Recommendation
We recommend proceeding with the NetBird migration immediately. The convergence of five independent risk factors makes this urgent:
- The PA-2020 has been unsupported for 6 years — no security patches are possible
- An active credential-spraying campaign is targeting our GlobalProtect portal with millions of attempts
- Cyber insurers report 11x ransomware likelihood for organizations using self-managed VPNs — EOSL hardware may void coverage
- The risk-adjusted cost of staying ($31,000-$166,500/year) dwarfs the migration cost ($472/year)
- A proven alternative exists (NetBird) that eliminates the attack surface entirely, at 69% lower cost than a Palo Alto replacement
Requested approval: Proceed with Phase 1 (Azure VM provisioning) to begin the 10-week migration timeline.
Timeline Summary
| Week | Phase | Milestone |
|---|---|---|
| 1 | Phase 1 | Azure VM + NetBird Management Server |
| 1-2 | Phase 2 | Routing Peers (Hawaii VM + Boulder pfSense) |
| 2-3 | Phase 3 | SSPR + Entra Connect (parallel) |
| 3 | Phase 4 | TRMM Deployment Script + IT Testing |
| 3-4 | Phase 5a | Pilot (IT team, 5-10 machines) |
| 4-5 | Phase 5b | Office workers Honolulu (30-40) |
| 5-6 | Phase 5c | Office workers Boulder (20-30) |
| 6-7 | Phase 5d | Remote workers (20-30) |
| 7-8 | Phase 5e | Field workers (5-10) |
| 8-10 | Phase 6 | GlobalProtect deactivation + 30-day parallel operation |
| 10+ | Decommission | Decommission GlobalProtect |
Total implementation time: ~10 weeks (conservative, with 30-day parallel operation)