Migration from UTM Home Edition

Hi,

you cannot restore a UTM backup to an XG image. You can I believe export the host list in XML format and import that list into XG.

All groups and networks will have to be created from scratch.

The DHCP function on the XG is very simple, you cannot have the same MAC on different networks, you cannot assign multiple names to the same device. All static assignments have to be outside the DHCP scope. XG treats IP4 and IPv6 as two seperate firewalls in most instances except with the SSL/TLS (DPI) functions.

I don't understand the requirement for 200 hosts, you can use wild cards in the FQDN and FQDN groups and the XG has an extensive host list built-in.

Ian

Thanks. I think you may have misunderstood what i meant about the backup - I've built an XG VM, and I was planning to configure that ahead of time and restore a backup of that to the actual hardware after installing XG fresh. It's not going to be quick to build this, and with lots of schooling and working from home going on, minimising downtime is quite important!

I wanted a real firewall as I wanted to protect my young son from the bad stuff as much as I could, as well as to learn more about firewalls and networking. The only way I can really do that is to have static DHCP entries (i have 49) and control what those devices can get access to (roblox has 18 host / network entries, netflix 6, etc). I group together all my bluray players (as an example) to manage their connectivity, my son's kit, all our apple devices etc, they all mount up, but i do see a number of them already in XG, and that will help. I'm looking for *anything* that makes life easier than copying data between two web GUIs. 

rfcat_vk said:

You can I believe export the host list in XML format and import that list into XG

I've worked out how to export in confd format, struggling a bit with importing - having copy/paste data in a text file is a huge time saver in itself though, so thanks for the pointer.

rfcat_vk said:

you cannot have the same MAC on different networks

Really? That's an interesting design choice - unnecessary extra work that can result in a negative impact (I want to plug my laptop into different networks and get fixed addresses each time). Any idea why it's like that? I can live without it, but it seems an odd thing to do. Interesting to see that the static addresses need to be outside the scopes on XG - coming from a Microsoft background I never did understand why UTM did it the other way. 

Dave

Hi Dave,

the DHCP server is global, not network based and yes it ia pain when debugging network issues.

You should investigate clientless users to be able to manage access and limit ports and web sites that devices can access.

Further you will need to be ruthless with your ports (services) in your firewall rules to control and stop unwanted access to various proxies and tunnels.

Ian

Through trial and error, and much manipulation of excel spreadsheets, I have managed to shortcut some aspects of the migration process. DHCP reservations, Networks, Hosts, services and the like can be imported if you can create the appropriate XML. I just configured one of each type of object on the XG, and exported the config. That gave me a template for each object type to work from. I wrote short VBScripts that just populate the xml with the data I read from the UTM's config (copied from the 'printable config', pasted into excel, and manipulated to look like I needed it to. Create a tar file with the appropriate content (must have the./ folder in the archive!).

Having to manually add the rules has helped me reduce them significantly, I think I now only have 30, down from about 60, so a worthwhile exercise in itself. Hosts, networks and services have been reduced too (things like stopping the 8-year-old from playing Roblox are no longer required). If I did it again, I'd prune the objects *before* i added them to the XG config, but aside from that, I'd do the same again. Including writing the scripts and working out how it works, I've probably spent 10 hours - I could probably have done it more quickly by redoing everything by hand, but it was much more interesting my way.

I can see how difficult a migration tool would be for the rules, but the other objects are fairly straightforward. now just have to see if my config from my XG VM  will restore to my physical device and work.

I have given up, and I'm sticking with UTM for now.

My original plan was to make an appropriate virtual config, export it, and restore it to the hardware. I can't work out why it didn't work but the more I worked through it, the more I feel it should. I restored the full config, and that took about 90 minutes to process. interestingly, I was expecting a full 'replace the config' but that's not what I got. The default DHCP server, which I had deleted from the virtual, was still present. The firewall rule groups didn't make it (and it deleted the originals), nor did the rules themselves, and I could not add new rules. the DHCP server refused to stay running, because it couldn't map ranges to networks. Manual interface configuration didn't work either, as I couldn't add rules to allow the traffic to pass. Based on that, I went for factory defaults and started over.

This time, I exported parts of the config at a time, and imported them on the physical server.  IPHosts and groups first, services and service groups next, followed by DHCP, then the rules and rule groups. Once I put the right cables in the right ports, everything worked. When I was doing the exports, I did NOT use 'include dependencies' - if you do that with the firewall rules, it's the same size as a full config almost! 

I discovered that I had not configured my static DHCP assignments for one of my subnets. No real problem, I had a list and, after about 15 minutes of cut and paste, that worked too. Only then did I realise that there was no method with XG to convert static or dynamic DHCP addresses into DNS records. I regularly change hosts, and in UTM, it's all done at the host definition. On XG, it is a host, a DNS entry and a static assignment, all done in different places with a *very* much slower user interface. That overhead is too much. I have resolved to reduce my host count, as that was the driver for the change.

I looked through the Sophos Ideas page for XG, and the top 10, if implemented, would fix all of the challenges I have. Guess I should revisit when it is a little more mature, and hope in the meantime I can fix the user portal / IOS 14 issue on UTM. I've tried the widely accepted fix, and it still doesn't work.