
Upgrading 17 to 18: experiences and criticism

Hi,

I'm looking for users' advice and experience on upgrading to 18, especially directly from 17.5 to the latest 18.

I'm thinking about upgrading in the next few days, but we are a critical organization and I'm reading several criticisms, especially from the NAT rules point of view. Can anyone share their experience? I want to upgrade, but I cannot disrupt connections or VPN connections; we are a 24/7 organization, and we have a TON of policies and NAT rules...

We have an XG330 cluster in HA mode.

Best Regards,

Simone



  • There is a good post about upgrades in general: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129246/best-practice-for-sophos-firewall-firmware-upgrade

    But from 17.5 to V18.0/5, there are some specialties.

    First of all, the HA pair will reboot at the same time. Therefore you will have a downtime of ~2-5 minutes until both appliances have rebooted.

    The configuration should not change and the upgrade should not impact your configuration, but the config will look messy. Therefore some cleanup should follow.

    A linked NAT rule will be created for each and every firewall rule. Generally speaking this is not needed, because you have a SNAT MASQ rule at the bottom.

    I recommend disabling the virtual fastpath if something behaves oddly after the upgrade. The new architecture is loaded after the upgrade and the new DPI engine is loaded. You can disable this via console> system firewall-acceleration disable    and in the webadmin under TLS/SSL Inspection Rules.


  • Thanks for the quick answer.

    I use a lot of policy "grouping". Do you think that this could lead to even messier results?

    I have a couple of IPsec VPN-connected offices that are on version 17.5 too. I will upgrade the main one first and after that the remote appliances, or maybe it's better the opposite way?

    And the last question: will it be possible to switch back in case of a disaster scenario?

    Best Regards,

    Simone

  • Grouping should not be an issue. NAT will be placed into NAT.

    I would always recommend getting some hands-on experience with a smaller office first.

    You can go back to the old firmware if you want by using the SFloader (simply press "boot old firmware").
