Manual Migration to XG?

Is there any documentation available on how to do a manual migration to XG? I mean is it a fairly straight forward process of simply re-entering information into the corresponding configuration option or is it more involved?

We are only using Network Protection for our environment and so I am mainly thinking about firewall (~20) and NAT rules (~30) and some network & service definitions (~10).

Does anybody have any experience with this process? I am mainly concerned that we might find configuration items that we suddenly can't easily convert...

Thank you!



  • Hi Jens,

    There isn't really any documentation as such for a manual migration, as this is normally reserved to the Engineer and Architect training to understand the core principles of the XG, its functions and how to operate it.

    However, I'll try to summarise: in the UTM, you would generally make multiple firewall rules to apply individually to the hosts/networks and services and destinations. The principle is fairly the same with the XG; however, in the policies (not firewall rules) you would apply multiple sets of functionality in the same place, like Intrusion Prevention, Application Control, Web Filtering and Shaping (QoS).

    Now, you can directly convert the firewall rules in the UTM to the XG, but this wouldn't be a very efficient use of the XG's architecture, so what you should do is identify all the rules that have the same sources and destinations for grouping together. A common case of this is that on the UTM I'd create a firewall rule for web surfing and a separate one for email access, but in the XG it would be better to group them together. So you would create a User/Network Policy and disable "Match Known Users" so it will only match conditions on the network.

    In the XG, like other competitor appliances, the XG has the concept of "zones". What a zone is, at its most basic, is the classification of the traffic by the interface that it's coming in on. So for instance, if you have your LAN interface connected to a port designated in the LAN zone, then you can simply make a rule that applies to the source zone LAN and you won't have to define the source subnet like you do on the UTM (I prefer to, just in case, but that's just me). Again, the WAN zone definition, when bound to the port used to connect to the internet (default gateway), then automatically classifies the firewall rule it's enabled on as requiring a Masquerading rule, and it will be enabled for you.

    Now, then we have the bit of fun: you can apply Intrusion Prevention Policies per Firewall Policy, so what this means is that if you have a firewall rule allowing standard endpoint traffic out to the web like HTTP/S and similar traffic, you can tailor-make an IPS rule that only applies the Snort rules to client traffic using the neatly done network IPS policy rule setup. This allows a far greater streamlining of the network and hardware resources over the UTM, because in the UTM it applies all Snort rules to all traffic, with the exception of the performance tuning system.

    This takes a bit of getting used to, as it is a very different way of doing things, but in essence you can directly replicate the firewalls to the XG. You have to remember that the policies are the egress point for about 6 functions of the UTM (Masquerade, Firewall, Web Filtering Profiles, Intrusion Prevention, QoS and Application Control), and you have to pre-create the policies that you're going to apply to the firewall policies.

    Next are NAT rules; these are very different, but yet not at the same time. With the Business Application Rules, there is the concept of the "Protected Server", which is the host you're wanting to 'present' to the internet (in a DNAT on the UTM this would be the "change destination address"). With the Protected Server you can define if it's in the LAN or the DMZ zone and use the host object that you create inside it. Then you have the definition of the source connection zone, which would be WAN, and this is where you can define WAN and Any (the "Internet IPv4" definition of the UTM), or remove Any and enter country definitions to apply country restrictions. You can then select the service ports to forward, either as a single port, list or range, and modify them by enabling it in the later section, or leave it as default so the port is transparently passed through.

    The XG is vastly different to the UTM, but once you've played with it you start to see what is the same and what is slightly different. What I've just smeared across the page above is the ramblings of how I perceive the similarities to the UTM within the XG, and is the result of a horrific amount of playing with XGs over the past 12 months. I hope it helps and that it is reasonably well laid out, and I am happy to answer any other questions if I can.

    What may help you most is if you post a couple of NAT rules you have and firewalls you have and we can translate them for you so you can see how it's done :)

    Emile
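
The two translation steps Emile describes (grouping UTM rules that share a source and destination into one XG policy with a zone-based masquerade flag, and mapping a UTM DNAT rule onto the Protected Server / source zone / forwarded service fields of a Business Application Rule) can be dry-run in a script before anything is typed into the XG. The example below is added here and is not Sophos code or an export from either appliance: the UTM rules, the object-to-zone mapping and the output field names are constructed for illustration and do not follow any real XG configuration schema. Rules are merged only when source, destination and action all match, in first-seen order, so an Allow and a Drop for the same pair are never collapsed and first-match semantics are preserved; anything left under "UNMAPPED" is exactly the kind of item that needs a manual decision.

```python
from collections import OrderedDict

# Constructed UTM-style firewall rules (illustrative, not from a real appliance)
UTM_RULES = [
    {"name": "Web surfing", "source": "Internal (Network)", "destination": "Any",
     "services": ["HTTP", "HTTPS"], "action": "Allow"},
    {"name": "Mail access", "source": "Internal (Network)", "destination": "Any",
     "services": ["IMAPS", "SMTPS"], "action": "Allow"},
    {"name": "DNS out", "source": "Internal (Network)", "destination": "Any",
     "services": ["DNS"], "action": "Allow"},
    {"name": "Block telnet", "source": "Internal (Network)", "destination": "Any",
     "services": ["Telnet"], "action": "Drop"},
    {"name": "DMZ to DB", "source": "DMZ (Network)", "destination": "DB server",
     "services": ["MSSQL"], "action": "Allow"},
]

# Assumed mapping of UTM network objects to XG zones; your interface layout decides this.
ZONE_OF = {"Internal (Network)": "LAN", "DMZ (Network)": "DMZ",
           "Any": "WAN", "DB server": "LAN"}

# Constructed UTM DNAT rules (illustrative). target_port None = transparent forward.
UTM_DNAT_RULES = [
    {"name": "Webmail", "source": "Any", "service": "HTTPS",
     "target_host": "mailserver", "target_zone": "DMZ", "target_port": None},
    {"name": "SIP", "source": "Any", "service": "SIP",
     "target_host": "pbx", "target_zone": "LAN", "target_port": 5080},
]


def group_utm_rules(rules, zone_of=ZONE_OF):
    """Merge UTM rules sharing (source, destination, action) into one XG-style
    policy. Order is first-seen so the resulting rule base keeps first-match
    semantics; Allow and Drop for the same pair stay separate on purpose."""
    groups = OrderedDict()
    for r in rules:
        key = (r["source"], r["destination"], r["action"])
        if key not in groups:
            groups[key] = {
                "name": f"{r['action']} {r['source']} -> {r['destination']}",
                "source_zone": zone_of.get(r["source"], "UNMAPPED"),
                "destination_zone": zone_of.get(r["destination"], "UNMAPPED"),
                "action": r["action"],
                "services": [],
                "match_known_users": False,   # network-only matching, as Emile suggests
                "masquerade": False,
                "merged_from": [],
            }
        g = groups[key]
        for s in r["services"]:
            if s not in g["services"]:
                g["services"].append(s)
        g["merged_from"].append(r["name"])
    policies = list(groups.values())
    for p in policies:
        # WAN-bound Allow rules get the masquerade flag the XG enables on a WAN zone.
        p["masquerade"] = p["action"] == "Allow" and p["destination_zone"] == "WAN"
    return policies


def dnat_to_business_rule(rule):
    """Map one UTM DNAT rule onto the fields of a Business Application Rule
    (field names are illustrative; the XG UI labels may differ)."""
    return {
        "name": rule["name"],
        "protected_server": rule["target_host"],        # UTM 'change destination address'
        "hosted_server_zone": rule["target_zone"],      # LAN or DMZ
        "source_zone": "WAN",
        "allowed_client_networks": ["Any"] if rule["source"] == "Any" else [rule["source"]],
        "forwarded_service": rule["service"],
        "port_mapping": ("transparent" if rule["target_port"] is None
                         else f"{rule['service']} -> {rule['target_port']}"),
    }


def unmapped_policies(policies):
    """Return the policies that still reference an object with no zone mapping."""
    return [p for p in policies
            if "UNMAPPED" in (p["source_zone"], p["destination_zone"])]


if __name__ == "__main__":
    for p in group_utm_rules(UTM_RULES):
        print(p)
    for d in UTM_DNAT_RULES:
        print(dnat_to_business_rule(d))
```

Running the script prints three XG-style policies from five UTM rules (the three WAN-bound Allow rules merge into one policy carrying HTTP, HTTPS, IMAPS, SMTPS and DNS with masquerade on) plus the two translated NAT rules; a real rule base with ~20 firewall and ~30 NAT rules can be walked through the same way to spot the items that do not translate cleanly.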

  • Jens, as Emile wrote XG uses a different philosophy.

    Play with XG using a 30-day trial on a VM or spare HW before moving to it. If you do not feel confident with XG, stay with SG and then move to XG when you are ready. Your license will allow you to upgrade to XG at any time (before the license expires). Check your HW and make sure it can support XG. You can find all the supported HW on the Sophos website or inside the Community.

    Hope this helps!

  • Thank you Emile!

    Your reply is very helpful. I did play around with a test version that I installed on a VM. Since our environment is quite small and since we don't use too many rules, it seemed doable to me. I just wanted to double check if there isn't any missing or completely different functionality. From what I am hearing it is different, but similar.

    Since I am also using Sophos at home, I am thinking of manually upgrading that one as an exercise to prepare me for the company upgrade in the data center. Our company essentially uses the following services:

    1. Email Server with web access

    2. VOIP Server

    3. RED Server with RED10 and, occasionally, Site-to-Site RED

    The only issues normally come from the VOIP server.

    If I can't translate a rule myself, I might come back to your offer to help me with the translation!

  • Thank you Luk!

    I have played with a trial version and, as mentioned in my other reply, will now manually upgrade my Sophos home environment as a trial run. Hopefully, that will prepare me for the manual upgrade for my company later on.

    Cheers,

    Jens