sase.cloud
Playbook

SASE deployment cheat sheet

Five phases from first DNS query to full SD-WAN rollout. Each phase includes key tasks, realistic timelines, watch-outs from real deployments, and clear success criteria. Print it, pin it to your wall, check things off.

Phase 01: DNS-layer security
Timeline: hours to 1 day

Deploy cloud DNS resolution to block malicious and unwanted domains before any connection is established. This is the lowest-friction first step — no TLS decryption, no agent required, no user-visible changes.

Key tasks
- Point recursive DNS to your SASE vendor's DNS resolver (conditional forwarders for split-horizon domains)
- Enable default block lists: malware, phishing, C2, cryptomining, newly registered domains
- Create an allow-list for business-critical domains that might be miscategorized
- Enable DNS query logging to establish a baseline of your traffic patterns
Watch out
- Split-horizon DNS for internal domains — make sure internal .corp or .local zones still resolve internally
- DNS-over-HTTPS (DoH) in browsers can bypass your DNS resolver — consider blocking DoH endpoints or deploying agents
Success criteria: All DNS queries route through SASE, malicious domain blocks are active, zero user-reported breakage.
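The success criterion above ("all DNS queries route through SASE") is only verifiable from flow or firewall logs, and the DoH watch-out is exactly what such a check has to catch. The script below is an added example, not sase.cloud's tooling: it classifies constructed flow-log records as reaching the SASE resolver, an internal split-horizon resolver, an unsanctioned plain-DNS resolver, or a public DoH endpoint over TLS. The log layout, the resolver addresses (documentation IPs) and the internal range are assumptions; the DoH hostnames are real public resolvers but the list is illustrative only.

```python
"""Phase-1 check: do all DNS queries actually reach the SASE resolver?

Added example; not sase.cloud's tooling. The flow-log layout, the resolver
addresses and the internal range below are constructed assumptions.
"""
import ipaddress
from collections import Counter, defaultdict

# Assumed: the SASE vendor's resolver addresses (placeholder documentation IPs).
SASE_RESOLVERS = {"198.51.100.53", "198.51.100.54"}
# Assumed: internal resolvers that may answer split-horizon zones (.corp/.local).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# Public DoH endpoints; real hostnames, but the list is illustrative, not exhaustive.
DOH_HOSTS = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed flow log: src_ip dst_ip proto dst_port sni ("-" when no TLS SNI seen).
SAMPLE_FLOWS = """\
10.1.2.3 198.51.100.53 udp 53 -
10.1.2.3 10.0.0.10 udp 53 -
10.1.2.4 192.0.2.53 udp 53 -
10.1.2.4 192.0.2.53 tcp 53 -
10.1.2.5 203.0.113.9 tcp 443 cloudflare-dns.com
10.1.2.6 203.0.113.7 tcp 443 www.example.com
"""


def classify_flow(dst_ip, proto, dst_port, sni):
    """Label one flow: sase / internal / direct_dns_bypass / doh_bypass / other."""
    if dst_port == 53:
        if dst_ip in SASE_RESOLVERS:
            return "sase"
        if any(ipaddress.ip_address(dst_ip) in net for net in INTERNAL_NETS):
            return "internal"
        return "direct_dns_bypass"      # plain DNS to an unsanctioned resolver
    if proto == "tcp" and dst_port == 443 and sni.lower() in DOH_HOSTS:
        return "doh_bypass"             # browser or OS DoH sidestepping the resolver
    return "other"


def audit_dns_flows(log_text):
    """Count flow classes and list the sources that bypass the SASE resolver."""
    counts = Counter()
    bypass_sources = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, proto, port, sni = line.split()
        label = classify_flow(dst, proto, int(port), sni)
        counts[label] += 1
        if label.endswith("_bypass"):
            bypass_sources[src].add(label)
    return {"counts": counts, "bypass_sources": dict(bypass_sources)}


def meets_success_criterion(report):
    """Phase-1 success: no direct-DNS or DoH bypass observed in the window."""
    return not report["bypass_sources"]


if __name__ == "__main__":
    report = audit_dns_flows(SAMPLE_FLOWS)
    print(dict(report["counts"]))
    for src, reasons in sorted(report["bypass_sources"].items()):
        print(f"{src}: {', '.join(sorted(reasons))}")
    print("success criterion met:", meets_success_criterion(report))
```

Run it against an export covering the baseline period from task 4; the `bypass_sources` map is the list of hosts that still need a forwarder fix, a DoH block, or an agent before the phase can be declared done.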
Phase 02: SWG web inspection
Timeline: 1 – 3 weeks

Deploy the Secure Web Gateway with TLS decryption to inspect web traffic inline. This gives you URL filtering, malware scanning, and visibility into encrypted traffic.

Key tasks
- Deploy endpoint agents (or PAC files for agentless) to route web traffic through the SWG proxy
- Roll out TLS decryption with a custom root CA — push via MDM/GPO to managed devices
- Start in monitor-only mode for 1–2 weeks to identify false positives before enforcing blocks
- Build a TLS bypass list: certificate-pinned apps, healthcare/finance portals, personal banking
- Enable URL filtering policies: block high-risk categories, warn on uncategorized
- Enable inline malware scanning and file type controls (block executables from unknown sources)
Watch out
- TLS decryption breaks certificate-pinned applications — build your bypass list before enforcement
- Expect 5–10% of sites to need bypass rules; track user-reported issues in a shared channel
- macOS and Linux require explicit root CA trust store configuration — test across all OS variants
Success criteria: 80%+ of web traffic inspected, TLS decryption active without major breakage, URL filtering enforced.
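The monitor-only period only pays off if someone actually mines the logs for the two things that will hurt at enforcement time: hosts that fail the TLS handshake under decryption (the certificate-pinning cases that belong on the bypass list) and would-be blocks that hit many distinct users (the false-positive candidates). This is an added example, not sase.cloud's or any vendor's tooling; the proxy-log layout, the `allow` / `would_block` / `tls_error` verdict vocabulary and the records are all constructed assumptions.

```python
"""Phase-2 monitor-mode triage: what would break when enforcement turns on?

Added example, not sase.cloud's code. The proxy-log layout and the verdict
vocabulary (allow / would_block / tls_error) are hypothetical; records are constructed.
"""
from collections import defaultdict

# Constructed monitor-mode proxy log: user host category verdict
SAMPLE_PROXY_LOG = """\
alice app.pinned-example.com software tls_error
bob app.pinned-example.com software tls_error
alice portal.health-example.org health allow
carol news.example.net news would_block
dave news.example.net news would_block
erin news.example.net news would_block
alice mining.example.org cryptomining would_block
bob cdn.example.com content allow
"""


def parse_proxy_log(text):
    rows = []
    for line in text.splitlines():
        if line.strip():
            user, host, category, verdict = line.split()
            rows.append({"user": user, "host": host, "category": category, "verdict": verdict})
    return rows


def tls_bypass_candidates(rows):
    """Hosts whose TLS handshake failed under decryption, with distinct-user count.
    Repeated failures across users are the signature of certificate pinning."""
    users = defaultdict(set)
    for r in rows:
        if r["verdict"] == "tls_error":
            users[r["host"]].add(r["user"])
    return {host: len(u) for host, u in users.items()}


def false_positive_review(rows, min_users=2):
    """Would-be blocks reaching at least min_users distinct users, most-hit first.
    A single-user hit on a cryptomining domain is not a false-positive candidate."""
    users = defaultdict(set)
    category = {}
    for r in rows:
        if r["verdict"] == "would_block":
            users[r["host"]].add(r["user"])
            category[r["host"]] = r["category"]
    ranked = sorted(users.items(), key=lambda kv: (-len(kv[1]), kv[0]))
    return [(host, category[host], len(u)) for host, u in ranked if len(u) >= min_users]


def inspected_ratio(rows):
    """Share of flows that were decrypted and inspected (phase-2 target: 80%+).
    Assumption: every non-tls_error flow in the log was inspected."""
    total = len(rows)
    inspected = sum(1 for r in rows if r["verdict"] != "tls_error")
    return inspected / total if total else 0.0


if __name__ == "__main__":
    rows = parse_proxy_log(SAMPLE_PROXY_LOG)
    print("bypass candidates:", tls_bypass_candidates(rows))
    print("review before enforcing:", false_positive_review(rows))
    print(f"inspected: {inspected_ratio(rows):.0%}")
```

The `min_users` threshold is the knob that keeps the review queue short: raise it on large estates so that only broadly used sites get a human look, and let the long tail of single-user hits stay blocked.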
Phase 03: VPN to ZTNA migration
Timeline: 1 – 3 months

Replace VPN concentrators with Zero Trust Network Access. Start with low-risk internal web apps to build user confidence, then onboard critical applications.

Key tasks
- Inventory all internal applications currently accessed via VPN — categorize by risk and user count
- Deploy ZTNA connectors in your data center and cloud VPCs (outbound-only, no inbound ports)
- Pilot with 3–5 internal web apps and a friendly user group of 50–100 users
- Define posture policies per application tier: strict for admin/production, permissive for general apps
- Run VPN and ZTNA in parallel for 4–8 weeks — track VPN usage weekly and migrate app-by-app
- Decommission VPN access for each application as ZTNA adoption reaches 90%+
Watch out
- Legacy thick-client apps may need VPN fallback — catalog these exceptions explicitly
- UDP-based applications (VoIP, some ERP clients) may not work with all ZTNA implementations
- Contractor and BYOD users need clientless browser-based ZTNA — test this flow separately
Success criteria: 80%+ of internal app access via ZTNA, VPN reserved only for documented legacy exceptions.
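"Posture policies per application tier" is the part of this phase that most teams under-specify, so here is what such a policy looks like when written down as a decision function. This is an added example, not sase.cloud's or any ZTNA vendor's policy engine: the tier names, the posture attributes, the thresholds and the application-to-tier inventory are constructed assumptions. It also models the BYOD watch-out by treating the clientless browser flow as a posture attribute that only the permissive tier accepts, and denies any application missing from the inventory.

```python
"""Phase-3 ZTNA posture policy per application tier.

Added example, not sase.cloud's or any vendor's engine. Tier names, attribute
names, thresholds and the app inventory are constructed assumptions.
"""
from dataclasses import dataclass


@dataclass
class Posture:
    managed: bool          # enrolled in MDM
    disk_encrypted: bool
    edr_running: bool
    patch_age_days: int    # days since the last OS patch was applied
    mfa: bool              # MFA satisfied in this session
    client: str            # "agent" or "browser" (clientless ZTNA)


# Assumed tier policies: strict for admin/production, permissive for general apps.
# Only the permissive tier accepts clientless browser access (contractors, BYOD).
TIER_POLICY = {
    "strict": {"managed": True, "disk_encrypted": True, "edr_running": True,
               "mfa": True, "max_patch_age_days": 14, "clients": {"agent"}},
    "permissive": {"mfa": True, "max_patch_age_days": 90, "clients": {"agent", "browser"}},
}

# Assumed application inventory (phase-3 task 1) mapped to tiers.
APP_TIERS = {"prod-admin-console": "strict", "wiki": "permissive", "hr-portal": "permissive"}

# Constructed device profiles.
CORP_LAPTOP = Posture(managed=True, disk_encrypted=True, edr_running=True,
                      patch_age_days=3, mfa=True, client="agent")
CONTRACTOR_BYOD = Posture(managed=False, disk_encrypted=False, edr_running=False,
                          patch_age_days=30, mfa=True, client="browser")


def evaluate_access(app, posture):
    """Return ("allow" | "deny", [reasons]). Applications not in the inventory are denied."""
    tier = APP_TIERS.get(app)
    if tier is None:
        return "deny", ["application not in inventory: default deny"]
    rules = TIER_POLICY[tier]
    failures = []
    for attr in ("managed", "disk_encrypted", "edr_running", "mfa"):
        if rules.get(attr) and not getattr(posture, attr):
            failures.append(f"{attr} required for {tier} tier")
    if posture.patch_age_days > rules["max_patch_age_days"]:
        failures.append(f"patch age {posture.patch_age_days}d exceeds "
                        f"{rules['max_patch_age_days']}d for {tier} tier")
    if posture.client not in rules["clients"]:
        failures.append(f"{posture.client} access not permitted for {tier} tier")
    return ("allow" if not failures else "deny"), failures


if __name__ == "__main__":
    for app in ("prod-admin-console", "wiki", "legacy-erp"):
        for name, device in (("corp laptop", CORP_LAPTOP), ("contractor BYOD", CONTRACTOR_BYOD)):
            decision, reasons = evaluate_access(app, device)
            print(f"{app:20} {name:16} {decision:5} {'; '.join(reasons)}")
```

Keeping the policy as data (`TIER_POLICY`, `APP_TIERS`) rather than branching code is what lets the pilot group's 3–5 apps and the later production apps share one evaluator while their posture requirements differ.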
Phase 04: CASB + DLP
Timeline: 2 – 4 months

Enable Cloud Access Security Broker for SaaS visibility and control, plus Data Loss Prevention to classify and protect sensitive data in motion.

Key tasks
- Run shadow IT discovery for 2–4 weeks to identify all SaaS applications in use
- Categorize discovered SaaS into sanctioned, tolerated, and unsanctioned tiers
- Enable CASB inline controls: block uploads to unsanctioned cloud storage, enforce DRM on downloads
- Connect API-based CASB to your sanctioned SaaS (Microsoft 365, Google Workspace, Salesforce)
- Define DLP policies starting with high-confidence patterns: credit card numbers, SSNs, API keys
- Start DLP in alert-only mode, review incidents for 2–3 weeks, then switch to block mode
Watch out
- DLP false positives erode user trust fast — start narrow with high-confidence patterns only
- API-based CASB requires OAuth app permissions in each SaaS tenant — get admin consent early
- Shadow IT discovery will surface 200–500+ SaaS apps — focus enforcement on the top 20 by usage
Success criteria: Shadow IT visibility complete, DLP blocking active for top-3 data patterns, CASB controls on sanctioned SaaS.
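"High-confidence" is what separates a DLP rollout that survives from one that gets switched off after a week of false positives, and the difference is validation, not regex alone. The added example below (not sase.cloud's or any CASB vendor's engine) implements the three starter patterns from the task list the way a practitioner would tune them: card numbers are only reported when the Luhn checksum passes, SSNs only when they satisfy the SSA structural rules (no 000/666/9xx area, no 00 group, no 0000 serial), and AWS access key IDs by their fixed `AKIA` prefix and length. It then models the alert-only to block-mode transition as a separate decision step. The sample text is constructed; the card number and key are published test/documentation values, not real credentials.

```python
"""Phase-4 DLP: high-confidence detectors plus alert-only vs block mode.

Added example, not sase.cloud's or any CASB vendor's engine. Sample text is
constructed; the card number and AWS key are published test/documentation values.
"""
import re


def luhn_valid(digits):
    """Luhn checksum: doubles every second digit from the right, sums, checks mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def ssn_structurally_valid(ssn):
    """SSA structure rules: area not 000/666/900-999, group not 00, serial not 0000."""
    area, group, serial = ssn.split("-")
    if area in ("000", "666") or area.startswith("9"):
        return False
    return group != "00" and serial != "0000"


CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")     # 13-16 digits, optional separators
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")       # AWS access key ID format

# Constructed sample: one valid and one invalid instance of each pattern.
SAMPLE_TEXT = """\
Card on file: 4111 1111 1111 1111 (test number), mistyped copy 4111111111111112.
Employee SSN 123-45-6789; invalid examples 000-12-3456 and 987-65-4321.
Config leak: aws_access_key_id = AKIAIOSFODNN7EXAMPLE
"""


def scan(text):
    """Return [(pattern_name, masked_value)] for validated matches only."""
    findings = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            findings.append(("credit_card", "*" * (len(digits) - 4) + digits[-4:]))
    for m in SSN_RE.finditer(text):
        if ssn_structurally_valid(m.group()):
            findings.append(("ssn", "***-**-" + m.group()[-4:]))
    for m in AWS_KEY_RE.finditer(text):
        findings.append(("aws_access_key_id", m.group()[:4] + "..." + m.group()[-4:]))
    return findings


def decide(findings, mode):
    """mode 'alert' logs an incident for review; mode 'block' stops the transfer."""
    if not findings:
        return "allow"
    if mode == "alert":
        return "alert"
    if mode == "block":
        return "block"
    raise ValueError(f"unknown DLP mode: {mode}")


if __name__ == "__main__":
    found = scan(SAMPLE_TEXT)
    for kind, masked in found:
        print(f"{kind:18} {masked}")
    print("alert-only mode:", decide(found, "alert"))
    print("block mode:     ", decide(found, "block"))
```

Only masked values leave the scanner: a DLP incident record that contains the full card number is itself a data-handling problem, which matters once incident review is shared with a wider team during the 2–3 week alert-only period.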
Phase 05: SD-WAN rollout
Timeline: 3 – 6 months

Deploy SD-WAN at branch locations to replace or augment MPLS with application-aware routing, automated failover, and direct internet breakout for SaaS traffic.

Key tasks
- Audit current MPLS contracts — identify renewal dates, bandwidth costs, and SLA terms
- Deploy SD-WAN edge appliances at pilot branches (start with 3–5 sites, include one remote location)
- Configure application-aware routing: direct-to-internet for SaaS (Microsoft 365, Salesforce), backhaul for internal
- Set per-application SLA thresholds for latency, jitter, and packet loss with automatic failover
- Establish dual-transport at each site: broadband + LTE/5G backup (or MPLS + broadband hybrid)
- Monitor for 30 days, then begin MPLS reduction at sites where broadband SLA meets requirements
Watch out
- Do not decommission MPLS until SD-WAN has proven 30+ days of stable operation at each site
- Real-time applications (voice, video) need QoS policies with packet duplication or FEC enabled
- Zero-touch provisioning depends on reliable internet at branch — ship pre-staged for sites with poor connectivity
Success criteria: SD-WAN active at pilot branches, application SLAs met, MPLS reduction plan in progress.
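Application-aware routing with SLA-driven failover reduces to a small, testable decision: for each application class, walk the preferred transports in order and take the first one whose measured latency, jitter and loss are all within threshold; if none qualifies, take the least-bad one and flag the path as degraded so that the 30-day MPLS-reduction decision sees it. The block below is an added example, not sase.cloud's or any SD-WAN vendor's logic; the thresholds, transport names, preference orders and measured samples are constructed assumptions.

```python
"""Phase-5 SD-WAN: per-application SLA thresholds, path selection and failover.

Added example, not sase.cloud's or any SD-WAN vendor's logic. Thresholds, path
names, preference orders and the measured samples are constructed assumptions.
"""

# Assumed SLA thresholds per application class (latency ms, jitter ms, loss %).
SLA = {
    "voice":    {"latency_ms": 150, "jitter_ms": 30, "loss_pct": 1.0},
    "saas":     {"latency_ms": 250, "jitter_ms": 50, "loss_pct": 2.0},
    "internal": {"latency_ms": 300, "jitter_ms": 80, "loss_pct": 3.0},
}

# Assumed steering preference: SaaS breaks out directly over broadband,
# internal traffic backhauls over MPLS first, voice prefers the most stable link.
PREFERENCE = {
    "voice":    ["mpls", "broadband", "lte"],
    "saas":     ["broadband", "lte", "mpls"],
    "internal": ["mpls", "broadband", "lte"],
}

# Constructed probe results for one branch with three transports.
SAMPLE_PATHS = {
    "mpls":      {"latency_ms": 40,  "jitter_ms": 5,  "loss_pct": 0.1},
    "broadband": {"latency_ms": 120, "jitter_ms": 40, "loss_pct": 0.2},
    "lte":       {"latency_ms": 90,  "jitter_ms": 20, "loss_pct": 0.5},
}


def meets_sla(app_class, metrics):
    sla = SLA[app_class]
    return all(metrics[k] <= sla[k] for k in sla)


def sla_score(app_class, metrics):
    """Summed relative overshoot of each threshold; 0.0 means fully within SLA."""
    sla = SLA[app_class]
    return sum(max(0.0, metrics[k] / sla[k] - 1.0) for k in sla)


def select_path(app_class, paths):
    """paths: {transport: metrics}. Returns (transport, "ok" | "degraded").
    First preferred transport meeting the SLA wins; otherwise the least-violating
    one is used and flagged so monitoring records the SLA miss."""
    available = [p for p in PREFERENCE[app_class] if p in paths]
    if not available:
        raise ValueError(f"no transport available for {app_class}")
    for p in available:
        if meets_sla(app_class, paths[p]):
            return p, "ok"
    best = min(available, key=lambda p: sla_score(app_class, paths[p]))
    return best, "degraded"


def mpls_reduction_ready(daily_broadband_ok, required_days=30):
    """Watch-out rule: cut MPLS only after 30+ consecutive days of broadband within SLA."""
    if len(daily_broadband_ok) < required_days:
        return False
    return all(daily_broadband_ok[-required_days:])


if __name__ == "__main__":
    for app in SLA:
        print(app, select_path(app, SAMPLE_PATHS))
    without_mpls = {k: v for k, v in SAMPLE_PATHS.items() if k != "mpls"}
    print("voice during MPLS outage:", select_path("voice", without_mpls))
```

The scoring function matters most in the failover case: when every transport misses SLA, relative overshoot picks the link that is least out of bounds rather than whichever happens to be first in the list, which is the behaviour you want for voice during a dual-transport incident.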