Configuring VPN Remote Access for the first time on your Sophos XG Firewall? Check out this useful Community post!
Advisory: Sophos XG Firewall - Antivirus service stopped due to failed pattern update. Please visit this KBA for the latest updates
We'd love to hear about it! Click here to go to the product suggestion community
As far as my partner told me, there is a tool... internal tool for migrating from SG to XG.
Is public accesible?
I don't believe so, stories go about in beta but nothing definite.
In reply to rfcat_vk:
My partner told me to send back a backup of my config to upgrade the config from SG to XG but its impossible. Because of this my question.
Hello we even search for this tool. Is there any Infos about the "Beta" i read some infos fom 2015 an so on. But nothing more than that the tool is in beta testing. Greetz
In reply to AR_CP:
As far as I am aware there is still no production tool. You would have to ask your reseller/partner not this forum for a definite answer.
2 different products so best to document your current config and create your rules from scratch.
Hi, everyone. It's true! The much anticipated SG to XG Migration Assistant is now available as part of an early access program for Sophos Partners.
I plan to write a full FAQ and some best-practice considerations on this whole topic very soon and will post it on the Sophos blog and link to it from here when it's ready, but here are some answers to the most immediate questions about how to get access...
How Does it Work, What Can I Expect?
As we all know, migration is a big undertaking and while we, at Sophos, strongly encourage migrating from scratch and using this as an opportunity to fully review your security posture and UTM/Firewall configuration, we realize that there are many time consuming objects and data entry tasks that can benefit from some automation assistance - hence the SG to XG Migration Assistant. Your partner will need an SG backup file from your Sophos UTM as input, and will use the Assistant to migrate and convert a lot of the objects, and many network settings - producing an XG compatible backup you can import into your XG Firewall after it's done. It will not migrate policies and firewall rules, as mentioned above, these are best reviewed and revisited from a fresh start and there are fundamental differences in the policy and firewall models that necessitate this anyway. It will save considerable hands-on-keyboard time if you have a lot of objects and network definitions, and other time consuming entries.
I'm a Sophos Customer, how do I get access to the SG to XG Migration Assistant?
The SG To XG Migration Tool is currently available to Sophos Partners only as part of an early access program at this time, so please reach out to your Sophos Partner or find a suitable Sophos Partner near you and if they don't already have access to the Migration Assistant, they can inquire with their Sophos channel manager who can get them access.
Sophos Partner Locator: https://www.sophos.com/en-us/partners/partner-locator.aspx
If you can't locate a partner willing to help you, Sophos Professional Services can help you with your migration needs.
If I'm a Sophos partner, how do I get access to the SG to XG Migration Assistant?
The SG To XG Migration Tool is currently available to Sophos Partners only as part of an early access program at this time, so please reach out to your Sophos Channel Account Manager who can get you access. As part of the early access program, we will ask you to provide feedback through a 3-question survey once you've had a chance to utilize it.
In reply to Chris McCormack:
How can I access to this tool at partner portal.? I can not see the option.
I´m testing a potential upgrade from SG to XG
In reply to Edgar Quintana1:
Please reach out to your Sophos Channel Account Manager and they will get you hooked up.
Any specific reason(s) why the tool is not available to the public? I am currently busy with a few SG to XG migrations would prefer to do some testing first.
Hi Chris. Can you please send me a copy of the migration tool? Thank you.
Unless you have a VERY serious reasons to leave the stability and easyness of SG. Don't migrate to XG already. It is NOT ready. I would say, wait at least two years.
DHCP is at its most basic. All goodies that comes with a DHCP server like Microsoft Windows, like time source, or whatever else source are none. The only thing it provides is an IP address. That's it, that's all.
NO NTP server or no NTP relay or whatever NTP.
HTTPS scaning will jam Windows and Chrome updating. ANd many others as well.
Logs are helpless and not on par with competing product.
In general, everything is very complicated to setup. And very often unintuitive.
They will get there I think. But for now, it is only suffering.
In reply to Big_Buck:
To a certain extent, I can concur as I am going through the growing pains post migration of 2 Sophos mid-range appliances. It's been challenging but have no choice because Sophos has disabled a "Rollback to UTM 9" button. On a more positive note, XG is a lot less intensive on system resources, specifically CPU and memory, than UTM 9. The firewall rules are more flexible and less rules are required. Enterprise features such as RADIUS SSO are included. Bandwidth throttling works unlike UTM 9.
However, I have been experiencing some rather strange issues and can be forgiven for also thinking that XG is not yet ready. These include, domain machines losing internet connectivity for no rhyme nor reason and wireless clients losing internet access when roaming from one AP to another. I have been spending a significant amount of time with Sophos support troubleshooting issues and will plod on for a bit longer but open to looking at another solution e.g. Fortigate.
I looked at the migration tool and imported the UTM 9 config files but decided it's best to start from scratch. A new firewall broom...
In reply to envercpt:
Forgot to mention, IPv6 in XG is like having TWO firewalls on you rack. In XG IPv4 and IPv6 are two separate worlds. Meaning you have to duplicate each and every rules and many other things.
Very annoying also, is the obligation to setup options like HTTPS scanning on each rule. Same for Sandboxing. Takes an eternity to put off and on in case of troubles, which happens often. Particularly on Microsoft's patch Tuesday were none of your updates will go trough if scanned. Like exactly what I am forced to do today, since were are Tuesday. And no, exceptions rules won't work.
Be warry of doing this:
Doing an 9.5 SG as a trail (quicker to deply) and installed an XG (converting the SG). Then converting it in the SG to XG converter deloys some unexpected things. The Default certificate, which is bank on the XG and needs to be filled out in order to log into the client portal is prefilled (from the trial) and has Sophos Head Office address default details. Once installed onsite no one can VPN to the Converted SG to XG site as these details are wrong. You have to filled the defualt cetetificate properly -- then regenerate it. (I think the regeneration here is thing really needed). Then regenerate your VPN client configuration. Then the SG to XG issues resolve them selves.
In other words check the default Certificate and fill it out right before configuring anything else. then regenerate it and add to the clients.
Is there any more documentation in regards to the assistant? I'm not finding anything on the Partner Portal.