Replacing faulty SG210 in HA setup

Hi,

I have a set of SG210 running UTM 9.510-5 firmware with active subscription.

Recently 1 of the SG210 had a problem and we RMA'd the unit; a replacement unit was sent to us, but with a higher firmware version (9.705). I checked the Sophos UTM download page and it seems UTM 9.510-5 is no longer available for download.

May I know what is the correct procedure to join the replacement unit back to the HA cluster?

1. Backup config file from existing working SG210
2. Go to MyUTM, license for the old faulty unit and change the serial number to the new unit
3. Go to High Availability setting in the existing working SG210 and change the operation mode to Off
4. Upgrade existing SG210 to same firmware as the replacement unit (downtime expected)
5. Connect the HA ports for both units
6. Configure HA setting at existing unit
7. Connect the WAN and LAN port of replacement unit

Are the above steps correct?

Thanks.

Patrick.

  • Thanks guys, I may be going for Dirk's way as it may have a shorter downtime?

    Questions:

    1. Can the config file of the existing version (9.510-5) be loaded to the newer version (9.705 or newer)?
    2. Will the subscription be active once I power up the replacement unit and load the config file? Or do I just need to download the license file from the MyUTM website and upload it to the replacement unit?

    My revised steps should be?

    1. Power up the replacement unit, update to latest firmware version.
    2. Load the config file to replacement unit, from existing unit
    3. Load the license file to replacement unit.
    4. Switch LAN and WAN cable to the replacement unit.
    5. Disable HA at the existing unit
    6. Update existing unit firmware to be the same as the replacement unit.
    7. Reset existing unit to factory default (required?)
    8. Connect HA cables between the 2 units and configure HA from replacement unit

    I've checked and both units are on the same hardware revision, so I guess it should be fine.

    Thanks.

    Patrick.

  • 1. Yes, you can load the config file to devices running newer versions

    2. License is included within config-backup.

    3. Your steps are OK --- Tom's steps for Option 3 are great

    4. YES ... using Tom's way (Option 1 or 2) you keep your data.


    Dirk

    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • Great posts, Thom and Dirk - very thoughtful.

    Patrick, you can also keep your logs, reporting and quarantine by backing them up and restoring with WinSCP:

    • Logs & Reporting in /var/log
    • Quarantine in /var/chroot-smtp/spool/quarantine

    Indeed, if the SMTP Proxy is in use, you will want to temporarily remove the domains on the 'Routing' tab to prevent the proxy from receiving further mails. Then use the Mail Manager to ensure that mails in the spool are delivered. You will want to do this just before you power down the existing unit and connect and power up the new unit.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA