This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

UTM to SFOS Migration Utility

Hi Sophos UTM community,

There's plenty of interest in a simple yet reliable migration tool to convert core portions of configuration from UTM9 to SFOS. We've released a number of tools in the past, and while they have been somewhat successful, they were also complex to setup, error prone for some users, and challenging to update. We went back to the drawing board, with pure lightweight simplicity in mind, and have come up with a new migration utility to make this process a bit more accessible, and I'm pleased to announce the initial public launch of the Sophos Migration Utility.

This new utility is open-source, and published on GitHub, so experienced users who want to customize aspects of the process, now have access to the tools to do so. This utility is run on the shell of your UTM9 firewall, and outputs an XML config export file in the format expected by SFOS. It can be uploaded directly into a new SFOS firewall to move configuration from UTM9 to SFOS. With that in mind, we've prepared instructions for everyone to use, and are making this tool available for everyone. 

Sophos UTM to Sophos Firewall OS (SFOS) Migration Utility CLI Instructions

Compatibility:

This utility supports Sophos UTM v9.7xx to Sophos Firewall OS (SFOS) 19.5.1+

Supported exports:

  • Web Filter Action Allow and Block lists -> URL Groups
  • Website tags -> URL Groups
  • TCP, UDP, and TCP/UDP Services -> TCPorUDP Services
  • ICMP Services -> ICMP Services
  • ICMPv6 Services -> ICMPv6 Services
  • IP Services -> IP Services
  • Host Definitions -> FQDN Hosts, IP Hosts IPs (IPv4 and IPv6), and MACs
  • Network Definitions -> IP Host Networks (IPv4 and IPv6)
  • IP Ranges -> IP Host Ranges (IPv4 and IPv6)
  • DNS Group hostname -> FQDNHost
  • Gateway Hosts -> Gateways (IPv4)

Known issues / limitations:

  • Tag and FilterAction List Website -> URL Group export
    • Regexes are not exported (SFOS restriction)
    • CIDR URLs are not exported (SFOS restriction)
    • URLs containing paths are not exported (SFOS restriction)
    • UTM's "include subdomains" is ignored. URL Groups always include subdomains on SFOS
    • SFOS only allows 128 URLs per group. This tool will split them and create multiple URL Groups when necessary.
  • SFOS generally allows shorter names for objects than UTM. Names are truncated where necessary.
  • DNS Groups -> IPLists is disabled - See DNSGrouptoIPLIST in sub parse_hosts() to re-enable
  • Gateway hosts -> Gateways only supports IPv4 (SFOS restriction)

Unsupported exports (to be considered in future updates):

  • VPN Settings
  • Routes
  • VLANs
  • Firewall rules

Please note: This utility requires some experience using shell environments, and assumes knowledge on the following:

  • How to extract a zip archive on your preferred desktop OS
  • How to use SCP to transfer files and folders to and from a remote host
  • How to use SSH to access a remote shell

If you are unsure how to use any of these, we highly recommend that you seek assistance from your Sophos Partner.

Set up Shell Access on Sophos UTM:

  • Enable SSH access on your Sophos UTM 9 system. If it isn’t enabled:
    • Login to Sophos UTM WebAdmin interface
    • Navigate to Management > System Settings > Shell Access
    • Enable the SSH shell access switch if it is not already turned on  
  • Ensure you have working credentials to access the Sophos UTM over SSH.
    Sophos UTM allows for only two shell accounts: loginuser and root. If using username and password, you must first login as the less privileged loginuser, then escalate to root privileges using the su command and entering the root password when prompted. You may also use ssh keys if preferred, and it is possible to allow direct login as the root user, if using an ssh key rather than username and password. If you are not familiar with using ssh keys, choose strong passwords for the loginuser and root
    • If you don’t know the credentials, you can reset the loginuser and/or root passwords on the Shell Access
    • Alternately, you can use an SSH key to access the shell if you’re familiar with creating and using SSH keys.

Migration Instructions:

  1. Access the migration utility at this link, where you can review its source and additional instructions for advanced use cases: https://github.com/sophos/Sophos-Migration-Utility-CLI
  2. Download script from https://github.com/sophos/Sophos-Migration-Utility-CLI/archive/refs/heads/master.zip to your computer
  3. Extract the downloaded zip file (Sophos-Migration-Utility-CLI-master.zip)
  4. Using your preferred SCP utility, (for example, WinSCP on Microsoft Windows) transfer all extracted contents from the above download to your Sophos UTM system’s /home/login
    1. If using username and password, use the username loginuser and the correct password
      1. Once logged in as loginuser, enter the following command to switch to root permissions:

    su -

    <enter the root password>

    1. The uploaded files should be in a folder created in the /home/login/ folder. Make note of the full path of the pl script. For this example, we’ll assume it is in /home/login/sma.cli-master/
    2. If using root with SSH key authentication, use the username

 

  1. To run the migration, enter the following commands:

cd /home/login/sma.cli-master/

perl migrate.pl

The output should look like this:

Using confd snapshot /var/confd/var/storage/snapshots/cfg_17202_1680560553

Exporting objects from /var/confd/var/storage/snapshots/cfg_17202_1680560553 to Export.tar

Exporting to Entities.xml

Creating output file archive Export.tar

Export complete

 

  1. SCP copy the Export.tar file from/home/login/sma.cli-master/ to your local computer.
  2. (Optional) SCP copy the Entities.XML from the same location to your local computer.
  3. (Optional) Review the contents of Entites.XML to review what will be imported
  4. Log into the SFOS WebAdmin interface
  5. Navigate to Backup & firmware > Import export
  6. Import the Export.tar file by clicking Choose File, and browsing to where it is saved, then click Import
    1. The import will progress in the background, and may take a few minutes, depending on the size of the configuration being imported.
    2. Monitor progress by selecting Log Viewer at the top of the page, then select Admin from the top-right dropdown menu.
    3. You will see objects and settings being imported, and once logs stop appearing, you can check to see that all expected configuration has been imported.
    4. If the file was manually edited before importing, any formatting errors will appear in this log, which may help you troubleshoot any mistakes.

If you need assistance with migration:



This thread was automatically locked due to age.
Parents
  • Just to cross reference another approach:  Sophos Firewall: PowerShell Script Library for migrating Sophos UTM to Sophos Firewall 

    There you will find a way to migrate (SD)-REDs as well.  

    __________________________________________________________________________________________________________________

  • Hello again LuCar. :) Would this work in your opinion:

    1. Configure a XGS with any temporary changes, or to be port configurations (example: in my case it would be the secondary WAN I'm using, as it exists on the UTM (ETH4) but the interface is off and has been physically moved to get the XGS (ETH1) we're migrating to, to get it online.   UTM: WANS on ETH4 and ETH2, LAN on ETH1    XGS: WANS to be on  ETH1 and ETH3, LAN on ETH2)
    2. Export the XGS configuration configuration.
    3. Export the UTM configuration using the pearl script for import into the XGS.
    4. Add/Modify the entries of the XML Entities file (would it be best to use the XGS or UTM export file?)
    5. Import the configuration file to the XGS (does the file have to be a .tar?)
Reply
  • Hello again LuCar. :) Would this work in your opinion:

    1. Configure a XGS with any temporary changes, or to be port configurations (example: in my case it would be the secondary WAN I'm using, as it exists on the UTM (ETH4) but the interface is off and has been physically moved to get the XGS (ETH1) we're migrating to, to get it online.   UTM: WANS on ETH4 and ETH2, LAN on ETH1    XGS: WANS to be on  ETH1 and ETH3, LAN on ETH2)
    2. Export the XGS configuration configuration.
    3. Export the UTM configuration using the pearl script for import into the XGS.
    4. Add/Modify the entries of the XML Entities file (would it be best to use the XGS or UTM export file?)
    5. Import the configuration file to the XGS (does the file have to be a .tar?)
Children