You are on page 1of 8


Project Name: Palo Alto Migration Seller Representative:
Customer Name: County of Dupage (IL) Damian Gonzalez
CDW Affiliate: CDW Government, LLC. 3127149529
SOW Effective Date: March 7, 2016 Solution Architect:
Jeff Trower
Seller Services Manager: Mike Gutknecht
Version: 1

This statement of work (“Statement of Work” or “SOW”) is made and entered into this March 7, 2016 (the “SOW
Effective Date”) by and between the undersigned, CDW Government, LLC. (“Provider”, “Seller” and “we”) and
County of Dupage (IL) (“Customer” and “you”).

Seller will provide professional services to assist with the design and implementation of a security solution
leveraging the Palo Alto security platform. Palo Alto’s security platforms provide market leading Next Generation
security, offering URL Filtering, and Intrusion Prevention services.

As part of this project, Seller will perform the following tasks:

 General configuration of 2 Palo Alto PA3050’s and Next Generation Services

o Set the hostname, domain name, date and time
o Configure Ethernet settings and sub-interfaces
o Configure appropriate security level of interfaces
o Configure Routed mode
o Configure IP routing
 Design and configure stateful failover based on High Availability considerations for Customer
o Configure the control link
o Configure the data link
o Configure HA3 link for Active-Active deployment
 Design and configuration of security rule sets relevant to Customer’s business and technical requirements
o Configure authentication, authorization, and accounting (AAA) services for network access
 Configure inbound and outbound access-lists for permitting or denying network access
 Design and configuration of NAT/PAT addressing policies to reflect connectivity requirements
 Design and configuration of any IPSec and SSL VPN connectivity requirements
o Define IKE Crypto Profiles
o Define IPSEC Crypto Profiles
o Configure tunnel monitoring
o Test VPN Connectivity based on Customer Use-Cases
 Design and configuration of SSL Decryption
 Design and configuration of QoS/Rate limiting
o Configuration of 2 polices
Page 1
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
 Define security zones
 Creation of security policies
o Design and configure Threat Prevention Policy
o Design and configure URL Filtering Policy
o Define and configure User Policy
o Define and configure Application Policy
o Define and configure DNS Inspection and Sinkhole Policy
o Apply Security Polices to defined security zones
 Analysis and basic tuning of Threat Prevention

The planning phase consists of the following:

 Project Kickoff – The project team will be chartered and staff will be assigned to project roles. The team
will review Customer’s needs, discuss/revise the project scope and assumptions, and finalize logistical
 Inventory Hardware – Seller staff will inventory, document, and hardware power-on test. Issues with faulty
hardware, as well as inventory discrepancies, will be identified and resolved.
 Project Planning – Members of the project team will develop a detailed project plan and test plan for the
Palo Alto Firewall with Next Generation Services deployment.

Seller will conduct a detailed design session with the project team. The goal of this design session is to identify and
address architectural, security, and device management requirements. The design phase consists of the following

 Analysis – Seller and Customer technical staff will work together to:
○ Review network architecture, technical specifications, and VPN requirements
○ Analyze hardware configuration
○ Review industry best practices in order to develop baseline design information.
 Network Design – Seller staff will lead an effort to:
○ Develop the final design
○ Identify all security zones on the network
○ Map security zones to physical and virtual interfaces on the Firewall
○ Design site-to-site and remote access VPN considerations
○ Design SSL VPN considerations
 Documentation – Seller staff will document and diagram the Firewall with Next Generation Services
design, including VPN.

The process for staging, configuring and testing the Palo Alto Firewall can be further detailed as follows:

 Unpack the hardware

 Upgrade the Firewall software to meet the standards specified in the design phase
○ Install Next Generation Licenses
○ Download latest signatures and service updates

Page 2
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
○ Install User-ID on a Domain Member computer and ensure User and Group information is
populated in the Palo Alto Firewall
 Build the Firewall configuration to the specifications documented in the design phase, including:
○ Firewall security zones
○ Apply initial security polices
○ VPN configuration
 Execute the test plan developed during the planning phase to ensure proper design and configuration


The process for implementing the Palo Alto Services can be further detailed as follows:

 During a scheduled change period, the Palo Alto firewalls will be placed into production.
 Seller will work with Customer to perform application testing to validate the implemented firewall policy
developed in the design phase of this project.
 Site to Site VPN connectivity will be tested
The Seller will provide day one support on the first production day following the cutover.

The process for implementing the Palo Alto Services on the firewall can be further detailed as follows:

 An initial Threat Prevention policy in “alert, don’t block” configuration will be applied to begin creating a
tuned ruleset based upon the initial network discovery information
 An initial URL filtering policy will be applied for web browsing and reporting
 App-ID rules will be created using the identified applications in the Palo Alto Management Console’s

Seller will provide up to 4 hours of basic training for the Palo Alto Management interface. Topics include
operational tasks, managing security policies and updates.

This phase signifies the end of the project. All services in the Description of Services section of this document are
completed and all items to be provided are received by Customer.

Customer is responsible for the following:
1. Provide a 4 hour maintenance window to allow for the cutover to the Palo Alto Solution.
2. Customer will provide documentation for required connectivity through the firewall that includes source IP,
destination IP, port, protocol information, and network address translation requirements. If traffic analysis
is required to determine the appropriate connectivity information; it may result in a revision of the services
3. Customer is responsible for all change control procedures and notifications that are necessary for the
performance of this project.
4. Customer is responsible for application testing to be performed during cutover(s).
5. Customer will provide full access to all network devices to Seller.
6. Customer is responsible for any additional hardware, software, certificates, and licenses that are required
for installation.

Page 3
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
7. Customer will provide at least one (1) domain member computer for installation of the Palo Alto User-ID
agent to allow for user policy creation for each unique domain to be identified during the design phase of
this project.

1. Customer will provide Seller staff with appropriate physical and network access to implement
configurations defined in this statement of work.
2. There is adequate power, UPS, rack space, and network connectivity for the devices included on the bill of
3. For the Next Generation services, Seller will configure up to:
a. 6 Access control policies
b. 4 IPS and Application Visibility policies
c. 3 URL policies
d. 2 DNS Inspection policies
4. URL Filtering will configured as a migration and replacement of Websense.
5. Training documentation is not part of this project.
6. Seller will migrate customer’s existing ASA firewall configuration and Websense configurations to the
Palo Alto solution.

Tasks outside this SOW include, but are not limited to:
1. Configuration of any other network equipment not directly related task of implementing the Palo Alto
Firewall with Next Generation services and configuring required services. Within scope are minor changes
to existing network infrastructure that may need to occur to accommodate required services, such as VLAN
configurations, routing, and AAA (authentication, authorization, accounting) services.
2. Custom IPS signature creation.
3. Custom App ID creation.
4. Wildfire anti-malware configurations.
Services not specified in this SOW are considered out of scope and will be addressed with a separate SOW or
Change Order.


The following will be provided to Customer by the completion of this project.

Table 1 – Item(s) Provided to Customer

Item Description Format

Design Document A detailed diagram including Next Generation Services and PDF
VPN requirement
Network Diagram Diagram of logical and physical connectivity Visio
Implementation Access policy descriptions PDF
Reference Document

Page 4
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
Customer and Seller, who will jointly manage this project, will together develop timelines for an anticipated
schedule (“Anticipated Schedule”) based on Seller’s project management methodology. Any dates, deadlines,
timelines or schedules contained in the Anticipated Schedule, in this SOW or otherwise, are estimates only, and the
Parties will not rely on them for purposes other than initial planning.

The total fees due and payable under this SOW (“Total Fees”) include both fees for Seller’s performance of work
(“Service Fees”) and any other related costs and fees specified in the Expenses section (“Expenses”). Unless
otherwise specified, taxes will be invoiced but are not included in any numbers or calculations provided herein.
Seller will invoice for the Total Fees.
Services Fees hereunder are FIXED FEES, meaning that the amount invoiced for the Services will be $24,312.00.

The invoiced amount of Services Fees will equal the amount of fees applicable to each completed project milestone,
as specified in Table .

Table 2 – Services Fees

Project Milestones Percentage Fees

Signed SOW 25% $6,078.00
Discovery 50% $12,156.00
Completion 25% $6,078.00
Totals 100.00% $24,312.00

Payments under this agreement are in accordance with the Local

Government Prompt Payment Act.
Neither travel time nor direct expenses will be billed for this project.
Two (2) weeks’ advance notice from Customer is required for any necessary travel by Seller personnel.

Seller will provide Services benefiting the locations specified on the attached Exhibit (“Customer-Designated

1. Customer is responsible for providing all physical and communications access, privileges, environmental
conditions, properly functioning hardware and software, qualified personnel, project details, material
information, decisions/directions, and personnel and stakeholder interviews that are reasonably necessary to
assist and accommodate Seller’s performance of the Services (“Customer Components”).

Page 5
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
2. Seller is not responsible for delays in performance directly caused by the unavailability of the Customer
Components and will have the right to invoice Customer, with prior written notice, for time Seller
personnel is thereby idled or to reassign Seller personnel to work unrelated to this SOW and the services
3. Customer will provide in advance and in writing, and Seller will follow, all applicable Customer safety and
security rules and procedures.
4. Customer will secure and maintain the confidentiality of all Seller personnel information.
5. When Services are performed at a Customer-Designated Location, the site will be secure; Seller is not
responsible for lost or stolen equipment.
6. This SOW can be terminated by either party without cause upon at least fourteen (14) days’ advance
written notice.


Each Party will appoint a person to act as that Party’s point of contact (“Contact Person”) as the time for
performance nears, and will communicate that person’s name and information to the other Party’s Contact Person.

The Customer Contact Person is authorized to approve materials and Services provided by Seller, and Seller may
rely on the decisions and approvals made by the Customer Contact Person (except that Seller understands that
Customer may require a different person to sign any Change Orders amending this SOW). The Customer Contact
Person will manage all communications with Seller, and when Services are performed at a Customer-Designated
Location, the Customer Contact Person will be present or available. The Parties’ Contact Persons shall be authorized
to approve changes in personnel and associated rates for Services under this SOW.

Except as otherwise agreed by the Parties, Customer will pay invoices containing amounts authorized by this SOW
within thirty (30) days of receipt. Any objections to an invoice must be made to the Seller Contact Person within
fifteen (15) days after the invoice date.


This SOW expires and will be of no force or effect unless it is signed by Customer, transferred in its entirety to
Seller so that it is received within thirty (30) days from the date written on its cover page, and then signed by Seller,
except as otherwise agreed by Seller.

This SOW may be modified or amended only in a writing drafted by Seller, generally in the form provided by Seller
and signed by both Customer and Seller (“Change Order”). Each Change Order will be of no force or effect until
signed by Customer, transferred in its entirety to Seller so that it is received within thirty (30) days from the date on
its cover page and then signed by Seller, except as otherwise agreed by Seller.

Page 6
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
In the event of a conflict between the terms and conditions set forth in a fully executed Change Order and those set
forth in this SOW or a prior fully executed Change Order, the terms and conditions of the most recent fully executed
Change Order shall prevail.

This SOW shall be governed by Seller’s “Terms and Conditions of Product Sales and Service Projects”, accessed
via the “Terms & Conditions” link at (the “Agreement”). If there is a conflict between this SOW
and the Agreement, then the Agreement will control, except as expressly amended in this SOW by specific reference
to the Agreement. References in the Agreement to a SOW or a Work Order apply to this SOW. This SOW and any
Change Order may be signed in separate counterparts, each of which shall be deemed an original and all of which
together will be deemed to be one original. Electronic signatures on this SOW or on any Change Order (or copies of
signatures sent via electronic means) are the equivalent of handwritten signatures. This SOW is the proprietary and
confidential information of Seller.

In acknowledgement that the parties below have read and understood this Statement of Work and agree to be bound
by it, each party has caused this Statement of Work to be signed and transferred by its respective authorized

CDW Government, LLC. County of Dupage (IL)

By: ____________________________
In ternalSignature1 By: ___________________________
E xternalSignature1

signature Signature

Name: ____________________________
InternalName1 Name: ____________________________
Ex ternalName1

Date: InternalDate1 _______________________________________ Date: ________________________________________


Mailing Address: Mailing Address:

230 N. Milwaukee Avenue, Vernon Hills, IL. 60061 Street: ________________________________________
City/ST/ZIP: ___________________________________
 A purchase order for payment hereunder is attached. Billing Contact:
 A purchase order is not required for payment Street: ________________________________________
hereunder. City/ST/ZIP: ___________________________________
 The following PSM has given approval:
Mike Gutknecht
120813 Standard

Page 7
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab
Seller will provide Services benefiting the following locations (“Customer-Designated Locations”).

Table – Customer-Designated Locations

Location(s) Service(s)
 ☐ Assessment  ☑ Implementation  ☐ Support
421 N. County Farm Rd.
 ☐ Configuration  ☐ Project Management  ☐ Training
Wheaton, IL 60187
 ☑ Design  ☐ Staff Augmentation  ☐ Custom Work

Page 8
Proprietary and Confidential CDW Government, LLC.
Version: 1
Contract Number: 1668
Drafted by: Maggie Siembab