Thread Info
  • State Not Answered
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 34 replies
  • Subscribers 31 subscribers
  • Views 15144 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

XG firewall migration to 18 : probably a BUG

Giorgio Premoli1

Here, the results of my trials:

I have at home an XG HOME firewall running the version 17.5.10-MR 10; I created and downloaded a backup file

When I tried to upgrade to the firmware version 18, the firewall restarted with the default configuration (Ver.18.0.0.GA running, but just the administrator password set, all other settings have been deleted -no users, no interfaces, no zones, no rules, etc.)

I have also a new XG115 to be prepared/configured for a customer of mine; I registered it, configured it for basic functions and I updated it to the latest firmware version shown (17.5.10-MR10); I also downloaded, from the Sophos site, the related new firmware version 17.5.11-MR11 and 18.0.0 GA Build 354-SF300); after, I configured it for customer environment (LAN IP address, WAN configuration, rules, hosts, etc.); at the end, I created and downloaded the configuration backup.

I tried to RESTORE, successfully, my Sophos XG Home configuration on customer’s XG

I tried to upgrade the firmware to version 18 and it started with the DEFAULT FACTORY configuration (Administrator password remained set)

I also tried to RESTORE the XG HOME configuration backup on version 18, but it didn’t work (I was able to restore, but, at the restart, it was still with the default factory configuration)

So I rollback the firewall, loading the other firmware image directly via GUI, and the configuration was back (and running, but on firmware 17.5.10-MR10)

Then I RESTORED the customer configuration, just created, on version/image 17.5.10-MR10 and it was OK; I updated the firmware version to the 18 and it was OK

I rolled back (boot) again to the version 17.5.10 using the second image on firewall, I RESTORED the XG HOME configuration and I tried to upgrade the firmware version to 17.5.11-MR11 just downloaded on the Sophos site, and IT WORKED WELL; it restarted with the firmware version 17.5.11-MR11 with the correct configuration.

So, I tried to UPGRADE (and boot) to the firmware version 18 and the firewall/GUI showed a message saying “It will restart with the default configuration, do you want to proceed?”

 

CONCLUSION:

The configuration of XG HOME firewall runs perfectly on version 17.5.10 and 17.5.11 (both on XG HOME device and on XG115 device), but cannot be migrated to the version18; I think there is something in these settings which the UPGRADE of firmware version 18 is NOT ABLE to RUN; in other words, the firmware 18 is NOT ABLE to migrate all parameters set and so it starts on factory default settings; migrating from the version 17.5.11-MR11, the issue persists, but is shown a message.

 

Is there a way to debug/understand why (or which part of configurtion)?

 

Many thanks in advance and best Regards  

Giorgio



This thread was automatically locked due to age.
Parents
  • 0

    Hi  

    As per our discussion on twitter, request you to share the backup file from v17 and also open a service request and share the service request number you will receive from the support.

  • 0 in reply to Keyur

    Case number #9822103

    Many thanks

  • 0 in reply to LuCar Toni

    Hi LuCar,

    I'll try to do what you suggested and I'll keep you updated

    Yesterday I sent to Sophos Engineers the configuration backup file taht failed the migration; this morning I received an SMS by Sophos annuncing tha the rel. 18.0.1_MR1 (HW-18.0.1_MR-1.SF300-367.sig) has been released (already downloaded from MYID Sophos site), so I'll try as first what you suggested and after the "direct" migration to 18 MR1.

    Of course, after, I'll keep you updated and informed about that.

    Regards

  • 0 in reply to Giorgio Premoli1

    Hi,

    I have just finished other trials:

    - I tried to clone all the business rules and I deleted the old ones; I tried to upgrade to 18.0.0 GA, but unsuccessfully

    - So, rolled back to 17.5.10-MR10 and I tried to upgrade to ver. 18.0.1-MR1, but it still fails (I checked the migration.log file, but the error is still the same as previous posts)

  • 0 in reply to Giorgio Premoli1

    Do not install MR1.  Traffic jams.  v18 354 is the only v18 version reliable for now.

    Paul Jr

  • 0 in reply to Big_Buck

    Thanks Big_Buck,

    Just a trial because the v18 354 doesn't work with this config. But there is opened an official support case and I know the Sophos Engineers are already working about it.

    Many thanks again.

  • 0 in reply to Giorgio Premoli1

    Assuming the issue is in the database and your Configuration is older, this needs to be investigated by a Support engineer. 

    Lets wait for the Feedback but it is not a general issue.

  • 0 in reply to LuCar Toni
    Hi LuCar,

    I totally agree with you, we have to wait for an answer by engineers team
    But, what do you mean for "is not a general issue" or "older configuration"? We are speaking of migration, not about new installation/configuration.

    This is not an "old configuration"; it is a current configuration running on a current XG115 device with firmware version 17.5.10-MR10! Mostly, it was THE FIRST firewall configuration that I tried to migrate, and it means that the migration process to version 18 is not 100% secure, not so ready to be sure that all configurations can be migrated yet.
    Honestly, I'm quite worried for that
    I'm not going to make "dangerous experiments" on my customers' skin and on their mission-critical firewalls. And not at all, I'm going to rewrite every single configuration manually on the new firmware version. Until the migration process is not totally safe, I will not migrate any of my customers' firewalls.
    For that, I'm putting all my effort making tests and trials in order to help or put in evidence critical situations.

    Since I have an updated configuration backup of each of my clients, in the next days, where possible (for hardware requirements), I will test the import process on version 18 of all the running configurations, hoping to not find other situations so bad (and, as you can easy understand, it isn't a fast work to do and it will be really time-expensive -we are speaking of an amount of more than 40 customers, minimum...)

    As you can see (in post statistics), another user has already the same problem .... probably the migration process works quite well, but not entirely.

    Of course, if any other configuration will fail, I'll send it to the customer support /engineers team and I am very optimistic that they will find the solution early.
    I really want to try/test the new version 18 that seems to be really great, but, on the other side, I cannot risck to stop/loose my customers

    Sincerly yours,
    Giorgio
     
     
  • 0 in reply to Giorgio Premoli1

    Just to be clear: This configuration of yours, which is not getting migrated, how old is the backup? 

    I am not talking about the current Software version or something like that. How old is the Backup? Or to rephrase this question, how long is this customer using XG? 

     

    There are many installation already on V18 and we found rare cases, which could not migrate. 

  • 0 in reply to LuCar Toni

    Hi dear LuCar,

    the backup is extremly recent, of course; let's say the same day I opened the question; but also the configuration is not "hystorical", it has been created on the second half of 2019; anyway, this is an active configuration, changed each time as new need arrives or is required. I understand what you mean, but each my customers' configuration is not "old", but mostly each of them is "alive", not only it is running today, but also because in each configuration have dinamically added new items, or deleted what is no longer needed; in other words, also if the first configuration has been created 1 year ago -or more, for some customers-, this configuration is alive and updated. If I have to create it from the beginning, I'll create exactly all as it is now.

    I can understand what you mean for "old" and is difficult for anyone to say "I'm sure, there isn't any 'not still used' parameter" (like Hosts or IPes, rules, etc.), "the configuration is clean and it doesn't contain any unused object brought by previous release versions", but is also true that all them are running on version 17.5 (also if they started in version 16 or older), but no longer on v.18

    I well understand that the (retro) compatibility is a big issue that requires an enormous debugging-work, but is totally unthinkable to rewrite from the beginning all the running configurations because otherwise the ver.18 doesn't support them (or what was accepted and running on 17.5.10); that means to not migrate anything

    My best Regards

    Giorgio

  • 0 in reply to Giorgio Premoli1

    Hi all

    Unfortunately I cannot upgrade either. Is this an known problem?

    Restore from my running Image SFOS 17.5.12 MR-12 to Image Version 18 failed. Also the Import function dosen't work (System/ Backup & Firmware/ Import)
    - my active OS: SFOS 17.5.12 MR-12
    - the whole configuration is running with this Image SFOS 17.5.12 MR-12.

    Why Upgrade to Version 18?
    Reason one: Im not sure, is my running configuration safe or not, why? The Sophos XG Firewall displays Alerts! 
    - Alert: Hotfix applied for SQL Injection and partially cleaned. Additional steps may be required to secure your network. Please read KBA-135412 for possible next steps
    - Alert: HF052220.1 applied. Local and guest user password reset required for accounts that have not reset their password since 2200 UTC on April 25, 2020. Local users will be disabled from    signing in to the user portal from the WAN zone until password is reset. Please read KBA-135493 for recommended next steps.
    - All admin and local user accounts must reset their passwords per KBA135412Click here to access the User page.

    Reason two: I find various settings strange
    - Active Sync: I'm not able to configure Microsoft Active Sync. I tried many configurations. In the end, I even deactivated the option "common threat filter" (protection policy for autodiscover) and in the Firewall rulte, i added all possible Points for exceptions - tested severals apps, but Microsoft Active-Sync wont work - never! It is not possible, very strange.
    - many protectin policies are grayed out (Protect/ Web Server/ Protection policies) and i'm not able to delete them and no, it doesn't matter whether you're in use or not.
    - The Firmware Check said: no records found (no Version 18.x for downloading)

    Idea
    i thought: Patch your System with the latest Firmware SFOS 18.0.0-379, after them, restore the config from SFOS 17.5.12 MR-12 (created bevor the upgrade).
    - But the Firmware Check said: no records found, so the newest Version of Sophos XG OS is SFOS 17.5.12 MR-12? No Version 18.x for downloading, why?
    - ok, so i can get another whay to find and download Version 18.x. Login to my Online Sopohos Portal https://id.sophos.com /Network Protection/ View Devices/ under the registered version on download and here, i was able to view all available versions for my Sophos XG. All right, fine.

    Problem
    - i had uploaded the version 18 to my Sophox XG
    - i had activated this Image, Version 18. So, my Firewall applies this image, restartet and i was not able to connect my sophos XG. Ok, i thought: No Problem, she is now configured with default settings. The Connection to IP 172.16.16.16 /24 was possible. All right, i thougt. But the default Password and username, if you reset or start a default image with Usrename = admin and password = admin dosen't work. The old Admin Password from my Configuration was still valid. 

    Nice new Sophos XG login page, very nice. Login with the old admin Credentials works, fine.
    - Only two NICs are available,
    - only the default Firewall Rules are available and so one.

    I was particularly interested for the config now under the Point: Web server/ Protection policies.
    - 6 of 10 guidelines were inactive (with Version OS: SFOS 17.5.12 MR-12).
    - now, with the Version 18 only the inactive guidelines appear. As mentioned: I cannot delete them, just edit them. i thought i had loaded the latest version and ALL Settings are now default and now? I have a mix configuration. I little bit default Settings with Settings, which are grayed out and not possible to delete them. What is going on?

    But what bothers me the most: Why can't I import the backup? i get an error and also import the File which have ALL SETTING dosen't work (error). What is going on?
    So, i had to activate my old version again - maybe, a hacked Version?! ...

  • 0 in reply to AndréAegerter

    Hello

    Much of the same here.  Importing from backup have allways been an act of faith with XG.  And particularly since they decided to lock it with a password.  It fails 80% of the time.  As far as I am concerned, it works only when it is very recent.

    Paul Jr

Reply Children