Sonicwall TZ170 moving to NSA3500

Short:
We have a customer using a TZ170 (Enhanced) that is moving to an NSA3500. What is the best methodology for transitioning (other than re-entering everything by hand)?

Detail:

The TZ170 has started to give the customer problems. It worked great when he was a much smaller operation and quite honestly he outgrew it a long time ago. They have finally hit the pain point that they have to replace it.

They have a large set of rules, objects, content filtering, etc. that need to all be entered into the new firewall.

Has anyone done a transition from a TZ (Enhanced - 3.2.x) to the newer NSA3500 (running 5.2.x)?

Thanks.
dougclingman Asked:

shadowlesss Commented:
I have moved a TZ170 and TZ180 to NSA 3500. If you are moving from Enhanced OS to Enhanced OS on the NSA3500 you will have no problems. I will note that my TZs had the 4.0 EnhancedOS, not 3.0 EnhancedOS.
0

Ugo Mena Commented:
As shadowlesss stated, moving to the same OS is pretty painless. From within the TZ's GUI, you will need to create a backup of the TZ170's current setup, then download it to your desktop. From within the NSA's GUI, you then upload the TZ's backup file into the NSA, then boot the NSA from the uploaded version. Voilà, you are up and running. As long as you are migrating the same or up in firmware versions you should be ok... which means you might have to update the TZ170 to a version that the NSA can use...?
If you are migrating between Standard and Enhanced OS versions, unfortunately you will have to re-enter all settings manually; there is no quick way to set up via this path... not to mention you will probably need to get familiar with the Enhanced OS's GUI, which is somewhat different from the Standard OS GUI.
0
dougclingman Author Commented:
I will try it later today.  Being such different hardware I didn't think the transition would be as simple as backing it up and restoring it.  Some days the obvious just may smack you in the back of the head!

thanks
0
shadowlesss Commented:
How did the importing of the settings to your NSA3500 turn out?
0
ccomley Commented:
Worst case, you will have to re-enter everything - but to aid you in this, obtain the Tech Services Report from the TZ and print it. It contains EVERY setting you have made (and every default setting you haven't changed) on the TZ, including things like VPN shared keys. It can't be uploaded to a box, but it does give you a definitive resource for re-creating the config.

Bear in mind the 3500 is a more flexible box, more interfaces, possibility for more zones, etc., so you might not want to just clone up the TZ config.

I should certainly be interested to hear if you were able to import a config file...

0
dougclingman Author Commented:
Shadowlesss:

Started to prep to do the cloning remotely... then it dawned on me that after I rebooted the box it would have the same IP address as the functioning firewall. Since this client is 45 minutes away from my office and the only pseudo-IT person that they have (the owner of the company) is out of state right now. Leaving my house in a few to be on site to do the work.

ccomley:

I printed out the report. It was only 134 pages.

I'm willing to try the cloning and then do a little cleanup. It has to be better than putting everything back in by hand. If it doesn't work, well, I'm back to doing it all by hand anyway.
0
ccomley Commented:
> only 134 pages

I didn't say it was short, I said it was *complete* :-)

But that's just about an entire page per item, where most of those items are either the default setting or only two or three mouse clicks.

I agree - if the cloning works, good! But at least if you have to go the hard way, the TSR means you won't miss anything out. :-)

0
dougclingman Author Commented:
I just did the import.  Looking through all the settings now.  

So far everything looks good.  I had to change the 'unique identifier' under the VPN tab.
0
ccomley Commented:
That's good to hear, I wouldn't have assumed it was possible. Deffo useful news. :-)

> VPN

Ah yes, that defaults to the MAC address (which is also the serial number) of the hardware. I guess that unless you put in a manual setting, it records "as default" not the actual data, so the new box sees "as default" and uses its OWN serial number.
0
Ugo Mena Commented:
Make sure to synchronize/transfer any of your licenses within mysonicwall.
0
dougclingman Author Commented:
just hit a big stumbling block ... of the WAN>LAN rules only 6 of the 21 rules transferred

also my laptop is (well 'was') the only item on X0 and I was unable to hit the internet.  Moved my laptop back to the production firewall and I'm able to access the external interface of the new FW.

Didn't think it would be perfect....
0
dougclingman Author Commented:
ultralites:

Later today I'm upgrading a 1260 from standard to enhanced.  One of the engineers sent me this link: https://convert.global.sonicwall.com/  He openly stated that it wasn't perfect.

I'm going to try it this afternoon.  The config on the 1260 is very straight forward and it will probably be easier to just recreate the few rules and the one VPN they have.

Doug
0
Ugo Mena Commented:
Yeah, it can get kinda ugly making the move between OSes, but if your config is pretty straightforward and doesn't have too many shared secret VPNs, it shouldn't take too long. I recommend taking screenshots of your current config while logged into the web GUI. Given the std and enhanced GUIs are not the same, but having the old configs right in front of you can help to keep you focused on what needs to be set up (and not thinking about what could also be set up)... Good luck. Glad to hear the TZ to NSA went smoothly for you.
0
Ugo Mena Commented:
Just checked the link you attached... wow! I have never seen a Settings Converter before. All the same, if your config is not too complicated, I would still start from scratch. A straight tab-by-tab config sounds like less time than trying to figure out what the converter did...
0
dougclingman Author Commented:
ultralites:

...fairly smoothly.  Still have to manually rebuild some rules and the new firewall is not passing traffic outbound yet.

I'll let you guys know how it goes.

...need to go find a second monitor so I can look at both firewalls at the same time in a full-screen.
0
shadowlesss Commented:
Your settings export/import probably would have been a little smoother if you had upgraded your current TZ firmware to the latest version 4.X before exporting/importing into your NSA.  But I also understand the headaches and issues that could arise with your production firewall.  

Keep us informed!
0
dougclingman Author Commented:
Guys,

The cutover to the new firewall has been delayed... due to issues outside of the firewall itself. I didn't want to keep the question open too much longer.

Anyway... it looks like most of the config came over and I will need to rebuild the rest of the stuff by hand.
0