At some point in your life, you probably had to move from one home to another. When packing, you realized that you wanted to keep that family vacation photo from high school but not the random trinket your great aunt brought back from her trip. During the move, you looked at what you had, tossed unnecessary items, and packed up the things that mattered most.
Migrating your firewall rules is a similar process. You have some rulesets that you want to keep because you know they help secure your networks. However, if you’ve had that firewall around for a while, you probably have rules that are the network security equivalent of your great aunt’s trinket. And just as some of your belongings are indispensable when you pack, so are some of your network security policies.
Having a firewall migration plan is like having that “to do” checklist when you’re packing up to move. However, having automation that helps you complete these tasks is the digital equivalent of hiring a moving company to pack and unpack for you. With Tufin to help you implement these five best firewall rule migration practices, you can declutter your network security policies while improving your network security and compliance posture.
Audit Current Firewall Rules
Auditing your current firewall rules is the start of the sorting and packing process where you review the current state of your network security policies, configurations, and settings. If you’re putting in the effort to migrate your firewall rules, you don’t want to transfer any risky rules or compliance violations when you move.
Your firewall audit process should include:
- Reviewing access and authentication for users and applications
- Proactively assessing risk to identify violations and exceptions
- Remediating compliance issues to prevent them from carrying over
- Comparing current and future firewall vendor rulesets to identify differences that could create security and compliance risks
For a complex network infrastructure, the firewall audit process can be time-consuming and resource-intensive. By engaging in an on-demand firewall audit and viewing your network topology, you can gain insight into your current network rules and data flows.
With Tufin, you can streamline these activities by leveraging our vendor-agnostic Unified Security Policies (USPs) for centralized network security policy management. With our USPs, you can create, define, and enforce consistent allow and deny rules across various firewall vendor naming conventions to maintain effective network segmentation.
Best Practice Audits allow you to define baseline policies based on industry best practices, then run on-demand audits across your environment. By running these audits before migrating your firewall rules, you can identify potential security risks or policy violations and keep them from transferring to the new device.
Optimize and Clean Up Rulesets
Moving to a new home is an opportunity to throw away those items that no longer bring you joy. Similarly, when you migrate your firewall rules, you want to take only the ones that actively align with and support your business objectives. Your migration is your opportunity to review and remove rules so you can improve your network security and performance. As part of the optimization and cleanup process, you should:
- Identify and review the need for unused or low-use rules
- Document business reasons for maintaining low-use rules
- Identify and decommission unused, shadowed, or outdated rules
- Remove duplicate objects
- Delete old and unused policies
- Remove unused connections
- Tighten up overly permissive rules
Tufin’s automation is the Marie Kondo of network security policies. Our automation comes with a defined set of cleanups and produces a security score based on the choices you make. Our cleanup types include:
- Duplicate rules, network objects, and services, like protocols and ports
- Empty groups
- Fully shadowed and redundant rules
- Unmatched network objects
- Unused network objects
To easily optimize your rulesets, you can use our Automatic Policy Generator (APG) that analyzes traffic logs from your firewalls to understand how people use your policies. You can use the APG to tighten overly permissive rules and create a new rule base that reduces the attack surface when migrating or deploying a new firewall. APG uses traffic history to design least-privilege rule sets to block communications from systems that don’t regularly require access, enabling you to rapidly create new rule bases for new firewalls or add an interface to a firewall.
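As an added illustration of two cleanup checks listed above, fully shadowed rules and unused rules, here is example code written for this post (not Tufin's product code and not part of the original article). It models a small, ordered rule base with constructed rules and constructed traffic log lines: a rule is flagged as shadowed when an earlier rule matches everything it matches, and a rule is flagged as unused when no logged flow reaches it as the first match.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # source CIDR
    dst: str            # destination CIDR
    ports: tuple        # (low, high) inclusive destination port range
    action: str         # "allow" or "deny"

    def covers(self, other: "Rule") -> bool:
        """True if every flow matched by `other` is also matched by this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.ports[0] <= other.ports[0]
                and other.ports[1] <= self.ports[1])


def find_shadowed(rules):
    """Return (shadowed, shadowing) name pairs. A fully shadowed rule sits
    below a rule that already matches all of its traffic, so it can never fire."""
    out = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(rule):
                out.append((rule.name, earlier.name))
                break
    return out


def first_match(rules, src, dst, port):
    """Name of the first rule (top-down evaluation) matching a logged flow."""
    for r in rules:
        if (ip_address(src) in ip_network(r.src) and ip_address(dst) in ip_network(r.dst)
                and r.ports[0] <= port <= r.ports[1]):
            return r.name
    return None


def unused_rules(rules, log_lines):
    """Rules with zero first-match hits in the log sample (constructed format: 'src dst port').
    A zero-hit default deny is normally kept; review such results rather than deleting blindly."""
    hits = {r.name: 0 for r in rules}
    for line in log_lines:
        src, dst, port = line.split()
        name = first_match(rules, src, dst, int(port))
        if name:
            hits[name] += 1
    return [name for name, count in hits.items() if count == 0]


# Constructed rule base: R2 is fully shadowed by R1; R3 is overly permissive.
RULES = [
    Rule("R1", "10.0.0.0/8", "192.168.1.0/24", (443, 443), "allow"),
    Rule("R2", "10.1.0.0/16", "192.168.1.10/32", (443, 443), "allow"),
    Rule("R3", "0.0.0.0/0", "192.168.2.0/24", (1, 65535), "allow"),
    Rule("R4", "0.0.0.0/0", "0.0.0.0/0", (1, 65535), "deny"),
]

# Constructed traffic log sample.
LOG = [
    "10.1.2.3 192.168.1.10 443",
    "10.5.5.5 192.168.1.20 443",
    "172.16.0.9 192.168.2.7 22",
    "203.0.113.8 192.168.1.10 22",
]
```

Running `find_shadowed(RULES)` reports R2 as shadowed by R1, and `unused_rules(RULES, LOG)` reports only R2, since the final deny is hit by the last log line.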
Prepare the New Firewall
If you’re a planner, you understand that using graph paper can help you optimize furniture placement when moving to a new space. Similarly, preparing your new firewall by configuring the initial settings and rules makes the migration easier. When preparing your new firewall, you typically need to:
- Configure rules, network security policies, and antivirus filtering
- Configure new features that your previous firewall lacked
- Compare these configurations with your compliance requirements
With Tufin, you have the network security equivalent of graph paper to organize and streamline this process. Our platform automates time-consuming tasks, like:
- Cloning existing servers so you can migrate rules faster
- Automatically provisioning policies and changes across a diverse vendor implementation
- Reviewing risk for accurate change implementation
Once you prepare the new firewall, you can use our APG to compare the new firewall’s rulesets against the original configurations to ensure continuous compliance. If you use the APG during a firewall migration, you can leave a relatively permissive policy in place long enough to produce logs, then translate those logs into a secure, optimized rule base. The APG allows you to define and refine the network traffic that users need so you can interactively determine a rule base’s granularity.
Testing and Validation
The testing and validation process is like doing the final walk-through of a new home to make sure all the locks and fixtures work as intended. You confirm that all settings, policies, and rules work as expected, hopefully in a controlled environment. Some typical steps include:
- Confirming firewall settings and access rules
- Analyzing security rules for potential vulnerabilities
- Validating network connectivity for business-critical applications
- Evaluating inbound traffic and remote access VPN configurations
- Verifying traffic from source IP addresses to prevent malicious traffic infiltration
Automating processes with Tufin can streamline these steps, enabling you to complete your project faster. Our rule recertification workflows document and verify the need for a rule, allowing you to ensure that approved rules are transferred over while marking rules you no longer need as decertified so you can automatically decommission them. Combined with our Best Practices Audits, you can engage in a comprehensive review of all rules prior to deploying them live to your network.
Tufin minimizes business disruption and migration costs by providing visibility into and control over configurations and application connectivity changes. Acting as a centralized console for managing firewalls, Tufin ensures high availability and seamless functionality by enabling:
- Collaboration between application owners and network administrators for all network-related application connectivity changes
- Faster misconfiguration troubleshooting and root cause investigation
- Automated processes for defining, implementing, and decommissioning application connectivity
Audit and Optimize Again
As you unpack boxes, you probably realize that you didn’t have space or need for some of the items you took with you. Your firewall migration works similarly. Once you have your new rulesets up and running, you want to audit and optimize them again. Once everyone has connectivity, you should run another on-demand audit to ensure that all your rules and configurations work as intended by:
- Comparing current firewall rules against compliance requirements
- Reviewing for unintended rule bloat
- Identifying misconfigurations and potential vulnerabilities
If you use Tufin for centralized network security policy management, our platform automates this process as soon as you implement the new rules. Whenever you make changes to your network, Tufin automatically detects and reviews them to ensure compliance against our pre-defined templates. Our alerts identify critical security policy violations so you can effectively remediate or exempt changes that impact your security posture.
Tufin: Continuous Compliance when Migrating Firewall Rules
Many people hire movers to help them when moving into a new home. With Tufin, you have the network security equivalent to help review, sort, organize, and migrate firewall rules. Our automation helps you streamline your firewall migration process every step of the way. From decommissioning old rules to cloning existing policies to populate new firewalls, Tufin helps you complete your project faster, even across a multi-vendor, hybrid network. Our vendor-agnostic USPs enable you to maintain compliance across key firewall vendors, including Cisco, Palo Alto, Check Point, Fortinet, Microsoft Azure, Google Cloud Platform, and Amazon Web Services. When transferring security rules within an existing system or switching vendors, our suite of solutions reduces the time and cost of your migration.
To see how Tufin can assist your firewall migration plan, contact us today for a demo.