Migrating tool from SG to XG



As far as my partner told me, there is a tool... internal tool for migrating from SG to XG.


Is public accesible?



  • In reply to Breakingcustom:


    Please get in touch with your Sophos sales Rep, he can point you the documentation. 

  • In reply to LuCar Toni:

    The tool will probably list numerous items that it could not migrate for multiple reasons, including the fact that numerous features are missing in XG.  There’s also the fact it would have to make numerous educated guesses resulting in somewhat hard to understand setups.  It may have to recreate names “the computer way” with no real human meaning.  

    The best way is certainly to re do it manually.  Months of work and learning curve.

  • Here's the list of what is converted with the UTM to XG conversion tool.

  • More Issues with converting from UTM 9.5 to XG (whatever) and testing on a like 135W device using the Tool as supplied to us as a Partner.

    The X509 Certificate is still default on the device when an XG which means lots of stuff does not work. 

    Delete all the certs (before) importing user or creating users.  What I mean here is under certificates delete all the X509 certs if they came over during the conversion.  These are the older certs from the UTM 9.5.  When you bring over your domain users they map to the X509 certs.  If you build a remote VPN solution for users they get the X509 Cert.  This means the Remote VPN solution wont work.  Solution:  delete users with X509 Certs.  Then make sure Default Certificate is completely filled out with your details -- Not Sophos Details in the UK.  This is found under Certificates--> Certificate Authorities--> default.  If it registered to Sophos in the UK its not you.  Fill it out as your firm and save changes.

    • Then Regenerate the Certificate Authority. 
    • Then regenerate the Appliance Certificate. 
    • Then recreate the users (perhaps you domain attached--re-import etc).

    Make sure ANY of the users have a "Per User Certificate" from the newly regenerated CA/Applicance Cert (both need regenerating as I said above).

    Make sure the VPN certificate is "ApplianceCertificate" (not the UTM Cert type)

    Make sure the HTTPS Scanning Cert is the "Security Appliance SSL CA Cert" and not any other certificate.

    Without doing the above on your Converted XG:

    • VPN wont work
    • SSL Scanning wont work
    • 2 form authentication wont work

    Also.  we converted UTM 9.5 to XG 171MR2.  Another gotcha is we used a licensed and synchronized secured device -- bad move.  Under Synchronized Security --> Clear Registration before modeling or testing.  This is very important!!!!!!    Otherwise the XG, if you clone it, says it is registered in the backend and not show in the GUI.

    Hope this helps,


  • In reply to DomusRegis:

    Fixed the cloning issue we had.  Thus far we converted UTM9.5 to XG17.1Mr2.  This might need to become another string but this is how this was fixed.  The client firewalls were 135W.  We used a XG135W in our lab to build the client's firewall from the Convert file from the UTM 9.5--> 17.   What I did not do was clear the Synchronized Security tic from the previous build on the First Test XG 135W Build.  So my test router had Syncronized Securty when I restored the client build to it from the converter.  Every 125W and 135W there after we could not get Synchronized Security to work (once deployed).  Raised a ticket with Sophos.  They advised rebooting to fix, which did not fix.  They peered into one machine on SSH and found the cloned device, running in the clients site, stated it was registered.  In the Gui it was not. 

    I restored the Source XG135W to the time when it was Registered for Syncronized Security.  Made sure it was on the Internet and could be seen from Sophos Central. 

    • I purged the registration.
    • Deleted that Firewall from Sophos Central (where it was registered).
    • Rebooted it. 
    • I restored every configuration from each client site Firewall which had the "failure to regiester Syncronized Security" error to the orginal test XG Firewall Device. 
    • Exposed it to the Internet in RAW form when booted (rebooted to get a green tick). 
    • After about 10 minutes I turned the Test XG Firewall Off. 
    • Went to the client's firewall and was able to register the device with Sychronized Security.
    • Repeated with each client with issue with success.

    Lesson:  Dont clone a XG Firewall without clearing the registration. 


  • In reply to Breakingcustom:

    The document for the tool is linked within the Help:About section of the tool.

  • Is there any consensus if you plan just to just use the base firewall is there any advantage to upgrade to XG? thx

  • In reply to JohnMarzich:


    XG has VPN (Ipsec etc.) and Wireless in the Base License.