Moving from one to another Sophos XG device

Hi Everyone,

I'm trying to see if anyone here has experience or best practices to follow when moving from one Sophos XG to another device. To give you a bit of background, we have been using an XG310 device which was provided by our service provider. Recently we have moved to a new WAN provider and have purchased a new XG310 to set up. Currently we have about 15 RED devices and quite a few business/firewall rules on the existing firewall.

My question is, can I take a backup and restore the config to the new device? I understand that the WAN IP details would require updating as we are using new links. However, I'm not quite sure if this is the best way. I would really appreciate your help.

Thank you.

  • Hi,

    It should work without any issues, except, as you pointed out, for your external interface.

    Ian

  • Hi Ian,

    Thank you for your reply. What about the REDs? In order to migrate them I will possibly need to update the 2nd WAN port to have the new public IP, then move them across? When restoring backups, will the RED configuration be carried across to the new device, including the unlock code etc.?

    Also, with the restore process, do both XG310s need to have the same firmware? The reason I ask is that I'm yet to migrate the current XG to the latest firmware, and the new XG has the latest.

    Regards,
    Posh

  • Hi Posh,

    there are two things not stored in the backup, one is the licence and I can't remember the other but it is also to do with the physical component.

    So, your current WAN interface will be disabled after you do a restore, so be careful with your gateways.

    Ian

  • Hi Ian,

    I have been trying to do the restore but nothing seems to have worked so far. I thought initially this was due to the different firmware that is running on the devices. Upgraded to match firmware, however, the restore process still fails. Then I was told that the new XG is rev2 whereas my current is rev1 and restore is not possible. Is this true?

    Thank you.

  • Hi Posh,

    for that sort of information you would need to check with your reseller or maybe one of the forum mods might help?

    Ian

  • Hi Posh,

    open a ticket with support. The only restriction during upgrade is that the number of NICs must be equal or greater. For the REDs, uhm... they are associated with the UTM/XG Customer ID, so they should work without any passcode reset.

    Let us know.

    Regards

  • Hi Lferrara,

    Yes, I have opened a support ticket and awaiting confirmation. Looks like I have another issue with REDs then by reading your comments. Currently, our firewall is registered with our managed provider's account. However moving forward, the new firewall is registered under one of our accounts. So is this going to impact RED device migration?

    Regards.

  • Pay attention with the REDs. Contact Support and let them know about this situation too. You need to enter the unlock code for every RED:

    https://community.sophos.com/kb/en-us/116573

    "Unlock Code

    Enter the unlock code. (Ignore this field if this RED is being deployed for the first time.)
    The unlock code is an 8-character string that is generated when a RED is added to a Sophos XG Firewall. If this RED has been deployed before, you must enter the unlock code here. The unlock code is generated during the deployment of a RED, and is emailed instantly to the address you provided when activating RED. This is a security feature, which ensures that a RED cannot simply be removed and installed elsewhere.
    For manual deployment through USB stick and for automatic deployment through Provisioning Service (see Device Deployment below), two separate unlock codes are generated. If you switch a RED from one deployment method to the other, make sure that you use the corresponding unlock code: For manual deployment, provide the unlock code of the previous manual deployment; for automatic deployment, provide the unlock code of the previous automatic deployment."
    This is from the online XG help URL.
  • Thank you for the reply, lferrara. My issue got a bit complicated. It seems that the current firewall hardware is actually an SG device but converted to XG through licensing. The new firewall is XG rev2. So according to support, backup/restore will never work given they are 2 different architectures. However, I'm still working with support to see if there is a way to at least get some of the config restored; otherwise, I'm looking at a manual setup.

  • Posh,

    what about the import/export feature from the Backup & Firmware menu?

  • Hey Luk,

    Sorry for the late reply. I already tried that, but according to Sophos support, nothing will work given they are 2 different hardware devices. Even though it was running as XG after the license, the hardware is still SG. I'm waiting to hear back from support re: importing the config.

    Regards,
    Posh

  • This is something that Sophos should address.

    Did you think about issues like this? Customers moving to XG HW v2 are not able to import/export config or restore a previous backup.

    A comment would help.

    Thanks

  • Hi lferrara,

    I received a response from support. According to their findings, there is no way to restore the backup configuration from an SG to an XG hardware even if it's running SFOS due to some hard-coded restrictions. So pretty much nothing can be done. Arghh, I will have to setup everything manual :(

    Cheers.

  • There is another solution which will get over most of your config without doing everything by hand. Export the config in XML and then import it.

    Go to Backup and Firmware, then the Import Export tab.
    Export full configuration.

    This will result in an archive, in which is a large XML file, which might be interesting to look at anyway.

    Go to the new box and import. This will take many minutes and you won't see anything in the UI. Instead, check the logs. There is a chance that this fails. There are known issues with export/import. I know that all have been solved but I don't recall if one of the longstanding ones (CertificateAuthority) is resolved in 17.0 MR5 or 17.1.

    So if the import fails you now have a choice: edit the XML inside the archive to remove all the <CertificateAuthority> sections (making sure that you don't change the format of the archive), or do a selective export where you do a one-by-one selection of everything but the Certificate Authority. Now import your new file.

    I don't know how well this Export/Import handles configuration related to hardware, etc. I'm not positive, but I think this may copy over any statically configured IP addresses, so you may need to shut down machine1 (to remove duplicate IPs on your network) to access machine2 and move it to different IPs.

    BTW, both backup/restore and import/export do not copy over reports and logs.
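As an added illustration of the XML-editing step in the post above (this is not Michael's or Sophos's code): a small Python script that takes the exported archive, removes every <CertificateAuthority> element from the XML member, and writes the archive back in the same compression format, so the archive layout is not changed. It assumes the export is a tar archive (plain or gzip-compressed) containing the configuration as a .xml member; the member name Entities.xml, the element layout and the sample configuration are constructed for the example, not taken from a real export.

```python
"""Strip <CertificateAuthority> sections from an exported full-configuration
archive before importing it on another Sophos XG.

Assumptions (not from the thread): the export is a tar archive, optionally
gzip-compressed, whose configuration lives in a member ending in ".xml";
the element name is exactly "CertificateAuthority"; the sample config and
the member name "Entities.xml" are constructed for illustration only.
"""
from __future__ import annotations

import io
import tarfile
import xml.etree.ElementTree as ET

GZIP_MAGIC = b"\x1f\x8b"
TARGET_TAG = "CertificateAuthority"

# Constructed stand-in for the exported XML; real exports are far larger.
SAMPLE_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<Configuration>
  <FirewallRule><Name>LAN to WAN</Name><Status>Enable</Status></FirewallRule>
  <CertificateAuthority><Name>Default</Name></CertificateAuthority>
  <CertificateAuthority><Name>Old-Provider-CA</Name></CertificateAuthority>
  <Certificate><Name>ApplianceCertificate</Name></Certificate>
</Configuration>
"""


def strip_elements(xml_bytes: bytes, tag: str = TARGET_TAG) -> tuple[bytes, int]:
    """Drop every <tag> element anywhere in the tree and re-serialise.

    Returns the new document and the number of elements removed.
    """
    root = ET.fromstring(xml_bytes)
    removed = 0
    for parent in root.iter():
        for child in list(parent):          # copy: we mutate while iterating
            if child.tag == tag:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


def count_tag(xml_bytes: bytes, tag: str = TARGET_TAG) -> int:
    """How many <tag> elements a document contains (used to verify results)."""
    return sum(1 for _ in ET.fromstring(xml_bytes).iter(tag))


def rewrite_archive(archive_bytes: bytes, tag: str = TARGET_TAG) -> tuple[bytes, int]:
    """Rewrite the archive with <tag> removed from every .xml member.

    Non-XML members are copied untouched, and the output uses the same
    compression (gzip or none) as the input so the archive format is kept.
    """
    gzipped = archive_bytes.startswith(GZIP_MAGIC)
    out = io.BytesIO()
    total = 0
    with tarfile.open(fileobj=io.BytesIO(archive_bytes), mode="r:*") as src, \
            tarfile.open(fileobj=out, mode="w:gz" if gzipped else "w:") as dst:
        for member in src.getmembers():
            if not member.isfile():
                dst.addfile(member)         # directories, links: copied as-is
                continue
            data = src.extractfile(member).read()
            if member.name.lower().endswith(".xml"):
                data, n = strip_elements(data, tag)
                total += n
                member.size = len(data)     # tar header must match new body
            dst.addfile(member, io.BytesIO(data))
    return out.getvalue(), total


def build_sample_archive(xml_bytes: bytes = SAMPLE_XML, gzipped: bool = True) -> bytes:
    """Construct a stand-in for the downloaded export (illustration only)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz" if gzipped else "w:") as tar:
        info = tarfile.TarInfo(name="Entities.xml")   # member name is assumed
        info.size = len(xml_bytes)
        tar.addfile(info, io.BytesIO(xml_bytes))
    return buf.getvalue()


def demo() -> int:
    """Run the rewrite on the constructed archive; returns sections removed."""
    fixed, removed = rewrite_archive(build_sample_archive())
    with tarfile.open(fileobj=io.BytesIO(fixed), mode="r:*") as tar:
        xml_out = tar.extractfile("Entities.xml").read()
    assert count_tag(xml_out) == 0, "CertificateAuthority sections remain"
    assert count_tag(xml_out, "FirewallRule") == 1, "unrelated config was lost"
    print(f"removed {removed} {TARGET_TAG} section(s); wrote {len(fixed)} bytes")
    return removed


if __name__ == "__main__":
    demo()
```

To use it on a real export, feed the downloaded archive's bytes to rewrite_archive() instead of build_sample_archive(), compare count_tag() for a few unrelated elements before and after, and keep the original archive so the selective-export route is still available if the import still fails.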
  • Hi Michael,

    Thank you for your reply. Unfortunately, that didn't work either. No matter what I select, it won't let it restore. I have started setting it up manually now :(.

    Cheers.