
Need to upgrade several production firewalls from ver 15 to ver 16

I have 11 remote sites that all currently run ver 15.01.0 MR-3.

I have one XG430 as a hub and 11 XG230's as spokes.

I have set up IPSEC/GRE tunnels between all of these remote sites and the hub firewall.  I have set up static routes to send traffic where it needs to go.

Is it possible to upgrade all of my 15s to 16 and just keep my IPSEC/GRE tunnels functioning?

I have been told this is fine to do, but I wanted to see if anyone has actually done this with a production setup and if it worked.

Once I have this all upgraded, my goal is to set up new RED tunnels between sites and stop using the IPSEC/GRE tunnels.

Any feedback or advice would be appreciated.

Thanks!



  • John,

    First, I hope that you have Sophos Firewall Manager to update all of them, so you can control all of them remotely from one console.

    Once your XG has been upgraded, it will reboot so the IPSec tunnel will go down. You have to plan for a downtime.

    Regards,

  • I do have the SFM and I am running the latest version that I think is compatible with ver 16 firewalls.

    I understand there will be downtime for the reboot/upgrade.  Each site has a second connection that will carry traffic when this goes down.  Only exception is local Internet access, but I can do it at night.

    So, my main concern is maintaining all of my working IPSEC/GRE tunnels, those will still function after the reboots?

    Also, I have seen where sometimes I have to re-apply my static IP routes when my IPSEC tunnels go bad.  Is that normal?

    Thanks

  • John,

    XG should XG routing even if IPSec goes down. IPSec should work even after the upgrade. I advise you to upgrade only one XG and check what is happening to that one. Remember that on XG you can easily revert back to previous firmware version from GUI.

    For the IPSec routing you should open a ticket with the support.

    Let us know for both the upgrade and the ticket.

    Regards

  • My upgrades from 15 to 16 went well.  I was able to get them all done over this last weekend.  Having a secondary connection to each site made it very easy to do after hours.

    One thing I have noticed when I made the changes and the IPSEC tunnels came back up (and I have seen this before), I always have to re-save my static routes on my firewalls.  Why is that?  Is that normal?  If I was using RED site to site tunnels, would this be an issue?

    My next plan is to deploy RED S2S connections and stop using the GRE/IPSEC tunnels.  In that vein, can RED connections be set up to form a mesh WAN so that remote sites that communicate with each other can go directly between sites and not all back through a hub site?  Is this possible?  Has it been done?

    Thanks!