diff --git a/src/migration-scripts/firewall/16-to-17 b/src/migration-scripts/firewall/16-to-17
index 9ad7a30f8..ad0706f04 100755
--- a/src/migration-scripts/firewall/16-to-17
+++ b/src/migration-scripts/firewall/16-to-17
@@ -1,60 +1,60 @@
 # Copyright (C) 2024 VyOS maintainers and contributors
 #
 # This program is free software; you can redistribute it and/or modify
 # it under the terms of the GNU General Public License version 2 or later as
 # published by the Free Software Foundation.
 #
 # This program is distributed in the hope that it will be useful,
 # but WITHOUT ANY WARRANTY; without even the implied warranty of
 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
 # GNU General Public License for more details.
 #
 # You should have received a copy of the GNU General Public License
 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
 
 #
 # T4694: Adding rt ipsec exists/missing match to firewall configs.
 # This involves a syntax change for IPsec matches, reflecting that different 
 # nftables expressions are required depending on whether we're matching a 
 # decrypted packet or a packet that will be encrypted - it's directional. 
 # The old rules only matched decrypted packets, those matches are now *-in:
     # from: set firewall <family> <chainspec> rule <rule#> ipsec match-ipsec|match-none
     #   to: set firewall <family> <chainspec> rule <rule#> ipsec match-ipsec-in|match-none-in
 #
 # The <chainspec> positions this match allowed were:
 # name (any custom chains), forward filter, input filter, prerouting raw.
 # There are positions where it was possible to set, but it would never commit 
 # (nftables rejects 'meta ipsec' in output hooks), they are not considered here.
 #
 
-import sys
-
 from vyos.configtree import ConfigTree
 
 firewall_base = ['firewall']
 
 def migrate_chain(config: ConfigTree, path: list[str]) -> None:
+    if not config.exists(path + ['rule']):
+        return 
+
     for rule_num in config.list_nodes(path + ['rule']):
         tmp_path = path + ['rule', rule_num, 'ipsec']
         if config.exists(tmp_path + ['match-ipsec']):
             config.delete(tmp_path + ['match-ipsec'])
             config.set(tmp_path + ['match-ipsec-in'])
         elif config.exists(tmp_path + ['match-none']):
             config.delete(tmp_path + ['match-none'])
             config.set(tmp_path + ['match-none-in'])
 
 def migrate(config: ConfigTree) -> None:
     if not config.exists(firewall_base):
         # Nothing to do
         return
 
     for family in ['ipv4', 'ipv6']:
         tmp_path = firewall_base + [family, 'name']
         if config.exists(tmp_path):
             for custom_fwname in config.list_nodes(tmp_path):
                 migrate_chain(config, tmp_path + [custom_fwname])
 
         for base_hook in [['forward', 'filter'], ['input', 'filter'], ['prerouting', 'raw']]:
             tmp_path = firewall_base + [family] + base_hook
-            if config.exists(tmp_path):
-                migrate_chain(config, tmp_path)
+            migrate_chain(config, tmp_path)