
Running 2 UTM firewalls in parallel

I am after some technical advice from the brains trust…
Basically, I need to know if it is possible to run 2 UTM firewalls in parallel.

I am currently upgrading my entire home environment, which will include replacing the existing UTM with a newer machine and a clean install.
I am also replacing my current server environment with something that is more current and actually supported by Microsoft.

Over the years I have not been very diligent in cleaning up the UTM when entries have become redundant. I figure it will be simpler to just start from scratch, adding only the settings that I require now.
Sounds simple, but as most would know, it’s probably going to be somewhat more involved than that.

As much as I only have a home environment, my configuration is not what would likely be expected, as I run a Windows domain that includes an Exchange mail server and I also have my own web server. A throwback from working as an IT contractor for over a decade. Sadly, that was over a decade ago, so my brain is hurting trying to get up to speed on current server technologies.

There are currently 4 interfaces configured on the UTM: External, Internal, DMZ and VOIP.

Some things I can obviously do in a lab style network setup, like setting up the AD integration with the UTM, but other things like testing my mail server or phone connectivity could be a challenge, if not impossible to do.

My modem is in bridge mode, so all of the authentication to the ISP is done by the UTM, which is also where my static IP address is defined.
If it helps, I can add another interface to the UTM.

Any advice would be appreciated.



  • Hi,

    What does running in "parallel" mean?

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    • Basically, have 2 UTMs on the network and be able to migrate settings from the existing firewall to the new one and then test/confirm that those settings function, before finally cutting completely over to the new firewall.

      • ... if you choose different IPs ... it works.


        Dirk

        Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
        Sophos Solution Partner since 2003
        If a post solves your question, click the 'Verify Answer' link at this post.

        • Not wishing to be rude, but that is a pretty simplistic reply.

          What I really need to know is the "how".
          Also, I don't see how I could test mail flow by simply putting the 2nd UTM on a different IP subnet.

          • For example, your actual UTM is 192.168.0.1

            Configure your Second UTM to 192.168.0.254

            Configure your Test Client to use Gateway 192.168.0.254

            On the WAN side you'll need another WAN IP (no problem if you're using your UTM behind a router).

            • Sadly, I only have a single fixed IP address.

              • Hello,

                then you could use the "old" UTM as the gateway for the second "new" one until you have switched over all services.

                You would need to DNAT all the things you want to use on the "new" box from the "old" box AND tell the internal clients or servers to use the internal address of the new box as their gateway instead of the old one as before.

                Kind regards, best regards from Germany,

                Philipp Rusch

                New Vision GmbH, Germany
                Sophos Silver-Partner

                If a post solves your question please use the 'Verify Answer' button.
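The double-DNAT chain Philipp describes (old UTM stays the ISP-facing gateway and forwards a published port to the new UTM, which forwards it again to the server behind it) can be checked as a small stateful-NAT simulation. This is an added example, not code from the thread or from Sophos; all addresses are constructed from RFC 5737 / RFC 1918 documentation ranges and are assumptions, and it also shows why the server's default gateway must be the new box rather than the old one.

```python
# Added simulation of the two-stage DNAT path: Internet -> old UTM -> new UTM -> server.
# Addresses are constructed for the example, not the poster's real ones.
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatBox:
    """Minimal stateful DNAT: forward() rewrites the destination per the rule
    table and records the flow; reply() undoes the rewrite for the answer."""

    def __init__(self, name, rules):
        self.name = name
        self.rules = rules  # {(dst, dport): (new_dst, new_dport)}
        self.flows = {}     # (src, sport, new_dst, new_dport) -> (dst, dport)

    def forward(self, pkt):
        new_dst, new_dport = self.rules.get((pkt.dst, pkt.dport), (pkt.dst, pkt.dport))
        self.flows[(pkt.src, pkt.sport, new_dst, new_dport)] = (pkt.dst, pkt.dport)
        return replace(pkt, dst=new_dst, dport=new_dport)

    def reply(self, pkt):
        # An answer that did not come back through the translated hop has no
        # matching flow entry here and is dropped (returns None).
        if pkt is None:
            return None
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.flows:
            return None
        orig_dst, orig_dport = self.flows[key]
        return replace(pkt, src=orig_dst, sport=orig_dport)


PUBLIC_IP = "203.0.113.10"     # constructed: old UTM's static WAN address
NEW_UTM_WAN = "192.168.0.254"  # new UTM's WAN interface, on the old UTM's LAN
NEW_MAIL = "192.168.1.25"      # mail server on the new UTM's internal network
OLD_UTM = NatBox("old", {(PUBLIC_IP, 25): (NEW_UTM_WAN, 25)})
NEW_UTM = NatBox("new", {(NEW_UTM_WAN, 25): (NEW_MAIL, 25)})


def deliver_smtp(sender="198.51.100.7", sport=40000, wrong_gateway=False):
    """Inbound SMTP through both boxes and the reply back to the sender.
    wrong_gateway=True models the server still using the old UTM as gateway."""
    inbound = Packet(sender, sport, PUBLIC_IP, 25)
    at_server = NEW_UTM.forward(OLD_UTM.forward(inbound))
    answer = Packet(at_server.dst, at_server.dport, at_server.src, at_server.sport)
    back = OLD_UTM.reply(answer if wrong_gateway else NEW_UTM.reply(answer))
    return at_server, back
```

With the correct gateway the sender sees the reply sourced from the public address on port 25; with the server pointed at the old box the old UTM has no matching flow and the reply is lost.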

            • As I fully expected, it would seem that there is not really a simple way to do this.

              It would have been nice, but I guess that it is probably easier to just configure the new UTM as best I can and then do a cutover, fixing any issues that may arise.

              Thanks to all that replied.

              • It might be helpful to change the management IP address on the existing one so you can at least refer to it while setting up the new one.

                • No need, as I have built a separate network infrastructure (basically a lab setup) and can access both UTMs at the same time, but thanks for the suggestion.

              • Okay... maybe a different tack is required here.
                Given that it is possible, I am now considering getting an additional WAN IP address as another way to go.

                My current configuration is a VDSL2 modem in bridge mode and the UTM does the PPPoE authentication to the ISP.

                Can anyone suggest a configuration method that would allow me to have the current UTM on one static IP address and my second UTM using the second IP address?
                The intent would be to effectively have two totally separate LANs; one for each of the UTMs, so I can run 2 different mail servers at the same time (for my configuration testing).

                I have a couple of domains that I do not currently use for email, so I can set them up on the new mail server for testing purposes.
                I would simply modify the A and MX records of those domains to point to the second IP address.
                Therefore, each mail server would use its own email domains, with no crossover between the two of them.

                I assume that I would only need one of the UTMs to do the authentication to the ISP, so envisage that I may have to add the additional IP address (Interfaces & Routing > Interfaces > Additional Addresses) to the first UTM and then do some form of NAT to the other UTM.

                As stated initially, I only have 4 interfaces in the current UTM (all of which are being used), but I could add another one, or maybe I can put the second UTM on the DMZ VLAN.

                I really do not know which way to go here, but hope that this can be done.
                To that end, I would definitely appreciate some technical advice on this.