
SG to XG Migration

Hello, 

We have 2xSG 230 appliances in HA and with the licence (FullGuard) expiration date approaching, we're thinking of upgrading to the XG operating system while keeping the same hardware. That said, here are some of my concerns:

- Can the present hardware support XG? If yes, will it consume more resources compared to UTM9 (we have about 150 - 200 users)?

- Can the actual UTM9 config be imported into XG after setup?

- Is it really worth the upgrade? I mean what are the major improvements/setbacks compared to UTM9. 

Thanks,

Zak.



  • You can use your SG230 hardware going forward and migrate your valid license. You can also migrate only the base license, which has more features compared to UTM9. (UTM: Firewall, NAT // XG: Firewall, NAT, IPsec (Remote Access, Site to Site), SSLVPN (Remote Access), RED (Site to Site), Wireless.) Those features are there "forever", as long as the appliance is running. The resource consumption depends on the configuration. As you can configure the hardware based on your needs in XG, you can do things like fine tuning IPS etc., which is not possible on UTM.

    There is a Migration Tool to move some features to XG. But likely you want to re-evaluate your setup. XG is another approach to the network scheme. For example, you have Zones in XG, which allow you to build firewall rules based on interfaces (compared to UTM, which uses IP networks/hosts etc.). Much of the handling is different, so the WAF, Web proxy, DPI and IPS are completely different. Also, XG can use Layer 8 authenticated firewalling (allow User A to use SSH, as he is an Admin). The answer to import backup is No. To use such features, you need to rethink your firewall rule set anyways.

    The question of whether the upgrade is worth it depends on your current situation and free time. There are benefits in using XG. There are some blockers in handling things differently. For example, if you worked with UTM for the past X years, it could be challenging to find certain configuration and do your tasks. There are certain things for free on the XG platform. For example, Central management is completely free.

    Hope this clears some points. If you move forward, you can also use a different system, called Heartbeat and Synchronized Security, with XG.

    Most customers break their UTM9 HA, migrate one appliance and do a "step by step" migration inline. They move certain things to XG, test it and move the next module. This is possible with your Hardware.  


  • Salut Zak !

    To expand on Toni's answer...

    For me, the biggest advantage of moving from UTM to XG is the possibility of doing Synchronized Security when using Sophos Central Intercept X.  This is the reason that Sophos is at the upper-right in the Gartner graph.  In general, XG uses less of the hardware resources, but, as Toni says - that depends on the configurations.

    I would renew the SG license as you can transition to the XG license for free at any time.  That will give you time to migrate using the approach below.

    Rather than doing the development with a split system, I would do the following (I have yet to try this, but I'm working on the following plan for several of my clients):

    1. Work on learning XG before continuing.
    2. Obtain the ssi-9.705-3.1.iso at https://www.sophos.com/en-us/support/utm-downloads.aspx.
    3. Up2Date the HA setup to 9.705 if not already there.
    4. Install a software version of XG on something other than one of your 230s.
    5. Work on your XG configuration in the software version.
    6. When ready to try, break your HA and install XG V18 on one of the 230s.
    7. Make sure you have a copy of your UTM license and then transform the license to XG and download it for use on the "new" XG 230.
    8. Backup the software configuration, load it on the "new" XG 230 with your new XG license and see if it does what you need for your site.
    9. If not, re-install the UTM 9.705 ISO on the 230 and re-start UTM HA.
    10. Repeat 5-through-9 (skipping 7) until you're ready to switch permanently to XG.

    Additions and corrections actively solicited!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hello

    Thank you guys so much for this precious information!