VPN Modernization Proposal
Our Palo Alto PA-2020 firewall reached End-of-Service-Life on April 30, 2020 and has been unsupported for nearly six years. It runs PAN-OS 7.1, receives zero security updates, and exposes a login portal at vpn.gsisg.com that is actively targeted by a global credential-spraying campaign (1.7 million attempts in a single 16-hour window).
We propose replacing GlobalProtect with NetBird, an open-source WireGuard-based mesh VPN that eliminates the exposed login portal entirely, runs on existing infrastructure at $0/month, and deploys in 8-10 weeks with zero downtime.
Key Sections
- Executive Summary — The case for immediate migration
- Current State Assessment — PA-2020 EOL status, usage patterns, security vulnerabilities, credential spraying timeline
- Proposed Solution — NetBird architecture, password reset flow, end-user experience
- Security Comparison — Side-by-side comparison table and cyber insurance implications
- Cost Analysis — 5-year TCO comparison, self-hosted feature trade-offs
- Implementation Plan — 6 phases over 10 weeks
- Risk Register — 10 risks with mitigations
- Gotchas & Edge Cases — 15 gotchas for the implementing engineer
- Performance Analysis — 5 real-world scenarios with throughput comparisons
- Decision Points — 6 decisions requiring management input
- Recommendation — Final recommendation and timeline
Network Diagrams
- Proposed NetBird Architecture — The target state
- Current Network Topology — Existing infrastructure
- Honolulu Office — Detailed Honolulu site diagram
- Boulder Office — Detailed Boulder site diagram
Research Reports
- Research Synthesis — Combined findings from 8 domain reports
- Individual Reports — Deep-dive research across 9 domains
Appendix
- TacticalRMM Deployment Script — PowerShell silent deployment script
- Feature Comparison Matrix — NetBird vs. GlobalProtect feature-by-feature