Well, only mostly dead. Today, July 28th, 2008, is the last day you can purchase a PIX firewall appliance from Cisco, ending one of the longest and most successful lives of a gateway security product ever. The PIX (Private Internet Exchange) was the first Network Address Translation device and later evolved into a stateful firewall. See this introductory piece on the PIX by Johna Till Johnson in the January, 1995 issue of Data Communications Magazine. Cisco acquired the PIX with Network Translations, Inc. along with its inventors, John Mayes, Brantley Coile and Johnson Wu. From there the PIX grew into a multi-billion dollar franchise, outselling its nearest competitors, Check Point and NetScreen.
Incidentally, the founder of NetScreen, Ken Xie, was actually a PIX firewall administrator at Phillips electronics when he thought up the idea of a hardware-accelerated firewall appliance. Ken went on to found Fortinet as well, the latest evolution in the history of firewall appliances.
You may recall the early religious wars between proxy and stateful firewalls. Cisco PIX pretty much put a nail in that coffin. The Gauntlet proxy firewall died a rapid death in the hands of Network Associates (now McAfee), and the rest of the proxy firewalls (Sidewinder, CyberGuard, etc.) have been rolled up into Secure Computing, where they are serving a niche market within the defense department.
According to Cisco, they will continue to sell add-ons to the PIX series until next year and will support the product until 2013, which has got to be one of the most responsible end-of-life programs in the history of networking and security. While the latest version of PIX is compatible with the first version of Cisco's replacement security appliance, the ASA, from here on they diverge as ASA moves to a Linux-based OS.
Cisco, of course, means for its installed base of PIX customers to migrate to the newer, more expensive ASA platform. While there is no need to panic at the EOS of PIX, I would take this opportunity to re-evaluate your gateway security platforms. A lot has changed in network security in the 13 years since PIX was introduced.
Firewall migration can be fraught with risk. Rule sets are like new government agencies: they have a way of growing forever. I have not seen an installed firewall that did not have unused or redundant rules in it, things that detract from its auditability. I have talked to admins who have over a thousand individual rules on their firewalls.
But there is hope. Just in recent months I have started to see usable firewall rule analysis and management tools. I mentioned AlgoSec's product in my roundup of RSA this year. There are products from Tufin Technologies, another Israeli startup, and Athena Security, based in Illinois, that could be used not only for firewall rule cleanup but also as a tool for transitioning off of PIX to a modern platform (even to ASA). But AlgoSec is the only one with a specific migration capability. Solsoft is also used to manage multiple firewall platforms and could be used for migration purposes. Many of the firewall vendors have tools for capturing and converting rule sets, but so far AlgoSec is the only one that has built an easy-to-use tool set for accomplishing the transition.
Follow these steps when changing firewall platforms:
Step 1. Import the rule base from your legacy PIX.
Step 2. Clean up that rule base. AlgoSec can even identify rules that are never used so you can eliminate them. All of these products are building in compliance modules that allow you to compare your rules to best practices.
Step 3. Install the cleaned up rule base on the new platform.
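As an added illustration of Step 2 (not part of the original article and not how AlgoSec or any other product named here works), the sketch below flags zero-hit and exactly repeated rules in a rule base. The sample is constructed, and its layout, one entry per line ending in a `(hitcnt=N)` counter in the style of PIX `show access-list` output, is an assumption.

```python
import re

# Constructed sample in the style of PIX "show access-list" output (not from the article).
SAMPLE = """\
access-list outside_in; 5 elements
access-list outside_in line 1 permit tcp any host 192.0.2.10 eq www (hitcnt=48213)
access-list outside_in line 2 permit tcp any host 192.0.2.10 eq 443 (hitcnt=0)
access-list outside_in line 3 permit tcp any host 192.0.2.25 eq smtp (hitcnt=911)
access-list outside_in line 4 permit tcp any  host 192.0.2.10 eq www (hitcnt=0)
access-list outside_in line 5 deny ip any any (hitcnt=7302)
"""

# One access-control entry: ACL name, line number, the rule text, and its hit counter.
ACE = re.compile(
    r"^access-list (?P<acl>\S+) line (?P<line>\d+) (?:extended )?"
    r"(?P<rule>(?:permit|deny) .+?) \(hitcnt=(?P<hits>\d+)\)"
)

def parse(text):
    """Return one dict per entry; header and unparsable lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ACE.match(raw.strip())
        if m:
            entries.append({
                "acl": m["acl"], "line": int(m["line"]), "hits": int(m["hits"]),
                "rule": " ".join(m["rule"].split()),  # normalise whitespace
            })
    return entries

def audit(entries):
    """Classify entries: keep, unused (zero hits), redundant (repeat of an earlier rule)."""
    first_seen, report = {}, {"keep": [], "unused": [], "redundant": []}
    for e in entries:
        key = (e["acl"], e["rule"])
        if key in first_seen:
            # The earlier identical rule always matches first, so this one never can.
            report["redundant"].append((e["line"], first_seen[key]))
            continue
        first_seen[key] = e["line"]
        report["unused" if e["hits"] == 0 else "keep"].append(e["line"])
    return report

if __name__ == "__main__":
    for category, lines in audit(parse(SAMPLE)).items():
        print(f"{category}: {lines}")
```

A zero hit count only shows that nothing matched since the counters were last reset (by a reload or by clearing them), so treat the `unused` list as candidates for review against a long enough observation window, not as an automatic delete list.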
AlgoSec has published a conversion guide from PIX to ASA. Here is a simple example of a conversion from Cisco PIX 535 to an ASA5500:

But why stop there? Now is your chance to evaluate the competition. Juniper, Check Point, and Fortinet would be my short list. (I have to disclose my bias because of course you love the platform you know. I worked at Fortinet for a year and I just recently completed FortiGate certification training.)
Regardless of your eventual choice in security platform, treat the passing of PIX as an opportunity to upgrade to a modern system with higher throughput, enhanced security features, route-based IPSec, easy HA (high availability) and a usable web interface.
Richard Stiennon is a security industry analyst. He is currently consulting, speaking and writing on all manner of security topics for IT-Harvest, the IT research firm he founded to cover the security space. He was most recently chief marketing officer for Fortinet. He has served stints at PricewaterhouseCoopers, Gartner, and Webroot Software.