
Migrating tool from SG to XG

Hi,


As far as my partner told me, there is a tool... internal tool for migrating from SG to XG.


Is it publicly accessible?


Regards



  • Unless you have VERY serious reasons to leave the stability and easiness of SG, don't migrate to XG yet.  It is NOT ready.  I would say, wait at least two years.

    DHCP is at its most basic.  All the goodies that come with a DHCP server like Microsoft Windows', such as a time source or any other source, are absent.  The only thing it provides is an IP address.  That's it, that's all.

    NO NTP server, no NTP relay, no NTP of any kind.

    HTTPS scanning will jam Windows and Chrome updates, and many others as well.

    Logs are unhelpful and not on par with competing products.

    etc.

    In general, everything is very complicated to set up, and very often unintuitive.

    They will get there, I think.  But for now, it is only suffering.

    Paul Jr


  • To a certain extent, I can concur, as I am going through the growing pains post-migration of two Sophos mid-range appliances. It's been challenging, but I have no choice because Sophos has disabled the "Rollback to UTM 9" button. On a more positive note, XG is a lot less intensive on system resources, specifically CPU and memory, than UTM 9. The firewall rules are more flexible and fewer rules are required. Enterprise features such as RADIUS SSO are included. Bandwidth throttling works, unlike UTM 9.

    However, I have been experiencing some rather strange issues and can be forgiven for also thinking that XG is not yet ready. These include domain machines losing internet connectivity for no rhyme or reason, and wireless clients losing internet access when roaming from one AP to another. I have been spending a significant amount of time with Sophos support troubleshooting issues and will plod on for a bit longer, but I am open to looking at another solution, e.g. Fortigate.

    I looked at the migration tool and imported the UTM 9 config files but decided it's best to start from scratch. A new firewall broom...

  • Forgot to mention, IPv6 in XG is like having TWO firewalls on your rack.  In XG, IPv4 and IPv6 are two separate worlds.  Meaning you have to duplicate each and every rule and many other things.

    Very annoying also is the obligation to set up options like HTTPS scanning on each rule.  Same for Sandboxing.  Takes an eternity to turn off and on in case of trouble, which happens often.  Particularly on Microsoft's Patch Tuesday, when none of your updates will go through if scanned.  Exactly what I am forced to do today, since it is Tuesday.  And no, exception rules won't work.

  • Be wary of doing this:

    Doing a 9.5 SG as a trial (quicker to deploy) and then installing an XG (converting the SG).  Converting it with the SG to XG converter deploys some unexpected things.  The default certificate, which is blank on the XG and needs to be filled out in order to log into the client portal, is prefilled (from the trial) and has Sophos Head Office address default details.  Once installed onsite, no one can VPN to the converted SG to XG site as these details are wrong.  You have to fill in the default certificate properly, then regenerate it (I think the regeneration is the thing really needed).  Then regenerate your VPN client configuration.  Then the SG to XG issues resolve themselves.


    In other words, check the default certificate and fill it out correctly before configuring anything else.  Then regenerate it and add it to the clients.

  • Is there any more documentation in regards to the assistant?  I'm not finding anything on the Partner Portal.

  • Hi,

    Please get in touch with your Sophos sales rep; he can point you to the documentation.


  • The tool will probably list numerous items that it could not migrate for multiple reasons, including the fact that numerous features are missing in XG.  There's also the fact that it would have to make numerous educated guesses, resulting in somewhat hard to understand setups.  It may have to recreate names "the computer way" with no real human meaning.

    The best way is certainly to redo it manually.  Months of work and learning curve.

  • Here's the list of what is converted with the UTM to XG conversion tool.

  • More issues with converting from UTM 9.5 to XG (whatever) and testing on a similar 135W device using the tool as supplied to us as a Partner.

    The X509 certificate is still the default on the device once it is an XG, which means lots of stuff does not work.

    Delete all the certs before importing or creating users.  What I mean here is, under Certificates, delete all the X509 certs if they came over during the conversion.  These are the older certs from the UTM 9.5.  When you bring over your domain users, they map to the X509 certs.  If you build a remote VPN solution for users, they get the X509 cert.  This means the remote VPN solution won't work.  Solution: delete users with X509 certs.  Then make sure the Default Certificate is completely filled out with your details, not Sophos' details in the UK.  This is found under Certificates --> Certificate Authorities --> default.  If it is registered to Sophos in the UK, it's not you.  Fill it out as your firm and save changes.

    • Then Regenerate the Certificate Authority. 
    • Then regenerate the Appliance Certificate. 
    • Then recreate the users (perhaps your domain-attached ones; re-import, etc.).

    Make sure ANY users have a "Per User Certificate" from the newly regenerated CA/Appliance Cert (both need regenerating, as I said above).

    Make sure the VPN certificate is "ApplianceCertificate" (not the UTM cert type).

    Make sure the HTTPS Scanning Cert is the "Security Appliance SSL CA Cert" and not any other certificate.

    Without doing the above on your converted XG:

    • VPN won't work
    • SSL scanning won't work
    • Two-factor authentication won't work

    Also, we converted UTM 9.5 to XG 17.1 MR2.  Another gotcha is that we used a licensed and Synchronized Security device, which was a bad move.  Under Synchronized Security --> Clear Registration before modeling or testing.  This is very important!  Otherwise the XG, if you clone it, says it is registered in the backend and does not show in the GUI.

    Hope this helps,

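    An added check, written for this thread and not taken from it or from Sophos, covering the default-certificate gotcha in this post and in the earlier one about the trial SG conversion: it pulls the subject out of a certificate (a saved PEM, or the one the appliance presents live) and flags it when the organisation and country are not yours. Assumptions: the openssl CLI is installed, 4444 is the WebAdmin port, and the sample subjects are constructed placeholders, not real default values.

```sh
#!/bin/sh
# Added example, not from the thread: check whether a certificate carries your own
# organisation in its subject instead of factory-default details. Needs openssl CLI.

# Print one subject RDN value ($2, e.g. O or C) from the PEM certificate in $1.
cert_subject_field() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject= *//' | tr ',' '\n' | sed -n "s/^ *$2=//p" | head -n 1
}

# Return 0 when the subject's O= and C= match what you expect, 1 otherwise.
check_cert_owner() {
    pem=$1 want_o=$2 want_c=$3
    got_o=$(cert_subject_field "$pem" O)
    got_c=$(cert_subject_field "$pem" C)
    if [ "$got_o" = "$want_o" ] && [ "$got_c" = "$want_c" ]; then
        echo "OK: certificate issued to O=$got_o, C=$got_c"
        return 0
    fi
    echo "WARNING: subject is O=$got_o, C=$got_c (expected O=$want_o, C=$want_c)"
    return 1
}

# Save the leaf certificate a host presents on a TLS port (assumption: 4444 is the
# WebAdmin port; pass another port for the user portal or VPN endpoint).
fetch_live_cert() {
    host=$1 port=${2:-4444} out=$3
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -out "$out"
}

# Constructed sample: a self-signed cert standing in for an appliance certificate,
# so the check can be exercised offline. $1 = output PEM, $2 = subject.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "$2" \
        -keyout "$1.key" -out "$1" 2>/dev/null
}

# Usage: a regenerated cert with our details passes; a default-style one is flagged.
demo() {
    d=$(mktemp -d)
    make_sample_cert "$d/own.pem" "/C=DE/O=Example GmbH/CN=fw.example.test"
    make_sample_cert "$d/default.pem" "/C=GB/O=Vendor Default/CN=appliance"
    check_cert_owner "$d/own.pem" "Example GmbH" DE
    check_cert_owner "$d/default.pem" "Example GmbH" DE || echo "fix the default certificate first"
    rm -rf "$d"
}
```

    Run `fetch_live_cert fw.example.test 4444 live.pem` followed by `check_cert_owner live.pem "Your Org" XX` against a converted appliance before importing users, so a still-default certificate is caught before it is baked into user and VPN configurations.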

  • Fixed the cloning issue we had.  Thus far we converted UTM 9.5 to XG 17.1 MR2.  This might need to become another thread, but this is how it was fixed.  The client firewalls were 135W.  We used an XG 135W in our lab to build the client's firewall from the convert file from the UTM 9.5 --> 17.  What I did not do was clear the Synchronized Security tick from the previous build on the first test XG 135W build.  So my test router had Synchronized Security when I restored the client build to it from the converter.  On every 125W and 135W thereafter we could not get Synchronized Security to work (once deployed).  Raised a ticket with Sophos.  They advised rebooting to fix it, which did not.  They peered into one machine over SSH and found that the cloned device, running at the client's site, stated it was registered.  In the GUI it was not.

    I restored the source XG 135W to the time when it was registered for Synchronized Security.  Made sure it was on the Internet and could be seen from Sophos Central.

    • I purged the registration.
    • Deleted that firewall from Sophos Central (where it was registered).
    • Rebooted it.
    • I restored every configuration from each client site firewall which had the "failure to register Synchronized Security" error to the original test XG firewall device.
    • Exposed it to the Internet in RAW form when booted (rebooted to get a green tick).
    • After about 10 minutes I turned the test XG firewall off.
    • Went to the client's firewall and was able to register the device with Synchronized Security.
    • Repeated with each client with the issue, with success.

    Lesson: Don't clone an XG firewall without clearing the registration.