
Conversion Utility UTM 9 to XG

Does anyone know if Sophos ever released a Conversion Utility for UTM 9 to XG? I was promised this over a year and a half ago and I still don't see it anywhere on this site. I have a very complicated UTM 9 firewall that I don't want to retype from scratch. Any help would be appreciated. Thanks.



  • Hello Jae Lupo,

    A few months ago I was doing a usability analysis of this tool. I was asked for this analysis and I also wanted to personally know if this configuration conversion tool is usable. If you have a complicated UTM9 configuration (as you wrote) I can assure you that the SG To XG Migration Tool is unusable.

    I have found four or five totally unacceptable bugs in this tool that in principle preclude its use for configuration conversion. Or rather, after migrating a configuration, such an extensive analysis of the migrated configuration is necessary that it is less time consuming to manually override the configuration than to migrate and then check it. For example, some type of firewall rule is not migrated within the migration process and there is no record of it in the migration log! And nowhere in the release notes for this tool is there any mention that this type of firewall rule is not migrated!

    In my opinion, this tool (in the current version) is only suitable for the migration of objects in the configuration. Unfortunately, the naming convention in UTM v9 and XG is not identical, so the names of network objects or network services do not match after migration.

    If you are interested, I can send you my findings by PM.

    Regards

    alda

  • Just to add some point to this post. 

    The challenge by migrating a UTM to XG is basically the switch of usability and handling traffic.

    While UTM uses different modules without any interaction, XG uses one firewall rule set for each module. 

    It is kinda complicated to migrate such configuration. Another big point is the interaction with certain interfaces.

    While XG uses the Zone based firewalling, UTM uses a network based firewalling. It is quite different.

    There are many other points which will not work (for example, how to migrate Web Policies?).

    While working for Sophos over the past years, I saw a couple of UTM configurations, most likely much older than the hardware (UTM8 or earlier).

    Such backups are most likely not usable at all for migrations. I saw backups with 4000+ objects on an SG210 or UTM220, just because multiple people configured this appliance over the past years and everybody simply created new objects etc...

    I would take this opportunity to do a step by step migration from UTM to XG. Move one module at a time.

  • I can understand how difficult it is to migrate from one software to another. What makes me upset is we dropped 20K on this software with the promise this tool would be available soon and it was an easy transition. Once we paid there was no tool to be found.

    I agree this is a good time to do a clean install but the other issue I have is I only have 30 days to do it or the trial license expires. Very frustrating as I need more time than that to configure a system like this.

  • I guess for a migration, you will get the trial extended. Just talk with your Sales Rep.

    Same for the migration tool. 

  • Hello LuCar Toni, I disagree with your view that migrating a configuration from UTM v9 to XG is very complicated. Does Sophos have such bad programmers that they can't write a migration tool? Very probably yes.

    I do not want a tool that would migrate email and web policies but a tool that can migrate firewall rules. Yes, such a tool I want because I don't want to rewrite every firewall rule as a slave. Yes, after migration I have to check every firewall rule, but I do not have to rewrite each rule as a slave.

    You note that UTM v9 is not a zone firewall and that it is therefore not possible to correctly migrate the firewall rules to XG, which is a zone firewall. Did Sophos think about how to solve this problem elegantly? I know nobody, because this problem can be elegantly solved at the beginning of the migration with a very simple translation table, for example

    Eth0-> LAN zone
    Eth1-> WAN zone
    Eth2-> DMZ zone

    What do you think, this would be such a big and difficult problem for your programmers ?!?

    Try to justify before a customer that they have to rewrite, for example, 500-600 firewall rules because Sophos does not have a migration tool.
    And do you know what he will answer?!? So, would it not be better to switch to another firewall manufacturer because I still have to manually override the configuration? And from another firewall vendor I will get a new firewall with a very significant discount as a competitive upgrade.

    Is it a really interesting policy to support partners and customers, right? How long do you think Sophos will be successful in the firewall market?

    Regards

    alda
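
The interface-to-zone translation table proposed in the post above, sketched as an added example that is not part of the original thread and is not Sophos code. The rule model, the interface subnets, `eth3` and the sample rules are constructed assumptions, not the real UTM 9 or XG formats; every rule that cannot be mapped is returned with a reason rather than dropped without a log entry.

```python
import ipaddress

# Constructed sample data in a simplified model; not the real UTM 9 or XG formats.
IFACE_TO_ZONE = {"eth0": "LAN", "eth1": "WAN", "eth2": "DMZ"}   # table from the post
IFACE_NETS = {                # assumed interface subnets; eth1 holds the default route
    "eth0": "192.168.1.0/24", "eth1": "0.0.0.0/0",
    "eth2": "10.10.0.0/24", "eth3": "172.16.5.0/24",   # eth3 has no zone mapping
}
RULES = [
    {"id": 1, "src": "192.168.1.0/24", "dst": "0.0.0.0/0", "svc": "HTTPS", "action": "allow"},
    {"id": 2, "src": "0.0.0.0/0", "dst": "10.10.0.25/32", "svc": "SMTP", "action": "allow"},
    {"id": 3, "src": "172.16.5.0/24", "dst": "10.10.0.0/24", "svc": "SSH", "action": "allow"},
    {"id": 4, "src": "mail.example.test", "dst": "10.10.0.25/32", "svc": "SMTP", "action": "allow"},
]

def zone_for(network):
    """Return the zone of the most specific interface subnet containing network."""
    net = ipaddress.ip_network(network)      # ValueError for non-IP objects (DNS hosts)
    best = None
    for iface, cidr in IFACE_NETS.items():
        cand = ipaddress.ip_network(cidr)
        if net.subnet_of(cand) and (best is None or cand.prefixlen > best[1].prefixlen):
            best = (iface, cand)
    if best is None:
        raise LookupError(f"{network} is not behind any known interface")
    iface = best[0]
    if iface not in IFACE_TO_ZONE:
        raise LookupError(f"interface {iface} has no zone in the translation table")
    return IFACE_TO_ZONE[iface]

def migrate(rules):
    """Split rules into zone-based rules and an explicit list of skipped rules."""
    migrated, skipped = [], []
    for rule in rules:
        try:
            zones = {"src_zone": zone_for(rule["src"]), "dst_zone": zone_for(rule["dst"])}
        except (ValueError, LookupError) as exc:
            skipped.append({"id": rule["id"], "reason": str(exc)})  # never drop silently
            continue
        migrated.append({**rule, **zones})
    return migrated, skipped

if __name__ == "__main__":
    done, todo = migrate(RULES)
    for r in done:
        print(f"rule {r['id']}: {r['src_zone']} -> {r['dst_zone']} {r['svc']} {r['action']}")
    for s in todo:
        print(f"rule {s['id']} NOT migrated: {s['reason']}")
```

The skipped list is the part to review by hand after any automated conversion: a count of input rules that does not equal migrated plus skipped means a rule was lost.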

  • [Moderated - FloSupport]

    Everything can be scripted. The only limitation is resources.

    Sophos is trying to fight with Fortigate, Checkpoint and Palo Alto. Stop with marketing to attract customers or keeping them.

    It is a shame that Sophos does not even have a tool to migrate their internal products. Other vendors provide customers migration tools from one brand to another and this is more attractive than marketing.

    If this is the way new Sophos era is treating old and new customers, Sophos Networking products are not going to succeed. "Well done!"

    WE ARE TIRED OF EXCUSES!

    Thanks!

  • Hello Lucar Toni, have you ever tried typing the following sentence into a web browser:

    How to migrate from Sophos to Fort..t?

    I can assure you that you won't like it. There is something like FortiConverter and this migration tool can migrate more features than your own migration tool! For example, it can migrate users and user groups.

    That is something unimaginable! How can the competitor tool migrate objects that even the vendor itself cannot migrate?!?

    Sophos, please wake up!

    Regards

    alda

    P.S. I used a few dots in the name of your competitor so that someone could not accuse me of bias.

    ;-)

  • It is interesting. I always flag something as my personal opinion and post stuff here as my person, not the company. I am not hired to respond to any of your topics nor do I have to, I am here in my free time to help other people.

    Interesting enough, that some people always try to interpret my responses as a statement by Sophos.

    I am quite aware of all those points. I just tried to interpret the reasons behind such limitations to you.

    I know how those migration tools work, they use most likely XML migration calls and interpret those steps from the API to get a proper configuration.

    I would recommend interacting with your Sophos peer to address this, if you want.

    I will be quiet in this topic for now. Thanks for your feedback.

  • [Moderated - FloSupport]

    I can only see that Sophos XG is just an awarded product from your website but try to use it as a professional and you can see how bad and inaccurate it is after several years. I know that you cannot say "sorry guys, the product is bad and choose another one" but Sophos could retire the product in 2015 after a few months and appear on the market later with a completely new product instead of wasting time on fixing something that is not fixable!

    We are very technical and not stupid!