Skip to content

Zero Trust Architecture Master Implementation Checklist

Abhavtech Enterprise Security Transformation


Document Purpose

This master checklist provides implementation tracking for Zero Trust Architecture based on ABHAVTECH-DOCUMENT-1 and ABHAVTECH-DOCUMENT-1B. All tasks are derived from actual documented requirements.

Target Architecture: - 6 Hub Sites (Mumbai, Chennai, London, Frankfurt, New Jersey, Dallas) - 13 Branch Sites across APAC, EMEA, and Americas - 18 ASA to FTD Firewall replacements - 3,200 users with Duo Beyond authentication - XDR/SecureX threat response platform

Core Components (As Documented): - Cisco XDR & SecureX - Threat intelligence and automated response - ASA to FTD Migration - 18 firewall units with SGT-aware inspection - Duo Beyond - Zero Trust authentication with device trust framework - Cisco Secure Access (SASE/Umbrella) - SIG, DNS security, Cloud Firewall - pxGrid Integration - Real-time identity context sharing


Phase 1A: XDR Platform (Weeks 1-4)

Week 1: SecureX Tenant Setup

  • Provision SecureX tenant (abhavtech-prod.securex.us.security.cisco.com)
  • Configure Duo SSO for SecureX access
  • Define RBAC roles (Administrator, Analyst, Viewer)
  • Create API credentials for automation
  • Onboard 25 users (security team, NOC)
  • Store API credentials in CyberArk

Exit Criteria: - [ ] SecureX tenant provisioned - [ ] Duo SSO authentication successful - [ ] 25 users can log in with assigned roles - [ ] API credentials generated and secured

Week 2: ISE pxGrid Integration

  • Enable pxGrid 2.0 on ISE Primary PAN
  • Register SecureX as pxGrid client
  • Configure ISE ribbon in SecureX
  • Validate session queries (test: query user by IP)
  • Verify port 8910 connectivity

Exit Criteria: - [ ] pxGrid enabled on ISE - [ ] SecureX pxGrid certificate approved - [ ] Test query: "Who is 10.252.1.50?" returns correct user - [ ] Zero connectivity errors in SecureX ISE ribbon

Week 3: FTD Integration

  • Enable FMC API access
  • Create API user for SecureX
  • Configure FTD ribbon in SecureX
  • Validate event ingestion (create test IPS event)
  • Verify IPS events visible in SecureX dashboard

Exit Criteria: - [ ] FMC API enabled, API user created - [ ] SecureX FTD ribbon configured - [ ] Test IPS event appears in SecureX within 5 minutes - [ ] Zero API authentication errors

Week 4: Umbrella + AMP Integration, UEBA Baseline

  • Configure Umbrella API credentials
  • Configure Umbrella ribbon in SecureX (DNS logs, proxy logs)
  • Configure AMP ribbon (if applicable)
  • Enable UEBA baseline collection (14-day minimum)
  • Configure 5 automated response workflows (WF-TR-001 to WF-TR-005):
  • WF-TR-001: Phishing Response
  • WF-TR-002: Malware Containment
  • WF-TR-003: Lateral Movement Detection
  • WF-TR-004: DDoS Mitigation
  • WF-TR-005: Compromised Credentials

Exit Criteria: - [ ] Umbrella ribbon configured, DNS logs ingesting - [ ] UEBA enabled, collecting user behavior data - [ ] 5 workflows deployed and tested - [ ] Zero errors in SecureX event correlation

Phase 1A Overall Exit Criteria: - [ ] SecureX tenant operational with 25 users - [ ] ISE pxGrid integrated (real-time session queries) - [ ] FTD integrated (IPS events flowing) - [ ] Umbrella integrated (DNS logs flowing) - [ ] UEBA baseline collection started (14+ days required) - [ ] 5 automated response workflows operational


Phase 1B: Duo Beyond + FTD Migration (Weeks 5-8)

Week 5: Duo Beyond Deployment + FTD Lab Validation

Duo Beyond Tasks: - [ ] Provision Duo Beyond tenant - [ ] Install Duo Auth Proxy (Mumbai: 2 nodes, London: 2 nodes) - [ ] Configure AD/LDAP integration - [ ] Create 4 user groups: - [ ] Corporate Users (2,800 users) - [ ] Executives (50 users) - [ ] Contractors (200 users) - [ ] IT Admins (150 users) - [ ] Enroll 50 pilot users for device trust - [ ] Configure SAML SSO for test application

FTD Lab Validation: - [ ] Set up FTD lab environment (2 FTD units) - [ ] Test ASA configuration migration (FTD Migration Tool) - [ ] Validate SGT propagation from ISE - [ ] Test SGACL enforcement on FTD - [ ] Document migration runbook

Exit Criteria: - [ ] Duo tenant operational, Auth Proxy deployed - [ ] AD integration functional, 50 pilot users enrolled - [ ] SAML SSO working for test app - [ ] FTD lab validated, migration runbook documented

Week 6: Duo Policy Configuration + FTD Pilot Site

Duo Policy Tasks: - [ ] Configure risk-based authentication policies (4 tiers): - [ ] Tier 1: Trusted devices (corporate managed) - [ ] Tier 2: Managed BYOD - [ ] Tier 3: Unmanaged devices - [ ] Tier 4: Unknown/blocked devices - [ ] Configure Duo SSO integration for: - [ ] VPN (existing) - [ ] M365 - [ ] Salesforce - [ ] ServiceNow - [ ] Enable device trust health checks - [ ] Configure remembered devices (30-day policy)

FTD Pilot Site: - [ ] Deploy FTD pair at Mumbai pilot site - [ ] Configure HA (Active/Standby) - [ ] Migrate ASA rules to FTD - [ ] Enable SGT tagging on FTD interfaces - [ ] Configure SGACLs on FTD - [ ] Test traffic flows

Exit Criteria: - [ ] Duo policies configured for all 4 tiers - [ ] SSO working for 4 applications - [ ] Device trust health checks operational - [ ] FTD pilot site operational, ASA rules migrated

Week 7: Duo Rollout + FTD Hub Site Migration (Phase 1)

Duo Rollout: - [ ] Enroll 500 Corporate Users - [ ] Enroll 50 Executives - [ ] Enroll 100 Contractors - [ ] Enroll 50 IT Admins - [ ] Monitor authentication success rate (target: >98%) - [ ] Address user issues/friction

FTD Migration (Mumbai, Chennai): - [ ] Deploy FTD pairs at Mumbai and Chennai - [ ] Configure HA - [ ] Migrate ASA configurations - [ ] Enable SGT enforcement - [ ] Cutover traffic (off-hours) - [ ] Decommission ASA units - [ ] Validate security policies

Exit Criteria: - [ ] 700 users enrolled in Duo - [ ] Authentication success rate >98% - [ ] Mumbai and Chennai FTD operational - [ ] ASA units decommissioned at 2 sites

Week 8: Duo Full Rollout + FTD Hub Site Migration (Phase 2)

Duo Rollout: - [ ] Enroll remaining 2,300 Corporate Users - [ ] Enroll remaining 100 Contractors - [ ] Enroll remaining 100 IT Admins - [ ] Achieve 100% user coverage (3,200 users) - [ ] Monitor helpdesk tickets, address issues

FTD Migration (London, Frankfurt, New Jersey, Dallas): - [ ] Deploy FTD pairs at 4 remaining hub sites - [ ] Configure HA - [ ] Migrate ASA configurations - [ ] Enable SGT enforcement - [ ] Cutover traffic (sequential per site) - [ ] Decommission ASA units - [ ] Validate security policies

Exit Criteria: - [ ] 3,200 users enrolled in Duo (100% coverage) - [ ] All 6 hub sites migrated to FTD - [ ] 12 ASA units decommissioned (6 hubs × 2)

Phase 1B Overall Exit Criteria: - [ ] Duo Beyond operational: 3,200 users, 4 SSO apps - [ ] Device trust policies enforced (4 tiers) - [ ] FTD deployed at 6 hub sites (12 appliances) - [ ] ASA hub sites decommissioned - [ ] SGT enforcement operational on FTD


Phase 1C: Secure Access (SASE/Umbrella) (Weeks 9-12)

Week 9: Umbrella SIG Deployment

  • Provision Umbrella tenant
  • Configure Duo SSO for Umbrella dashboard
  • Create location-based policies (6 hub sites, 13 branches)
  • Configure DNS security policies
  • Deploy Umbrella Virtual Appliances (if required)
  • Configure AD integration for identity-based policies
  • Test DNS resolution and categorization

Exit Criteria: - [ ] Umbrella tenant provisioned - [ ] 19 location policies configured - [ ] DNS security operational - [ ] AD integration functional

Week 10: Umbrella Policy Configuration

  • Configure URL filtering policies:
  • Corporate Users: Standard filtering
  • Executives: Minimal filtering
  • Contractors: Restrictive filtering
  • Guest: Internet-only
  • Configure cloud firewall policies
  • Enable malware protection (Cisco Talos)
  • Configure application controls
  • Enable SSL decryption (for inspection)
  • Test policy enforcement per user group

Exit Criteria: - [ ] 4 policy tiers configured - [ ] Cloud firewall operational - [ ] Malware protection enabled - [ ] SSL decryption working

Week 11: SD-WAN DIA Integration

  • Configure Umbrella on SD-WAN WAN Edge routers
  • Enable Direct Internet Access (DIA) at branches
  • Configure application-aware routing:
  • SaaS apps (M365, Salesforce) to Umbrella
  • Corporate apps to MPLS
  • Internet browsing to Umbrella
  • Test DIA breakout at 3 pilot branches
  • Monitor bandwidth utilization
  • Validate security policy enforcement

Exit Criteria: - [ ] Umbrella configured on 40 WAN Edge routers - [ ] DIA operational at 3 pilot branches - [ ] Application-aware routing working - [ ] Security policies enforced

Week 12: Umbrella Full Rollout + Roaming Client

  • Roll out DIA to remaining 10 branches
  • Deploy Umbrella Roaming Client to remote workers
  • Configure roaming client policies
  • Enable device posture checks
  • Integrate Umbrella with SecureX (from Week 4)
  • Validate full coverage (campus, branch, remote)
  • Monitor and optimize policies

Exit Criteria: - [ ] DIA operational at all 13 branches - [ ] Roaming client deployed to remote workers - [ ] Full coverage achieved - [ ] Umbrella telemetry flowing to SecureX

Phase 1C Overall Exit Criteria: - [ ] Umbrella SIG operational (campus, branch, remote) - [ ] DNS security active for all users - [ ] Cloud firewall policies enforced - [ ] SD-WAN DIA integrated (13 branches) - [ ] Roaming client deployed - [ ] SecureX integration complete


Phase 1D: Validation & FTD Branch Migration (Weeks 13-16)

Week 13: Branch FTD Migration (First 7 Branches)

  • Deploy FTD at 7 branch sites (standalone or HA based on size)
  • Migrate ASA configurations to FTD
  • Configure SGT enforcement
  • Cutover traffic sequentially
  • Decommission 7 ASA branch units
  • Validate connectivity and policies

Exit Criteria: - [ ] 7 branch sites migrated to FTD - [ ] ASA units decommissioned

Week 14: Branch FTD Migration (Remaining 6 Branches)

  • Deploy FTD at 6 remaining branch sites
  • Migrate ASA configurations to FTD
  • Configure SGT enforcement
  • Cutover traffic sequentially
  • Decommission 6 ASA branch units
  • Validate connectivity and policies

Exit Criteria: - [ ] All 13 branch sites migrated to FTD - [ ] All 18 ASA units decommissioned (total)

Week 15: End-to-End Testing & Validation

XDR Validation: - [ ] Test all 5 automated response workflows - [ ] Validate UEBA detections (14+ day baseline complete) - [ ] Test threat correlation across platforms - [ ] Validate incident response times (<15 minutes)

Duo Validation: - [ ] Verify 100% user coverage (3,200 users) - [ ] Test device trust enforcement (4 tiers) - [ ] Validate SSO for 4 applications - [ ] Test risk-based step-up authentication - [ ] Verify helpdesk ticket volume is manageable

FTD Validation: - [ ] Verify SGT enforcement on all 18 FTD units - [ ] Test SGACLs (permit and deny scenarios) - [ ] Validate IPS signatures - [ ] Test HA failover - [ ] Validate FMC central management

Umbrella Validation: - [ ] Test DNS security (malicious domain blocking) - [ ] Validate cloud firewall policies - [ ] Test DIA at all 13 branches - [ ] Validate roaming client functionality - [ ] Test application-aware routing on SD-WAN

Exit Criteria: - [ ] All component validations passed - [ ] Zero critical issues - [ ] Performance baselines documented

Week 16: Documentation, Training & Handover

Documentation: - [ ] Update network architecture diagrams - [ ] Document all configurations (XDR, Duo, FTD, Umbrella) - [ ] Create operational runbooks - [ ] Document troubleshooting procedures - [ ] Update disaster recovery procedures

Training: - [ ] Train security team on XDR/SecureX operations - [ ] Train NOC on FTD management - [ ] Train helpdesk on Duo support - [ ] Conduct user awareness sessions - [ ] Provide vendor contacts and escalation paths

Handover: - [ ] Transfer operations to NOC/SOC - [ ] Conduct knowledge transfer sessions - [ ] Validate 24/7 monitoring coverage - [ ] Close project activities - [ ] Obtain stakeholder sign-off

Exit Criteria: - [ ] All documentation complete - [ ] All teams trained - [ ] Operations transferred to BAU - [ ] Project sign-off obtained

Phase 1D Overall Exit Criteria: - [ ] All 13 branch sites migrated to FTD - [ ] All 18 ASA units decommissioned (complete) - [ ] End-to-end validation complete - [ ] Documentation and training complete - [ ] Operational handover complete


Phase 1 Overall Exit Criteria (16 Weeks)

XDR Platform

  • SecureX tenant operational with 8 ribbons
  • 5 automated threat response workflows operational
  • UEBA baseline complete (14+ days)
  • Mean time to respond (MTTR) < 15 minutes

Duo Beyond

  • 100% user coverage (3,200 users)
  • 4 device trust tiers operational
  • 4 SSO integrations complete
  • Authentication success rate > 98%

FTD Migration

  • 18 FTD units deployed (6 hubs, 13 branches)
  • All 18 ASA units decommissioned
  • SGT enforcement operational on all FTD
  • HA validated at all hub sites

Secure Access (Umbrella)

  • Umbrella SIG operational (all locations)
  • DNS security active
  • Cloud firewall policies enforced
  • SD-WAN DIA integrated (13 branches)
  • Roaming client deployed

Integration

  • pxGrid integration between ISE and SecureX
  • FMC API integration with SecureX
  • Umbrella API integration with SecureX
  • Duo SSO for all platforms

Compliance

  • PCI-DSS controls implemented
  • SOC2 controls implemented
  • GDPR controls implemented
  • Audit logs centralized in SecureX/SIEM

Appendix: Reference Documents

Document Cross-Reference

Document Content
ABHAVTECH-DOCUMENT-1-ZERO-TRUST-ARCHITECTURE Architecture, implementation phases
ABHAVTECH-DOCUMENT-1B-DETAILED-IMPLEMENTATION-GUIDE Detailed configurations, scenarios
DNAC-ISE-MASTER-CHECKLIST ISE/pxGrid deployment tasks
SDWAN-MASTER-CHECKLIST SD-WAN DIA integration tasks

Detailed Implementation Guides (Document 1B)

  • Section 1: XDR/SecureX Platform Implementation
  • Section 2: FTD Deployment & ASA Migration
  • Section 3: Duo Beyond Implementation
  • Real-World Scenarios (6.1-6.4)
  • Hardware BOM & Procurement (Appendix A)
  • Migration Checklists (Appendix B)
  • Configuration Examples (Appendix C)

Key Appendices from Document 1

  • Appendix A: Duo Policy Templates by User Group
  • Appendix B: XDR Playbook Library (YAML)
  • Appendix C: SASE Policy Matrix
  • Appendix D: Risk Scoring Reference Table
  • Appendix E: Integration API Reference
  • Appendix F: Troubleshooting Guide
  • Appendix G: Compliance Mapping

Sign-Off

Phase 1 Completion Checklist

  • All 4 phases (1A, 1B, 1C, 1D) complete
  • All exit criteria met
  • Zero critical issues outstanding
  • Documentation complete
  • Training delivered
  • Operations team handover complete

Approvals

Role Name Signature Date
CISO
Security Architect
Network Architect
IT Director
Project Manager

Document Version: 1.0
Last Updated: January 2026
Organization: abhavtech.com


End of Checklist