Palo Alto Networks TSA separation is the work of standing up Newco's own firewall estate, rebuilding the security policy in a dedicated Panorama, provisioning a Newco Prisma Access tenant, and cutting GlobalProtect remote access before the seller's perimeter still inspects or controls Newco traffic. The work sits inside the broader carve-out advisory program and behaves as a Day One control, because the firewall is the boundary every other system depends on.
Palo Alto separation starts with an inventory of the seller estate. The buyer needs the appliance footprint across physical PA series firewalls and VM series instances, the Panorama management hierarchy with its device groups and templates, the subscription scope across Threat Prevention, Advanced URL Filtering, WildFire, and DNS Security, the Prisma Access footprint if the seller runs cloud delivered security, and the GlobalProtect gateways and portals that carry remote access.
The clean end state is a dedicated Newco firewall estate with its own Panorama, its own subscriptions, and its own remote access service. A shared seller perimeter keeps Newco traffic under seller policy and seller visibility, which is unacceptable beyond a short bridge. The firewall is not a tool Newco can quietly leave on the seller's network, because the seller can see and cut the traffic at the boundary.
Target strategy treats the perimeter as a Day One readiness item. Newco firewalls and a baseline policy stand up before close so that on Day One, Newco sites and users transit Newco's perimeter rather than the seller's. The hardware lead time for physical appliances is the long pole, so the appliance decision is settled early, in step with the network and identity separation.
A clean inventory and a settled estate decision drive the downstream sequence: the Panorama policy rebuild, the Prisma Access provisioning, the GlobalProtect cutover, and identity integration. The pattern aligns with the broader carve-out network plan and the Day One security control set.
Palo Alto is sold as appliance or VM capacity plus per device security subscriptions, with Prisma Access metered by user or by bandwidth. The seller agreement does not transfer in a carve-out. Newco signs a direct purchase sized to its real site count, its remote user population, and the subscriptions it actually needs, rather than inheriting a bundle scoped for the combined organization.
A carve-out reads to the vendor as a buyer with a Day One deadline, which is real leverage on the sell side of the table. The buyer offsets that by opening the commercial conversation early, before the deadline removes optionality, and by separating what Newco needs on Day One from what can be decided later. Where Newco is reconsidering its perimeter architecture, a credible alternative strengthens the position, though Day One timing usually argues for continuity first.
Where the seller provides perimeter security through a TSA window, the pricing is cost-plus or fixed-fee with a defined exit ramp, and the TSA states how Newco usage is metered. The seller cannot mark up subscription costs it does not separately incur. Because the firewall is a Day One control, the TSA tail here is usually short and the exit is sequenced ahead of softer services.
Where a partner is engaged for the rebuild, the contract is fixed fee for defined deliverables with disciplined change control. The audit discipline runs through the broader TSA license consolidation work so Newco rationalizes its security spend at the point of exit rather than carrying forward the seller's scale.
The security policy is rebuilt rather than copied wholesale. Security rules, NAT policy, App ID and User ID configuration, decryption policy, security profiles for threat and URL, and the address and service objects are reconstructed in the Newco Panorama to match Newco's footprint. The seller policy is a useful reference, but it carries seller specific zones, objects, and exceptions that Newco should review rather than inherit blindly.
Decryption deserves dedicated attention because it depends on the forward trust certificate being trusted on every endpoint. The Newco certificate is deployed through endpoint management so that inspection works without breaking applications on Day One. The buyer coordinates this with the endpoint separation so the certificate lands before the perimeter cutover rather than after it.
The Panorama hierarchy is redesigned for Newco. Device groups and templates that mirrored the seller's regional structure are collapsed or rebuilt around Newco's actual sites. Log forwarding and the SIEM feed are repointed so Newco security operations see the traffic rather than the seller's, which closes a visibility gap that otherwise persists after cutover.
Allowlists and application overrides are validated against Newco's real application estate so that legitimate traffic is not blocked when sites move behind the Newco perimeter. The discipline mirrors the endpoint and identity separation sequence so the controls land together rather than in conflict.
Where the seller delivers security from the cloud through Prisma Access, a dedicated Newco tenant is provisioned with its own service connections to Newco data centers and applications, its own security processing nodes near Newco users, and its own policy. The seller tenant routes Newco traffic through seller infrastructure, so the clean boundary requires Newco's own tenant rather than a shared one.
GlobalProtect is the remote access path for the workforce. New Newco portals and gateways are stood up, the agent configuration is repointed through endpoint management, and the split tunnel and routing policy are rebuilt for Newco's applications. Because remote users authenticate at connection, the GlobalProtect cutover is gated on the identity boundary being live so that authentication and group based policy resolve against Newco identity.
Identity integration is the binding piece. The firewalls and Prisma Access authenticate users and map group membership against the identity provider through SAML and User ID. Both the perimeter policy and the remote access policy are integrated with Newco's identity provider so that authentication, group membership, and policy assignment all resolve against Newco identity from the first login.
Policy assignment by user group is validated so the right people get the right access on Day One, in step with the identity and endpoint separations. The sequence keeps the perimeter, the remote access, and the identity boundary moving together rather than leaving one pointing at seller infrastructure.
Cutover moves traffic from the seller perimeter to the Newco perimeter. At Newco sites, the default route and internet breakout are repointed to Newco firewalls. For remote users, the GlobalProtect agent registers with Newco portals. For cloud delivered security, Newco service connections carry the traffic. The runbook covers the certificate deployment, the policy go live, the route change, and the validation gate, staged by site where the network allows it.
Validation confirms continuity. Internet access is tested against business applications, inbound services behind NAT are tested against each published application, remote access is tested against each gateway, and decryption is confirmed not to break critical sites. Because this is a Day One control, the validation is rehearsed on a pilot site before the broad cutover so that the first day of standalone operation is not the first test.
Stabilization runs thirty to sixty days. Blocked applications, certificate issues, and routing problems are triaged within agreed service-level commitments. Policy is tuned as real Newco traffic patterns emerge, and false positives in threat and URL filtering are resolved against Newco's actual usage rather than the seller's.
Decommissioning is explicit. Once Newco operates on its own perimeter, the seller removes Newco zones, objects, and rules from its Panorama, disables Newco GlobalProtect access, and confirms that Newco traffic no longer traverses the seller's firewalls or appears in the seller's logs.
Palo Alto separation cost is driven by appliance and VM capacity, the security subscriptions Newco buys, the Prisma Access user or bandwidth tier, and the rebuild effort across policy and remote access. The discipline is to right size the estate to Newco's real footprint and to subscribe to the modules Newco needs rather than copying the seller's full bundle. A perimeter sized for the combined organization is a recurring cost the separation should correct, not carry forward.
The common failure mode is treating the firewall as a later exit rather than a Day One control. If Newco sites and users still transit the seller perimeter after close, the seller has visibility into Newco traffic and the ability to cut access. Buyers that stand up the Newco estate and baseline policy before Day One avoid both the exposure and the operational risk of a sudden access loss.
The second failure mode is the decryption certificate and the hardware lead time. A cutover without the Newco forward trust certificate deployed breaks inspected applications, and an appliance order placed late leaves Newco short of capacity at Day One. The fix is to sequence the certificate ahead of cutover and to place hardware orders as soon as the estate decision is settled. A PMO maintains the dependency map across the firewall, the network, endpoint, and identity, escalating blocks inside forty eight hours.
A clean Palo Alto separation produces a Newco that owns its own perimeter, its own policy, and its own traffic visibility, with the optionality to evolve its security architecture on its own timeline. The discipline runs through the TSA exit acceleration program under a Fixed Fee plus Portfolio Retainer engagement model.
Yes. The firewall is the perimeter every other system depends on, so the clean end state is a dedicated Newco estate with its own Panorama, subscriptions, Prisma Access tenant, and GlobalProtect service. A shared seller perimeter keeps Newco traffic under seller policy and seller visibility, which is unacceptable beyond a short bridge.
The firewall controls internet access, inbound services, and remote access for the whole organization. If Newco still transits the seller perimeter on Day One, the seller sees Newco traffic and can cut it. The perimeter and baseline policy must be on Newco infrastructure by Day One even if tuning continues afterward.
Estate provisioning, Panorama policy rebuild, Prisma Access tenant provisioning where cloud security is used, GlobalProtect remote access cutover, and identity integration. Each is rebuilt for Newco rather than copied wholesale from the seller, and the appliance hardware lead time is the long pole.
A baseline perimeter and policy can stand up in weeks for Day One, gated by appliance lead time, but full policy tuning, Prisma Access rollout, and decommissioning usually run two to four months as sites and applications are validated and migrated.
FortiGate and FortiManager split, FortiGuard subscriptions, and the Day One perimeter boundary.
Read the article →Tenant strategy, ZIA and ZPA policy rebuild, and the secure access cutover.
Read the article →The network workstream and how the perimeter fits the Day One plan.
Read the article →The 90-day governance, IT, finance, HR and procurement separation plan we run on live carve-outs. Get the playbook plus the bi-weekly Day One Letter — short, signal-heavy, buyer-side.
No spam. Unsubscribe in one click. · Read the overview first →

Fixed-fee proposal in 48 hours. Senior team on day one. The first conversation is always free.
Seven buyer-side moves to exit a Transition Services Agreement on time and below budget. The mark-up, the extension-fee curve, exit sequencing, and the 11-month calendar.
Exit the seller's security stack first. Every week of shared security is a week of shared blast radius on a business they no longer own.
One tactic, one benchmark, or one pattern from a recent buyer-side engagement. Short. Signal heavy. Free.
Subscribe to The Day One Letter →