Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

Thread Info
  • State Suggested Answer
  • +1 person also asked this people also asked this
  • Locked Locked
  • Replies 11 replies
  • Answers 1 answer
  • Subscribers 42 subscribers
  • Views 5867 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Sophos Firewall Change Port of VLANs via XML

IT_Team

I followed this helfull guide:

 Sophos Firewall: Interface / VLAN Migration via XML Import/Export 

I am facing a migration from SG (UTM) to XGS (SFOS) with hundrets of VLANs an DHCP-Server.

Sophos Migration Support converted the config of the SG and provided it to me as a .backup file that i successfully loaded in the XGS 2100.

I now have all the VLANs on the wrong interface.

I tried to replace all "Port3" to "PortA1" just for a few VLANs with this xml:

<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1905.1" IPS_CAT_VER="0">
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>PortA1</Interface>
    <Hardware>PortA1.102</Hardware>
    <Name>PortA1.102</Name>
    <VLANID>102</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>10.101.2.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>PortA1</Interface>
    <Hardware>PortA1.103</Hardware>
    <Name>PortA1.103</Name>
    <VLANID>103</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>10.101.3.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>Port4</Interface>
    <Hardware>Port4.101</Hardware>
    <Name>Port4.101</Name>
    <VLANID>101</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>10.101.1.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>Port4</Interface>
    <Hardware>Port4.3333</Hardware>
    <Name>vl3333</Name>
    <VLANID>3333</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>172.19.33.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
  </Configuration>

Please see attached apiparser.log:

Fullscreen apiparser.log Download 
INFO      Mar 20 12:10:34Z [19986]: Sanity check not required. And XML file is valid. xml: /sdisk/api-2023-03-20-13-10-34/Entities.xml.
INFO      Mar 20 12:10:34Z [19986]: Start Set Handler,Component : VLAN 
ERROR     Mar 20 12:10:34Z [19986]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 20 12:10:34Z [19986]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 20 12:10:34Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:10:34Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:10:34Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:10:34Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:10:34Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:10:34Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:11:25Z [19986]: Opcode response: status:200
INFO      Mar 20 12:11:25Z [19986]: Import for this component is done sucessfully!!!INFO      Mar 20 12:11:25Z [19986]: End  SET Handler, Status : Success,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 20 12:11:25Z [19986]: ENTITY 'VLAN' IMPORT Success
INFO      Mar 20 12:11:25Z [19986]: Start Set Handler,Component : VLAN 
ERROR     Mar 20 12:11:25Z [19986]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 20 12:11:25Z [19986]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 20 12:11:25Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:25Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:25Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:11:25Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:11:25Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:25Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:11:43Z [19986]: Opcode response: status:500
WARNING   Mar 20 12:11:43Z [19986]: Opcode failed with 'Add' operation. So call opcode with 'Update'.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:43Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:11:43Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:43Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:11:43Z [19986]: Opcode response: status:500
ERROR     Mar 20 12:11:43Z [19986]: Opcode return status is neither 528 nor 200 for ImportSo Exiting.....
INFO      Mar 20 12:11:43Z [19986]: End  SET Handler, Status : Fail,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 20 12:11:43Z [19986]: ENTITY 'VLAN' IMPORT Failed
INFO      Mar 20 12:11:43Z [19986]: Start Set Handler,Component : VLAN 
ERROR     Mar 20 12:11:43Z [19986]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 20 12:11:43Z [19986]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:43Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:11:43Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:11:43Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:44Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:11:44Z [19986]: Opcode response: status:500
WARNING   Mar 20 12:11:44Z [19986]: Opcode failed with 'Add' operation. So call opcode with 'Update'.
ERROR     Mar 20 12:11:44Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:44Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:44Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:11:44Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:11:44Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:11:44Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:12:06Z [19986]: Opcode response: status:200
INFO      Mar 20 12:12:06Z [19986]: Import for this component is done sucessfully!!!INFO      Mar 20 12:12:06Z [19986]: End  SET Handler, Status : Success,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 20 12:12:06Z [19986]: ENTITY 'VLAN' IMPORT Success
INFO      Mar 20 12:12:06Z [19986]: Start Set Handler,Component : VLAN 
ERROR     Mar 20 12:12:06Z [19986]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 20 12:12:06Z [19986]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 20 12:12:06Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:06Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:06Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:12:06Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:12:06Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:06Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:12:07Z [19986]: Opcode response: status:500
WARNING   Mar 20 12:12:07Z [19986]: Opcode failed with 'Add' operation. So call opcode with 'Update'.
ERROR     Mar 20 12:12:07Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:07Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:07Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 20 12:12:07Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 20 12:12:07Z [19986]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 20 12:12:07Z [19986]: Flag setting for this opcode is 18.
INFO      Mar 20 12:12:29Z [19986]: Opcode response: status:200
INFO      Mar 20 12:12:29Z [19986]: Import for this component is done sucessfully!!!INFO      Mar 20 12:12:29Z [19986]: End  SET Handler, Status : Success,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 20 12:12:29Z [19986]: ENTITY 'VLAN' IMPORT Success



This thread was automatically locked due to age.
  • 0

    Which version do you use? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    SFOS 19.5.1 MR-1-Build278

  • 0 in reply to IT_Team

    Check the XML File about those values:

     ERROR Mar 20 12:11:25Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
    ERROR Mar 20 12:11:25Z [19986]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.

    Something is oddly broken with a WAN VLAN you have. Do you have a VLAN as WAN? 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    No WAN VLAN: all VLANs are in the zone LAN.

    The only Interface in the zone WAN is Port2.

    I can't find an entry "gatewayname" in the XML-File?

    Maybe it is worth a try to delete all VLANs prior to the import? Is there a posibility to delete all with CLI or XML-Import, or must them be deleted via Web-Admin?

    Deleting the 460 VLAns via the web-Admin would otherwise take at least 2 hours, because listing the VLANs alone takes 30 seconds each time.

  • 0 in reply to IT_Team

    Something seems to be off in V19.5 MR1 at least. 

    I can reproduce this problem and looking into it. Seems to be related to the fact, that the VLAN is already available on the firewall. 

    So if you can delete the old VLAN, this should work as an upload. But the edit (move) of a VLAN seems to be break. 

    BTW: I can confirm, deleting the old VLAN works. The Name seems to be the problem. 

    Please create a Backup before doing this!

    We could try to workaround this. So if you edit the XML and add a 1 to all the VLANs, this could work. Verify you have only VLANs in your Import Export. Create a copy of your XML. 

    Then do the following in Notepad+: 

    This should add a 1 to all namens. 

    Upload this XML to your firewall with the new Port assigned. 

    Then upload the old XML (with the normal name but the Port Change). 

    Nevertheless, we are looking into this problem, why this occurs in the first place. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    Posted a Workaround in my initial response - in case   you did not see it. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    I not quite understand the workaround. Does adding a 1 to the VLAN change the bounding to the interface?

    Or did you mean, that i should test the adding for errorfinding?

    I tested adding new VLANs to the right Interface PortA1.

    That worked:

    The XML:

    <?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1905.1" IPS_CAT_VER="0">
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>PortA1</Interface>
    <Hardware>PortA1.102</Hardware>
    <Name>PortA1.102</Name>
    <VLANID>102</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>10.101.2.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>PortA1</Interface>
    <Hardware>PortA1.103</Hardware>
    <Name>PortA1.103</Name>
    <VLANID>103</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>10.101.3.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
</Configuration>

    The apiparser.log:

    Fullscreen 7774.apiparser.log Download 
    INFO      Mar 21 13:14:01Z [28338]: Sanity check not required. And XML file is valid. xml: /sdisk/api-2023-03-21-14-14-01/Entities.xml.
INFO      Mar 21 13:14:01Z [28338]: Start Set Handler,Component : VLAN 
ERROR     Mar 21 13:14:01Z [28338]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 21 13:14:01Z [28338]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 21 13:14:01Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:01Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:01Z [28338]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 21 13:14:01Z [28338]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 21 13:14:01Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:02Z [28338]: Flag setting for this opcode is 18.
INFO      Mar 21 13:14:53Z [28338]: Opcode response: status:200
INFO      Mar 21 13:14:53Z [28338]: Import for this component is done sucessfully!!!INFO      Mar 21 13:14:53Z [28338]: End  SET Handler, Status : Success,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 21 13:14:53Z [28338]: ENTITY 'VLAN' IMPORT Success
INFO      Mar 21 13:14:53Z [28338]: Start Set Handler,Component : VLAN 
ERROR     Mar 21 13:14:53Z [28338]: Key:ISCrEntity is not found in RequestMap File for VLAN.
WARNING   Mar 21 13:14:53Z [28338]: Can't get the <Add/Update> element from map file, So Mode value is 'Add'.
ERROR     Mar 21 13:14:53Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:53Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:53Z [28338]: Parser Error: xmlvalue for jsonkey="gatewayname", xmlelement="/VLAN/GatewayName" cannot be found in request file.
ERROR     Mar 21 13:14:53Z [28338]: Parser Error: xmlvalue for jsonkey="gatewayip", xmlelement="/VLAN/GatewayAddress" cannot be found in request file.
ERROR     Mar 21 13:14:53Z [28338]: type != const in logicaloperator.So string comparision is done.
ERROR     Mar 21 13:14:53Z [28338]: Flag setting for this opcode is 18.
INFO      Mar 21 13:15:46Z [28338]: Opcode response: status:200
INFO      Mar 21 13:15:46Z [28338]: Import for this component is done sucessfully!!!INFO      Mar 21 13:15:46Z [28338]: End  SET Handler, Status : Success,  Component : VLAN, Transaction : , Operation : NONE.
MESSAGE   Mar 21 13:15:46Z [28338]: ENTITY 'VLAN' IMPORT Success

    My initial problem is, that i have 460 VLANs on interface Port3 that should be on interface PortA1.

    My idea was to move the VLANs, or delete all VLANs and generate them on the interface PortA1.

    For the latter option, I would like to know if I can delete VLANs in bulk (or every VLAN on interface Port3) via CLI or import.

  • 0 in reply to IT_Team

    You need to have "every" VLAN deleted on Port3? 

    You can do an export of all VLANs, change the Port like above and then "unbind" the Interface in Webadmin by changing it to "None". This will delete ALL VLANs on this interface. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    If i understoud that right, for deleting all VLANs on Interface Port3, i changed the Port3s "Network Zone" to "None":

    Then i got a message "It will take time to complete. The Status can be viewed from the "Log viewer" page"

    In the Log "Admin" i can see about 30 of the follwing entys:

    22.03.2023 12:38    GUI    Successful    admin    192.168.129.226    Zone 'LAN' settings were changed by 'admin' from '192.168.129.226' using 'GUI'
    22.03.2023 12:38    GUI    Successful    admin    192.168.129.226    IP Host(s) were deleted by 'admin' from '192.168.129.226' using 'GUI'

    After 2 days the VLANs are still present.

  • 0 in reply to IT_Team

    I was looking into my recommended read once again: It state actually, that you have to unbind / delete the old VLANs first. Totally forgot about that part. 

    About your unbind issue: That is odd to me, sounds like there is a problem with your installation. Could you raise a support case and give the Support ID here? The unbind should work in a timely manner (could take some more minutes due the fact, you try to delete that many VLANs). 

    __________________________________________________________________________________________________________________

Unfiltered HTML