Migrating configuration from existing UTM 9 to new XG hardware appliance

Editorial Note: Please visit our Sophos Migration Center for important information regarding migrating from UTM to SFOS/XG/XGS. Sophos offers a Migration Desk available to all Partners (and subsequently customers) free of charge who will help plan, execute, and verify migrations.


I wanted to start a discussion on this because I know I cannot be the only one who is wondering about the best method for my current task.

I have an existing UTM 230 with HA for redundancy; this is completely configured for everything, and we have servers in the DMZ that are in use 24/7. We purchased a new XG 230 appliance and will have HA for redundancy. I have to deploy the new XG with minimal downtime (I can get away with a 4-6 hour window), so what I am trying to figure out is the best method for this. Can I simply plug the new XG into a switch and begin to configure it to match the existing one? Or is there a better method to complete this process? My one concern is whether, once the new XG is turned on, it will affect the licensing for the existing one; I do not want the existing one to simply have features no longer enabled once this happens, so is there a grace period for this?

Any help or stories anyone can share would be great!

Thanks



Note
[edited by: FloSupport at 3:36 AM (GMT -8) on 16 Dec 2022]
  • Hi Grifter,

    Don't worry about licensing; you have bought separate boxes, so the licensing of each is independent of the other. The only time this would be a concern is if you were upgrading the SG hardware with XG firmware (officially any existing UTM licensing should no longer be used).

    My recommended steps for your upgrade are as follows:

    • Plug a laptop into Port1 and Port2 into your "LAN" so it can reach the internet (may need exceptions) for licensing
    • Once both XGs are licensed, make sure the XG you are configuring is the one with the full licensing you have purchased; one of the XGs may only be trial/base because it is an HA spare
    • Remove the Port2 configuration by setting its zone from WAN to none
    • Configure Port1 with an IP that is on the range that you want to access it on for configuration. Ideally, on the same range as the existing internal primary subnet of your SG230s
    • Migrate the configuration over. With the exception that if there are any VLANs on Port1, make sure they are configured with a different IP to the 230 so you do not get an IP clash (you will change these later)
    • Once you are satisfied you have configured a relative facsimile of the SG230s with all Firewall Rules, NATs and Interface/Routing configuration, then we are ready to switch over
    • Shut down the auxiliary node of the SG230s to make switchover easier and unplug its cables; leave them loose nearby in case you need to revert
    • Unplug the SG230 from its placement in the network
    • Reconfigure all of the Port1 VLANs and the primary interface IP to replicate what the SG230 was using on eth0
    • Move all the cables that the SG230 was using to the XG230 (unplug the cable you were using for config access)
      • You may find ARP tables do not update quickly, especially for Alias IPs. Rebooting the XG once it is in place will help; otherwise it will take a little bit of time
    • Resolve any issues using a single node on the XG230

    Once you are satisfied that you have got the interfaces, routing, Firewall rules and NATting etc. to a good point where you can pop the cork for champagne, then you can configure HA on the XG230 auxiliary node: use the cabling from the SG230 auxiliary and enable it.

    I always do HA last because in the moment of switchover, it's an uncertainty I can't be bothered to deal with! (Just remember the MAC addresses update, so you may have to fail over to and from the nodes a couple of times to promiscuous-ARP all the surrounding devices.)

    That should give you the least downtime and the most satisfactory switchover.

    Emile
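To see the ARP problem Emile describes after moving the cables, here is an added example (my own, not from the thread or from Sophos) that parses `ip neigh show` output captured on a Linux host in the LAN and reports which of the firewall's IPs (primary, VLAN and alias addresses) still resolve to the old SG230 MAC instead of the new XG230 MAC. The MACs, IPs and the sample neighbour table are constructed.

```python
"""Post-switchover ARP check (constructed example).

Hosts keep cached ARP entries, so after the cables move from the SG230 to
the XG230 some gateway IPs may still map to the SG230's MAC.  Run
`ip neigh show` on a LAN host, feed the text to parse_neigh(), and
classify_gateways() tells you which gateway addresses are updated,
still stale on the old MAC, resolved to some other MAC, or unresolved.
"""
import re

OLD_SG_MAC = "00:1a:8c:aa:bb:01"   # constructed: SG230 eth0 MAC
NEW_XG_MAC = "7c:5a:1c:11:22:03"   # constructed: XG230 Port1 MAC
# constructed: primary gateway IP plus an alias IP and a VLAN 20 gateway
GATEWAY_IPS = ["192.168.1.1", "192.168.1.2", "10.10.20.1"]

# constructed sample of `ip neigh show` taken right after the cable move
SAMPLE_NEIGH = """\
192.168.1.1 dev eth0 lladdr 7c:5a:1c:11:22:03 REACHABLE
192.168.1.2 dev eth0 lladdr 00:1a:8c:aa:bb:01 STALE
10.10.20.1 dev eth0.20 lladdr 00:1a:8c:aa:bb:01 REACHABLE
192.168.1.50 dev eth0 lladdr 08:00:27:12:34:56 REACHABLE
"""

# `lladdr` is absent for entries in FAILED/INCOMPLETE state, hence optional
NEIGH_RE = re.compile(
    r"^(?P<ip>\S+)\s+dev\s+(?P<dev>\S+)"
    r"(?:\s+lladdr\s+(?P<mac>[0-9a-f:]{17}))?\s+(?P<state>\S+)$", re.I)


def parse_neigh(text):
    """Return {ip: (mac_or_None, STATE)} parsed from `ip neigh show` output."""
    table = {}
    for line in text.splitlines():
        m = NEIGH_RE.match(line.strip())
        if not m:
            continue  # skip blank or unexpected lines
        mac = m.group("mac").lower() if m.group("mac") else None
        table[m.group("ip")] = (mac, m.group("state").upper())
    return table


def classify_gateways(table, gateway_ips, old_mac, new_mac):
    """Map each gateway IP to 'updated', 'stale_old_mac', 'other_mac' or 'missing'."""
    result = {}
    for ip in gateway_ips:
        mac = table.get(ip, (None, None))[0]
        if mac is None:
            result[ip] = "missing"          # no entry or unresolved
        elif mac == new_mac.lower():
            result[ip] = "updated"          # host already sees the XG230
        elif mac == old_mac.lower():
            result[ip] = "stale_old_mac"    # still pointing at the SG230
        else:
            result[ip] = "other_mac"        # unexpected device answering
    return result


if __name__ == "__main__":
    for ip, status in classify_gateways(parse_neigh(SAMPLE_NEIGH),
                                        GATEWAY_IPS, OLD_SG_MAC, NEW_XG_MAC).items():
        print(f"{ip:15} {status}")
```

Any address reported as `stale_old_mac` is one where the host has not yet learned the new MAC; a reboot of the XG or an HA failover, as Emile suggests, or simply waiting for the entry to expire, will clear it.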

  • First thanks for the detailed response!

    When you say migrate the configuration over, is there a tool for this or process or is it recommended to manually migrate everything over?

  • Here is the reply I got from Support:

    Thank you for contacting technical support. We do not really have a best practice when it comes to swapping out the firewall. If you have a test environment, I would suggest setting up the XG configured in the test network to confirm it works with the config settings of your customer. When it is working, then bring it to site to iron out any issues that may arise when it is put into production.

    As a reseller, you should be able to sign up to use our migration tool to convert the SG configuration to an XG config file. The tool is not perfect, so you would need to verify the various parts of the firewall configuration to confirm all the settings are in place. Please contact your account manager to see about getting access to the migration tool.

    If you have any additional questions, please let us know.

    Regards,

  • Hi Grifter,

    There is a migration tool but it literally only does Firewalls and little else. I would recommend doing a full rebuild manually because that is also the best way to learn the XG and know exactly what you're looking at.

    Also gives an opportunity to clean up the ruleset!

    Bit of advice, bin the UTM webfilter config when migrating, only take the exceptions and websites you've allowed/blocked over because there is no point replicating the UTM. The XG is just too different for the Web Filtering principles.

    If you come across something in the UTM you don't know how to replicate, throw a thread here; there are many who can help :)

    Plus, we're engineers, we don't need migration tools, we love pain :P

    Emile