Perhaps the most important work in ensuring that a firewall effectively protects the resources it should is done before the firewall is even out of the box: deciding what it needs to protect and where to place it. It's important to understand which type of firewall design will best protect the resources that need protection. Although a single firewall will do an adequate job of protecting most resources, certain high-security environments may warrant using a dual-firewall architecture to minimize exposure and risk.
As important as the design is, determining which firewall best provides the required functionality matters just as much. Not all firewalls are equal, and an application firewall may be less effective than a transparent firewall in certain circumstances. Similarly, if you require high availability (HA) from your firewall implementation, you need to ensure that the design solution supports operating in an HA mode.
The most important thing to remember, however, is that a firewall is not a device. It is a system of devices that, if properly implemented, provides multiple layers of defense between the resources you want to protect and malicious users and traffic that want to gain access to them.