
Sophos Firewall: Replace an XG Firewall with an XGS Firewall by using Zero Touch Deployment

Disclaimer: This information is provided as-is for the community's benefit. Kindly contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This recommended read describes migrating from XG appliances to XGS using Zero Touch Deployment.

Keynotes

Sophos XG Firewall appliances will reach End of Life on 31.03.2025.

Customers replacing an XG Firewall model can use the new Zero Touch Deployment to ease the migration to the new hardware.

Since V20.0 MR2, Sophos has offered a Backup and Restore Assistant, which supports restoring a backup taken from an XG Firewall and helps migrate the interface configuration to the new appliance.

Standalone

XG to XGS Appliances

Step 1. Install the latest Firmware on your XG Firewall.

It must be at least V19.5 MR4 or later. Use the Firmware Update option on your Firewall.


Step 2. Install the latest Firmware available on your new XGS Firewall.

You can use the Reimage option with a USB stick:

This way you can be sure the Firewall you are about to install runs the latest version.

With a USB stick, you do not need a serial console (USB console), but verifying that the latest Firmware was actually installed is recommended.

Step 3. Start the Zero Touch process in Sophos Central by adding the new Firewall.

Because we installed the latest Firmware with a USB stick, we can be sure all the requirements for Zero Touch are met.


Step 4.

Note: Step 3 is required before continuing.

Connect the Firewall via Port2 (WAN) to your existing network. It will get an IP address from your XG Firewall and act like an ordinary network device.

Ensure the XG Firewall does NOT apply the DPI engine, TLS interception, or any other inspection to the new Firewall's traffic, so that its registration with Sophos Central is not broken. Power on the Firewall as well.


Step 5. The Firewall registers itself in Sophos Central and becomes reachable via Sophos Central. (This step can take 5-10 minutes.)


Step 6. Now that you have access via Sophos Central to the WAN interface of the Sophos XGS appliance, you can SSO to the Firewall and restore the backup of your XG model.

Note: You can change the interface. After the restore, the Firewall will no longer be reachable via Sophos Central.


Step 7. Let the XGS Firewall reboot and unplug the WAN interface.

Your Firewall is now ready to replace the XG Firewall whenever you are ready to migrate.

As noted in Step 6, you can no longer reach it via Sophos Central, because the new Firewall needs a new registration to Sophos Central. After the migration, however, the Firewall will be reachable via the LAN / management ports, the same way you managed the XG Firewall before.

HA Cluster

XG to XGS with HA Cluster 

Step 1. Install the latest Firmware on your XG Firewall cluster. You must have at least V19.5 MR4 or later on the XG Firewall.

Use the Firmware Update option on your Firewall.


Step 2. Install the latest Firmware available on both XGS Firewalls. You can use the Reimage option with a USB stick:

This way you can be sure the Firewall you are about to install runs the latest version.

You can find the Firmware here.

With a USB stick, you do not need a serial console (USB console), but it is recommended to verify that the latest Firmware was actually installed.


Step 3. Go to Sophos Central and start the Zero Touch process by adding the new Firewall.

Because we installed the latest Firmware with a USB stick first, we can be sure all the requirements for Zero Touch are met. Perform this step for both XGS Firewalls.


Step 4.

Note: Step 3 is required before continuing.

Connect the XGS Firewalls via Port2 (WAN) to your existing network. Both will get an IP address from your XG Firewall and act like ordinary network devices. Ensure the XG Firewall does not apply the DPI engine, TLS interception, or any other inspection to the new Firewalls' traffic. Power on the Firewalls as well.


Step 5. The XGS Firewalls register in Sophos Central and become reachable via Sophos Central. (This step can take 5-10 minutes.)

You can perform this for both Firewalls at the same time.


Step 6. Now that you have access to the WAN interfaces of the Sophos XGS appliances via Sophos Central, you can SSO to the Firewalls and build a new cluster between them. Use QuickHA mode and connect them only via your HA link (one or more interfaces).

Change the HA cluster ID from 0 to another number.


Step 7. You now have a new, reachable XGS cluster in Sophos Central. You can SSO via Sophos Central to the cluster and restore the backup of your XG Firewall.

Because your XG config contains a cluster and your new setup is a cluster as well, the cluster configuration is restored too:

After the restore, the Firewall will no longer be reachable via Sophos Central.


Step 8.

Let the XGS Firewalls restart and unplug the WAN interfaces. Your XGS cluster is now ready to replace the XG cluster whenever you are ready to migrate. As described above, you can no longer reach it via Sophos Central, because the new Firewalls need a new registration to Sophos Central. After the migration, however, the Firewalls will be reachable via the LAN / management ports, the same way you managed the XG Firewall before.

In both scenarios, you do not have to restore the backup in Step 6 (standalone) or Step 7 (HA cluster). You can also configure a LAN port and access the Firewall via that LAN port to configure or change the config. This gives you a way to migrate from XG to XGS hardware without connecting a PC directly to the Firewalls and starting the setup wizard via 172.16.16.16.

FAQs

Q: In Sophos HA, which of my appliances should be Primary?
A: Review the license agreements first: you should see the license of the XGS cluster in Sophos Central and in your license PDF. The serial listed there should be the Primary. You can also transfer the license from appliance A to appliance B, if needed.

Q: Can I transfer the license from the XG Firewall to the XGS Firewall?
A: In most cases it is not possible. Please contact your Sophos Partner or Sophos Sales.

Q: Which ports need to be open for the new XGS to use Zero Touch?
A: SSO and Central management need HTTPS (443) and SSH (22) outgoing (LAN to WAN).

If you have questions or comments on any of these points, please use the comment section.




  • We are not supporting this kind of movement between appliances.
    Just wondering: Is Central Email an alternative for you, moving the Email communication (and license) to Central instead?
