Second migration successful (well, kind of)
This morning I did the second (and final) Firewall-1 management server migration at this site. It wasn't as successful as the last one, in that it didn't Just Work.
With some help from Jonathan, the problem was traced back to the Get Topology function getting it wrong. I have to do a Get Topology after I've migrated the configuration as the new hardware has different Ethernet device names to the old one (gotta love how Solaris has hardware specific Ethernet device names). Unfortunately, in the process of doing the Get Topology, Firewall-1 decided to mark one of the interfaces as External, when it really should have been Internal, so then the anti-spoofing stuff kicked in and it decided that connections that were legitimate were actually spoofed, and dropped them.
It made matters worse (but was probably a blessing in disguise in that it highlighted the problem immediately) because the interface in question was the one that connected this management server to the rest of the management network, you couldn't get through the management server (which is also an enforcement module) to other hosts behind it.
Update
It wasn't so much a case of the Get Topology function getting it wrong. It seems that Firewall-1 will assume that the interface with the default route going out it is external. So for this particular firewall, I just need to redo the routing so there are specific routes and no default route, and in theory everything should be considered internal.