Businesses migrate their firewalls for a number of reasons. Maybe your business needs have changed or perhaps you need a hardware upgrade to improve your IT security. Regardless, firewalls are a key line of defense for any business to keep its data safe and secure. When you decide to go ahead with firewall migration, you need to go into the process with a complete understanding of what needs to be done.
Poorly managed firewall migration has a tendency to take longer than initially estimated. Getting each of the seven OSI layers to work is critical to success. And issues with existing infrastructure, budget overruns, and network disruption are all too common.
These problems can cause your firewall to stop protecting your business and instead turn it into a vulnerability that’s just waiting to be exploited.
Before you begin your firewall migration, let’s take a look at the best practices to keep in mind when you undertake this project.
1. Starting a Firewall Migration
When you start to search for a brand new firewall, take note of your firewall configuration and characteristics. Its capabilities, warranty, age, and overall performance are all important aspects to understand. By doing so, you can establish a baseline as you look for a firewall that fits your current and future needs.
Create a firewall migration plan template that everyone who is involved in the migration should follow. Ensure that they are familiar with the capabilities of the old firewall and that they understand how to troubleshoot problems that may arise.
Successful migrations are difficult to pull off for those who are inexperienced. Unless your in-house team or vendor has expertise migrating firewalls, it’s best to entrust it to IT specialists.
2. Choosing the Right Firewall for Your Business
If you’re in the market for a firewall, there are plenty of options to choose from. Each has its own strengths and weaknesses that make finding the best fit for your business difficult.
What characteristics are you looking for in a firewall? Common capabilities include:
- Antivirus
- Intrusion prevention and detection
- Web filtering
- And more
Some firewalls may become outdated quicker as internet circuit speeds continue to increase. Others may require complementary security tools in order to function effectively.
Do you choose a traditional firewall that offers standardized traffic filtering? Or should you choose something that’s more cutting edge, such as FortiGate’s or Palo Alto’s next-generation firewall, which offers enhanced speed at a premium price point?
Whatever the case, you need to be absolutely positive in your firewall choice to prevent headaches caused during your migration.
3. Audit Your Current Firewall Using Firewall Migration Tools
A complete and detailed analysis of your current firewall is required before beginning your migration project. Ensure that you and everyone involved in the firewall migration know the policies, configurations, ISP details, and published services, among other information.
As time goes on, firewalls tend to accrue a number of unnecessary details that impact your security. For instance, removing unused addresses and networks is one of the most effective ways of improving your IT security. By using firewall migration tools, you can rectify that problem in no time at all.
Firewall migration is also a great time to look at your processes; specifically, look at your current ruleset and determine which ones are outdated. If you have someone on staff who is an expert and knows the ins and outs of your firewall, this can be a simple task. Otherwise, brace yourself for a lot of analysis.
A rulebase analysis will also be necessary. There are two things to pay attention to during this process:
- Hit counters add extra load to the firewall’s CPU. If the rulebase is particularly long, enable the hit counters feature in blocks so as not to reduce performance.
- Rules are hit at different intervals. Some are hit every few seconds, while others can go days or even weeks before they are hit. In short: this is going to take a lot of time, so prepare in advance.
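The audit described above can be sketched as a script over an exported rulebase. This is an added example, not taken from any vendor tool: the export layout, field names, sample rules and thresholds are all constructed assumptions. It flags unreferenced address objects, rules with no hits, rules not hit recently and duplicate rules, and it checks that hit counters have been running long enough for a zero count to mean anything.

```python
from datetime import date

# Constructed sample export. Field names are assumptions, not a vendor format.
OBJECTS = {"web-dmz": "203.0.113.10/32", "db-lan": "10.0.20.5/32",
           "old-ftp": "10.0.9.7/32", "branch-net": "10.8.0.0/16"}
RULES = [
    {"id": 1, "src": "any", "dst": "web-dmz", "svc": "tcp/443",
     "hits": 91234, "last_hit": "2024-05-30"},
    {"id": 2, "src": "branch-net", "dst": "db-lan", "svc": "tcp/1433",
     "hits": 0, "last_hit": None},
    {"id": 3, "src": "db-lan", "dst": "any", "svc": "udp/123",
     "hits": 12, "last_hit": "2023-11-02"},
    {"id": 4, "src": "any", "dst": "web-dmz", "svc": "tcp/443",
     "hits": 0, "last_hit": None},
]

def audit_rulebase(rules, objects, today, counters_on_since,
                   min_window_days=30, stale_days=90):
    """Flag cleanup candidates; nothing here deletes or changes a rule."""
    referenced = {r[field] for r in rules for field in ("src", "dst")}
    report = {
        # Zero-hit findings only mean something if counters ran long enough
        # to catch rules that fire every few weeks rather than every second.
        "window_ok": (today - counters_on_since).days >= min_window_days,
        "unused_objects": sorted(set(objects) - referenced),
        "never_hit": [], "stale": [], "duplicates": [],
    }
    first_seen = {}
    for r in rules:
        key = (r["src"], r["dst"], r["svc"])  # same match criteria
        if key in first_seen:
            report["duplicates"].append((r["id"], first_seen[key]))
        else:
            first_seen[key] = r["id"]
        if r["hits"] == 0:
            report["never_hit"].append(r["id"])
        elif (today - date.fromisoformat(r["last_hit"])).days > stale_days:
            report["stale"].append(r["id"])
    return report

if __name__ == "__main__":
    result = audit_rulebase(RULES, OBJECTS, today=date(2024, 6, 1),
                            counters_on_since=date(2024, 4, 1))
    for finding, value in result.items():
        print(f"{finding}: {value}")
```

Treat the output as a review list for the rule owners, and do not act on `never_hit` while `window_ok` is false.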
When reviewing your current configuration, remember that you should change one element at a time to allow yourself the ability to roll back to a previous state if an error occurs. Be patient; configuring a network firewall can be tricky, and any mistakes made tend to create more mistakes further down the line.
Here are some questions you should ask yourself at this stage:
- Do you understand the NAT rules on your firewall? If you don’t understand how packet flow works with your current firewall, you’re going to encounter problems very soon.
- Are your NAT rules enabled for your VPN Gateway? Whatever the answer is, the same settings should be used on your new firewall to create a smoother transition.
- Does your firewall have specific service timeouts for applications? If so, you have to make sure that these are translated to your new firewall to avoid connectivity issues.
- Do you have application extensions installed? Application-level gateways (ALG), Fixup protocols, and Resources are used to open dynamic ports for protocols like SQL and H.323. Figure out if they are enabled, and transfer them over to the new firewall.
4. Configure Your New Hardware in Advance
Before installing your new firewall, you must develop a security policy that fits your business. After all, what utility you expect out of a firewall will be different from what your old firewall offered.
You must transfer your current firewall details to your new firewall. This means transferring:
- Firewall rules
- Policies
- App control
- Antivirus filtering
- VPN
And any other information that is needed to ensure a hassle-free transition. At the same time, the new features that were not part of your old firewall need to be configured for the first time as well.
This is also an opportunity to reconfigure your current firewall to ensure that the migration goes smoothly. Whether you manually reconfigure it or use an automated tool, you will need to test the process to guarantee that everything can transfer over to the new firewall.
5. Test Your Firewall Before Transition
Before you implement what you’ve outlined in your firewall migration plan template, run tests on your new firewall to check for problems that may have crept in during the set-up process.
Test for internet access, whether you can connect to a cloud network, and if other core business services are functioning. This can be done either manually or with the assistance of network analysis software.
Large migrations, where there are hundreds or thousands of rules that need to be configured, pose a difficult challenge if attempted manually. However, even automated tools designed for configuration often leave errors behind, necessitating manual review on top of everything else.
Remember to get your basic setup working before moving on. This includes, but is not limited to, the following elements:
- Interface Settings
- Dynamic Routing Protocols
- Static Routing Protocols
- High Availability Setup
- Simple Network Management Protocol (SNMP)
- AAA
- And any other management settings.
If an issue is found, change the policy causing the error and re-test. If the issue persists, keep changing the policy and re-running the test until the error is fixed, or roll back the firewall and analyze what could be causing the problem.
It’s also important to test your firewall with edge cases to see if everything runs smoothly. High Availability (HA) testing will be used to check if your backup systems are working and that things such as a link failure don’t cascade into a complete shutdown.
If everything is validated and the firewall runs without issue, double-check that your warranties and support are updated. When the new firewall is installed, it’s also the best time to set reminders and notes for key dates, such as renewals, that match your vendor’s cycle.
6. Patch Your New Hardware During a Maintenance Window
It goes without saying that your new hardware should be installed during a maintenance window, when your network is being utilized the least. This may take place overnight or over the weekend, but it is critical that you do not interrupt your business hours with a firewall migration.
Not every employee needs to be notified of the migration; only those who are responsible for the various services on your network, such as email or databases, need to be informed. That’s because their work may be affected by the new firewall, and advance warning will enable them to better deal with any disruptions to service that may arise.
Be sure to test every application both before and after the migration process in order to guarantee that every aspect of your network is working. If something isn’t functioning properly, you may need to roll back to your previous firewall to search for and deal with the problem.
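One way to make the before-and-after comparison repeatable is to record a reachability baseline before cutover and diff it against the same checks afterwards. This is an added example, not part of the original article: the check names, hosts, ports and report categories are constructed assumptions. It includes a negative test, because a migrated policy can break a service but can also open a path the old firewall blocked.

```python
import socket

# Constructed check list: name -> (host, port, should_be_reachable).
# Hosts are documentation placeholders; replace with your own services.
CHECKS = {
    "internet-https": ("example.com", 443, True),
    "mail-smtp": ("192.0.2.25", 25, True),
    "erp-db": ("192.0.2.40", 1433, True),
    "db-rdp-blocked": ("192.0.2.40", 3389, False),  # negative test
}

def probe(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False

def snapshot(checks, prober=probe):
    """Run every check from this host and return {name: reachable}."""
    return {name: prober(host, port) for name, (host, port, _) in checks.items()}

def compare(checks, before, after):
    """Classify post-cutover results against the pre-cutover baseline."""
    report = {"regressed": [], "newly_open": [], "policy_mismatch": []}
    for name, (_, _, expected) in checks.items():
        was, now = before[name], after[name]
        if was and not now:
            report["regressed"].append(name)    # worked before, broken now
        elif now and not was:
            report["newly_open"].append(name)   # new policy is more permissive
        if now != expected:
            report["policy_mismatch"].append(name)
    return report

if __name__ == "__main__":
    # Constructed snapshots; in a real window call snapshot(CHECKS) before
    # and after cutover and persist the first result (for example as JSON).
    before = {"internet-https": True, "mail-smtp": True,
              "erp-db": True, "db-rdp-blocked": False}
    after = {"internet-https": True, "mail-smtp": False,
             "erp-db": True, "db-rdp-blocked": True}
    print(compare(CHECKS, before, after))
```

Run the snapshot from the same host and network segment both times; an entry under `regressed` is a rollback candidate, while `newly_open` points at a rule that became more permissive during translation.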
7. Monitor Your Firewall Post Migration
If only a firewall migration plan ended after the migration was complete. No matter how perfect you think your migration plan was, there will always be issues that arise that need to be monitored and taken care of.
Even if there were no major problems during your migration, continual monitoring of your firewall will detect minor issues that need to be resolved in due time.
If you have an IT helpdesk, they will need proper support from the firewall migration team to address concerns that result from the migration. Organizing problems in terms of severity is essential to dealing with this.
Close monitoring of your firewall should last for no more than a week, as that will typically be enough time for any issues to make themselves known. That being said, problems can manifest later on down the line depending on how rarely certain applications are used.
If a major problem arose during the migration, such as an inability to use critical services through which your business operates, you will have to roll back and plan for another migration. During this time, you should reassess every aspect of your firewall migration plan template, so that you can minimize additional disruption to your network security.
Once your new firewall is installed and working properly, it’s time to sunset your old one. Wipe your configuration and recycle your hardware using the appropriate method.
Fusion Computing Can Take Charge Of Your Business’s Firewall Replacement
Every business’s firewall migration is different. No two businesses have the same needs, hardware, or network. By carefully plotting out your strategy using a firewall migration plan template, you can greatly reduce the risk of errors while maintaining protection for your business’s network.
If you’re unsure whether your firewall migration plan is the right move for your business, consult industry experts.
At Fusion Computing, our skilled team has 25+ years of experience successfully migrating firewalls for businesses both large and small. We handle everything from small professional networks to enterprise-grade firewalls.
Our specialists can assess your existing network security and recommend a firewall that fits your requirements. Contact us today to get your IT projects back on track.