Thread Info
  • Replies 13 replies
  • Subscribers 32 subscribers
  • Views 15144 views
  • Users 0 members are here
Options
Suggested

Sophos Firewall: Interface / VLAN Migration via XML Import/Export

LuCar Toni

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Overview

This Recommended read describes migrating vLAN to another Interface using the Import/Export Feature of Sophos Firewall.

Moving vLAN configuration or Interface configuration in GUI  isn’t possible. Using the Import/Export feature in Sophos Firewall can perform the task.

Another workaround is to add many VLANs as another approach. You may refer to the following. 

Sophos Firewall: Creating XML Objects with Notepad++ for mass import 

Import/Export Configurations Step

Step 1. VLAN Interfaces 

To verify the Interfaces, Go to CONFIGURE>Network>Interfaces

Step 2. Export/Import Interfaces

Go to SYSTEM>Backup & Firmware>Import export

In the Export > Select Export Selective Configuration, choose Interface, then click Export.

Click Download

Step 3. Interface Configuration

Upon Exporting, this will download a TAR file. "Using 7Zip, unzip the .tar file.

Step 4. Editing Entities File

Using Notepad++, edit the Entities file.

To fasten the import process, remove every other configuration and only leave Port 3 and VLAN configurations.

Removing isn’t necessary. However, this will speed up the process.

Upon removing, the Tar file will only have the following

Step 5. Find & Replace

Using Notepad++, using the shortcut key, click Ctrl+H 

Or Click Search>Replace

This process in Notepad++ will replace the configuration

Step 6. Replacing the Tar File.

Opening the .tar File with 7zip 

Using Drag&Drop and copy&replace the new Entities.xml within the .tar

Note: Make sure, you saved the changes in Notepad++!
 

Step 7. Unbinding Old Port

in Sophos Firewall, unbind the old Port3 and remove the configuration

Step 8. Importing new.TAR File 

Upon replacing the new configuration in the .tar file and removing the configuration from the old port. We can now Import the new configuration.

Go back to SYSTEM>Backup & Firmware> Import export

Upload the edited/new .tar file by clicking "Choose File." 

Note: This can take some time, as Sophos Firewall will add all VLANs to the interface.
The upload speed will depend on your appliance and the number of VLANs.


Revamped RR Revised RR Upload new screenshots Added additional instructions Corrected Grammar Added Horizontal Lines
[edited by: Erick Jan at 12:40 PM (GMT -7) on 26 Sep 2023]

  • Thank you for this helfull guide!

    I am facing a migration from SG (UTM) to XGS (SFOS) with hundrets of VLANs an DHCP-Server.

    Its a firewall for internet access in a student hostel. So all the students have their own VLAN with an DHCP-Server.

    Sophos Migration Support converted the config of the SG and provided it to me as a .backup file that i successfully loaded in the XGS 2100.

    So far so good.

    I now have all the VLANs on the wrong interface.

    I tried to replace all "Port3" to "PortA1".

    The import lasts about 3 hours, but nothing changed.

    What did i wrong?

  • in reply to IT_Team

    Check the apiparser.log on the CLI. See: https://docs.sophos.com/nsg/sophos-firewall/latest/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Logs/LogFileDetails/index.html 
    Please create a own thread with the information to not flood this thread with investigations. 

    __________________________________________________________________________________________________________________

  • Hi, now in XG210 (SFOS 18.5.5 MR-5-Build509) if i download the Interface configuration file i have only the Physical Interfaces, the vlans are on a different file.

    Is this guide still valid? My aim is to move all vlans, that now spans across 3 physical ports, under one port only.

  • in reply to Execcr

    Yes you can do the same with different interfaces. But before uploading it to the firewall, you have to delete / remove the old VLANs. 

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    Thanks! But this way i will still loose anything that is referenced to the Vlan interface when i delete it, right? For Example, dhcp configuration for dhcp server or relay? I just tried and i see that.

    There is any log that shows what dependent item has been deleted? The aim is to check if i had lost something important (rule, dhcp configuration, etc) during this interface change Slight smile

    Edited: i had misundertstood that i have to DELETE the vlan from the configuration before importing the .tar file. So i've tried to import the tar file without deleting the vlan and i get in the apiparser.log file an error about GatewayName and GatewayAddress not found. Looking on google i found a post about that -> Sophos Firewall Change Port of VLANs via XML

    I'm not on 19.5.1 but on 18.5.5 MR-5 but i think i have the same problem. I've tried the workaround but it didn't work.

    This is the XML i'm trying to import. The VLAN 777 actually is binded to port 8. I want it on the LAG_CORE interface (is a LAG with 3 ports, 1 connected the others 2 not, we are waiting for DACs)

    <?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1805.2" IPS_CAT_VER="1">
  <VLAN transactionid="">
    <Zone>LAN</Zone>
    <Interface>LAG_CORE</Interface>
    <Hardware>LAG_CORE.777</Hardware>
    <Name>test vlan 7771</Name>
    <VLANID>777</VLANID>
    <IPv4Configuration>Enable</IPv4Configuration>
    <IPv6Configuration>Disable</IPv6Configuration>
    <IPv4Assignment>Static</IPv4Assignment>
    <IPv6Address/>
    <IPv6Prefix/>
    <IPv6GatewayName/>
    <IPv6GatewayAddress/>
    <LocalIP/>
    <Status>Unplugged</Status>
    <IPv6Assignment/>
    <DHCPRapidCommit/>
    <IPAddress>172.16.77.1</IPAddress>
    <Netmask>255.255.255.0</Netmask>
  </VLAN>
</Configuration>

  • in reply to Execcr

    You could export the dependencies as well and change the name of the interface like described here. 

    __________________________________________________________________________________________________________________

  • in reply to LuCar Toni

    Right! I didn't thought to do it to get a view on what i could loose deleting the vlan interface.

    Thank you for responding on saturday xD

    By the way, any hint on how or what to try to get the VLAN only XML import to work? I should open a ticket?

    Have a nice weekend

  • Almost similar situation. I want to transfer the VLAN from Port1 to PortF1 (due to connecting to glass fibre).

    Is it the right way to export the DHCP and Interface items (as otherwise the whole configuration from the VLAN Interface under DHCP will  be lost)

    Then delete the VLAN

    And upload the modified configuration. Or will this not work on a XGS126?

    Note: for some reason I can not enter images (file embedding not allowed)

  • After 12 days with the Sophos Support i could confirm that this is not working when you are trying to move a VLAN from a Physical Interface to a LAG on 18.5.5 MR-5, no matter what (change name, add the tags for GatewayName and GatewayAddress

Unfiltered HTML