I'm looking for a solution to copy the configuration from an old firewall on 8.1 to a new one on 8.3. I realize there are a few options.
1. Doing it from scratch
2. Updating the source firewall to 8.3, exporting a backup, then importing the backup to the target firewall
3. Creating a VM on the same version as the source. Exporting a backup and importing, while walking it through the various patches.
I found some discussions in 2010 stating there would be an easier path for copying the config over. Are there any updates to that?
Also, if I were to upgrade a firewall from 8.1 to 8.3 could I do this easily walking it through patches? What would be the specific steps?
Thanks in advance.
Any of those three options is feasible. Really depends on what you want to do.
Given the difference between the two versions is relatively minor (not like trying to take an old v7 installation and transfer it to new hardware which will be shipped with v8) I would personally look at either the 2nd of your two options - as long as it is still in maintenance, otherwise you won't be able to install the patches. Or, I'd take the new appliance, retro-install 8.1 (which you can download from the McAfee Product Downloads section of their web site using your grant number to gain access). Backup and transfer the config from the old box to the new one and then upgrade to the latest 8.3 patch level.
One more question here. If one was to take a backup on the 8.1 version and import it into another firewall that has been downgraded to 8.1, what kind of steps are required to modify the network interfaces? Because obviously they would be different. Does the import still go through even though they have different interface names?
Based on experience, I would say that much of that would depend on how different the old and new hardware appliances are. McAfee now appear to have standardized their interface naming convention starting 1-0 and then 1-1, 1-2, etc... This means that you can actually transfer a configuration between two appliances and aside from needing to re-enter the serial number & re-activate the license, the network configuration shouldn't be affected.
But if the source appliance had interfaces which were identified by the operating system as em1, em2 and such like, when restoring the configuration to an appliance with different interface types, you will find that the target appliance won't be able to communicate over the network. This isn't a disaster as you will still be able to access the command line (either with a screen and keyboard attached directly or via a serial connection, depending on which appliance you are dealing with).
The "ifconfig" command can be used to identify the physical interfaces on the appliance and the labels assigned to them by the operating system.
Then you can use the cf interface command to alter one of the Firewall interface definitions so that it ties in with a physical interface.
So, imagine the internal interface on the old firewall appliance was called "em1" and the corresponding interface on the new device is "1-1", you should be able to use the following command to link the logical interface definition with the physical device:-
cf interface modify name=internal_network hwdevice=1-1
- substitute "internal_network" with whatever name the interface definition is actually called - a "cf interface query entrytype=interface" will tell you what the interface definitions are actually called.
This will allow you to communicate again with the Firewall over network connection and establish an Admin Console session, from which you will then be able to modify & re-assign all the other interfaces on the box.
I have done exactly what Phil said to do, when we moved from 2150D to a 5032. Moving the config file disabled the named interfaces. I had to issue a cf int mod command to enable the interface and to assign the interface to the interface I wanted.
cf interface modify name=internal hwdevice=1-0 enabled=yes
This got all my burbs back on line, took me about 1 hour to reconfigure, apply license and update patches.