How to migrate a firewall
Determine and document the firewall state
All too often, the exact state of a firewall is not well understood. Configurations grow and change over time: rules and networks added for specific purposes are often superseded or simply forgotten. Capture the state of any additional firewall features too (for example NAT, VPN, routing and logging settings), since these have to be recreated alongside the rule base. This record is what you will use to recreate the policy behind the firewall rules.
Negotiate policy changes
But before you simply recreate the same rules and controls, decide whether they are what the customer needs. Firewall policy, in effect the philosophy behind the construction of the rule sets, is not a subject that often comes up for discussion. The replacement of a key firewall is the ideal time to raise it: to consider whether the current policy reflects current best practice and whether it still fits the security needs of the company.
Determine any rule changes
Once the policy is agreed, check the existing firewall rules and functions against it to see what conforms, what is superfluous (including rules that can never be hit because an earlier rule already covers them), and what needs to be added.
Test the new configuration on the old firewall
This is an important step. Firstly, it lets you determine whether the new rules are complete and working while only one thing, the rule set, has changed. Secondly, it makes sure that the rule sets on the firewall being replaced and on the new firewall are as similar as possible, which makes the exchange more seamless during the actual migration. Keep a copy of the old firewall's previous configuration so you can roll back if the revised rule set breaks something.
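The audit and test steps above can be partly mechanised. The following script is an added example and not code from the article: it assumes a constructed, vendor-neutral rule format (one rule per line, "action proto src -> dst port", first match wins, implicit default deny), and the old and new rule sets and the acceptance cases are constructed samples. It finds rules that can never match (redundant, or in conflict with an earlier rule), diffs the old and revised rule sets, and evaluates a table of acceptance cases against a rule set before it is loaded onto any firewall.

```python
"""Rule-base audit for a firewall migration (added example, not from the article).

Rule format (an assumption): "action proto src -> dst port", first match wins.
Real vendor configurations must first be exported and translated into it.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_network

ANY_PORT = (0, 65535)


@dataclass(frozen=True)
class Rule:
    action: str        # "allow" or "deny"
    proto: str         # "tcp", "udp", "icmp" or "any"
    src: IPv4Network
    dst: IPv4Network
    dport: tuple       # inclusive (low, high); ANY_PORT means unrestricted


def parse_port(text):
    """'443' -> (443, 443); '1024-65535' -> (1024, 65535); 'any' -> ANY_PORT."""
    if text == "any":
        return ANY_PORT
    low, _, high = text.partition("-")
    return (int(low), int(high or low))


def parse_rule(line):
    """Parse one rule line, ignoring a trailing '# comment'."""
    fields = line.split("#", 1)[0].split()
    if len(fields) != 6 or fields[3] != "->" or fields[0] not in ("allow", "deny"):
        raise ValueError(f"malformed rule: {line!r}")
    action, proto, src, _, dst, port = fields
    return Rule(action, proto, ip_network(src), ip_network(dst), parse_port(port))


def parse_ruleset(text):
    lines = [l for l in text.splitlines() if l.strip() and not l.lstrip().startswith("#")]
    return [parse_rule(l) for l in lines]


def covers(a, b):
    """True if every packet that rule b matches is also matched by rule a."""
    return (a.proto in ("any", b.proto)
            and a.src.supernet_of(b.src)
            and a.dst.supernet_of(b.dst)
            and a.dport[0] <= b.dport[0] and b.dport[1] <= a.dport[1])


def find_shadowed(rules):
    """Rules that can never be hit because an earlier rule covers them.

    Returns (index, covering_index, kind): 'redundant' when the covering rule
    has the same action (safe to drop), 'conflict' when it has the opposite
    action (someone expected this rule to take effect; decide which is right).
    """
    findings = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                kind = "redundant" if rules[j].action == rule.action else "conflict"
                findings.append((i, j, kind))
                break
    return findings


def diff_rulesets(old, new):
    """(rules only in old, rules only in new); ordering is checked by find_shadowed."""
    old_set, new_set = set(old), set(new)
    return ([r for r in old if r not in new_set], [r for r in new if r not in old_set])


def first_match(rules, proto, src, dst, port):
    """Action taken for one packet: first covering rule, else the assumed default deny."""
    probe = Rule("allow", proto, ip_network(src), ip_network(dst), (port, port))
    for rule in rules:
        if covers(rule, probe):
            return rule.action
    return "deny"


# Constructed sample: the documented state of the old firewall.
OLD_RULES = """\
allow tcp 10.0.0.0/8 -> 192.0.2.10/32 443
allow tcp 10.1.0.0/16 -> 192.0.2.10/32 443   # redundant: rule 0 already allows it
deny any 0.0.0.0/0 -> 192.0.2.0/24 any
allow tcp 10.2.0.0/16 -> 192.0.2.20/32 22    # never hit: the deny above shadows it
allow udp 10.0.0.0/8 -> 198.51.100.53/32 53
"""

# Constructed sample: the revised rule set after the policy review.
NEW_RULES = """\
allow tcp 10.0.0.0/8 -> 192.0.2.10/32 443
allow tcp 10.2.0.0/16 -> 192.0.2.20/32 22
deny any 0.0.0.0/0 -> 192.0.2.0/24 any
allow udp 10.0.0.0/8 -> 198.51.100.53/32 53
"""

# Constructed acceptance cases: (proto, src, dst, port, expected action).
ACCEPTANCE = [
    ("tcp", "10.1.2.3", "192.0.2.10", 443, "allow"),
    ("tcp", "10.2.2.3", "192.0.2.20", 22, "allow"),   # fails on OLD_RULES
    ("tcp", "10.2.2.3", "192.0.2.20", 23, "deny"),
    ("udp", "10.9.9.9", "198.51.100.53", 53, "allow"),
]


def run_acceptance(rules, cases=ACCEPTANCE):
    """Return the cases whose outcome differs from the expected action."""
    return [c for c in cases if first_match(rules, *c[:4]) != c[4]]


if __name__ == "__main__":
    old, new = parse_ruleset(OLD_RULES), parse_ruleset(NEW_RULES)
    print("shadowed in old:", find_shadowed(old))
    removed, added = diff_rulesets(old, new)
    print("removed:", removed, "\nadded:", added)
    print("acceptance failures, old:", run_acceptance(old))
    print("acceptance failures, new:", run_acceptance(new))
```

Run the same acceptance table against the old firewall's configuration first, then against the revised one; a case that passes on the revised rule set but fails on the old one is exactly the kind of change that should be visible and agreed before the cut-over. The implicit default deny and the lack of zone or interface matching are simplifications; extend the Rule model to whatever the target platform actually evaluates.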
Move to the new firewall
Now load the new firewall with the previously tested configuration. Unless both firewalls share a vendor and software version, this usually means entering the rules one at a time by hand, so check each one against the documented rule set as you go. When you bring the new firewall into service you will introduce network issues as the MAC addresses associated with the firewall's IP addresses change: neighbouring hosts, switches and the upstream router keep the old MAC in their ARP caches until the entries time out. Manually flushing the ARP caches on the machines used for connectivity testing (ip neigh flush all on Linux, arp -d * on Windows) lets you test more quickly whether the new firewall is correctly seated in the network. The new firewall also starts with an empty connection-state table, so long-lived sessions established through the old firewall will have to reconnect. Once the firewall is in place, acceptance testing will of course need to be carried out.
In case of emergency, because the old and new firewalls are set up with the same configuration and rule sets, you can quickly revert to the old firewall and pull the new one out of service for checking and reconfiguration. Keep the old firewall racked and cabled until the new one has passed acceptance testing. Having this option available should minimise network downtime if something does not go entirely according to plan.
Add in new services
When you have replaced the old firewall with the new, complete the migration by adding any new services that were requested. Delaying these additions until the new firewall is stable simplifies testing: because the configuration is known to be good before the new services are added, any instability they introduce is easy to isolate and fix.