
How to perform the actual migration from UTM to SFOS

I'm a long-time UTM home user but don't claim to be an expert. So how does one migrate from UTM to SFOS?

It would be very beneficial if the Sophos Engineers would provide a tutorial on everything from adding another Sophos appliance to a step-by-step comparison on how things are done differently, section by section when comparing the two. For instance, "This is how you set up WAF rules and policies in the UTM. This is how you accomplish the same thing in SFOS", using real examples. I truly believe a video tutorial series, which shows an actual migration, would help Sophos keep its customer base.

Maybe I'm wrong, but I don't think it is possible to create and maintain a set of 'UTM to SFOS' migration scripts which are 100% reliable and work for all use-case scenarios. I think the best approach would be to add an SFOS box or VM to an existing UTM environment so that you can manually re-create your current setup on the new SFOS appliance--gradually, portion-by-portion, so that you can thoroughly test each piece that's been moved to the new SFOS appliance while maintaining the rest on the UTM.

So let's start with step one. How do you add a new SFOS box or VM to an existing UTM network so that you can access both? Which interfaces do you connect, and are there any routes that need to be created?



This thread was automatically locked due to age.
  • Sophos works with a partner base to install and migrate the firewalls. Sophos Partners are educated to get those migrations in place. In the Channel/Partner business, Sophos educates Partners on the SFOS platform and how to do things there with real-world examples.

    You will actually find a lot of video/guide material on this forum for your use cases, and there is no "Migrate A to B" guide approach.

    The good part is that some modules are the same, like WAF for example; it takes the same approach to configuration, just via Firewall. You will find guides in the online help with the approaches here. Another source of approach would be: https://techvids.sophos.com/categories/sophos-firewall

    The biggest challenge for migrations is the different approaches towards scenarios. For example: Firewall rules play a much more important role on SFOS than on UTM. You control most of the services like IPS, WAF, AppControl etc. with a Firewall Rule, while this was module-based in UTM and each thing did its own.

    How to start here? You find in the online help a guide for each platform: https://doc.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/VirtualAndSoftwareAppliancesHelp/vs_VirtualSoftwareApplianceIntro/index.html 

    SFOS needs two interfaces at start, one to access the webadmin, one to access the internet. Depending on your platform, there are different approaches. For example, in VMware you could do a host-only adapter for the LAN interface and a NAT adapter for the WAN. Then you follow the guide.

    TLDR: Home usage varies highly on the applicable setup. Some home users do it bare metal, some with a hypervisor. 


  •   

    For my use-case, the ONT device provided by the ISP has one single RJ-45 port. That currently connects to my Sophos UTM's WAN interface. The Sophos UTM's LAN interface connects to a switch. How do you physically connect (add) a Sophos Firewall OS box so that both the UTM and SFOS are on the network together?

    I'm thinking that I will have to create new subnets and new VLANs on the SFOS box and move the old ones from the UTM, one-by-one. Same for the public, static IP addresses that I lease from the ISP. So basically, the UTM will still be in use until everything is eventually migrated to the SFOS box. Which Sophos WAN and LAN interface gets connected to what and how do you delegate traffic to the new SFOS box? I can add another NIC to the UTM box to provide more interfaces/ports if needed. There must be a universal best practice for doing such a thing. I just don't know how to connect the new SFOS box and how to migrate certain traffic to it.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------

  • It is hard to do a conversion when the product goes from intuitive to unintuitive. We tried hard on many firewalls, but SFOS is a broken product made for SMB. We finally went to another vendor after too many failed tries.

    As a product that in most cases was better in design than a lot of products out there, we can hope that someone at Sophos would do the world and community a favor and open-source as much of the UTM/Astaro as possible.

    Thank you Sophos for the 10+ years.

  • From the first line on google.com

    What happens when Thoma Bravo buys your company?
    Using history as a guide, when Thoma Bravo buys a company, the first impact is managerial turnover, layoffs and cut-backs. For the user of software, this translates to a redefinition of the relationship. 
  • rMI said:

    ...when the product goes from intuitive to unintuitive.

    I certainly agree on this point. However, I need IPS for ingress traffic and pfSense only does non-encrypted traffic, which is useless. I'm not sure about OPNsense with the paid Zenarmor subscription, but I also don't want any cloud management. This is the main reason why I want to try and learn SFOS. Unless I'm wrong, you can terminate SSL traffic with the Sophos WAF and use IPS on the unencrypted traffic so that you do not have to do the MITM thing. This is how I was doing IPS with the UTM and it worked great. Caught a lot of bad traffic; just have to tweak the rules to minimize false-positives.

    What SFOS issues were you not able to fix, which caused you to go to another vendor? Unfortunately, I just don't see anything else out there for home lab users that want IPS.

    --------------------------------------------------------------------
    Sophos UTM 9.719-3 - Home User
    Virtual machine on Dell Optiplex 3070
    i3-9100 @ 3.60 GHz, 16 GB RAM
    --------------------------------------------------------------------