UTM9 to XG migration

Hi,

check the GUI -> profiles fro setting up your own time based rules etc.

For host names in reports you will need to create clientless users.

For the network current activity reporting in realtime, join the queue.

Also you might like to try v18 EAP.

Ian

Hello Ian,

Thank for your reply.

I did check the GUI -> Profiles and it didn't let me create a single spanning time period from 21:00 to 07:00 but I have worked around this by creating a 21:00 to 23:59 and a 0:00 to 07:00 which should do the job.   

I was hoping to avoid having to fiddle with users as such and keeping it lower level with firewall rules and whole network blocks like I did with the UTM but I will look into this and experiment.

Gotchya on the reporting in realtime, queued.

I'm only new to the XG so i grabbed the latest release, wasn't aware of the EAP but I'll also have a looksee.

Thanks again.

Regards,

Terry

Hi Terry,

the UTM uses the UTM DNS for reporting where as the XG does not know about the DNS for reporting.You will find other limitations with userids and networks with regard to rule and 

Ian

Thanks Ian,

All good, the reporting is a nice to have and a minor issue.. Probably something that will be improved as time goes by.

In getting prepped to install the 18 EAP, I unfortunately made a mistake and tried to use my existing UTM9 Home license with the XG and it failed telling me to get an XG Home license.  Alas though its now also grayed out the existing serial number field and I cant change it, nor is it registered properly.  I've submitted a support ticket.

Regards,

Terry

Hi Terry,

I will be surprised if you get an answer from support because home licence support is these forums.

Just apply for a new home licence for the XG, it never expires, the only down side is you will have to re-install the XG software.

Ian

Yeah I guessed that would be the case so I've been attempting to build a new install of the XG with a home licence waiting.

I'm having that initial problem that no matter what I do, I cannot get internet connectivity

It installs as it should, gets a DHCP'd IP address on Port 2 (WAN) and DNS servers from my ISP but simply refuses to pass a packet.  The firewall is default and passing LAN to WAN but I get no connectivity alas. 

I'm frustrated at the end of rebuilding an XG firewall 3 times over from scratch and getting the same result.  It's making the one that I got working (same process) with the now bung licence a bit of a fluke.

EDIT:  Gonna give the 18 EAP a crack instead.

Regards,

Terry

When you login into the console what settings do you see for the network?

Also how many interfaces do you have installed? 

Ian

Just the defaults, nothing added or changed from the installer, so Port 1 with 172.16.16.16 and Port 2 which has an DHCP'd IP from my ISP.  If its not working before I change or add anything theres something amiss.   I'm not a novice with any aspects of the setup, but either I'm missing something simple through frustration or theres a bug.    Experience tells me it's time to take a break and take a fresh look later.

I've also got the 18 EAP3 release downloading right now so I might give that a go instead in a bit.

Appreciate the assistance :).

Regards,

Terry

EAP 3 is way better.

When you unplug the ports do the lights go out or more correctly are the lights on. XG has a perverse way of numbering its ports, way different to the UTM.

Ian

EAP 3 is way better.

When you unplug the ports do the lights go out or more correctly are the lights on. XG has a perverse way of numbering its ports, way different to the UTM.

Ian

I think I'm done with this XG firewall, after numerous attempts to get one going again with 17 or the 18 version I cannot get it to connect to the internet.   The one successful build I made that actually works is ruined due to the licence problem with it and even if I clone and reset it (dud licence remains anyway), it doesn't work.  I've tried all sorts of normal things as well as some whacky configs but the same issue remains every time.   Port 2 connects, gets a DHCP assign IP, gateway and 2 DNS servers from my ISP.    Cannot ping gateway or anything else on the internet, dns of course doesnt work and whilst link is up its useless.    I can unplug the connection and plug it into a physical machine, Virtual UTM9 or the Working XG i have and its flawless...  I'm stumped and I think im going to roll back to the UTM9 and look for another solution alas.

Thanks for your help Ian, i do appreciate it.

Hi,

there is another thread in the XG forum of users having trouble with XG in a VM with suggested and working solutions.

Ian

Can you show us a screenshot of your vmware Ports?

Please login as admin / admin into the shell on vmware and go to advanced shell (Option 5, Option 3).

Use ifconfig to see all ports.

Compare the MACs of ifconfig with vmware, if both interfaces are actually the same.

Righto, It's been a few days and I have found out what was going wrong and have Sophos XG SF01V (SFOS 18.0.0 EAP3) licenced and running on ESXi perfectly.   I thought I should come back and fill in the story.

After 5 or so complete re-installs and configures of XG 17 and 18 and the same issue occurring with no WAN connectivity I moved onto trying another product.  This time I had problems installing it due to the age of my ESXi server so I bit the bullet and did a complete ESXi re-install and setup everything nice and fresh.  I could now install the product but lo and behold, it did exactly the same thing with no WAN connectivity!!   Clearly this was a local issue, not Sophos XG.   After a lot of double double checking all my network/vlan configuration on physical and virtual switches and not finding fault I googled a lot more in frustration.

The interesting thing was that the WAN worked perfectly with my existing virtual UTM9 and did once with the SophosXG 17 install.   What it come down too was something I had not experienced before but people warned of was that some ISP's hold the MAC reservation on the connection for some time so if you swap from 1 device to another it simply won't work.  The solution was to simply unplug the WAN Ethernet cable and take a 10 minute break between switching the WAN from 1 device to another (I would guess possibly moving the MAC address from 1 VM to another would work too).   I've done this successfully several times now and it's flawless.

So the issue was me switching the WAN too quickly from firewall to firewall whilst testing, a simple gotchya.

The great thing is that I now have my ESX infrastructure all updated, a SophosXG 18 up and running and licenced and it all working off 2 NIC's Port 1 all my local vlans and Port 2 WAN working perfectly.

Thank you for your assistance and efforts and I'm writing this followup to possibly help someone else in the future.  I'd be happy to assist others with a similar setup if anyone has any questions.

PS.  The only drama I had so far was that the IPS settings stopped my son's PS4 connecting to the Playstation Network, resolved by turning off IPS.

Try this and see if it helps?

https://community.sophos.com/products/xg-firewall/f/intrusion-prevention/117459/recommended-ips-policies-for-soho

Ian