The six steps to an effective firewall migration.
A firewall typically stays in service for 5 to 7 years. How long it lasts is usually dictated by the organization's growing security requirements, the need for newer security features and, most importantly, throughput: at some point the old device can no longer inspect traffic at the rate the network demands.
We believe that with a proven migration framework and methodology a firewall migration can be simplified without sacrificing due diligence and due care.
So what are the six steps?
The Audit step of the firewall migration should ensure that the existing infrastructure is reviewed and audited to identify any prerequisites that must be in place before the migration (for example, spare interfaces, licences, rack space, out-of-band access to both devices). As part of the audit, key responsibilities are identified and assigned to either the Professional Services team or the customer. The migration team should hold several workshops with the customer so that every risk is captured before any migration planning starts. Any risk with a significant business impact should be highlighted here and carried into the next phase.
The Analyze step of the firewall migration ensures consistency: the functions of the existing firewall (network interfaces, security features, NAT, ALGs, logging, failover and so on) are identified so that each one is translated to the new firewall device in a consistent way. Any custom configuration or non-standard method of operation on the existing firewall must also be considered carefully before the actual configuration is migrated, because it is exactly this kind of configuration that conversion tools tend to miss.
The Migrate Configuration step is where the existing firewall configuration file is converted and translated into the new firewall configuration. This process can be 70% to 80% automated using vendor tools, which mainly cater for the basic initial configuration: network interface settings, security zones, security policies, static routing and NAT. The remaining 20% to 30% is manual, advanced configuration such as dynamic routing, ALGs, IPS policies and so on. As part of this step the firewall objects and groups should be optimised: unused objects are removed, and shadowed security policies (rules that can never match because an earlier rule already matches all of their traffic) are removed, so that the migrated policy is as small and consistent as possible.
The Validate step of the firewall migration ensures the configuration is tested, validated and sanitised so that there is no delta between the existing firewall and the new firewall configuration. In this phase it is preferable that the migrated configuration is loaded onto the new firewall, so that syntax errors and unsupported features are caught before cutover rather than during it. This step also finalises the details of the actual cutover with the customer's operations teams: the success criteria, the traffic benchmark and the classification of traffic services.
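The Migrate and Validate steps above both need the same thing: a way to reason about the policy independently of vendor syntax. The following is an added example (not code from the original page or from any vendor tool) built on a constructed, vendor-neutral rule model with hypothetical address and service objects. It shows the three checks described in those steps: detecting shadowed policies, finding unused address objects, and computing the delta between the old and the new policy after object names have been resolved to their values (so a tool that renames objects does not produce false deltas).

```python
from dataclasses import dataclass
from ipaddress import ip_network


# Vendor-neutral rule model (constructed for this example, not a real vendor format).
@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # address object name
    dst: str      # address object name
    service: str  # service object name
    action: str   # "allow" or "deny"


# Constructed object tables standing in for the firewall's address and service books.
ADDRESSES = {
    "any": "0.0.0.0/0",
    "corp-lan": "10.0.0.0/8",
    "dmz-web": "10.10.1.0/24",
    "dmz-web-01": "10.10.1.10/32",
    "legacy-backup": "192.168.99.0/24",   # referenced by no rule: a cleanup candidate
}
SERVICES = {                               # protocol, first port, last port
    "any": ("any", 0, 65535),
    "web": ("tcp", 80, 443),
    "https": ("tcp", 443, 443),
    "ssh": ("tcp", 22, 22),
}


def addr_covers(outer, inner):
    """True if address object `outer` contains every host of address object `inner`."""
    return ip_network(ADDRESSES[inner]).subnet_of(ip_network(ADDRESSES[outer]))


def svc_covers(outer, inner):
    """True if service `outer` matches every protocol/port that `inner` matches."""
    oproto, olo, ohi = SERVICES[outer]
    iproto, ilo, ihi = SERVICES[inner]
    return (oproto == "any" or oproto == iproto) and olo <= ilo and ihi <= ohi


def rule_covers(outer, inner):
    """True if every packet matching `inner` also matches `outer`."""
    return (addr_covers(outer.src, inner.src)
            and addr_covers(outer.dst, inner.dst)
            and svc_covers(outer.service, inner.service))


def find_shadowed(rules):
    """Return [(shadowed_rule, shadowing_rule, actions_differ)] for a first-match policy.
    A rule fully covered by an earlier rule can never fire; if the actions differ the
    shadowed rule documents an intent the firewall is not actually enforcing."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if rule_covers(earlier, rule):
                found.append((rule.name, earlier.name, earlier.action != rule.action))
                break
    return found


def unused_objects(rules):
    """Address objects no rule references; safe to drop from the migrated config."""
    used = {name for rule in rules for name in (rule.src, rule.dst)}
    return sorted(set(ADDRESSES) - used)


def effective_policy(rules):
    """Ordered list of rules that can actually match traffic, with object names
    resolved to CIDRs and port ranges so renamed objects do not create false deltas."""
    shadowed = {name for name, _, _ in find_shadowed(rules)}
    return [(ADDRESSES[r.src], ADDRESSES[r.dst], SERVICES[r.service], r.action)
            for r in rules if r.name not in shadowed]


def policy_delta(old, new):
    """(entries the old firewall enforces but the new one lacks,
        entries the new firewall enforces that the old one did not)."""
    old_eff, new_eff = effective_policy(old), effective_policy(new)
    missing = [e for e in old_eff if e not in new_eff]
    extra = [e for e in new_eff if e not in old_eff]
    return missing, extra


# Constructed sample policies: OLD is the running config, NEW is the tool's output.
OLD = [
    Rule("allow-web", "corp-lan", "dmz-web", "web", "allow"),
    Rule("allow-web-01", "corp-lan", "dmz-web-01", "https", "allow"),  # shadowed by allow-web
    Rule("allow-ssh", "corp-lan", "dmz-web", "ssh", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),
]
NEW = [
    Rule("allow-web", "corp-lan", "dmz-web", "web", "allow"),
    Rule("deny-all", "any", "any", "any", "deny"),  # the tool silently dropped allow-ssh
]

if __name__ == "__main__":
    print("shadowed:", find_shadowed(OLD))
    print("unused objects:", unused_objects(OLD))
    missing, extra = policy_delta(OLD, NEW)
    print("missing on new firewall:", missing)
    print("extra on new firewall:", extra)
```

In the sample, `allow-web-01` is reported as shadowed (and can be dropped without changing behaviour), `legacy-backup` is reported as unused, and the delta check catches that the converted policy lost the SSH rule, which is exactly the kind of gap the Validate step exists to find before cutover.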
The Cutover step is where the actual firewall migration takes place and production traffic is moved from the old firewall infrastructure to the new firewall deployment. Any traffic that is being dropped or misrouted must be identified quickly, by comparing session counts and deny logs on the new firewall against the benchmark taken in the previous step, so advanced troubleshooting skills need to be on hand during the window. Each migrated service is tested against that predefined benchmark and checked against the success criteria before the migration is declared complete; if the criteria are not met within the window, the agreed fallback is to revert to the old firewall rather than troubleshoot on production traffic. Typically the migration takes place out of business hours, when the impact to the business is minimal, in a window agreed with the customer's operations and change management teams.