Opportunity Detail

Questions and Answers

SOT/Rhodes Tower/SOCC Firewall Infrastructure Upgrade
Document #:  DBJFS-18-05-003


Question:   Would the state consider a change to the language of Section 2.5?

Answer:   No, the state does not intend to change the language of Section 2.5.

Date: 2/9/2018

Inquiry: 51137


Question:   We utilize subcontractors who work either only for us or primarily for us (75% or more of their work time). Would this meet the definition of full-time regular employees in Section 2.5?

Answer:   No, this would not meet the definition of full-time regular employees in Section 2.5.

Date: 2/9/2018

Inquiry: 51137


Question:   The WAH users (250) and site-to-site VPNs (250) will terminate on the Palo Alto: are those in the SOCC, the SOT, or both? When failing over, what is the failover target technology?

Answer:   Currently all WAH and site-to-site VPNs are terminated on one device (ASA) at the SOT. At the completion of the project the goal is to utilize both the SOCC and the SOT PAN devices to terminate all of these devices with the ability to failover between sites.

Date: 2/9/2018

Inquiry: 51137


Question:   Regarding moving of 250 WAH users, please better describe what is meant by "Far-end consists of diagnosing and augmenting rules on Cisco ASA 5500 platform firewalls".

Answer:   WAH users have a Cisco ASA 5500 series firewall as part of their solution. These firewalls are currently maintained and monitored by JFS. Any changes to the headend (moving from ASA to PAN) will generate a change to the ASA WAH equipment.

Date: 2/9/2018

Inquiry: 51137


Question:   Please describe any role which Palo Alto technology plays in the Hamilton County environment?

Answer:   Palo Altos are not being implemented within the Hamilton County environment.

Date: 2/9/2018

Inquiry: 51137


Question:   Please describe any role which Palo Alto technology plays in the DUO design. Please confirm that DUO is the replacement technology for the 1,600 users of RSA tokens.

Answer:   Users will be using the Palo Alto technology to log into DUO. Duo is the replacement technology for the 1600 RSA token users.

Date: 2/9/2018

Inquiry: 51137


Question:   Please define the functionality requirements of the DUO solution, including any training, supporting rollout to end users, documentation or knowledge transfer for supporting end users after the completion of the conversion from RSA.

Answer:   The functionality requirements for the DUO solution are to replicate the same access that users currently have with the existing RSA solution. The contractor will be responsible for interpreting the existing rules with the ASA firewalls and translating them to the Palo Alto firewalls. They will also be responsible for following the procedure currently being developed. There is documentation that is sent out to the users explaining how to utilize the new system. There may be cases where certain users have questions or need support with their access. The contractor will need to be involved in these interactions. Knowledge transfer and documentation will be required at the completion of this portion of the project as there may be nuances and/or opportunities for improvement that need to be shared.

Date: 2/9/2018

Inquiry: 51137


Question:   Will State provide a copy of the source configuration file so we may inspect use cases and estimate effort for conversion?

Answer:   For obvious reasons the lines of code from the ASAs will only be provided to the awarded vendor.

Date: 2/9/2018

Inquiry: 51137


Question:   Regarding the SOT site: There is mention of converting 3,800 lines of ASA code to PANW and another mention of converting 3,900 lines of code. Is this the same conversion or two different conversions?

Answer:   Two different conversions. One pair of ASAs are used for the traffic flows and the other pair of ASAs are used for VPN connections. They will both be combined into one pair of Palo Alto Firewalls.

Date: 2/9/2018

Inquiry: 51137


Question:   What model is the PANW target?

Answer:   PA-5050

Date: 2/9/2018

Inquiry: 51137


Question:   What model is the ASA with 3,300 lines of code?

Answer:   ASA5550

Date: 2/9/2018

Inquiry: 51137


Question:   Regarding the SOCC site: In one section the RFP talks of replacing an ASA 5520 with an ASA 5516-X. In another section, also for the SOCC, it talks of migrating an ASA to PANW (3,300 lines). For the SOCC ASA whose 3,300 lines of code are to be converted to PANW (3,300 lines), will State provide a copy of the source configuration file so we may inspect use cases and estimate effort for conversion?

Answer:   The ASA 5520 to ASA 5516-X is referring to the SOCC vendor firewall. The other work at the SOCC is the ASA to PANW for the border firewalls. For obvious reasons the 3300 lines of code from the ASA will only be provided to the awarded vendor.

Date: 2/9/2018

Inquiry: 51137


Question:   For the SOCC and SOT sites, please confirm that the traffic migration in SOCC and SOT, with respect to ASA 5550 and ASA 5540, is accomplished within the Cisco space, and that the “other end” Palo Altos are largely unchanged aside from communicating with a different ASA.

Answer:   The Palo Altos and Cisco ASAs are currently in parallel at the SOCC and SOT so there is no need for communication between the two. As traffic is moved from the ASAs to the Palo Altos the routing must be changed to accommodate the move. The devices on both sides of the firewalls are Cisco devices.

Date: 2/9/2018

Inquiry: 51137


Question:   Please define what work on the migration of the Cisco 5550 and 5540 firewalls (SOCC and SOT) to the Palo Alto PA-5050 firewalls has been completed, and what additional work is expected for the Contractor to complete.

Answer:   At both the SOCC and SOT, the traffic with the highest bandwidth requirements has been moved off the 1 Gb Cisco ASAs and onto the 10 Gb Palo Alto solution. What is left are the more specific flows that will require more in-depth coordination between the resource owners and the destination services.

Date: 2/9/2018

Inquiry: 51137


Question:   Please more clearly define the functionality requirements and technical or security objectives for each of the firewalls which are to be put into production. Include add-on subscriptions/modules, such as IPS or others, which are to be included in scope.

Answer:   The only two not in Production yet are the Hamilton County firewall pair and the vendor firewall pair. There are no subscription services associated with these firewalls. Both pairs are upgrades from the existing ASA5500 series firewalls to ASA5500X series firewalls. The Vendor firewall is just a straight replacement while the Hamilton County firewall will have some IP and routing changes associated with the infrastructure upgrade at the site. This one will need to be done on a planned date while the switches at the site are upgraded.

Date: 2/9/2018

Inquiry: 51137


Question:   On page 17 of the Solicitation, the table that identifies the price performance formula states the Cost is equal to 70% of the evaluation and Technical is equal to 30% of the evaluation. However, further down the page in the narrative, it appears that cost is 30% (300 points) and technical is 70% (700 points). Please clarify the correct price performance formula.

Answer:   Cost is 30%, technical 70%. An amendment will be issued to reflect the change.

Date: 2/9/2018

Inquiry: 51129


Question:   In reference to page 17 of the RFP, Price Performance Formula. Please clarify the scoring weight allocated to the Technical Proposal and the Cost Summary. The table on page 17 indicates the Technical Proposal is 30% and the Cost Summary is 70%. Subsequent language on page 17 indicates the Technical Proposal is 70% and Cost Summary is 30%.

Answer:   Cost is 30%, technical 70%. An amendment will be issued to reflect the change.

Date: 2/9/2018

Inquiry: 51112


Question:   Will the integrator be required to make contact with all 250 Site-to-Site VPN termination device administrators, or will ODJFS communicate with them?

Answer:   Integrator will be required to contact the VPN termination device administrators.

Date: 2/8/2018

Inquiry: 51131


Question:   Will the integrator be required to deploy the end clients or end client configurations to the 1600 end users, or only establish the process that clients should use to register on the new remote access VPN?

Answer:   ODJFS is currently in the pilot phase of moving the end clients to the new VPN solution. The integrator will be required to move the rest of the users to the new solution using the process that is currently being developed.

Date: 2/8/2018

Inquiry: 51130


Question:   a) Would ODJFS and OIT be willing to adjust the change management schedule to allow more than one major change per month? b) How many VPN Policies exist today? c) How many network zones (inside, outside, dmz, management, etc.) exist on each firewall being upgraded?

Answer:   A. Yes. B. 54. C. 1 pair has 9, 2 of the pairs have 5 zones while the rest only have 3.

Date: 2/6/2018

Inquiry: 51064


Question:   a) Are there up-to-date detailed network diagrams today that would be modified, or is the integrator required to build net new diagrams? b) For the Hamilton County Firewall, does the new firewall pair have Firepower services enabled? If so, please list the licensing associated with that equipment, to include Firepower Management Center.

Answer:   A. New environment Diagrams are fairly up-to-date with minor changes not documented. Old environments are out of date, but are going away. Integrator will need to provide updated documents when recommending changes and at the end of the endeavor. B. Firepower is not enabled.

Date: 2/6/2018

Inquiry: 51063


Question:   a) Is the integrator required to configure and support DUO and RSA, or is the integrator responsible only to send Multi-Factor Authentication (MFA) requests to the solutions that are managed by another party? b) What type of BGP (internal, external) is being used, and for what purpose is that routing protocol being used? c) Scope of Work section 3.1.11 states “IP changes of existing applications that are accessed by external entities.” What are the IPs that are changing to be updated, and are they related only to VPN changes being made?

Answer:   A. Integrator will be responsible for interpreting the firewall rules associated with each group on the Cisco ASA (RSA), documenting the changes within a request form, submitting user lists to the Access Control unit for group access build with AD, implementing the firewall rules on the Palo Alto firewall (DUO), and coordinating and working with users to assure a successful transition. B. Internal. Used to communicate dynamically with OIT and translate to OSPF. C. Primarily related to VPN users. Applications are constantly moving or being upgraded so there may be a need to augment ASA rules in the Counties while the contractor is on site.

Date: 2/6/2018

Inquiry: 51062


Question:   a) Is the integrator required to provide an enhancement assessment of any rules or Network Address Translation (NAT) policies prior to migration? b) Are any IP address changes required in this process? c) Does ODJFS and/or OIT require or desire a phased approach to reduce issues during this migration, such as, a pilot test phase, etc. or is the desire to be a single migration event?

Answer:   A. Yes the contractor is required to provide an enhanced assessment. B. Yes there will be IP address changes required. C. Phased approach is desired.

Date: 2/6/2018

Inquiry: 51061


Question:   Are any certificates used for the Firewall environment? If so, please elaborate on how many profiles are using those certificates, what type of certificates (public, private, etc.) exist, and who manages them. Also, if so, is SSL Decryption being used and expected to resume use at the completion of this project?

Answer:   SSL encryption and decryption as well as certificates are currently not being used. However, it has not been ruled out in the new environment.

Date: 2/6/2018

Inquiry: 51060


Question:   1) Is the Firewall environment being migrated to at OIT a new environment dedicated to ODJFS or a shared model with other agencies? a) If all new, could ODJFS Provide the listing of the actual hardware and licensing that will be used in the new environment? b) If this is part of a shared hardware infrastructure, how will the integrator work to access the environment and make changes?

Answer:   1. / 1a.) These are primarily dedicated JFS firewalls.
SOT and SOCC – Hardware: Palo Alto PA-5050 failover pair. Software version 7.0.17
VPN/Vendor firewalls – Hardware: Cisco ASA 5516X – Still in the box
Hamilton County Firewalls – Cisco ASA 5515X – Not installed yet
b.) For the RSA to DUO VPN project, the configuration is for JFS staff, but will be placed on the DAS OIT Palo Alto, to which the vendor will be provided access.

Date: 2/6/2018

Inquiry: 51059



Inquiry period ended:  2/9/2018 8:00:00 AM