Firewall Migration Plan + Checklist

Migrating to a new firewall can be a daunting task, and this is exactly why you need a plan. A firewall migration plan helps to ensure that the changes you make are tested and implemented correctly, minimizing the risk of disrupting the already running network. It also provides a roadmap for everyone involved in the process, so that they know what needs to be done and when.

Furthermore, a migration plan can help to identify any potential problems in advance, allowing you to fix them before they cause any issues in the course of migration.

These are the steps that make up a successful firewall migration plan:

1. Define the current setup and needs

Additionally, this information can help to identify any potential issues that could arise during the migration process. Without this information, it would be difficult to ensure that the migration goes smoothly and that all of the necessary features are properly migrated.

Take a look at your network and identify which systems need to be protected. You'll also need to assess your risk level and identify any potential threats including attacks from the dark web. Once you have a good understanding of your current environment, you can start looking for a new firewall solution that meets those needs.

The most common types of firewalls in the market today are packet-filtering firewalls, proxy firewalls, NAT firewalls, web application firewalls, and next-gen firewalls.

  • Packet-filtering firewalls are the most basic type of firewall. They examine each incoming packet of data and decide whether to allow it through based on a set of predefined rules. 
  • Proxy firewalls work by intercepting all traffic between the user and the Internet. All requests for web pages and files must go through the proxy server, which checks to make sure that the content is safe before sending it back to the user. 
  • NAT firewalls are similar to proxy firewalls, but they also provide a level of protection for the internal network by hiding the IP addresses of the devices on the network.
  • Web application firewalls (WAFs) protect web applications from attacks such as SQL injection and cross-site scripting (XSS). WAFs work by inspecting incoming traffic and blocking or changing anything that looks like malicious code. 
  • Next-gen firewalls (NGFWs) are a newer type of firewall that combines packet filtering with other features such as intrusion detection and prevention, application control, and VPN functionality. NGFWs can be more effective than other types of firewalls at protecting against sophisticated attacks, but they can also be more expensive and complex to deploy.

2. Determine the type of firewall migration

This is all about deciding the type or approach of migration you'll be using. There are three major approaches: cutover, staged, and parallel.

Cutover: This is the simplest and most direct approach, involving a complete switchover from the old firewall to the new one. This can be disruptive, however, and is best suited for small networks.

Staged: A staged migration involves switching over sections of the network to the new firewall one at a time, which minimizes disruption but can take longer to complete. 

Parallel: Parallel migration is the most complex approach, involving running both firewalls side-by-side until the entire network has been switched over. This approach minimizes disruptions but requires careful planning and coordination.

As you can see each approach has its own benefits and drawbacks, so it's important to decide which one is right for your organization. Consult widely with your provider or IT consultant. 

3.  Understand the new firewall technology

By now you know the vendor you want to use, the type of firewall you want to migrate to and the approach you want to take. Well, the truth is that unless you learn the new firewall inside out, you won't be able to take full advantage of all the features the new firewall has to offer. And that could mean that your migration might not be as successful as you'd hoped. You also don't want to end up with this ‘nice’ firewall that you’ll struggle to use. How will you troubleshoot, for example, when you encounter issues?

The easiest way to learn is by going through the vendor’s training, which they should have. Take a look at the product documentation. This is a great place to start, as it will give you an overview of the firewall and how it works. Second, check out the video tutorials. These are a great way to see the firewall in action. Finally, head over to the forums. This is a great place to ask questions and get help from other users of the firewall.

You can also request customized training from cybersecurity firms or consultants with knowledge of the firewall that you intend to migrate to.

4. Review configuration of the current firewall

Failure to review your current firewall configuration could lead to a number of risks upon migration. For example, you may not be aware of all the devices that are currently connected to your network, and if you don't take them into account when migrating your firewall, you could end up leaving some out and expose your network to security threats.

A rulebase analysis is one of the most critical aspects of this review and there are a few key things to look for when performing a rulebase analysis:

  • First, check to see if there are any redundant rules. If so, remove them to simplify the configuration.
  • Second, take note of any special circumstances that may require additional rules or manual configuration during the migration. For example, if there are certain IP addresses or ports that need to be blocked, make sure that these are accounted for in the new firewall configuration.
  • Finally, pay attention to the order of the rules. In some cases, it may be necessary to rearrange the order of the rules to achieve the desired results. For example, if you want to allow traffic from a specific IP address range, you'll need to make sure that the allow rule is above any deny rules in the configuration.

5. Simulate the configuration

Configuration translation reproduction is the process of converting configuration files from one format to another, making them ready for transfer to the new firewall. This is an important step in the migration as it allows you to easily ensure that all of the settings are correctly converted and that there are no errors in the new configuration.

Follow these general steps:

  • Do you want to go the manual way, the automated route or both? Obviously the automated approach is the best especially if you have many rules. You can bring in the manual method for those configurations that prove impossible to simulate via the automated method. 
  • Set up the simulation environment. This should be as close as possible to your actual production environment.
  • Run the simulations. Try out different scenarios and see how the new configurations impact performance.
  • Analyze the results. Be sure to review both the positive and negative outcomes of the simulations. Use what you've learned to improve your plan for actual migration.

The basic translation simulation setup should include the below components:

  • Routing: Both dynamic and static. Take note of how the data packets should be sent through the router.
  • Clustering: Also known as high availability, this setup guarantees that service will be available even if a hardware failure occurs. Typically, this involves setting up multiple firewalls to create a single, more powerful unit.
  • Interface settings: This refers to the way that the firewall interacts with machines on your network. Which machines are allowed to communicate with each other, and what kind of communication is allowed (such as incoming or outgoing traffic). These settings should be both physical and logical, not forgetting IPs. 
  • User management: This allows you to control which users have access to the firewall, what remote access methods they can use, and how the firewall will handle authentication, authorization, and accounting (AAA). The management settings also control which Simple Network Management Protocol (SNMP) information and syslog messages the firewall will send.

Please note that the components above may not change so much even if you move from the old firewall to the new one. 

Another area you are going to work on in this stage are the policies,  objectives and other items such as VPNs and NATs. As the rules here might be humongous, it’s advisable to do it with automated tools.  

For NAT, be sure to have a clear understanding of both the current and new packet flows. Remember that some firewalls actually do NATs prior to policy checks while others don't go through this. So you want to check this out.

For service timeouts, be aware that most firewalls rely on custom timeouts for particular applications. So you want to ensure this is properly translated in the new firewall. Otherwise you are likely to have connectivity issues.

Ensure all application extensions are enabled and determine their configurations in both the old and new firewall, then synchronize the settings.

6.  Perform acceptance testing

In the context of firewall migration, an acceptance test is basically a way to check that the new configurations conducted in step 5 above actually do meet your intended requirements. The whole point of a migration is to move to a new system that's going to work better than the old one. But you can't be sure it's going to work properly until you've actually tested it. That's where acceptance tests come in.

Begin by creating a test plan that outlines the different types of tests you'll be running. This test  plan should include both manual and automated tests. Automated tests are especially important, because they can help you identify issues that might not be caught by manual tests. And the earlier you catch these issues, the easier and less expensive they will be to fix.

7. Demarcate a frozen zone

A frozen zone is a portion of a network that is not accessible during the firewall migration. This is important because it ensures that any changes that are made to the firewall during the migration process do not affect the rest of the network. 

The frozen zone provides a safety net that allows for a controlled and safe migration. Without a frozen zone, there is a risk that the entire network could be affected by the changes, which could lead to major disruptions. 

The frozen zone is typically a small portion of the network, and is only inaccessible for a short period of time. However, during that time, it is essential to have a backup plan in place so that the rest of the network can continue to function normally.

8. Translate the configuration

You already simulated the configuration earlier in step 5 and verified that indeed it can work well in the new environment. Now is the time to translate it for real. The process of translating the old configuration files into a format that the new firewall can understand is a critical step.

If this step is done incorrectly, it can mean the difference between a successful migration and a total disaster. 

Follow these steps for a smooth configuration translation:

  1. Make a backup of the old firewall configuration files.
  2. Convert the old firewall configuration files to a format that is compatible with the new firewall.
  3. Import the files into the new firewall.
  4. Test the new firewall configuration.

Keep these best practices in mind when conducting configuration translation:

  1. Make sure you have all the necessary information before you begin. This includes the old firewall's configuration, user accounts, and passwords.
  2. Create a test environment to test the translation before rolling it out in production.
  3. Be patient. This is a valuable step and should not be rushed.
  4. Test, test, test! Once the translation is complete, make sure to test the configurations thoroughly to ensure that it's working correctly.

9. Migrate

You are now ready to make the complete switch. Please follow the procedures given by the new firewall vendor alongside the old firewall’s manual on migration. The actual firewall migration must be conducted on the maintenance window. This is because the migration might disrupt network availability and therefore must be conducted during times when the system can be taken offline with the least amount of impact. 

Even as you go to maintenance mode, don’t make the mistake of informing everyone that you are migrating the firewall. Some members of staff tend to get afraid when given so much information about what is going on in the systems. Some might imagine something is terribly wrong with the network, while others can use it as an opportunity to give excuses for not doing their work. The best practice is to simply announce that you will be having routine maintenance on the network and some services might be interrupted during this time. Keep it simple, not alarming. 

Have a roll-back procedure in place. Things can still fail at the last minute  and you must be able to rollback so the normal network can continue to run as you figure out what went wrong and come back to the process. 

10. Post migration monitoring

Post-firewall migration monitoring allows you to ensure that the new firewall is properly configured and working as expected. Additionally, monitoring can help you to identify any potential security issues that may arise after the migration. 

Some of the most popular post-firewall migration monitoring methods include logging analysis, rule auditing, traffic analysis, change management, and performance monitoring. 

  • Logging analysis helps to identify any unauthorized or unexpected activity on the new firewall. 
  • Rule auditing ensures that all rules are correct and up-to-date. 
  • Traffic analysis helps to identify any potential traffic bottlenecks or anomalies. 
  • Change management helps to ensure that changes to the firewall are properly tracked and approved. 
  • Performance monitoring helps to ensure that the firewall is meeting all Service Level Agreements (SLAs) and performance expectations. 

Ideally, you'll want someone who's familiar with the new firewall to be on call 24/7. It’s advisable that you structure the monitoring in such a way that you really don't interrupt the routine work of your team. Everyone should still be able to do their regular work. This might mean getting help from experienced managed IT service providers to offer round the clock support to make sure the monitoring is 100% efficient. 

The monitoring phase should kick in as soon as the maintenance window is complete. It can last 2-3 days for small to medium organizations and up to one week or more for large organizations, depending on the complexity and sensitivity of the network.

The firewall migration checklist

The plan is the high level guide on how to go about the migration. But you need a checklist to tick off all the nitty gritty items that make the difference. It's a way to ensure that you don't forget anything important and that you're prepared for anything that comes your way. Remember there are a lot of things to remember, and it’s impossible to keep them all fresh in your mind.  A good checklist will help you stay organized and make sure that nothing falls through the cracks. 

Use this checklist to ensure you are not missing out on anything during the migration. Please tailor it to your environment:



Acquire all the necessary licenses for the new firewall


Ensure the new firewall can support the critical functionalities that were supported by the old firewall

User ID

Ensure that the new firewall can support user ID configurations without interrupting the current setup


It’s impossible to migrate logs, so ensure the old firewall can forward all the logs you would want to retain


Label all cables before disconnecting to avoid mix up

Maintenance period

Schedule and announce the maintenance period in advance to to all concerned parties

IP addresses

Use temporary IP addresses during the migration window and avoid connecting the ethernet cables to the new firewall until you are completely ready to make the move. Otherwise you will create IP conflict


Backup the entire configuration of the current firewall


Ensure that the team, especially IT administrators, are properly trained on the new firewall


Document all changes made during the migration process


Create an actionable roll-back plan in case of emergencies


Critical servers should be properly assigned


Once the new firewall is up and running at 100%, the old firewall can be decommissioned

Explore top firewalls for small organizations

Concluding remarks 

The firewall migration process can be fraught with danger if not properly executed, and many companies have discovered this when it’s too late. One of the dangers is data loss. This can occur when old firewall configurations are not properly transferred to the new platform, or when mismatched hardware causes compatibility issues.

Businesses may also experience significant downtime during a migration. So you want to work with experienced migration professionals to ensure a smooth process that does not stall the normal operations.

No comments yet. Be the first to add a comment!
Our site uses cookies