This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM to SG Migration

We will be moving from a UTM appliance to an SG appliance.  I have read some threads about migrating using an unencrypted backup on a flash drive.  I just want to make sure I have all my ducks in a row before I proceed.

  • Update the SG to the same firmware as the UTM
  • Factory reset the SG
  • Backup the existing UTM (unencrypted), download it and copy it to the root of a USB stick
  • Plug the USB stick into the SG and power it on

Does the USB stick need to be formatted as FAT32?  Does the UTM backup need to be renamed?  Is there anything else that I am missing?



This thread was automatically locked due to age.
  • The new device can be Up2Dated to a newer version than the old device.

    I have a slightly different process that results in only a few seconds of downtime:

    1. Do a quick, temporary install so that the new device can download Up2Dates if needed.
    2. Apply the desired Up2Dates (stop at 9.506 today) and do a factory reset.
    3. On the current UTM in use, on the 'Hardware' tab of 'Interfaces', assign the MAC as the Virtual MAC for the NICs in use.
    4. Create a backup and load it onto a USB memory stick.
    5. Reboot the new device with the USB memory stick in place and remove the memory stick after the boot is complete.
    6. Connect a PC to the new device, upload the license for the new device and then disconnect the PC, leaving the new device powered up.
    7. Power down the old device and move the cables to the new device.  Done.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob...

    I'm going to be upgrading our UTM to an SG here in a few days also.  I was going to complete all of the steps you indicated prior to reading your replay except for one.  I didn't think to do the MAC address assignment you indicated in step 4 of your directions.  Can you please elaborate for me what step 3 is about and why it should be done?  What would happen if you didn't do that step?

    Thanks for your valuable time!

     

    Josh

  • Hi Josh, #3 lets you do a virtually-instantaneous switchover because you don't have to reboot the switches and other directly-connected devices to clear their ARP tables.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks Bob!  I really appreciate your response.  Any other tips you can suggest?  We purchased Sandstorm and some other new licensed features.  Do you know if when migrating using the method in this thread if we need to enable those new features?  I guess I'm wondering if Sandstorm will just automatically work.

     

    Regards,

    Josh

  • If it doesn't work, Josh, it will mean that it's not selected in WebAdmin.  If you need help with that, open a new thread in the Web Protection or Mail Protection forum.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hi Bob...

    One additional question regarding the virtual Mac addresses.  Instead of assigning the physical MAC addresses of the in use interfaces on the existing ASG to virtual ones on that device.  Can I just enter those MAC addresses as virtual addresses on the new SG.  So in other words, ASG eth0 physical MAC to SG eth0 virtual MAC, ASG eth1 physical MAC to SG virtual MAC?  etc.

    I'm assuming you make the changes on the existing device only to have them saved in a backup which is restored to the new device.  Thus, you don't have to manually assign the virtual MAC address to the matching interface - correct?  But you could do it manually if you wanted to?

     

    Thanks,

    Josh

  • You're right, Josh - the result would be the same.  I'm lazy so I like to cut and paste inside one window.[;)]

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA