This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Upgrading UTM 120 to new SG 125: Lessons Learned (IMPORTANT: SAVE YOUR CONFIG BACKUPS STARTING NOW!)

TL;DR: THE MOST IMPORTANT LESSON LEARNED: If you plan to continue with Sophos, start making regular configuration backups now and save ALL the backup files where you can recover them in the future. When we got the UTM 120 three years ago, I configured it to email an encrypted configuration backup to me once a week. I saved them, which proved to be very fortunate. I needed a much older backup, and was lucky that it was available.

DETAILS: The licenses for our company UTM 120 expire on Friday. Yesterday, we replaced the UTM 120 with a new SG 125. I would like to share our experience upgrading from the UTM 120 to a new SG 125. Some of the issues described here were also discussed in this thread:

community.sophos.com/.../migrating-from-utm-220-to-sg-230

Here are the LESSONS LEARNED:

* UNDERSTAND YOUR SOPHOS LICENSES - DO IT NOW!

NOW, while you are thinking about it: Find your Sophos license expiration date(s) and make an entry in your calendar six months in advance, to give yourself time to review options and complete the renewal or upgrade process. It may be as simple as a license renewal, or you may be REQUIRED to replace your hardware.

We were required to replace our hardware. According to Sophos' website, Sophos declared the UTM 120 to be end of life (EOL) in June 2017. We could have renewed our licenses for one more year if we had done it before the EOL date in June, but it felt like good money after bad. According to the Sophos website, the one year renewal was the absolute limit before the UTM 120 would become a doorstop. I did not ask whether Sophos could have extended our licenses another three years under some kind of waiver. The UTM 120 was underpowered anyway, and future software updates were not likely to run faster, so it made sense to replace the firewall. Frankly, we are a small customer, without much pull.

* START THE RENEWAL EARLY

I casually emailed our Sophos partner (distributor) last June, but they did not respond. I got busy and didn't notice. I sent a couple more emails over the next two months, before escalating to phone calls to get their attention. Once I got their attention, the renewal was stressful (due to lack of time) but smooth. I wonder whether the Sophos partner was deliberately slow to respond, in order to put more pressure on us at renewal time.

Before committing to a Sophos renewal, we did a serious evaluation of Palo Alto Networks firewalls. Our conclusion was that they have superior firewall products, but are considerably more expensive. A comparably priced Palo Alto Networks firewall would have been significantly underpowered compared with a similarly priced Sophos firewall. Furthermore, we felt that there was not enough time to learn the new Palo Alto paradigms and replace the UTM before its licenses expired.

* UNDERSTAND YOUR REGULATORY ENVIRONMENT

Our company handles a lot of personal health information (PHI), which is subject to HIPAA in the United States. HIPAA regulations require a business associate agreement (BAA) between companies that share data with PHI, so that the associate is contractually obligated to protect PHI under HIPAA, just as the primary company would do.

The issue is that newer firewalls have features that automatically upload customer files to the firewall company's servers for further analysis. Sophos Sandstorm is one example. We asked Sophos to sign the standard, boilerplate BAA, but they refused, so we did not test or buy Sandstorm. We would have liked to try it because we handle lots of documents from outside sources, but without the BAA, no can do.

On a personal note, I wonder how many companies in the healthcare sector are exposing themselves to regulatory liability by not getting signed BAAs in place. I wonder how many executives of companies subject to HIPAA actually realize that company files are being uploaded to outside servers by their firewalls or how many IT people understand the regulatory implications of offloading malware analysis to outside servers.

By the way, Palo Alto Networks told us that they would sign the BAA. We did not put it to the test, because we chose Sophos, but without Sandstorm. It is sad to see Sophos leave easy money on the table. In my opinion, Sophos will have to start signing BAAs or give up the healthcare sector.

 

* START SAVING CONFIGURATION BACKUPS NOW, IN CASE YOU NEED THEM IN THE FUTURE!

* OUR INITIAL SG 125 UTM SOFTWARE WAS OLD AND NOT COMPATIBLE WITH OUR CONFIGURATION BACKUP!

Last Friday, I brought the old UTM 120 firewall up to the most current version of the UTM software (9.503-4), anticipating that the new firewall would arrive with the latest version. I was wrong. In fact, the new firewall was manufactured in May 2017. Even so, it had an older version of the UTM software - as in “much older than May 2017”. The SG 125 had version 9.409 of the UTM software. The current version is 9.503, which is about seven or eight updates past the version that was delivered on the SG 125.

Yesterday morning, I made a configuration backup, expecting to load it on the SG 125. I was wrong. The SG 125 refused to load our configuration backup, saying that that the latest configuration backup was an incompatible newer version.

Fortunately, I had configured the old firewall to email encrypted configuration backups once a week, and I had kept those emails. I tried several older versions of our configuration backups, but the SG 125 would not load them. The oldest backup that failed was March 2017. The configuration backup from 1 October 2016 (!) worked, but it was over a year old. I did not try to refine whether more recent configuration backups (but still older than the failed March 2017 backup) might have worked.

 

* NEW PLAN: UPDATE FIREWALL TO THE LATEST VERSION, THEN LOAD MOST RECENT CONFIGURATION BACKUP.

* RECONFIGURE THE LAN PORT ON THE SG 125 WITH A NON-CONFLICTING IP ADDRESS, THEN LET IT UPDATE ITSELF

I reconfigured the LAN port on the SG 125 with a new IP address, so that it would not conflict with the running UTM 120. This didn't work. I was able to connect to SG 125 on its new IP address, but it refused to update itself.

I looked at the Up2Date logs and realized that the SG 125 did not know about the UTM 120 gateway, so the SG 125 could not find the Sophos update servers on the internet.

* MAKE THE LAN PORT THE GATEWAY (THAT’S THE SECRET)

Once I understood the update problem, I edited the WAN port and disabled its gateway status. Next, I edited the LAN port, enabling its gateway status and setting the gateway IP address to the LAN address of the UTM 120, same as any other device on the LAN. Once I made the interface edits, the SG 125 started downloading updates, more than 1 Gigabyte of them. Once they were all downloaded, I updated the SG 125.

* FINALLY - THE CORRECT CONFIGURATION

Once the SG 125 was fully updated, I was able to reload the backup configuration file from early that morning. We powered up the SG 125 and it worked. I ran all my tests, and they passed.

* AT LEAST ONE KEY ON THE FIREWALL CHANGED

I logged into the SG 125 from the console interface over SSH, and my client (the Terminal on my Mac) refused to connect because it noticed that the public key had changed. Sophos technical support had told me earlier that all keys were restored. I know for a fact that at least one key changed.

I hope this helps someone.



This thread was automatically locked due to age.
Parents
  • What I could have done differently:

    * I could have done an initial setup on the SG 125, just enough to get the SG 125 to update itself, then loaded the newest configuration backup.

    In my defense, I was surprised when the latest configuration backup didn't load. Our configuration does not change that much, so my initial thought was that if the process described in my post above didn't work, I could have at least restored the older backup and manually compared settings and made changes. After the fact, it was clearly not necessary.

  • Hi,

     

    Thank you for your very interesting post. And also for giving us a reason to start investigating other products then Sophos unfortunately, (due to potential new customer needing HIPA compliancy)

Reply Children
No Data