This discussion has been locked.

XG firewall migration to 18 : probably a BUG

Here are the results of my trials:

I have at home an XG HOME firewall running the version 17.5.10-MR 10; I created and downloaded a backup file.

When I tried to upgrade to the firmware version 18, the firewall restarted with the default configuration (Ver.18.0.0.GA running, but just the administrator password set, all other settings have been deleted -no users, no interfaces, no zones, no rules, etc.)

I also have a new XG115 to be prepared/configured for a customer of mine; I registered it, configured it for basic functions and updated it to the latest firmware version shown (17.5.10-MR10); I also downloaded, from the Sophos site, the related new firmware versions (17.5.11-MR11 and 18.0.0 GA Build 354-SF300); afterwards, I configured it for the customer environment (LAN IP address, WAN configuration, rules, hosts, etc.); at the end, I created and downloaded the configuration backup.

I tried to RESTORE, successfully, my Sophos XG Home configuration on customer’s XG

I tried to upgrade the firmware to version 18 and it started with the DEFAULT FACTORY configuration (Administrator password remained set)

I also tried to RESTORE the XG HOME configuration backup on version 18, but it didn’t work (I was able to restore, but, at the restart, it was still with the default factory configuration)

So I rolled back the firewall, loading the other firmware image directly via GUI, and the configuration was back (and running, but on firmware 17.5.10-MR10)

Then I RESTORED the customer configuration, just created, on version/image 17.5.10-MR10 and it was OK; I updated the firmware version to the 18 and it was OK

I rolled back (boot) again to the version 17.5.10 using the second image on firewall, I RESTORED the XG HOME configuration and I tried to upgrade the firmware version to 17.5.11-MR11 just downloaded on the Sophos site, and IT WORKED WELL; it restarted with the firmware version 17.5.11-MR11 with the correct configuration.

So, I tried to UPGRADE (and boot) to the firmware version 18 and the firewall/GUI showed a message saying “It will restart with the default configuration, do you want to proceed?”

 

CONCLUSION:

The configuration of the XG HOME firewall runs perfectly on version 17.5.10 and 17.5.11 (both on the XG HOME device and on the XG115 device), but cannot be migrated to version 18; I think there is something in these settings which the UPGRADE to firmware version 18 is NOT ABLE to RUN; in other words, firmware 18 is NOT ABLE to migrate all the parameters set and so it starts with factory default settings; migrating from version 17.5.11-MR11, the issue persists, but a message is shown.

 

Is there a way to debug/understand why (or which part of the configuration)?

 

Many thanks in advance and best Regards  

Giorgio



  • Hi  

    As per our discussion on Twitter, request you to share the backup file from v17 and also open a service request and share the service request number you will receive from the support.

  • Case number #9822103

    Many thanks

  • Just to be clear: This configuration of yours, which is not getting migrated, how old is the backup? 

    I am not talking about the current Software version or something like that. How old is the Backup? Or to rephrase this question, how long is this customer using XG? 

     

    There are many installations already on V18 and we found rare cases which could not migrate. 

  • Hi dear LuCar,

    the backup is extremely recent, of course; let's say the same day I opened the question; but also the configuration is not "historical", it has been created in the second half of 2019; anyway, this is an active configuration, changed each time a new need arrives or is required. I understand what you mean, but each of my customers' configurations is not "old", but mostly each of them is "alive", not only because it is running today, but also because in each configuration new items have been dynamically added, or what is no longer needed deleted; in other words, even if the first configuration was created 1 year ago -or more, for some customers-, this configuration is alive and updated. If I had to create it from the beginning, I would create it exactly as it is now.

    I can understand what you mean by "old" and it is difficult for anyone to say "I'm sure, there isn't any 'not still used' parameter" (like Hosts or IPs, rules, etc.), "the configuration is clean and it doesn't contain any unused object brought by previous release versions", but it is also true that all of them are running on version 17.5 (even if they started in version 16 or older), but no longer on v.18

    I well understand that (retro) compatibility is a big issue that requires an enormous debugging work, but it is totally unthinkable to rewrite from the beginning all the running configurations because otherwise ver. 18 doesn't support them (or what was accepted and running on 17.5.10); that means not migrating anything

    My best Regards

    Giorgio

  • Hi all

    Unfortunately I cannot upgrade either. Is this a known problem?

    Restore from my running Image SFOS 17.5.12 MR-12 to Image Version 18 failed. Also the Import function doesn't work (System/ Backup & Firmware/ Import)
    - my active OS: SFOS 17.5.12 MR-12
    - the whole configuration is running with this Image SFOS 17.5.12 MR-12.

    Why Upgrade to Version 18?
    Reason one: I'm not sure whether my running configuration is safe or not. Why? The Sophos XG Firewall displays Alerts! 
    - Alert: Hotfix applied for SQL Injection and partially cleaned. Additional steps may be required to secure your network. Please read KBA-135412 for possible next steps
    - Alert: HF052220.1 applied. Local and guest user password reset required for accounts that have not reset their password since 2200 UTC on April 25, 2020. Local users will be disabled from signing in to the user portal from the WAN zone until password is reset. Please read KBA-135493 for recommended next steps.
    - All admin and local user accounts must reset their passwords per KBA135412. Click here to access the User page.

    Reason two: I find various settings strange
    - Active Sync: I'm not able to configure Microsoft Active Sync. I tried many configurations. In the end, I even deactivated the option "common threat filter" (protection policy for autodiscover) and in the Firewall rule, I added all possible points for exceptions - tested several apps, but Microsoft Active-Sync won't work - never! It is not possible, very strange.
    - many protection policies are grayed out (Protect/ Web Server/ Protection policies) and I'm not able to delete them and no, it doesn't matter whether they're in use or not.
    - The Firmware Check said: no records found (no Version 18.x for downloading)

    Idea
    I thought: Patch your system with the latest Firmware SFOS 18.0.0-379, after that, restore the config from SFOS 17.5.12 MR-12 (created before the upgrade).
    - But the Firmware Check said: no records found, so the newest version of Sophos XG OS is SFOS 17.5.12 MR-12? No Version 18.x for downloading, why?
    - OK, so I can take another way to find and download Version 18.x. Log in to my online Sophos portal https://id.sophos.com /Network Protection/ View Devices/ under the registered version on download, and here I was able to view all available versions for my Sophos XG. All right, fine.

    Problem
    - I had uploaded the version 18 to my Sophos XG
    - I had activated this image, Version 18. So, my firewall applied this image, restarted, and I was not able to connect to my Sophos XG. OK, I thought: no problem, it is now configured with default settings. The connection to IP 172.16.16.16 /24 was possible. All right, I thought. But the default password and username, if you reset or start a default image, with Username = admin and password = admin, doesn't work. The old admin password from my configuration was still valid. 

    Nice new Sophos XG login page, very nice. Login with the old admin Credentials works, fine.
    - Only two NICs are available,
    - only the default Firewall Rules are available and so on.

    I was particularly interested for the config now under the Point: Web server/ Protection policies.
    - 6 of 10 guidelines were inactive (with Version OS: SFOS 17.5.12 MR-12).
    - now, with Version 18, only the inactive guidelines appear. As mentioned: I cannot delete them, just edit them. I thought I had loaded the latest version and ALL settings are now default, and now? I have a mixed configuration: a little bit of default settings with settings which are grayed out and not possible to delete. What is going on?

    But what bothers me the most: Why can't I import the backup? I get an error, and importing the file which has ALL SETTINGS also doesn't work (error). What is going on?
    So, i had to activate my old version again - maybe, a hacked Version?! ...

  • Hello

    Much of the same here.  Importing from backup has always been an act of faith with XG.  And particularly since they decided to lock it with a password.  It fails 80% of the time.  As far as I am concerned, it works only when it is very recent.

    Paul Jr

  • Quite simple: As V18.0 MR1 is not released yet, there is no migration path. 

    https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-v18-mr1-is-now-available

    https://community.sophos.com/kb/en-us/135378

     

    V17.5 MR11-12 need V18.0 MR1 to upgrade, as most of the stuff in V18.0 are renamed and can not be migrated.

    Hence the Migration via API/XML does not work for everything. 

     

    About this WAF issue, I would recommend opening a new thread with screenshots, as I cannot follow your issue. 

     

  • Thank you for the answer. Encrypting backups with a password makes sense or not? What do you mean? Sophos has a problem with that? (for accepting the Backup Image and so on)

  • Hey Toni

    That means I have to wait until a newer 18 version appears?
    Toni, you again? but you can be seen here very often, I'm glad :-)

    Yes, I think I must open a new thread for my Microsoft Active-Sync problem.
    But you didn't say anything about whether my firewall might have been hacked? So, this is also a reason to upgrade my Sophos XG or: reinstall with the same image and then restore the backup.

  • Makes sense when it is implemented properly.  With XG, thousands of things can go wrong, and sure enough, when it fails the error message is clueless.

    And you cannot opt out encrypting.

    Paul Jr

  • You should use V17.5 MR12 for a new installation. Restoring the backup should work smoothly. 

    Only the import into V18 does not work (right now). 

    So please reimage your installation with V17.5 MR12. 

    https://community.sophos.com/products/xg-firewall/b/blog/posts/xg-firewall-17-5-mr12-released

     

     

    Install V17.5. Complete the wizard until you get into the webadmin.

    Wait some minutes to get the latest Hotfixes installed.

    Import the backup with the Encryption password. 

     

  • All right. The post for Active Sync is coming, but not today ;)
    First, I will reinstall my Sophos with the same image version. Maybe in a few days ...
