Just a follow-up:
We made the switch 9 days ago and it's been a painless process. Everything was well planned, if I may say ;)
Cerberus (the new firewall) was carefully tested by a few selected people before that. The only remaining issue was NAT-related, because the servers were not using the new gateway.
We chose a Saturday to put the new firewall in production.
We basically:
Deactivated the LAN DHCP server on the "old" firewall.
Activated the LAN DHCP server on Cerberus.
Turned off the "old" firewall.
Shut down and restarted all the servers / VM / network printers / wifi AP so they could use the new gateway.
We had to tinker with the vHost/domain server/Terminal server DNS configuration, but it was solved in under an hour. Mainly because I never touch those servers (this is outsourced to a private company), so I had to google my way around to find where to make the corresponding changes.
I'm now in the process of configuring CARP / pfsync / XML-RPC between the 2 pfSense appliances.
Thanks to everyone for their help!
fabrice