How to migrate a firewall

How to migrate a firewall: the ITX how-to guide

Determine and document the firewall state
All too often, the exact state of a firewall is not well understood. Configurations grow and change over time – rules and networks added for specific purposes are often superseded or simply forgotten. You need to capture the state of any additional firewall features too, not just the rule base. This record is what you will use to recreate the policy behind the firewall rules.

Negotiate policy changes
But before you simply recreate the same rules and controls, decide if they’re what the customer needs. Firewall policy – in effect, the philosophy behind the construction of rule sets in the firewall – is not a subject that often comes up for discussion. The replacement of a key firewall is a perfect time to do this: to consider whether the current policy is current best practice and whether it still fits the security needs of the company.

Determine any rule changes
Once you have agreed on policy, check the existing firewall rules and functions to see what conforms to it, what is superfluous, and what needs to be added.

Test the new configuration on the old firewall
This is an important step. Firstly, it lets you determine whether the new rules are complete and working. Secondly, it makes sure that the rule sets of the firewall to be replaced and of the new firewall are as similar as possible, which makes the exchange more seamless during the actual migration process.
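The two checks described above (finding superfluous rules, and confirming that the old and new rule sets really match before cut-over) can be scripted. The following is an added example, not code from the ITX guide: it assumes a constructed, vendor-neutral rule format of `action proto src dst dport`, flags rules that an earlier rule fully shadows, and lists rules present in only one of the two sets.

```python
# Added example: compare a legacy rule set with the candidate rule set for the
# replacement firewall. Rule format (assumed, vendor-neutral): one rule per
# line, "action proto src_cidr dst_cidr dport", first match wins.
import ipaddress
from typing import List, NamedTuple, Tuple

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    src: str      # source CIDR
    dst: str      # destination CIDR
    dport: str    # destination port number or "any"

def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; blank lines and '#' comments are ignored."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            action, proto, src, dst, dport = line.split()
            rules.append(Rule(action.lower(), proto.lower(), src, dst, dport))
    return rules

def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return ((outer.proto == "any" or outer.proto == inner.proto)
            and (outer.dport == "any" or outer.dport == inner.dport)
            and ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst)))

def shadowed(rules: List[Rule]) -> List[Tuple[int, int]]:
    """(index, index of first earlier rule that fully covers it). A shadowed
    rule can never match, so it is superfluous whatever its action says."""
    out = []
    for i, rule in enumerate(rules):
        for j in range(i):
            if covers(rules[j], rule):
                out.append((i, j))
                break
    return out

def diff_rulesets(old: List[Rule], new: List[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Rules found only in the old set and only in the new set (order ignored).
    Both lists should be empty if the new firewall mirrors the tested policy."""
    return [r for r in old if r not in new], [r for r in new if r not in old]

# Constructed sample rule sets (RFC 5737 / RFC 1918 addresses, not real networks).
OLD_RULES = """allow tcp 10.0.0.0/8 192.0.2.10/32 443
allow tcp 10.1.0.0/16 192.0.2.10/32 443   # shadowed by the rule above
deny  any 10.0.0.0/8 192.0.2.0/24 any
allow udp 10.0.0.0/8 192.0.2.53/32 53     # never reached: denied above
"""
NEW_RULES = """allow tcp 10.0.0.0/8 192.0.2.10/32 443
allow udp 10.0.0.0/8 192.0.2.53/32 53
deny  any 10.0.0.0/8 192.0.2.0/24 any
"""

if __name__ == "__main__":
    old, new = parse_rules(OLD_RULES), parse_rules(NEW_RULES)
    print("shadowed in old:", shadowed(old))          # [(1, 0), (3, 2)]
    print("shadowed in new:", shadowed(new))          # []
    print("only in old / only in new:", diff_rulesets(old, new))
```

Run the same comparison again on the configuration exported from the replacement firewall after loading it by hand; any entry in the diff output is a transcription error to fix before cut-over.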

Move to the new firewall
Now load the new firewall with the previously tested configuration. As previously discussed, you have to do this one rule at a time, by hand. When you bring it into service you will introduce network issues, because the MAC addresses associated with the firewall's IP addresses change while neighbouring devices still hold the old addresses in their ARP caches until those entries expire. Manually flushing the ARP caches on the machines used for connectivity testing lets you confirm more quickly whether the new firewall is correctly seated in the network. Once the firewall is in place, acceptance testing will of course need to be carried out.

If something goes wrong, the fact that the old and new firewalls are set up with the same configuration and rule sets allows you to revert quickly to the old firewall and pull the new one out of service for checking and reconfiguration. Having this option available should minimise network downtime if something doesn't go entirely according to plan.

Add in new services
When you have replaced the old firewall with the new one, complete the migration by adding any new services that were requested. Delaying these services until the new firewall is stable simplifies testing: since the configuration is known to be good and stable before the new services are added, any instability they introduce should be easy to isolate and fix.
