How to migrate a firewall

How to migrate a firewall: the ITX how-to guide

Determine and document the firewall state
All too often, the exact state of a firewall is not well understood. Configurations grow and change over time – rules and networks added for specific purposes are often superseded or simply forgotten. You need to capture the state of any additional firewall features too. This is what you will use to recreate the policy behind the firewall rules.

Negotiate policy changes
But before you simply recreate the same rules and controls, decide if they’re what the customer needs. Firewall policy – in effect, the philosophy behind the construction of rule sets in the firewall – is not a subject that often comes up for discussion. The replacement of a key firewall is a perfect time to do this: to consider whether the current policy is current best practice and whether it still fits the security needs of the company.

Determine any rule changes
Once you’re agreed on policy, check the existing firewall rules and functions to see what is in conformance, what is superfluous, and what needs to be added.

Test the new configuration on the old firewall
This is an important step. Firstly, it lets you determine whether the new rules are complete and working. Secondly, it makes sure that the rule sets of the firewall to be replaced and of the new firewall are as similar as possible, making the exchange more seamless during the actual migration process.
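The two steps that lean most on the rule sets are documenting the state of the old firewall and checking that the new configuration matches it. The following is an added example, not code from the ITX guide: it assumes both firewalls can export rules in iptables-save syntax (the two dumps are constructed samples), normalises away the noise that legitimately differs between boxes (packet and byte counters, comment-module annotations), produces a canonical snapshot you can keep as the documented state, and reports which rules the new set lacks, which it adds, and which chains have the shared rules in a different order. Order is reported because firewalls use first-match semantics, so the same rules in a different order are a different policy.

```python
"""Snapshot and compare firewall rule sets in iptables-save format.

Added example, not code from the ITX article. It assumes the old and new
firewalls export rules in iptables-save syntax; the two dumps below are
constructed samples standing in for the real exports.
"""
import re
from collections import OrderedDict

# Constructed sample exports: "old" is the firewall being replaced, "new" is
# the candidate configuration. Counters and comment annotations legitimately
# differ between the two boxes and must not be reported as rule differences.
OLD_DUMP = """\
# Generated by iptables-save v1.8.7 on Mon Jan  1 00:00:00 2024
*filter
:INPUT DROP [1234:567890]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [99:8765]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -p tcp --dport 8080 -j ACCEPT -m comment --comment "legacy app, owner unknown"
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/8 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
# Completed on Mon Jan  1 00:00:00 2024
"""

NEW_DUMP = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 443 -j ACCEPT
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth1 -o eth0 -s 10.0.0.0/8 -j ACCEPT
COMMIT
"""

# [pkts:bytes] counters sit at the end of policy lines and, with
# iptables-save -c, at the start of rule lines.
COUNTER_RE = re.compile(r"^\s*\[\d+:\d+\]\s*|\s*\[\d+:\d+\]\s*$")
COMMENT_RE = re.compile(r'\s*-m comment --comment (?:"[^"]*"|\S+)')


def normalise(line: str) -> str:
    """Drop counters, comment annotations and surplus whitespace from one line."""
    line = COUNTER_RE.sub("", line)
    line = COMMENT_RE.sub("", line)
    return " ".join(line.split())


def parse_dump(text: str) -> "OrderedDict[str, dict]":
    """Return {table: {"policies": {chain: policy}, "chains": {chain: [rules]}}}.

    Rule order inside a chain is preserved on purpose (first-match semantics).
    """
    tables: "OrderedDict[str, dict]" = OrderedDict()
    table = None
    for raw in text.splitlines():
        line = normalise(raw)
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            table = line[1:]
            tables[table] = {"policies": OrderedDict(), "chains": OrderedDict()}
        elif line == "COMMIT":
            table = None
        elif line.startswith(":"):
            chain, policy = line[1:].split()[:2]
            tables[table]["policies"][chain] = policy
            tables[table]["chains"].setdefault(chain, [])
        elif line.startswith("-A "):
            chain = line.split()[1]
            tables[table]["chains"].setdefault(chain, []).append(line)
    return tables


def canonical(text: str) -> str:
    """Canonical form of a dump: the documented state, fit for version control."""
    out = []
    for table, data in parse_dump(text).items():
        out.append(f"*{table}")
        out.extend(f":{chain} {policy}" for chain, policy in data["policies"].items())
        for rules in data["chains"].values():
            out.extend(rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def _ordered_union(a, b):
    return list(a) + [x for x in b if x not in a]


def compare_dumps(old_text: str, new_text: str) -> dict:
    """Report missing/extra rules, policy changes and reordered chains, new vs old."""
    old, new = parse_dump(old_text), parse_dump(new_text)
    empty = {"policies": {}, "chains": {}}
    report = {"policy_changes": [], "missing": [], "extra": [], "reordered": []}
    for table in _ordered_union(old, new):
        o, n = old.get(table, empty), new.get(table, empty)
        for chain in _ordered_union(o["policies"], n["policies"]):
            op, np_ = o["policies"].get(chain), n["policies"].get(chain)
            if op != np_:
                report["policy_changes"].append((table, chain, op, np_))
        for chain in _ordered_union(o["chains"], n["chains"]):
            o_rules, n_rules = o["chains"].get(chain, []), n["chains"].get(chain, [])
            report["missing"] += [(table, r) for r in o_rules if r not in n_rules]
            report["extra"] += [(table, r) for r in n_rules if r not in o_rules]
            # Shared rules must keep their relative order; flag any chain where they do not.
            shared_old = [r for r in o_rules if r in n_rules]
            shared_new = [r for r in n_rules if r in o_rules]
            if shared_old != shared_new:
                report["reordered"].append((table, chain))
    return report


if __name__ == "__main__":
    for key, items in compare_dumps(OLD_DUMP, NEW_DUMP).items():
        print(key, *items, sep="\n  ")
```

On the constructed samples the report shows the forgotten port 8080 rule missing from the new set, the new port 443 rule as an addition, and both INPUT and FORWARD as reordered. The reorder check is deliberately conservative: swapping two ACCEPT rules changes nothing, but only a person who knows the policy can say which swaps are harmless, so the tool flags every one and leaves that judgement to the review.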

Move to the new firewall
Now load the new firewall with the previously tested configuration. As previously discussed, you have to do this one rule at a time, by hand. When you bring it into service, expect some connectivity problems: the MAC addresses associated with the firewall's IP addresses change, and neighbouring hosts keep the old entries in their ARP caches until they expire. Manually flushing the ARP caches on the machines used for connectivity testing lets you establish more quickly whether the new firewall is correctly seated in the network. Once the firewall is in place, acceptance testing will of course need to be carried out.

In case of emergency, the fact that you have the old firewall and new firewall set up with the same configuration and rule sets allows you to quickly revert to the old firewall and pull the new one out of service for checking and reconfiguration. Having this option available should minimise network downtime if something doesn’t go entirely according to plan.

Add in new services
When you have replaced the old firewall with the new, complete the migration by adding in any new services that were requested. Delaying the addition of these services until the new firewall is stable with no new functions simplifies testing – since the configuration is known to be good and stable before adding the new services, any introduced instability should be easy to isolate and fix.

