Next-gen firewall licensing stacks per-appliance costs with threat-subscription bundles (IPS, URL filtering, sandboxing) and renewal uplifts. Open firewalls — OPNsense, pfSense, or Linux nftables — run on commodity hardware with Suricata-based IDS/IPS, removing the subscription tax for many edge and segmentation use cases.
Inventory first
Export the rulebase, NAT, objects, and VPN configuration, document IDS/IPS profiles and threat features in use, and note HA and logging/SIEM integrations. Be honest about NGFW features you depend on — advanced app-ID, cloud-delivered threat intel, and central management have varying open equivalents.
Sizing matters more here
Size on NGFW (threat-protection) throughput, not raw firewall throughput — and remember TLS inspection can cut effective throughput by 50–70%. Account for IPSec VPN throughput, concurrent sessions, and connections/sec. Under-sizing is the classic firewall migration mistake.
Rebuild and pilot
Deploy the open firewall in HA (CARP), recreate rules/aliases/NAT, import VPN tunnels (IPsec/OpenVPN/WireGuard) and remote-access users, and enable Suricata IDS/IPS with the relevant rulesets. Wire logging to your SIEM.
Cut over per site
Pilot at a low-risk site first, validate an allow/deny matrix and VPN connectivity live, then roll out site-by-site with rollback ready. Monitor logs and IPS for anomalies during hypercare. Roll back by re-pointing traffic to the source firewall.
Validation
Rule/NAT verification (allow + deny), VPN connectivity (site-to-site and remote), IDS/IPS detection and throughput tests, and an HA failover test.
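An added example of the allow/deny matrix check from the pilot and validation steps (not code from the original page or from OPNsense/pfSense). It assumes a hypothetical matrix of test flows run from a host in the user zone, with constructed destination addresses; a probe that times out is treated as dropped, and a connection refused by the destination host counts as reached.

```python
import socket
from dataclasses import dataclass

@dataclass(frozen=True)
class Check:
    name: str
    dst: str
    port: int
    expect: str  # "allow" or "deny", taken from the exported rulebase

# Constructed sample matrix with hypothetical addresses, run from the user zone.
MATRIX = [
    Check("dmz-web-from-user", "10.10.20.10", 443, "allow"),
    Check("db-from-user", "10.10.30.10", 5432, "deny"),
    Check("mgmt-ssh-from-user", "10.10.40.10", 22, "deny"),
]

def probe(dst: str, port: int, timeout: float = 2.0) -> str:
    """TCP connect probe: 'allow' if the handshake completes, 'refused' if the
    host answered with a reset (reached, service down), 'deny' on timeout
    (packet dropped by the firewall)."""
    try:
        with socket.create_connection((dst, port), timeout=timeout):
            return "allow"
    except ConnectionRefusedError:
        return "refused"
    except OSError:  # includes TimeoutError (socket.timeout)
        return "deny"

def evaluate(matrix, observed: dict) -> dict:
    """Classify each check. An unexpected allow is a security regression
    (the new rulebase is more permissive); an unexpected deny is an
    availability regression. Either one blocks the site cutover."""
    report = {"unexpected_allow": [], "unexpected_deny": [], "ok": []}
    for c in matrix:
        got = observed[c.name]
        got = "allow" if got == "refused" else got  # host was reachable
        if got == c.expect:
            report["ok"].append(c.name)
        elif got == "allow":
            report["unexpected_allow"].append(c.name)
        else:
            report["unexpected_deny"].append(c.name)
    return report

def cutover_ready(report: dict) -> bool:
    return not report["unexpected_allow"] and not report["unexpected_deny"]

if __name__ == "__main__":
    results = {c.name: probe(c.dst, c.port) for c in MATRIX}
    print(evaluate(MATRIX, results))
```

If the firewall is configured to reject rather than drop, a refused connection no longer proves the host was reached; point deny checks at a listening service on the far side so that only a completed handshake counts as allowed.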