Your Palo Alto firewall deployed right. First time.
From greenfield deployment to legacy firewall migration or model upgrade — our certified engineers handle the entire installation. Security rules, App-ID conversion, VPN configuration, SSL decryption, cutover support, and handoff. Fixed scope. Fixed price.
100% remote delivery. One NGFW or HA pair per engagement. Add-on services available for complex requirements.
Covers PA-400 through PA-5450 series — greenfield, legacy migration, or model upgrade. Security rules, App-ID conversion, VPN, SSL decryption, and HA pair configuration all included in fixed scope.
Before cutover
Have your existing rules been converted to App-ID policies before migration?
Is your HA pair failover tested and documented before the cutover window?
Do you have an SSL decryption policy — or will encrypted traffic pass uninspected?
Are your VPN tunnels documented and ready to migrate on cutover day?
Do you have a rollback plan if cutover needs to be reversed mid-window?
Model Coverage
All Palo Alto series. Three deployment scenarios.
Every model tier is covered. Every deployment scenario is supported. The scope of work scales with the complexity of the model.
Greenfield
New Palo Alto deployment in a new environment — no existing firewall to migrate from.
Legacy Migration
Replace an existing non-Palo Alto firewall. Rules and profiles migrated via Palo Alto's Expedition tool.
PAN-OS Upgrade
Upgrade from an existing Palo Alto model to a new one — configuration carried forward.
PA-400 Series
Entry-Level NGFW
Small offices, branch locations, remote sites
Rules: Up to 50
Interfaces: Up to 5
Cutover: 2 hours
MSRP: $8,160
PA-1400 Series
Mid-Range NGFW
Growing businesses, distributed locations
Rules: Up to 100
Interfaces: Up to 10
Cutover: 2 hours
MSRP: $10,200
PA-3200/3400 Series
Enterprise NGFW
Data centres, campus deployments, regional hubs
Rules: Up to 250
Interfaces: Up to 15
Cutover: 4 hours
MSRP: $12,240
PA-5200/5400 Series
High-Performance NGFW
Large enterprises, carrier-grade, multi-site core
Rules: Up to 500
Interfaces: Up to 20
Cutover: 4 hours
MSRP: $14,280
PA-5450
Data Centre NGFW
High-throughput data centre and service provider environments
Rules: Up to 750
Interfaces: Up to 24
Cutover: 4 hours
MSRP: $16,320
Scope of Work
Exactly what's included — by model.
No surprises. Every deliverable is defined before engagement starts. What's not listed is out of scope — available as an add-on or custom SOW.
Security & NAT Rules
Migrate existing rules from legacy firewall or create new security and NAT policies. Port/protocol rules migrated — App-ID conversion available as an add-on.
PA-400: Up to 50 rules
PA-1400: Up to 100 rules
PA-3200/3400: Up to 250 rules
PA-5200/5400+: Up to 500–750 rules
App-ID & Security Profiles
Security profile setup and MFA configuration included on all models. App-ID conversion (port/protocol to App-ID) and Panorama integration included.
All models: MFA + Panorama integration
All models: Security profiles
Add-on: App-ID Conversion (+$5,100)
Add-on: GlobalProtect (+$4,080)
Interface & VPN Configuration
Physical and logical interface configuration plus logging setup. IPSec VPN and GlobalProtect remote access available as add-ons.
PA-400: Up to 5 interfaces
PA-1400: Up to 10 interfaces
PA-3200/3400: Up to 15 interfaces
PA-5200/5400+: Up to 20–24 interfaces
Cutover & Next-Day Support
Night or weekend cutover hours included in a single session, plus next-day troubleshooting support. Log forwarding to up to 2 destinations included on all models.
PA-400/1400: 2 hrs cutover + 2 hrs next-day
PA-3200+: 4 hrs cutover + 4 hrs next-day
All models: Log forwarding (up to 2 destinations)
All models: SNMP monitoring & alerting
What's not included: Advanced routing (BGP, OSPF), SD-WAN, user management, third-party VPN configuration, App-ID conversion, SSL decryption, and integrations not listed above. All available as add-on services or a custom SOW.
Responsibility Model
We deploy. You approve.
Responsibility is assigned before engagement starts — the final RACI is confirmed during the discovery call.
We deliver
We own it end-to-end
Shared
Both teams involved
You coordinate
We support or need access
Pre-Deployment
Planning, access, and sign-off before a single config is touched.
Discovery assessment & network review
We map your current environment
Network topology & requirements
You provide diagrams and constraints
Legacy firewall configuration review
We audit what's migrating via Expedition
Infrastructure access provisioning
You grant dashboard and device access
Migration plan & cutover window
Agreed jointly before execution
Deployment
Configuration, rule migration, and security profile setup.
Palo Alto hardware/virtual configuration
Full platform setup by our engineers
Security/NAT rule migration & creation
Per model scope, Expedition-assisted
App-ID and security profile setup
MFA + Panorama integration included
Security policy approval
You review and sign off on policies
Logging, monitoring & alerting
Up to 2 log destinations + SNMP
VPN configuration
Per base scope — add-ons available
Cutover & Handoff
Go-live execution, validation, and documentation transfer.
Cutover execution & validation testing
Night/weekend window, single session
Network access during cutover
You maintain site/device availability
Business-critical traffic confirmation
Jointly validate key flows are live
Next-day support & troubleshooting
2–4 hrs post-cutover coverage
Configuration documentation & handoff
Full runbook delivered to your team
Transparent Pricing
Fixed price. Per model tier. No surprises.
One price covers the full deployment scope for your Palo Alto model. Pricing shown is MSRP — contact us for your actual rate.
PA-400 Series
Entry-Level NGFW
$8,160
MSRP per deployment
Includes
Up to 50 security/NAT rules
MFA + Panorama integration
Up to 5 interfaces
2 hours cutover support
SKU: JF3832
PA-1400 Series
Mid-Range NGFW
$10,200
MSRP per deployment
Includes
Up to 100 security/NAT rules
MFA + Panorama integration
Up to 10 interfaces
2 hours cutover support
SKU: JF3835
PA-3200/3400 Series
Enterprise NGFW
$12,240
MSRP per deployment
Includes
Up to 250 security/NAT rules
MFA + Panorama integration
Up to 15 interfaces
4 hours cutover support
SKU: JF3834
PA-5200/5400 Series
High-Performance NGFW
$14,280
MSRP per deployment
Includes
Up to 500 security/NAT rules
MFA + Panorama integration
Up to 20 interfaces
4 hours cutover support
SKU: JF3837
PA-5450
Data Centre NGFW
$16,320
MSRP per deployment
Includes
Up to 750 security/NAT rules
MFA + Panorama integration
Up to 24 interfaces
4 hours cutover support
SKU: JF3836
Pricing Notes
Pricing is per single deployment event — one NGFW or one HA pair per SKU
Multiple devices in the same cutover require separate SKU purchases or a custom quote
Third-party firewall migration via Expedition tool is included in the base service
Advanced configurations (SSL decryption, App-ID, GlobalProtect) are available as add-ons
Pricing shown is MSRP — contact us for discounted rates
Add-On Services
Extend the scope. Same delivery standard.
Complex deployments require scope beyond the base service. Add-ons are fixed-price, delivered as part of the same engagement. Grouped by capability area.
Security & Access
GlobalProtect (Remote Access VPN)
SKU: JF3840
Configure GlobalProtect portal, gateway, client profiles, and up to 25 security rules for remote access.
$4,080
SSL Decryption — Outbound
SKU: JF3842
SSL decryption outbound forward proxy deployment on up to 2 NGFWs. Up to 10 decryption rules.
$4,080
SSL Decryption — Inbound
SKU: JF3848
SSL decryption inbound inspection for up to 10 target systems on up to 2 NGFWs.
$4,080
User-ID (Policy Enforcement)
SKU: JF3845
User-ID deployment with up to 3 agents, 2 AD domain controllers, and IP mapping redistribution for up to 10 NGFWs.
$1,020
Platform & Management
App-ID Conversion
SKU: JF3846
Convert up to 100 port/protocol-based rules to Palo Alto App-ID rules on one NGFW or HA pair. Includes 2 cutover events.
$5,100
Panorama Deployment
SKU: JF3839
Deploy or upgrade one Panorama instance — RBAC, device groups, templates, and log management.
$4,080
Virtual NGFW Deployment
SKU: JF3838
Deploy a Palo Alto NGFW in a virtual environment (VMware, KVM, Hyper-V). Purchased in addition to the primary deployment SKU.
$2,040
IPSec VPN Add-On
SKU: JF3843
Additional IPSec VPN tunnels beyond the base service — up to 5 tunnels per NGFW. Third-party device configuration not included.
$1,020
Advanced Solutions
IoT Security
SKU: JF3841
Deploy IoT security subscription on up to 5 NGFWs — Cortex Data Lake, device inventory, and reporting.
$10,200
Cortex XDR
SKU: JF3849
Deploy Cortex XDR framework and tune up to 2,000 endpoint agents. Includes policy tuning and knowledge transfer.
$7,650
Prisma Access (Network + Mobile)
SKU: JF3830
Full Prisma Access deployment — remote networks, service connections, ZTNA connectors, and mobile user setup.
$10,200
Prisma Access (Network Only)
SKU: JF3831
Prisma Access network-only deployment — remote networks and service connections.
$7,140
Prisma Access (Mobile Only)
SKU: JF3833
Prisma Access mobile user-only deployment for remote workforce access.
$5,100
Ongoing Support
Security/NAT Rules Add-On
SKU: JF3844
Migrate up to 250 or create up to 50 additional security/NAT rules per NGFW or HA pair — beyond base deployment scope.
$4,080
Quick Config Service (8 hours)
SKU: JQ8092
8 hours of expert consultation for minor configurations, modifications, or updates on existing Palo Alto appliances.
$2,000
Configuration Assistance (CAS) — Annual
SKU: JF3847
Annual 50-hour block for configuration and support. Can be applied across multiple sites. Auto-renews at 90% usage.
$12,750 / year
Custom Statement of Work
SKU: JF3850
For deployments requiring scope beyond standard QuickStart services — custom scoped and priced.
Call for quote
Migration Compatibility
Migrating from another vendor? We've got it covered.
The following firewalls are supported for automated rule migration via Palo Alto's Expedition tool. Any firewall outside this list requires written pre-approval before engagement.
Check Point
Supported versions: R75, R77, R80+
Cisco
Supported versions: ASA 9.0, 9.1, 9.6, 8.2, 8.4 · FirePower (ASA syntax)
Fortinet
Supported versions: FortiGate 4.0, 5.0, 6.0
Juniper
Supported versions: All Netscreen (ScreenOS) · Junos 11.4, 12.1, 12.3
Forcepoint
Supported versions: Sidewinder · Stonesoft
IBM
Supported versions: XGS 5.1
What's migrated: Global address objects, address group objects, service objects, service group objects, security policy, NAT policy, network interfaces (L3 only), static routes, and VPN where supported by the source platform.
Not Sure Where to Start?
Begin with an assessment. Deploy with confidence.
Before committing to a deployment, a security assessment tells you exactly what you have, what needs replacing, and what the right architecture looks like.
Cybersecurity Assessments
Penetration testing and vulnerability scanning identify what your current firewall is missing before a new one goes in. Know your exposure before you scope the deployment.
Network Health Assessment
Wired and wireless network assessment maps your current topology, device inventory, and configuration compliance — the baseline your deployment design should be built from.
Ready to deploy your Palo Alto firewall?
A 30-minute assessment call reviews your environment, confirms the right model tier, and scopes any add-ons required. Quote typically within 24 hours.
Assessment call → Quote & timeline → Schedule deployment window → Execute & handoff.