Conversion Utility UTM 9 to XG

Does anyone know if Sophos ever released a Conversion Utility for UTM 9 to XG? I was promised this over a year and a half ago and I still don't see it anywhere on this site. I have a very complicated UTM 9 firewall that I don't want to retype from scratch. Any help would be appreciated. Thanks.



  • Hello Jae Lupo,

    A few months ago I was doing a usability analysis of this tool. I was asked for this analysis and I also wanted to personally know if this configuration conversion tool is usable. If you have a complicated UTM9 configuration (as you wrote) I can assure you that the SG To XG Migration Tool is unusable.

    I have found four or five totally unacceptable bugs in this tool that in principle preclude the use of this tool for configuration conversion. Or rather, after a migration of a configuration, such an extensive analysis of the migrated configuration is necessary that it is less time-consuming to manually override the configuration than to migrate and then check the configuration. For example, some types of firewall rules are not migrated within the migration process and there is no record of it in the migration log! And nowhere in the release notes for this tool is there any mention that these types of firewall rules are not migrated!

    In my opinion, this tool (in the current version) is only suitable for the migration of objects in the configuration. Unfortunately, the naming convention in UTM v9 and XG is not identical, so the names of network objects or network services do not match after migration.

    If you are interested, I can send you my findings by PM.

    Regards

    alda

  • Just to add some points to this post.

    The challenge in migrating a UTM to XG is basically the switch of usability and handling traffic.

    While UTM uses different modules without any interaction, XG uses one firewall rule set for each module.

    It is kinda complicated to migrate such a configuration. Another big point is the interaction with certain interfaces.

    While XG uses zone-based firewalling, UTM uses network-based firewalling. It is quite different.

    There are many other points which will not work (for example, how to migrate Web Policies?).

    While working for Sophos over the past years, I saw a couple of UTM configurations, most likely much older than the hardware (UTM8 or earlier).

    Such backups are most likely not usable at all for migrations. I saw backups with 4000+ objects on an SG210 or UTM220, just because multiple people configured this appliance in the past years and everybody simply created new objects etc...

    I would take this opportunity to do a step-by-step migration from UTM to XG. Move one module at a time.

  • I can understand how difficult it is to migrate from one software to another. What makes me upset is we dropped 20K on this software with the promise this tool would be available soon and it was an easy transition. Once we paid there was no tool to be found.

    I agree this is a good time to do a clean install but the other issue I have is I only have 30 days to do it or the trial license expires. Very frustrating as I need more time than that to configure a system like this.

  • I guess for a migration, you will get the trial extended. Just talk with your Sales Rep.

    Same for the migration tool. 

  • Hello LuCar Toni, I disagree with your view that migrating a configuration from UTM v9 to XG is very complicated. Does Sophos have such bad programmers that they can't write a migration tool? Very probably yes.

    I do not want a tool that would migrate email and web policies but a tool that can migrate firewall rules. Yes, such a tool I want because I don't want to rewrite every firewall rule as a slave. Yes, after migration I have to check every firewall rule, but I do not have to rewrite each rule as a slave.

    You note that UTM v9 is not a zone firewall and that it is therefore not possible to correctly migrate the firewall rules to XG, which is a zone firewall. Did Sophos think about how to solve this problem elegantly? I know nobody, because this problem can be elegantly solved at the beginning of the migration with a very simple translation table, for example

    Eth0-> LAN zone
    Eth1-> WAN zone
    Eth2-> DMZ zone

    What do you think, would this be such a big and difficult problem for your programmers?!?

    Try to justify before a customer that they have to rewrite, for example, 500-600 firewall rules because Sophos does not have a migration tool.
    And do you know what he will answer?!? So, would it not be better to switch to another firewall manufacturer because I still have to manually override the configuration? And from another firewall vendor I will get a new firewall with a very significant discount as a competitive upgrade.

    Is it a really interesting policy to support partners and customers, right? How long do you think Sophos will be successful in the firewall market?

    Regards

    alda
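
The interface-to-zone translation table from the post above, worked through as an added example (not part of the original thread and not Sophos code). The rule dictionaries, the interface subnets and the default-route interface are constructed for illustration and do not reflect the UTM or XG export formats; any rule that cannot be mapped to exactly one zone is reported instead of being dropped without a log entry.

```python
import ipaddress

# Translation table from the post: interface -> zone.
IFACE_ZONE = {"eth0": "LAN", "eth1": "WAN", "eth2": "DMZ"}
# Constructed (IPv4 only): subnets attached to each internal interface.
IFACE_NETS = {"eth0": ["192.168.1.0/24"], "eth2": ["10.0.50.0/24"]}
DEFAULT_IFACE = "eth1"  # assumption: the default route leaves via eth1

# Constructed network-based rules, not a real UTM export.
RULES = [
    {"name": "lan-to-web", "src": "192.168.1.0/24", "dst": "any", "service": "HTTPS"},
    {"name": "dmz-mail-out", "src": "10.0.50.25/32", "dst": "203.0.113.10/32", "service": "SMTP"},
    {"name": "legacy-wide", "src": "192.168.0.0/16", "dst": "10.0.50.0/24", "service": "Any"},
]

def zone_for(network):
    """Return the zone a network belongs to, or None if it is ambiguous."""
    if network.lower() == "any":
        return "Any"
    net = ipaddress.ip_network(network, strict=False)
    for iface, subnets in IFACE_NETS.items():
        if any(net.subnet_of(ipaddress.ip_network(s)) for s in subnets):
            return IFACE_ZONE.get(iface)  # None if the interface has no zone
    for subnets in IFACE_NETS.values():
        # Overlaps a local subnet without fitting inside it: spans zones.
        if any(net.overlaps(ipaddress.ip_network(s)) for s in subnets):
            return None
    return IFACE_ZONE.get(DEFAULT_IFACE)

def migrate(rules):
    """Split rules into zone-annotated rules and rules needing manual review."""
    migrated, skipped = [], []
    for rule in rules:
        src, dst = zone_for(rule["src"]), zone_for(rule["dst"])
        if src is None or dst is None:
            skipped.append((rule["name"], "cannot map to a single zone"))
            continue
        migrated.append({**rule, "src_zone": src, "dst_zone": dst})
    return migrated, skipped

if __name__ == "__main__":
    done, review = migrate(RULES)
    for r in done:
        print(f"{r['name']}: {r['src_zone']} -> {r['dst_zone']} ({r['service']})")
    for name, reason in review:
        print(f"NOT MIGRATED {name}: {reason}")
```
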