do you suspect are not being inspected end-to-end today but should be?
- Describe your current firewall estate by form factor and approximate aggregate inspection capacity (e.g., DC chassis X Tbps, campus NGFWs Y Gbps).
- What proportion of your east‑west and north‑south traffic is encrypted with TLS 1.2/1.3 today?
- Do you currently perform inline TLS decryption in production?
- How do you currently detect gaps in inspection or blind spots (select all that apply)?
What’s been breaking the night shift?
- Tell us about a recent incident or near‑miss that showed the current platform failed when it mattered—what happened and who felt the impact?
- When those incidents occur, what business impacts do you see most often?
- How long does it typically take from detection to root‑cause and remediation for serious events?
- Which teams are most often in the middle of firefighting these problems?
- How often do subscription lapses (threat feeds, IPS signatures) correlate to lowered detection or incidents in your environment?
How much inspection is too much?
- If you had to choose between maximum inspection depth with measurable latency increase and zero‑added latency with reduced inspection, which is closer to your organization’s default stance—and why would the other team push back?
- What is the maximum additional latency (one‑way) your applications can tolerate for north‑south flows?
- What minimum inspection throughput must be sustained with all services (IPS, AV, sandbox, TLS decryption) active for your busiest links?
- Which encrypted application classes are highest priority to inspect (select all that apply)?
- Are there internal or regulatory rules that prohibit decryption for certain data domains? If so, which?
What would true parity actually feel like?
- Fast‑forward 90 days post‑migration—what three observable things would make you call the project a clear success?
- Which measurable success signals do you require (pick all that apply) and which of those need numeric targets?
- For any items you selected above that need numeric targets, list the target numbers (e.g., throughput X Gbps, latency <Y ms, detection >Z%):
- Which critical application flows must be functionally identical post‑migration (name apps or services and their owners)?
- How will you balance temporary increases in policy count or tuning work during migration vs. the long‑term goal of policy consolidation?
If we ran the PoC on your production traffic—what would you scrutinize?
- What are the one or two PoC failures that would immediately stop the deal?
- Preferred PoC mode and duration?
- What realistic traffic profiles or peak utilization windows must be included in the PoC (e.g., month‑end backups, daily peak, SaaS sync)?
- Which validation we should run during PoC (pick all that matter)?
- Who will be the PoC decision owners and who must sign acceptance (names/roles)?
Who holds the keys and the timetable?
- Who is the single person or role that ultimately signs the purchase order, and who typically has veto power?
- Map the stakeholders involved and their top priority (select the roles that apply):
- What is your target procurement and deployment timeline?
- Are there budget or contract constraints (e.g., preferred term lengths, financing windows, must‑hit renewal dates)? If yes, explain.
- Which approvals (security council, board, compliance) are required before go‑live?
What would a cutover nightmare look like—and how prepared are you?
- Describe your worst‑case cutover scenario in vivid terms—what breaks, who’s impacted, and how long it takes to recover?
- Do you currently have a parallel‑operation and rollback plan? If yes, how long can you safely run both environments?
- What maximum outage window is acceptable for planned cutover at peak hours?
- Which smoke tests or critical application checks must pass before we can decommission legacy devices?
- Who must be on the war room roster during cutover (roles and contact expectations)?
How will you prove it actually works?
- Which formal validation tests would convince you to accept the deployment—and which single result would force rejection?
- Select the validation checklist items you require (multi‑select):
- Do you require an independent third‑party test or will vendor‑run tests suffice?
- How should test results be presented and who is required to sign the acceptance certificate?
- What are your pass/fail thresholds for throughput, latency increase, and detection efficacy (list numeric targets or ranges)?
Ready to commit — what’s still missing?
- What unresolved concern would cause you to delay licensing even after a successful PoC?
- Which post‑deployment support and SLAs are non‑negotiable for you?
- Preferred licensing model and term?
- What are the next three concrete actions and owners required to move from PoC to purchase and deployment?
- On a scale of readiness, how confident are you to proceed once all PoC acceptance criteria are met?
-
-
Success
Confirm measured outcomes against success signals, capture lessons learned, and maintain a shared channel for tuning, issues, and subscription renewals.
Success Reviews
- Outcomes Review & Formal Acceptance
- Gap Remediation & Revalidation Planning
- Lessons Learned & Operational Handover
- Tuning Cadence, Support Channel & Escalation Setup
- Renewal & Capacity Planning Workshop
Issues & Enhancements
- Provision the shared channel, invite participants, and publish channel governance and expected response times.
- Produce an executable remediation and revalidation plan where each gap has a concrete testable success criterion.
- Assign owners and timelines so there is no ambiguity on who delivers each remediation item.
- Ensure risk controls and rollback procedures are documented for any production-impacting changes.
- Document remediation steps per gap and publish to the shared project repository with owners and dates.
- Provision any required test fixtures (traffic profiles, decryption certs, test endpoints) before remediation work begins.
- Book the revalidation benchmarking window and invite validators from security and network teams.
- Project Timeline & What We Set Out to Solve
- Produce a finalized Lessons Learned document that includes concrete changes to process and technical configurations.
- Deliver updated runbooks and have customer owners accept responsibility for operational tasks.
- Agree on a training plan and schedule to remove vendor dependency for routine operations and tuning.
- Publish the Lessons Learned and updated runbooks to the agreed document repository and notify stakeholders.
- Schedule training sessions and assign attendees for each workshop item (tuning, incident response, upgrades).
- Assign a permanent owner for documentation updates and operational ownership (customer-side).
- Define Shared Channel & Membership
- Create a persistent, agreed shared channel with membership and governance to handle tuning and incidents.
- Agree SLAs and an escalation matrix so response expectations are explicit and testable.
- Set a recurring tuning cadence and define the standard agenda and owners for each item.
- Introductions & Objectives
- Document the incident escalation matrix and schedule an escalation drill within 30 days.
- Set up recurring tuning/review calendar invites and attach the standard agenda template.
- Current License & Consumption Review
- Agree a renewal timeline and preliminary commercial approach that aligns with capacity forecasts and procurement cycles.
- Identify budget owners and procurement contacts and ensure renewal triggers are set well in advance of expiry.
- Mitigate risks associated with subscription lapses or capacity shortfalls by agreeing contingency actions.
- Produce a Renewal Recommendation brief (quantities, SKUs, term options) and hand to the customer's procurement lead.
- Set a renewal reminder trigger in the shared channel and calendar at T-minus 90/60/30 days before contract expiry.
- Run a capacity re-assessment simulation for projected growth scenarios and provide results to the customer within 14 days.
- Achieve formal customer acceptance of the solution against documented success signals, or document an explicit remediation plan and revalidation date.
- Ensure every identified gap has an owner, target completion date, and re-test criteria.
- Capture measurable baseline artifacts (reports, pcap snippets, test scripts) to be stored in the project repository.
- Produce a formal Acceptance Report with pass/fail status per success signal and distribute to stakeholders.
- If gaps exist, create a Remediation Log with owners, remediation steps, due dates, and revalidation criteria.
- Schedule the revalidation benchmarking window (date/time) and assign who will run and validate tests.
- Recap of Acceptance Gaps
- One-sentence Current State Recap
- Root Cause & Remediation Options
- Capacity Forecast & Growth Assumptions
- Tuning Cadence & Agenda
- What Worked Well
- Incident Response & Escalation Matrix
- Renewal Options & Commercial Levers
- Consequence Summary
- What Didn’t Work / Root Causes
- Define Clear Revalidation Tests
- Operational Runbooks & Playbooks
- Owner, Timeline & Risk Controls
- Procurement Timeline & Stakeholders
- Support SLAs & Escalation Tests
- Measured Results — Detection
- Training & Knowledge Transfer Plan
- Subscription Renewal & Licensing Notifications
- Risks & Contingencies
- Measured Results — Network Performance
- Pre-work & Environment Prep
- Policy Migration Parity & Application Flows
- Documentation Acceptance
- Operational Metrics & Reporting
- Confirm Revalidation Meeting
- Decision & Next Steps