TPO Technologies experienced professional services staff bring decades of knowledge from the Cyber Security and Networking fields. On top of our core compentencies TPO Technologies have a plethora of varied experiences across a variety of Information Technology industry verticals.
Working remotely, onsite, within data centres, during or after business hours, our professional services staff understand that a different approach can suit both a client's requirements, but also the type of work being carried out.
Performing work with our own forces gives us more flexible scheduling capabilities. We do not have to rely on the availability of external resources, you can trust us to provide an outcome that will tick all the boxes, if not more. Read ahead through just a handful of TPO Technologies professional services projects.
TPO Technologies professional services staff designed and deployed an F5 network security architecture as part of a large green field data centre redesign, deploying 36 F5 BIG-IP instances using LTM, GTM (DNS), APM, ASM, and AFM modules. The various F5 BIG-IP instances tied directly into the infrastructure, integrating into the routing of all network traffic, analysing traffic using SSL decryption zones, and load balancing across various data centre nodes. Access Policy Manager was implemented to replace legacy SSL VPN solutions, centralise authentication as an IdP, and secure remote application delivery.
The F5 devices are core to this network, providing routing and NAT functionality for all North/South and ~50% of East/West traffic. Various zones provide a tiered configuration starting with DDoS and network level filtering at the edge, SSL decryption for all traffic offloading to firewalls for inspection and re-encryption, and service load balancing where required. The LTM module is used to steer traffic alongside routing protocols, merging with NSX South of the protection zones. F5 BIG-IP GTM, now known as DNS, is used for DNS inspection and dynamic control of data centre service selection, optimising path selection prior to internal LTM load balancing selection. Access Policy Manager integrates with over 100 SAML service providers using a single access policy, serving over 80 SAML Identity Providers customising available authentication methods including a variety of MFA options. Access Policy Manager also serves thousands of remote access endpoint options including remote desktop access, Portal Access, L3 VPN, and application tunnels. This skims the surface of what has truly been implemented
TPO Technologies professional services staff successfully migrated a large university’s Fortinet firewall deployment, migrating into a new Palo Alto Networks 7k chassis-based firewall solution. The existing Fortinet solution hosted 34 virtual instances, separated into both external and internal protection zones. The replacement solution needed to provide a cutover methodology that allowed for a change freeze window of 60 minutes or less, due to client requirements. TPO Technologies staff automated the conversion of policy to cater for this requirement, allowing for near real time policy conversion with the restriction being merely the 20,000 firewall rules and the pace at which scripts can run.
The Palo Alto Networks firewall solution provided an active/active standalone configuration, plumbing into the dynamic routing protocols operating on the University network. Panorama in conjunction with dedicated logging collectors integrating into high-speed log forwarding cards, was used to ensure policy synchronisation between firewall instances. Public BGP peering using 2 100Gbit Internet connections provided both load balancing and failover, incorporating a total of 600Gbit of internal throughput. Two successful migrations took place at midnight, for both the external and internal systems, and due to the extensive application testing plans in place with the University little to no remediation was required post cutover.
TPO Technologies professional services staff designed, implemented, and maintained a complex Fortinet SDWAN deployment for an 80 site banking institution, migrating from an existing simple 4G failover Cisco WAN. The deployment included 3 links per site, with 2 data centres, and several VRFs separating core banking systems. All configuration was automated and deployed via scripting methodologies using FortiManager, monitored using FortiAnalyzer and via an external SOC/SIEM.
The technical capabilities of this installation included 12 virtual links per site, across 3 physical links, catering for layer 3/4 and layer 7 application steering without the requirement of SNAT for symmetric return. All networking was BGP and BFD integrated with failover times or traffic steering decisions occurring in near real time. Once the deployment of the data centres was complete, the remote sites were meticulously organised to be cut over 2 per day, every consecutive day, until completion. The speed of the traffic failover and steering occurred quickly, catering for sites where the ISP had not yet provisioned all 3 links. Due to the complexity of existing legacy systems not all configurations could be automated, however after answering just a few questions the configuration of a replacement device or new site was as close to zero touch as possible. The deployment occurred prior to SDWAN provisioning tech from Fortinet becoming available.
TPO Technologies professional services staff redesigned the client’s routing infrastructure, collapsing WAN edge, Internet Edge, and Core/Distribution networking, incorporating remote Riverbed SDWAN and MPLS sites, global connectivity and both AWS and Azure connectivity. The migration was implemented in 3 phases separating the WAN edge collapse, Internet Edge and Core/Distribution network zones. A variety of network protocols were already in place and required a complete redesign and convergence with zero down time. After the success of the WAN edge and Core/Distribution phases the client opted to use TPO Technologies professional services staff to incorporate a migration from existing Cisco FTD firewalls to Palo Alto Networks firewalls, during the Internet edge redesign phase.
Prior to the redesign many routing protocols were in use, including static, PBR, OSPF, RIP, iBGP, eBGP and EIGRP. The design collapsed all routing protocols into eBGP sparing a few static routes that were unavoidable due to systems owning IP addressing but not participating in routing protocol configuration. Each cutover phase required zero down time due to abattoir, administration, distribution, and warehousing operations across both Australia, but also in New Zealand and the US. After the success of the WAN edge and Core/Distribution network redesign, the Cisco FTD to Palo Alto Networks firewall migration finalised the complete network reconfiguration.
We’re always looking for new opportunities. If you’re interested in partnering with us, please drop us a line.