
Sophos Firewall: Replace an XG Firewall with an XGS Firewall by using Zero Touch Deployment

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Key notes: 
Sophos XG Firewall will go End of Life on 31.03.2025. See: XG Series Hardware: End of Life (EOL) Frequently Asked Questions 
Customers migrating from and replacing the XG Firewall can use the new Zero Touch Deployment to ease the move to the new hardware. New Techvids Release - Sophos Firewall v20: Zero Touch Configuration 
Since V20.0 MR2, Sophos offers a Backup and Restore Assistant, which supports restoring a backup from an XG Firewall and helps migrate the interface configuration to the new hardware. New Techvids Releases - Sophos Firewall v20: XG to XGS Migration Videos 

Sophos XG to XGS, standalone: 

1. Install the latest firmware on your XG Firewall. The XG Firewall should be on at least V19.5 MR4. Use the Firmware Update option on the firewall. 
2. Install the latest firmware available on your new XGS Firewall. You can use the reimage option with a USB stick: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareReimageXGFirewall/index.html This way you can be sure the firewall you are about to install is on the latest version. You find the firmware here: https://support.sophos.com/support/s/article/KB-000043162?language=en_US With a USB stick you do not need a serial console (USB console), but it is recommended to verify that the latest firmware was actually installed. 
3. Go to Sophos Central and start the Zero Touch process by adding the new firewall: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/Firewalls/FirewallAdd/FirewallZeroTouch/index.html (or see the video above). Because we installed the latest firmware from a USB stick first, we know that all requirements for Zero Touch are met. 
4. (Do step 3 first, before continuing.) Connect the firewall via Port2 (WAN) to your existing network. It will get an IP address from your XG Firewall and behave like an ordinary network device. Make sure you do not have the DPI engine, interception or anything similar enabled for this firewall on the XG. Power on the firewall as well. 
5. The firewall registers itself in Sophos Central and becomes reachable via Sophos Central. (This step can take 5-10 minutes.) 
6. Since you now have access via Sophos Central to the WAN interface of the XGS appliance, you can SSO to the firewall and restore your XG backup. Be aware: you can change the interface assignment here. After the restore, the firewall will NOT be reachable via Sophos Central anymore. 
7. Let the XGS Firewall reboot and unplug the WAN interface. Your XGS Firewall is now ready to replace the XG Firewall whenever you are ready to migrate. As described in step 6, you cannot reach it via Sophos Central anymore, because the new firewall needs a new registration in Sophos Central. After the migration, the firewall will be reachable via the LAN / management ports, just as you managed the XG Firewall before. 

Sophos XG to XGS, HA cluster: 

1. Install the latest firmware on your XG Firewall cluster. The XG Firewalls should be on at least V19.5 MR4. Use the Firmware Update option on the firewall. 
2. Install the latest firmware available on both XGS Firewalls. You can use the reimage option with a USB stick: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareReimageXGFirewall/index.html This way you can be sure the firewalls you are about to install are on the latest version. You find the firmware here: https://support.sophos.com/support/s/article/KB-000043162?language=en_US With a USB stick you do not need a serial console (USB console), but it is recommended to verify that the latest firmware was actually installed. 
3. Go to Sophos Central and start the Zero Touch process by adding the new firewall: https://docs.sophos.com/central/customer/help/en-us/ManageYourProducts/FirewallManagement/Firewalls/FirewallAdd/FirewallZeroTouch/index.html (or see the video above). Because we installed the latest firmware from a USB stick first, we know that all requirements for Zero Touch are met. Perform this step for both XGS Firewalls. 
4. (Do step 3 first, before continuing.) Connect both XGS Firewalls via Port2 (WAN) to your existing network. Both will get an IP address from your XG Firewall and behave like ordinary network devices. Make sure you do not have the DPI engine, interception or anything similar enabled for these firewalls on the XG. Power on the firewalls as well. 
5. The XGS Firewalls register themselves in Sophos Central and become reachable via Sophos Central. (This step can take 5-10 minutes.) You can do this for both appliances at the same time. 
6. Since you now have access via Sophos Central to the WAN interfaces of the XGS appliances, you can SSO to the firewalls and build a new cluster between the two of them. Use QuickHA mode and connect them only with your HA link (one or more interfaces). https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HAConfiguration/HAQuickHAConfigureActivePassive/index.html Change the HA cluster ID from 0 to another number! While the XGS cluster sits in the same network as the still-running XG cluster, both must not use the same cluster ID. 
7. You now have a new XGS cluster in Sophos Central; it is reachable, and you can SSO via Sophos Central to the cluster and restore the backup of your XG cluster. Because your XG configuration contains a cluster and the new appliances already form a cluster, the HA configuration is restored as well: https://docs.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/HighAvailablityStartupGuide/HAManage/HABackupRestore/index.html After the restore, the cluster will NOT be reachable via Sophos Central anymore. 
8. Let the XGS Firewalls reboot and unplug the WAN interfaces. Your XGS cluster is now ready to replace the XG cluster whenever you are ready to migrate. As described in step 7, you cannot reach it via Sophos Central anymore, because the new cluster needs a new registration in Sophos Central. After the migration, the cluster will be reachable via the LAN / management ports, just as you managed the XG cluster before. 

In both scenarios, you do not have to restore the backup in step 6 or 7. You can instead configure a LAN port and access the firewall via that LAN port to build or change the configuration. Either way, this lets you migrate from XG to XGS hardware without connecting a PC directly to the appliances and running the initial setup wizard via 172.16.16.16. 

FAQ: 

Q: In Sophos HA: which of my appliances should be primary? 
A: Check the licensing first: Sophos Central and your license PDF show which serial number carries the license of the XGS cluster. The appliance with this serial should be the primary. You can also transfer the license from appliance A to appliance B if needed. 

Q: Can I transfer the license from the XG Firewall to the XGS Firewall? 
A: In most cases this is not possible. Please contact your Sophos Partner or Sophos Sales. 

If you have questions or comments on any of those points, please use the comment section. 

Corrections and typos.
[edited by: LuCar Toni at 9:43 AM (GMT -7) on 29 Sep 2024]