SG330 to SG450 migration - what about Logfiles?

Hello Community,

we have two SG330 Nodes with UTM version 9.705.

I want to migrate the configuration from the SG330 nodes to two new Sophos SG450 nodes to replace the SG330 cluster. 

My steps:

1. Create backup on the SG330 cluster, shutdown and remove from rack 

2. Put in SG450 nodes to rack 

3. Do an initial configuration on one of the SG450 nodes and after that restore the configuration backup of the SG330 cluster

4. Check interface cabling on SG450 node

5. Transfer important logfiles (Firewall / Webproxy) via WinSCP (from SG330 to SG450)

--> What about Email Quarantine Messages?

6. Check functionality (network connections, protection modules...)

7. Connect second SG450 node to configured SG450 node (HA interface) and let them sync

8. On "UNLINKED State", connect all other network interfaces to second SG450 node

9. Check functionality

Now I have some questions:

--> Would you copy the logfiles before restoring the configuration backup? Or after restoring the configuration backup?

--> Would you copy the logfiles to both SG450 nodes?

I think in the migration state it takes too much time to copy the files.

--> Should I copy some email specific settings / logfiles or not? (Email Quarantine?) / SMTP Log?

What do you mean?

Best regards

Bepo



This thread was automatically locked due to age.
  • Hello Bob,

    these are the steps of the migration:

    ------ Migration Pre-Steps 1 ------

    1. Update SG450 Nodes to newest UTM software version 

    2. Update SG330 Nodes to newest UTM software version

    3. Run Factory Reset on both SG450 Nodes

    ------------------------------------------

    --------- Migration Steps ---------

    1. Pause notifications of monitoring systems + SMS-Gateway

    2. Manually check the health status on: SG330 Cluster (Logfile-Checks)
       If system status is healthy:
       Create a Configuration Full-Backup of the SG330 Cluster

    3. Connect via WinSCP to the SG330 cluster IP and export the needed logfiles from /var/log (folders)

    4. Check the network interface objects mapping to the physical network interfaces in "Definitions & Users"

    5. Shut down the SG330 cluster via HA
       - First - SLAVE Node
       - Second - MASTER Node

    6. Remove the SG330 Cluster Node #1 from server rack

    7. Disconnect cables from SG330 Cluster Node #2

    8. Set up rack rails and install SG450 Node #1 in server rack

    9. Start SG450 Node #1

    10. Connect to: SG450 Node #1 via https://192.168.0.1:4444 (ETH0)

    11. Run the Initial Configuration Wizard + restore the full backup of the SG330 cluster

    12. Connect to: SG450 Node #1 via: https://10.46.0.34:4444
        - Attention: subnet mask 255.255.255.224!
        - Attention! Network interface ETH4!

    13. Import the Trial-EVAL-License

    14. Login with local Admin-Account

    ------------------------------------------

    --------- Functionality Checks ---------

    1. Was the license accepted and are all protection modules available?

    2. Check if the HA configuration is reset

    3. Check the network interface objects mapping to the physical network interfaces in "Definitions & Users"

    4. Connect the interfaces: ETH4 (INET-Uplink) + ETH5 (WAN-Uplink) + ETH2 (DMZ)

    5. Check Core-Routing

    6. Check Core-router logfiles + Backbone Routers – Wait: 10-15 minutes

    7. Check internet connectivity + NTP + DNS

    8. Check Authentication Services (Active Directory)

    9. Check Web Protection
       - Proxy reachable?
       - Single sign-on working
       - Content filter working
       - Logfile working? (including AD detection)

    10. Check Email Protection
        - Emails from internal to external + from external to internal OK?
        - Connection to email servers OK? (High-Availability Group)

    11. Check Webservers (WAF)
        - DMZ-Servers
        - CITRIX
        - Email-SYNC

    12. Check Site-to-Site VPNs (IPSec)
        - Are the IPSec sites reachable?
        - Is access via the hotline system possible?

    13. Check SSL-VPNs (End-to-Site)
        - Can you dial in?
        - Does the User Portal work?

    14. Check Wireless Protection
        - Are the access points reachable?
        - Are the WLANs being broadcast?
        - Can you log in to the WLAN?

    15. Create full backup on SG450 Node #1

    16. Import all exported logfiles --> Copy the exported log folders to /var/log and check in: "Logging & Reporting" if the logfiles are shown in: "archived logfiles"

    ------------------------------------------

    --------- Connect SG450 Node #2 and build active-passive Cluster (HA) ---------

    1. Configure HA on: SG450 Node #1:
       1. Operation mode: active-passive
       2. SYNC NIC: eth3
       3. Device Name: node1
       4. Set Encryption Key
       5. Check: "Enable automatic configuration of new devices"
       6. Set "preferred master" to: node 1

    2. Remove SG330 Node #2 from server rack

    3. Install SG450 Node #2 in server rack

    4. Start SG450 Node #2 (without cables!)

    5. Connect to SG450 Node #2 via https://192.168.0.1:4444 (ETH0)

    6. Run Initial Configuration Wizard and login

    7. Configure the following in the HA-Menu of: SG450 Node #2
       1. Operation mode: "Automatic configuration"
       2. SYNC NIC: "eth3"

    8. Connect HA-Cable SG450 Node #1 and SG450 Node #2 (ETH3)

    9. Wait until HA-SYNC is ready and SG450 Node #2 shows the state: "UNLINKED"

    10. Connect all cables to SG450 Node #2

    11. Check all functions

    12. The HA Status should be: SG450 Node #1 is MASTER and SG450 Node #2 is SLAVE.

    13. Trigger a manual HA-Failover (HA-Overview). --> Shut down SG450 Node #1 and check if SG450 Node #2 takes over.
        After reboot of SG450 Node #1 this node should be the MASTER node again.

    ------------------------------------------
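
An added example, not part of the original post: one way to confirm that the log folders exported from /var/log in migration step 3 are present and unchanged after the import in functionality check 16. It assumes `sha256sum`, `find` and `awk` are available where it runs and that log file names contain no whitespace; the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Assumes sha256sum, find and awk are on
# PATH and that log file names contain no whitespace.

# make_manifest DIR: print "<sha256>  ./relative/path" for every file in DIR.
make_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 )
}

# compare_manifests SRC DST: print MISSING/CHANGED/EXTRA lines for DST vs SRC.
compare_manifests() {
    awk '
        FILENAME == ARGV[1] { src[$2] = $1; next }   # source manifest
        { seen[$2] = 1
          if (!($2 in src))       print "EXTRA   " $2
          else if (src[$2] != $1) print "CHANGED " $2 }
        END { for (p in src) if (!(p in seen)) print "MISSING " p }
    ' "$1" "$2" | LC_ALL=C sort
}

# verify_import SRC_MANIFEST DEST_DIR: succeed only if every exported file is
# present and unchanged in DEST_DIR. EXTRA files are reported but tolerated,
# because the new node has already written its own logs by the time of import.
verify_import() {
    new=$(mktemp) || return 2
    make_manifest "$2" > "$new"
    report=$(compare_manifests "$1" "$new")
    rm -f "$new"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    if printf '%s\n' "$report" | grep -Eq '^(MISSING|CHANGED) '; then
        return 1
    fi
    return 0
}

# Usage: make_manifest <exported-log-folder> > export.sha256   (before the copy)
#        verify_import export.sha256 /var/log                  (after the import)
```

Store the manifest outside the folder it describes, otherwise it is hashed as part of its own input.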
