Best method to move from Software Appliance to Hardware SG 550s

Hi All.

After using Software appliances on Dell servers for years, we have decided to move to Hardware appliances. We currently have an HA setup running on identical Dell 2950 servers. We have purchased and received two new SG550s. My question to those of you gurus out there is what is my best (read smoothest and easiest) course of action to migrate to these new boxes. My current setup (version 9.353-4) has four active interfaces out of 6 physical ethernet ports. The new SG550s have 8 ports and two "maintenance ports".


I know from experience with my home machine that you cannot import a backup file from a NEWER version into an OLDER one. I have no idea what version is currently on the 550s from the factory, but I am confident it is older. Should I download the latest ISO for the SG550s and boot it with a USB stick inserted to instant update, or fire it up and give it a temporary IP address and do an up2date? Once I get a current version installed and import my backup, how will I know what physical ports get mapped to my interface definitions? Will it match eth0-eth3 and leave 4-7 unused, or randomly assign them?

Beyond getting the new unit up and running with my current config via backup restore, I am also assuming that once it is humming along, all I need to do is turn on HA and connect the other and fire it up (with all the proper identical cabling into my VLANs) unconfigured, correct? The "Master" should see the unconfigured unit connected and command it to be a slave unit, right?

Thanks in advance for any assistance.



  • Erik, the version of software should be listed on the outside of the box the unit came in.  The easiest thing to do if older is to do quick setups on both units, let them download the Up2Dates and then apply them.

    After you have them at the right version and you restore your backup to the Master, you will immediately need to upload a 550 license. In WebAdmin, check to see which NICs were assigned to which interfaces and note that to simplify the cabling job.

    Before you make the changeover, prepare to bounce all connected routers/switches to clear their ARP tables as well as prepare your ISP to have them be ready to clear the ARP table in their last-hop router. *

    When you're ready:

    1. Make all Ethernet and power connections to the new 550s, but leave them powered down.
    2. Power down the current Slave.
    3. Power down the current Master.
    4. Power up the new 550 Master.
    5. Bounce routers/switches as planned.
    6. Confirm that the new 550 is doing its job.
    7. Power up the new 550 Slave.

    Cheers - Bob

    * Bouncing the routers/switches can be avoided if you assign Virtual MACs to the 550's NICs that match the existing ones in your Dell servers.  Going from one manufacturer's hardware to another's could well cause this workaround to be more trouble, so I didn't suggest it.  This is however a good trick for replacing a non-HA Sophos appliance.

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Thanks for the info, Bob. The 550s are installed in the rack. I'll simply bring them up later this week, do a quick setup with temporary addresses and let them update as you suggest. After that I'll import the current backups, add a license, then perform the cut-over. One quick question - should I use one of the maintenance ports for connecting to WebAdmin while I am configuring the new ones (I don't have equivalent maintenance ports for WebAdmin connectivity on my current Dells)? I assume this would allow me to use a new VLAN and not interfere with the current running UTMs.

  • Only restore the backup to the Master. After the Slave has Up2Dated, Factory Reset it before powering it down. Without that, the Master can't take it over.

    When doing the initial setup, there is no VLAN, just straight ethernet on eth0 with an IP of 192.168.0.1.

    Cheers - Bob

     