Upgrade UTM 220 devices to SG230 in HA mode

We currently have a set of UTM220 devices in a cluster. We recently received a pair of SG 230s to upgrade to since the UTM220 is end of life. What are some steps to follow in order to upgrade to the new units? Can anyone give a step by step or a summary of what needs to be done to have a "flawless" upgrade?

 

Thank you in advance.



  • Hey Sam and welcome to the UTM Community.

    Here's the prescription I give to my clients around the world:

    1. If needed, do a quick, temporary install so that the new device can download Up2Dates, apply the desired Up2Dates (if possible, stop at 9.509 today) and do a factory reset.
    2. On the current UTM in use, on the 'Hardware' tab of 'Interfaces', assign the MAC as the Virtual MAC for the NICs in use.  This prevents having to reboot directly-connected devices.
    3. Create a backup and load it onto a USB memory stick.
    4. Reboot the new device with the USB memory stick in place and remove the memory stick after the boot is complete.
    5. Connect a PC to the new device, upload the license for the new device and then disconnect the PC, leaving the new device powered up.
    6. Power down the old device and move the cables to the new device.  Done.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Hey Bob. Thank you for the response. 

     

    Since this is a unit in HA, I managed to come up with these rules with the help of a colleague.

    1. Create a full unencrypted backup from the master UTM220
    2. Plug in the new SG 230 firewall separate from the UTM220 setup. Go through the initial setup of the unit. Make sure that the unit is up to date or at least the same release as the one on UTM220. If it is not, update the firewall to the latest version or to the version that matches the UTM 220.
    3. Import the config backup from the UTM220. This option should be available during the initial setup of the device.
    4. Verify that the configuration on the SG 230 is correct (The ports and interfaces could potentially be in a different order, re-configure them as necessary)
    5. Schedule downtime to swap the network cables going into the old UTM 220 pair to the new SG 230 pair
    6. Verify functionality and connectivity on the “Primary” SG 230. You may need to reboot to update the ARP tables. Hopefully everything is working correctly.
    7. Head over to Management > High Availability > Configuration. Choose Hot Standby and allow the second unit to sync.

     

    Aside from assigning the MAC addresses, does this look about right?

    This is a rough guide that I am writing.

  • Ah yes, I scanned your post too quickly and didn't "see" that you're in HA.  I would do this a little differently.  Downtime is just the time it takes to move the cables to the new SG Master:

    1. If needed, do quick, temporary installs so that the new devices can download Up2Dates, apply the desired Up2Dates (if possible, stop at 9.509 today), do a factory reset and power both units off.  If the new units are at the same level or higher than the current UTMs, this step is unnecessary.
    2. Create a backup and load it onto a USB memory stick.
    3. With the USB memory stick in place, power up the device that will begin as the new Master and remove the memory stick after the boot is complete.
    4. Connect a PC to the new Master, upload the license for the new SG, leaving the new Master powered up.
    5. Verify that the configuration on the new SG Master is correct (The ports and interfaces could potentially be in a different order, re-configure them as necessary), and then disconnect the PC.
    6. Power down the current UTM Slave and move its cables to the new SG Slave which remains powered down.
    7. Power down the current UTM Master and move the cables to the new SG Master.
    8. Wait for the new SG Master to be READY.
    9. Power up the new SG Slave.  Done.

    In fact, in HA, the Virtual MACs are already set, so the step to set them is not necessary.  I've adopted your language in my step 5 - thanks!

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
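
The Virtual MAC step and the note about rebooting to update ARP tables both come down to whether directly connected hosts still resolve the firewall's addresses to the same MAC after the cable move. As an added example (not part of any post in this thread), the script below compares `ip neigh show` snapshots taken on a neighbouring Linux host before and after cutover; the IP addresses, MAC addresses and function names are constructed for illustration.

```python
# Constructed `ip neigh show` snapshots from a host directly connected to the
# firewall, taken before and after the cable move (sample data, not real).
BEFORE = """\
192.0.2.1 dev eth0 lladdr 02:00:5e:00:00:01 REACHABLE
198.51.100.1 dev eth1 lladdr 02:00:5e:00:00:02 STALE
203.0.113.1 dev eth2 lladdr 02:00:5e:00:00:03 REACHABLE
"""
AFTER = """\
192.0.2.1 dev eth0 lladdr 02:00:5E:00:00:01 REACHABLE
198.51.100.1 dev eth1 lladdr 02:00:5e:aa:bb:cc REACHABLE
203.0.113.1 dev eth2  FAILED
"""


def parse_neigh(text):
    """Map each neighbour IP to (lower-cased MAC or None, state)."""
    table = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 4 or tok[1] != "dev":
            continue  # not a neighbour entry
        mac = tok[tok.index("lladdr") + 1].lower() if "lladdr" in tok else None
        table[tok[0]] = (mac, tok[-1])
    return table


def compare(before_text, after_text, firewall_ips):
    """Classify each firewall interface IP after the hardware swap."""
    before, after = parse_neigh(before_text), parse_neigh(after_text)
    result = {}
    for ip in firewall_ips:
        old = before.get(ip, (None, None))[0]
        new = after.get(ip, (None, None))[0]
        if new is None:
            result[ip] = "unresolved"   # check cabling / interface order
        elif old is None:
            result[ip] = "no-baseline"  # nothing to compare against
        elif old == new:
            result[ip] = "unchanged"    # Virtual MAC carried over
        else:
            result[ip] = "changed"      # neighbours hold a stale ARP entry
    return result


if __name__ == "__main__":
    ips = ["192.0.2.1", "198.51.100.1", "203.0.113.1"]
    for ip, verdict in compare(BEFORE, AFTER, ips).items():
        print(f"{ip:15} {verdict}")
```

A "changed" result points at an interface whose Virtual MAC did not carry over in the restored configuration; "unresolved" is the case to check against the port and interface order on the new unit.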