Businesses often need to complete a firewall migration or replace firewalls for a variety of reasons. Firewall replacement can be caused by hardware reaching end–of–life or no longer meeting a business’s evolving needs.
Firewalls are a vital component of corporate IT security planning, blocking threats to the environment, and protecting sensitive data from breaches, unwanted access, and other intrusion attempts.
Firewall migrations shouldn’t be undergone lightly. Organizations should approach the endeavour with a detailed firewall migration plan covering vendor and product selection, current state analysis, pre-configuration planning, transition planning, and decommissioning of the old hardware. There is often some clean-up required after a firewall migration to carry over any missed firewall rules, policies, and configurations.
Here are some of the key areas to focus on when replacing or migrating firewalls.
How to Replace Your Firewall (Firewall Migration Plan)
1. Decide if a New Firewall or Hardware is Needed
Before searching for a brand-new firewall, investigate if new hardware is even required. Look into current firewall characteristics like age, performance, capabilities, warranty, and end–of–life.
If the current firewall is still holding up and under warranty, new features or additional security related to email and web filtering may be a better fit for your IT security spend.
2. Investigate What Type of Firewall to Go With – Gather Requirements
Not all firewalls will come equipped with the same set of features. Dive into what capabilities are needed to meet your business requirements. Capabilities typically include antivirus, IPS (Intrusion Prevention) / IDS (Intrusion Detection), web filtering data loss, and performance. As internet circuits speeds increase – firewalls aren’t always able to keep pace with the higher speeds. We’ve listed out some of the common types of firewalls, but in most cases, businesses will be looking at getting some type of Next Generation Firewall.
“In fact, next-generation firewalls held 52% of the security appliance market in 2017. The traditional network firewall came in second with 18%. “
Are you having concerns with your firewall? Are you not sure what it is or isn’t blocking? Contact us for a free assessment to determine if your current firewall is protecting your business.
3. Pick the Vendor and Hardware – Enterprise-Level vs. Mainstream
There are many firewall vendors and products in the marketplace, each with their own strengths and weaknesses. Examine your sizing, business requirements, network complexity, and other factors to determine which firewall is right for your organization.
During your procurement process, work with your team or IT partner to figure out if you’ll require extra features to maximize network performance such as redundancy and clustering or supporting dual connections.
4. Complete a Detailed Current State Analysis
A complete audit of the current firewall is required before a firewall migration. Crawl thru your current firewall and capture critical details including:
- IP Network Settings
- ISP details
- Network patching
- Anything that is published (published services)
- VPN (tunnels from site-to-site and VPN clients)
Firewall configurations tend to accumulate unnecessary details such as unused services, networks, and address objects. Analyze the existing rulebase to determine which policies are active and which are no longer needed. Often, there are old services that were never removed that will need to be cleared out. You can run firewall migration tools to collect some of this data in a more automated way.
As per Daniele Besana at Router Freak, “A simple way to perform a rulebase analysis is to check the hit counters (that is – how many times a policy has been hit by traffic) of each rule.”
Keep in mind two things:
- Hit counters have a CPU impact in most firewalls, so pay attention on the extra load. If the rulebase is quite long (ex. more than 100 rules) then it is better to enable the hit counters feature in blocks of a few rules each time and to keep the performance monitored.
- Some rules are hit every second, some once a day (backup?), some once a week (network scan?), and some once a month (payroll systems?). So, you got the idea: this process requires time for a complete assessment of the used rules!
Image source: https://www.varonis.com/blog/cybersecurity-statistics/
5. Review the Current State Analysis
Now that you have a complete picture of the current state, review everything to see what should be changed before configuring your new hardware.
Ensure that everything meets best practices from a security perspective and identify any areas that need to be modified. Remove any of the unused objects, policies, and services that you identified in the current state analysis.
If unsure about the origin of certain policies or services, check with other members of your infrastructure team. Depending on the business, you may luck out and speak with the person who did the original firewall configuration or modifications.
6. Pre-configure Your New Hardware
When working on your new firewall, you’ll need to develop a security policy that matches your current business requirements. Your current needs are likely different from what the previous firewall was originally designed for.
This requires migrating and converting the current-state details over to your new firewall including firewall rules, policies, web and app control, antivirus filtering, and reporting.
Part of this step also encompasses determining and configuring features you want to use that your new firewall comes with that your previous model may not have been equipped with.
7. Test and Transition to Production
Before you migrate your firewall into your live environment, run a series of tests to flag any problems caused by the new equipment and set-up. Test for internet access and ensure you can connect to cloud applications and core business systems. You can test manually, using scripts and by leveraging network analysis software.
If an issue is identified, modify the security policy and re-test until its resolved. If the issue persists and ends up being more difficult to resolve, you can roll–back and re-evaluate what might be causing the problem.
Once you’ve validated that the new firewall is operating correctly, ensure all documentation is up-to-date and alerts and monitoring are adjusted accordingly.
The final step in this phase should be to ensure warranties and support are current. Verify that reminders are set for renewals and key dates matched to the vendors release cycle.
8. During an Outage Window, Patch in Your New Hardware
It is always recommended to cut over to your new firewall during a maintenance window when minimal users and systems will be impacted. Determine when networks have the lowest utilization and target that period for the actual firewall migration.
Alert any other team members that may be directly impacted by the firewall migration so they can take necessary steps of testing applications and systems before and after the cut over. You don’t need to alert everyone, but if you have an application support team or other critical areas that will be impacted, they should be aware of when the migration is taking place.
9. Post-Migration Monitoring and Management
Once you’ve switched over to the new firewall, run another series of tests to verify the firewall replacement was successful. Minor configuration changes may be required that weren’t apparent in the initial testing phase. Through regular monitoring, you’ll likely come across some of these minor problems that need to be ironed out.
If you have a helpdesk, connection issues should get triaged through the support team so whoever is making the changes to the firewall is addressing the highest priority concerns first.
The types of problems that would require a full roll-back, would be if you can’t access critical services after the cut-over. If you have trouble getting critical services up and running during the maintenance window, and can’t quickly identify what is causing the problem – that may indicate you should roll-back, re-assess and modify the configuration, and plan another cut-over.
If your team doesn’t have the capacity or time to actively monitor and manage firewalls on a consistent basis, consider managed firewall services to outsource this function to a trusted partner.
10. Decommission Old Hardware
Now that the new firewall is in place and filtering traffic properly, it’s time to decommission the old hardware. Ensure the configuration is wiped and hardware is recycled appropriately.
Each firewall migration plan will be different based on the equipment you’re using, its age, and the specific network and filtering requirements inherent to your organization. The best practices approach is to develop your strategy or build off a firewall migration plan template to ensure you cover off each aspect of the firewall migration.
If you’re unsure what the right path forward with your existing firewall is, we can help. Our team has implemented firewalls for many different businesses and has the expertise to assess what you have today, make recommendations for future gear, and help you implement and monitor the new solution. Our managed services team has extensive experience with firewalls. Request a free consult today to get started.