How to migrate a firewall

How to migrate a firewall: the ITX how-to guide

Determine and document the firewall state
All too often, the exact state of a firewall is not well understood. Configurations grow and change over time – rules and networks added for specific purposes are often superseded or simply forgotten. You need to capture the state of any additional firewall features too. This is what you will use to recreate the policy behind the firewall rules.

Negotiate policy changes
But before you simply recreate the same rules and controls, decide if they’re what the customer needs. Firewall policy – in effect, the philosophy behind the construction of rule sets in the firewall – is not a subject that often comes up for discussion. The replacement of a key firewall is a perfect time to do this: to consider whether the current policy is current best practice and whether it still fits the security needs of the company.

Determine any rule changes
Once you have agreed on the policy, check the existing firewall rules and functions against it to see what conforms, what is superfluous, and what needs to be added.

Test the new configuration on the old firewall

This is an important step. Firstly, it lets you determine whether the new rules are complete and working. Secondly, it ensures that the rule sets on the firewall being replaced and on the new firewall are as similar as possible, which makes the exchange more seamless during the actual migration.
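The three preceding steps (document the current state, find what is superfluous, and confirm the old and new rule sets match) can be supported with a small script. The one below is an added example and is not code from the article; the article names no firewall product, so it assumes rules in the Linux iptables-save text format, and the two dumps OLD_DUMP and NEW_DUMP are constructed samples. It inventories chains and networks, flags rules that are exact duplicates or are shadowed by an earlier terminal rule (so they can never fire), and reports which rules differ between the old configuration and the proposed new one.

```python
"""Inventory, prune and compare firewall rule sets in iptables-save format.

Added example, not the article's own code. Assumes iptables-save style
'-A CHAIN ...' lines; the sample dumps below are constructed.
"""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Tuple

TERMINAL = {"ACCEPT", "DROP", "REJECT"}  # targets that end evaluation of a packet


@dataclass(frozen=True)
class Rule:
    chain: str
    proto: str   # "any" when not specified
    src: str     # CIDR text, "0.0.0.0/0" when not specified
    dst: str
    dport: str   # "" when not specified
    target: str

    def key(self) -> Tuple[str, ...]:
        return (self.chain, self.proto, self.src, self.dst, self.dport, self.target)


def _norm_net(value: str) -> str:
    # Normalise "10.0.0.5" and "10.0.0.0/24" to canonical CIDR text.
    return str(ipaddress.ip_network(value, strict=False))


def parse_rules(dump: str) -> List[Rule]:
    """Parse '-A CHAIN ...' lines; table headers, counters and comments are ignored."""
    rules = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("-A "):
            continue
        tokens = shlex.split(line)
        chain = tokens[1]
        opts = {"proto": "any", "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "dport": "", "target": ""}
        i = 2
        while i < len(tokens):
            tok = tokens[i]
            val = tokens[i + 1] if i + 1 < len(tokens) else ""
            if tok == "-p":
                opts["proto"] = val.lower()
            elif tok == "-s":
                opts["src"] = _norm_net(val)
            elif tok == "-d":
                opts["dst"] = _norm_net(val)
            elif tok == "--dport":
                opts["dport"] = val
            elif tok == "-j":
                opts["target"] = val
            elif tok == "-m":
                pass  # match-extension name; its own options follow as separate tokens
            else:
                i += 1  # interface names, comments, negation etc. are skipped one token at a time
                continue
            i += 2
        rules.append(Rule(chain, **opts))
    return rules


def _covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet matched by `later` is already matched by `earlier`."""
    if earlier.chain != later.chain or earlier.proto not in ("any", later.proto):
        return False
    if earlier.dport and earlier.dport != later.dport:
        return False
    return (ipaddress.ip_network(later.src).subnet_of(ipaddress.ip_network(earlier.src))
            and ipaddress.ip_network(later.dst).subnet_of(ipaddress.ip_network(earlier.dst)))


def find_superfluous(rules: List[Rule]) -> List[Tuple[str, Rule, Rule]]:
    """(reason, earlier_rule, redundant_rule) for duplicates and shadowed rules."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.key() == later.key():
                findings.append(("duplicate", earlier, later))
                break
            if earlier.target in TERMINAL and _covers(earlier, later):
                findings.append(("shadowed", earlier, later))
                break
    return findings


def compare(old: List[Rule], new: List[Rule]) -> Dict[str, List[Rule]]:
    """Rules present in only one of the two sets, ignoring order and counters."""
    old_keys = {r.key(): r for r in old}
    new_keys = {r.key(): r for r in new}
    return {"only_in_old": [old_keys[k] for k in sorted(old_keys.keys() - new_keys.keys())],
            "only_in_new": [new_keys[k] for k in sorted(new_keys.keys() - old_keys.keys())]}


def audit(old_dump: str, new_dump: str) -> Dict:
    old, new = parse_rules(old_dump), parse_rules(new_dump)
    networks = ({r.src for r in old} | {r.dst for r in old}) - {"0.0.0.0/0"}
    return {"old_rule_count": len(old), "networks": sorted(networks),
            "superfluous": find_superfluous(old), "diff": compare(old, new)}


# Constructed sample: the old firewall with a shadowed rule, a duplicate and a stale vendor rule.
OLD_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.2.0/24 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 192.168.20.0/24 -p udp -m udp --dport 514 -j ACCEPT
-A FORWARD -s 10.9.9.0/24 -p tcp -m tcp --dport 22 -m comment --comment "old vendor access" -j ACCEPT
COMMIT
"""
# Constructed sample: the agreed new policy, pruned and with one agreed change (port 80).
NEW_DUMP = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.5/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.0/16 -d 192.168.10.5/32 -p tcp -m tcp --dport 80 -j ACCEPT
-A FORWARD -s 172.16.0.0/12 -d 192.168.20.0/24 -p udp -m udp --dport 514 -j ACCEPT
COMMIT
"""

if __name__ == "__main__":
    result = audit(OLD_DUMP, NEW_DUMP)
    print(f"{result['old_rule_count']} rules; networks referenced: {', '.join(result['networks'])}")
    for reason, earlier, later in result["superfluous"]:
        print(f"{reason}: {later} (already decided by {earlier})")
    for side, rules in result["diff"].items():
        for rule in rules:
            print(f"{side}: {rule}")
```

The shadowing check is deliberately conservative: it only considers protocol, destination port and source/destination networks, so rules using interface, state or other match extensions should still be reviewed by hand rather than deleted on the script's word alone.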

Move to the new firewall
Now load the new firewall with the previously tested configuration. As previously discussed, you have to do this one rule at a time, by hand. When you bring it into service you will see network issues, because the MAC addresses associated with the firewall's IP addresses change and neighbouring hosts keep the old addresses in their ARP caches until the entries expire. Manually flushing the ARP caches on the machines used for connectivity testing lets you check more quickly whether the new firewall is correctly seated in the network. Once the firewall is in place, acceptance testing will of course need to be carried out.

In case of emergency, the fact that you have the old firewall and new firewall set up with the same configuration and rule sets allows you to quickly revert to the old firewall and pull the new one out of service for checking and reconfiguration. Having this option available should minimise network downtime if something doesn’t go entirely according to plan.
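The acceptance testing mentioned above is easiest to repeat (and to repeat again after a revert) when the expected outcomes are written down as a matrix. The script below is an added example, not code from the article: it holds a constructed allow/deny matrix with placeholder addresses, probes each entry with a TCP connection attempt, and reports every mismatch. The probe function is injectable so the matrix can be dry-run without network access. Run it from the test machines after flushing their ARP caches (on Linux, `ip neigh flush all`); note that a probe proves the path end to end, so an "allow" row needs a listening service on the target or it will report as denied.

```python
"""Acceptance-test a migrated firewall against an expected allow/deny matrix.

Added example, not the article's own code. Hosts, ports and expectations
below are constructed placeholders (TEST-NET addresses); replace them with
the controls agreed during the policy step.
"""
import socket
from typing import Callable, Dict, List

# One row per control worth proving after the cut-over. "allow" means a TCP
# handshake must complete; "deny" means it must be refused or time out.
ACCEPTANCE_MATRIX = [
    {"name": "web tier reachable",     "host": "192.0.2.10", "port": 443,  "expect": "allow"},
    {"name": "syslog to collector",    "host": "192.0.2.20", "port": 514,  "expect": "allow"},
    {"name": "old vendor SSH retired", "host": "192.0.2.10", "port": 22,   "expect": "deny"},
    {"name": "no direct DB access",    "host": "192.0.2.30", "port": 5432, "expect": "deny"},
]


def tcp_probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Real probe: "allow" if a TCP handshake completes, otherwise "deny".

    A REJECT rule shows up as connection refused and a DROP rule as a
    timeout; both are OSError subclasses and both count as "deny".
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "allow"
    except OSError:
        return "deny"


def run_acceptance(matrix: List[Dict], probe: Callable[[str, int], str] = tcp_probe) -> Dict:
    """Probe every row and summarise; rows whose observed result differs from
    the expectation are returned under "failed" with the observed value."""
    failures = []
    for row in matrix:
        observed = probe(row["host"], row["port"])
        if observed != row["expect"]:
            failures.append({**row, "observed": observed})
    return {"total": len(matrix), "passed": len(matrix) - len(failures), "failed": failures}


if __name__ == "__main__":
    summary = run_acceptance(ACCEPTANCE_MATRIX)
    for f in summary["failed"]:
        print(f"FAIL {f['name']}: expected {f['expect']}, observed {f['observed']} "
              f"({f['host']}:{f['port']})")
    print(f"{summary['passed']}/{summary['total']} checks passed")
    # Non-zero exit makes the result usable from a cut-over runbook or a CI job.
    raise SystemExit(1 if summary["failed"] else 0)
```

Keeping the matrix identical for the old and the new firewall gives you the same pass/fail picture before and after the swap, which is exactly the comparison the revert decision rests on.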

Add in new services
When you have replaced the old firewall with the new, complete the migration by adding in any new services that were requested. Delaying the addition of these services until the new firewall is stable with no new functions simplifies testing – since the configuration is known to be good and stable before adding the new services, any introduced instability should be easy to isolate and fix.

