This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

How to test New Gateway without Disconnecting Old One

Hi,

We're making the switch (fingers crossed) from UTM to XGS, but I assume this question would apply even if switching from one UTM to another, or to a different brand: How do I t configure and, most importantly, test a new gateway when I cannot unplug our existing one for days at a time?

My UTM has a few WAN addresses (Web, email, etc).

I currently have my XGS connected to a DMZ on the UTM, figuring I can change the XGS's WAN interface IP when it goes live. I also have a couple web servers (via DNAT), email, VoIP (SIP), VPN, etc. Is there a way to pass the WAN port through the DMZ (some sort of mirroring ... or an old fashioned hub) so what the XGS sees on its WAN port is the same as what the UTM sees on its WAN? That way I can get things set up, then move a web server to the XGS for a minute, make sure it works, move it back. Move email to the XGS, make sure it works, move it back. etc.

Otherwise the only way I see to properly test a new gateway/router is to get it all set up as best I can, come into the office in the middle of the night, connect it, see what breaks, make notes, change it back, and spend the next day tweaking the settings then try it again the next night.

Is there a better way to do this, or is there a white paper or best practice on how to test new networking equipment before going live? And more immediately, is there a way to have the UTM's DMZ interface mirror its WAN interface?

Thanks,

Jeff



This thread was automatically locked due to age.
Parents
  • I don't "see" your setup, Jeff, but you may be making it hard on yourself.

    Refer to #2 in Rulz (last updated 2021-02-16).

    I assume that you have the Sophos Firewall configured with the same internal network subnet and that the DMZ only contains the XGS behind the UTM.  Why not just configure DNATs in the UTM that redirect traffic to the XGS?  These would need to be at the top of the list in the UTM. You could enable one briefly and see if the XGS handles that traffic correctly.  After the test, successful or not, disabling the DNAT in the UTM will return the functionality to the UTM.  After all of your tests have been shown to be successful, you can then change the WAN IPs on the XGS and replace the UTM with it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • I don't "see" your setup, Jeff, but you may be making it hard on yourself.

    Refer to #2 in Rulz (last updated 2021-02-16).

    I assume that you have the Sophos Firewall configured with the same internal network subnet and that the DMZ only contains the XGS behind the UTM.  Why not just configure DNATs in the UTM that redirect traffic to the XGS?  These would need to be at the top of the list in the UTM. You could enable one briefly and see if the XGS handles that traffic correctly.  After the test, successful or not, disabling the DNAT in the UTM will return the functionality to the UTM.  After all of your tests have been shown to be successful, you can then change the WAN IPs on the XGS and replace the UTM with it.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children