Migrating tool from SG to XG

Question

Hi, 
 
 As far as my partner told me, there is a tool... internal tool for migrating from SG to XG. 
 
 Is public accesible? 
 
 Regards

Chris McCormack · Accepted Answer

Hi, everyone. It's true! The much anticipated SG to XG Migration Assistant is now available as part of an early access program for Sophos Partners. 
 I plan to write a full FAQ and some best-practice considerations on this whole topic very soon and will post it on the Sophos blog and link to it from here when it's ready, but here are some answers to the most immediate questions about how to get access... 
 How Does it Work, What Can I Expect? 
 As we all know, migration is a big undertaking and while we, at Sophos, strongly encourage migrating from scratch and using this as an opportunity to fully review your security posture and UTM/Firewall configuration, we realize that there are many time consuming objects and data entry tasks that can benefit from some automation assistance - hence the SG to XG Migration Assistant. Your partner will need an SG backup file from your Sophos UTM as input, and will use the Assistant to migrate and convert a lot of the objects, and many network settings - producing an XG compatible backup you can import into your XG Firewall after it's done. It will not migrate policies and firewall rules, as mentioned above, these are best reviewed and revisited from a fresh start and there are fundamental differences in the policy and firewall models that necessitate this anyway. It will save considerable hands-on-keyboard time if you have a lot of objects and network definitions, and other time consuming entries. 
 I'm a Sophos Customer, how do I get access to the SG to XG Migration Assistant? 
 The SG To XG Migration Tool is currently available to Sophos Partners only as part of an early access program at this time, so please reach out to your Sophos Partner or find a suitable Sophos Partner near you and if they don't already have access to the Migration Assistant, they can inquire with their Sophos channel manager who can get them access. 
 Sophos Partner Locator: https://www.sophos.com/en-us/partners/partner-locator.aspx 
 If you can't locate a partner willing to help you, Sophos Professional Services can help you with your migration needs. 
 If I'm a Sophos partner, how do I get access to the SG to XG Migration Assistant? 
 The SG To XG Migration Tool is currently available to Sophos Partners only as part of an early access program at this time, so please reach out to your Sophos Channel Account Manager who can get you access. As part of the early access program, we will ask you to provide feedback through a 3-question survey once you've had a chance to utilize it.

rfcat_vk · Answer

Hi, 
 I don't believe so, stories go about in beta but nothing definite. 
 Ian

DomusRegis · Answer

More Issues with converting from UTM 9.5 to XG (whatever) and testing on a like 135W device using the Tool as supplied to us as a Partner. 
 The X509 Certificate is still default on the device when an XG which means lots of stuff does not work. 
 Delete all the certs (before) importing user or creating users. What I mean here is under certificates delete all the X509 certs if they came over during the conversion. These are the older certs from the UTM 9.5. When you bring over your domain users they map to the X509 certs. If you build a remote VPN solution for users they get the X509 Cert. This means the Remote VPN solution wont work. Solution: delete users with X509 Certs. Then make sure Default Certificate is completely filled out with your details -- Not Sophos Details in the UK. This is found under Certificates--> Certificate Authorities--> default. If it registered to Sophos in the UK its not you. Fill it out as your firm and save changes. 
 
 Then Regenerate the Certificate Authority. 
 Then regenerate the Appliance Certificate. 
 Then recreate the users (perhaps you domain attached--re-import etc). 
 
 Make sure ANY of the users have a "Per User Certificate" from the newly regenerated CA/Applicance Cert (both need regenerating as I said above). 
 Make sure the VPN certificate is "ApplianceCertificate" (not the UTM Cert type) 
 Make sure the HTTPS Scanning Cert is the "Security Appliance SSL CA Cert" and not any other certificate. 
 Without doing the above on your Converted XG: 
 
 VPN wont work 
 SSL Scanning wont work 
 2 form authentication wont work 
 
 Also. we converted UTM 9.5 to XG 171MR2. Another gotcha is we used a licensed and synchronized secured device -- bad move. Under Synchronized Security --> Clear Registration before modeling or testing. This is very important!!!!!! Otherwise the XG, if you clone it, says it is registered in the backend and not show in the GUI. 
 Hope this helps,