Migration from UTM Home Edition

Through trial and error, and much manipulation of excel spreadsheets, I have managed to shortcut some aspects of the migration process. DHCP reservations, Networks, Hosts, services and the like can be imported if you can create the appropriate XML. I just configured one of each type of object on the XG, and exported the config. That gave me a template for each object type to work from. I wrote short VBScripts that just populate the xml with the data I read from the UTM's config (copied from the 'printable config', pasted into excel, and manipulated to look like I needed it to. Create a tar file with the appropriate content (must have the./ folder in the archive!).

Having to manually add the rules has helped me reduce them significantly, I think I now only have 30, down from about 60, so a worthwhile exercise in itself. Hosts, networks and services have been reduced too (things like stopping the 8-year-old from playing Roblox are no longer required). If I did it again, I'd prune the objects *before* i added them to the XG config, but aside from that, I'd do the same again. Including writing the scripts and working out how it works, I've probably spent 10 hours - I could probably have done it more quickly by redoing everything by hand, but it was much more interesting my way.

I can see how difficult a migration tool would be for the rules, but the other objects are fairly straightforward. now just have to see if my config from my XG VM  will restore to my physical device and work.

Through trial and error, and much manipulation of excel spreadsheets, I have managed to shortcut some aspects of the migration process. DHCP reservations, Networks, Hosts, services and the like can be imported if you can create the appropriate XML. I just configured one of each type of object on the XG, and exported the config. That gave me a template for each object type to work from. I wrote short VBScripts that just populate the xml with the data I read from the UTM's config (copied from the 'printable config', pasted into excel, and manipulated to look like I needed it to. Create a tar file with the appropriate content (must have the./ folder in the archive!).

Having to manually add the rules has helped me reduce them significantly, I think I now only have 30, down from about 60, so a worthwhile exercise in itself. Hosts, networks and services have been reduced too (things like stopping the 8-year-old from playing Roblox are no longer required). If I did it again, I'd prune the objects *before* i added them to the XG config, but aside from that, I'd do the same again. Including writing the scripts and working out how it works, I've probably spent 10 hours - I could probably have done it more quickly by redoing everything by hand, but it was much more interesting my way.

I can see how difficult a migration tool would be for the rules, but the other objects are fairly straightforward. now just have to see if my config from my XG VM  will restore to my physical device and work.

I have given up, and I'm sticking with UTM for now.

My original plan was to make an appropriate virtual config, export it, and restore it to the hardware. I can't work out why it didn't work but the more I worked through it, the more I feel it should. I restored the full config, and that took about 90 minutes to process. interestingly, I was expecting a full 'replace the config' but that's not what I got. The default DHCP server, which I had deleted from the virtual, was still present. The firewall rule groups didn't make it (and it deleted the originals), nor did the rules themselves, and I could not add new rules. the DHCP server refused to stay running, because it couldn't map ranges to networks. Manual interface configuration didn't work either, as I couldn't add rules to allow the traffic to pass. Based on that, I went for factory defaults and started over.

This time, I exported parts of the config at a time, and imported them on the physical server.  IPHosts and groups first, services and service groups next, followed by DHCP, then the rules and rule groups. Once I put the right cables in the right ports, everything worked. When I was doing the exports, I did NOT use 'include dependencies' - if you do that with the firewall rules, it's the same size as a full config almost! 

I discovered that I had not configured my static DHCP assignments for one of my subnets. No real problem, I had a list and, after about 15 minutes of cut and paste, that worked too. Only then did I realise that there was no method with XG to convert static or dynamic DHCP addresses into DNS records. I regularly change hosts, and in UTM, it's all done at the host definition. On XG, it is a host, a DNS entry and a static assignment, all done in different places with a *very* much slower user interface. That overhead is too much. I have resolved to reduce my host count, as that was the driver for the change.

I looked through the Sophos Ideas page for XG, and the top 10, if implemented, would fix all of the challenges I have. Guess I should revisit when it is a little more mature, and hope in the meantime I can fix the user portal / IOS 14 issue on UTM. I've tried the widely accepted fix, and it still doesn't work.