| 1 | GP coexistence triggers WireGuard restart during parallel operation | HIGH | MEDIUM | Deploy with `--network-monitor=false`. Safe for production. Remove after GP is fully removed. |
| 2 | Entra ID OIDC misconfiguration locks users out | MEDIUM | HIGH | Test with pilot group. Maintain local break-glass admin accounts. Document exact App Registration settings. |
| 3 | Management server outage | MEDIUM | MEDIUM | Existing tunnels survive. Monitor with alerting. Docker restart policy: `unless-stopped`. Recovery: minutes. |
| 4 | Credential-spraying breach on PA-2020 before migration completes | LOW-MEDIUM | CRITICAL | Accelerate timeline. Block known malicious IP ranges as interim measure. |
| 5 | Self-hosted deprovisioning gap — terminated user retains access | MEDIUM | MEDIUM | Set login expiration to 24h. Documented offboarding checklist: disable in Entra ID + remove from NetBird + revoke setup keys. |
| 6 | pfSense package incompatibility on Boulder Netgate 6100 | LOW | MEDIUM | Test in maintenance window. Linux VM fallback plan ready. Package is actively maintained. |
| 7 | User productivity loss during transition | HIGH | MEDIUM | Silent deployment (users see nothing). Step-by-step guides. Per-team VPN champions. Wave-based rollout. |
| 8 | Insurance claim denial due to EOSL hardware | MEDIUM | HIGH | Document migration as security improvement. Notify broker proactively. |
| 9 | Auto-update resets client settings (bug #5128) | MEDIUM | LOW | Pin version via dashboard during initial deployment. Use TacticalRMM for controlled updates. |
| 10 | Rollback fails — GP cannot be re-enabled | LOW | HIGH | Do NOT uninstall GP until NetBird has been stable for 30+ days. Keep PA-2020 powered on. Rollback RTO: <1 hour. |