Executive Summary
Our current VPN solution — Palo Alto GlobalProtect running on a PA-2020 firewall in Honolulu — presents an unacceptable security risk. The PA-2020 reached End-of-Service-Life on April 30, 2020 and has been unsupported for nearly six years. The newest PAN-OS it can run is 7.1 (itself EOL since June 2020), so it receives zero security updates, and it exposes a publicly reachable login portal at vpn.gsisg.com that is a confirmed target of an ongoing global credential-spraying campaign. GreyNoise Intelligence documented 1.7 million login attempts against GlobalProtect portals in a single 16-hour window in December 2025, with continued 11x spikes through February 2026.
Our TLS configuration is outdated (TLS 1.0/1.1 enabled, 3DES ciphers, no forward secrecy), and the majority of our 100+ users only connect to GlobalProtect for one reason: to reset their Active Directory password every 4 months.
Cyber insurance data from At-Bay shows organizations using self-managed VPNs are 11x more likely to experience ransomware attacks. Coalition reports 58% of ransomware claims begin with VPN/firewall compromise. Running EOSL hardware may result in claim denial or policy non-renewal.
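The spraying pattern described above (many usernames tried from one source in a short window) is detectable in portal authentication logs while GlobalProtect remains in service. The following is an added example, not part of this proposal or of any Palo Alto tooling; it uses a constructed, simplified log format (timestamp, source IP, username, result) rather than the real GlobalProtect log schema, and the sample lines and thresholds are assumptions.

```python
"""Flag credential-spraying sources in VPN portal authentication logs.

Added example, not part of the original proposal. Log format is a
constructed simplification: "<ISO timestamp> <source IP> <username> <FAIL|SUCCESS>".
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: 203.0.113.45 rotates through many usernames with
# failures (spray pattern); 198.51.100.7 is a legitimate user who mistypes
# a password once and then succeeds.
SAMPLE_LOG = """\
2026-02-10T08:00:01Z 203.0.113.45 jsmith FAIL
2026-02-10T08:00:03Z 203.0.113.45 mjones FAIL
2026-02-10T08:00:05Z 203.0.113.45 kchen FAIL
2026-02-10T08:00:07Z 203.0.113.45 rpatel FAIL
2026-02-10T08:00:09Z 203.0.113.45 admin FAIL
2026-02-10T08:00:11Z 203.0.113.45 lgarcia FAIL
2026-02-10T08:01:00Z 198.51.100.7 jsmith FAIL
2026-02-10T08:01:20Z 198.51.100.7 jsmith SUCCESS
2026-02-10T09:30:00Z 203.0.113.45 tnguyen FAIL
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, src_ip, user, result)."""
    ts, src, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), src, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {src_ip: distinct_user_count} for every source that failed
    authentication for at least `min_users` distinct usernames within some
    `window`-long span. Only failures count; a single user retrying a bad
    password is not a spray, however many times they try.
    """
    failures = defaultdict(list)  # src_ip -> [(timestamp, username), ...]
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, user, result = parse_line(line)
        if result == "FAIL":
            failures[src].append((ts, user))

    flagged = {}
    for src, events in failures.items():
        events.sort()  # chronological order for the sliding window
        best = 0
        start = 0
        for end in range(len(events)):
            # Advance the window start until it spans at most `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {user for _, user in events[start:end + 1]}
            best = max(best, len(distinct))
        if best >= min_users:
            flagged[src] = best
    return flagged


if __name__ == "__main__":
    for src, count in detect_spray(SAMPLE_LOG).items():
        print(f"possible credential spray from {src}: {count} distinct users in window")
```

The distinct-username count per source is the discriminating signal: a locked-out employee generates many failures for one account, while a spray generates one or two failures each across many accounts. Tune `window` and `min_users` to the portal's normal traffic before alerting on it.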
We propose replacing GlobalProtect with NetBird, an open-source WireGuard-based mesh VPN that:
- Eliminates the exposed login portal — credential spraying is architecturally impossible
- Runs silently in the background — users never have to “connect to VPN”
- Costs $0/month on existing infrastructure vs. $19,000-$27,000 for a replacement Palo Alto appliance
- Solves the password reset problem — paired with Microsoft SSPR and always-on DC connectivity
- Deploys in 8-10 weeks with zero downtime via parallel operation with GlobalProtect
Current State at a Glance
| Site | Firewall | ISP | Network | Domain Controllers |
|---|---|---|---|---|
| Honolulu | Palo Alto PA-2020 (10.100.7.1) | Spectrum (98.147.1.83) | 10.100.7.0/24 | AD0 (10.100.7.10), AD1 (10.100.7.11) |
| Boulder | Netgate 6100 pfSense+ (10.15.0.254) | Comcast (50.198.217.249) | 10.15.0.0/24 | AD1 (10.15.0.10), AD2 (10.15.0.11) |
Identity: On-premises Active Directory at both sites, synced to Microsoft Entra ID via Entra Connect.
VPN Usage Patterns
| User Group | % of Users | VPN Usage | Frequency |
|---|---|---|---|
| General Staff | ~90% | AD password reset only | Every 4 months |
| Power Users (Engineers) | ~10% | SMB shares, RDP, CAD/GIS/SAGE access | Daily |
The vast majority of VPN connections exist solely to maintain connectivity to a Domain Controller for password changes.