Decision Points
These choices require management input and cannot be resolved by technical analysis alone.
1. Self-hosted vs Cloud Team plan
Self-hosted saves $6,000/year but requires manual offboarding and has no management HA. Cloud Team ($5/user/mo) provides background IdP-Sync and automatic deprovisioning.
2. Install NetBird on pfSense vs separate VM
Direct installation is simpler, but some organizations prohibit third-party packages on production firewalls.
3. Login expiration policy
Default 24h. Shorter = more secure, slower deprovisioning gap. Longer = less friction. Setup key peers (routing peers) should have no expiration.
4. Migration timeline
Recommended 8-10 weeks. Can compress to 4-5 weeks if credential-spraying urgency or insurance concerns warrant it.
5. Whether to notify cyber insurance broker proactively
Migrating from EOSL VPN to ZTNA is a security improvement, but draws attention to EOSL hardware. Consult with broker or legal counsel.
6. PA-2020 post-migration
Decommission immediately, retain as emergency fallback for 90 days, or repurpose for non-security role.