dougclingman

Sonicwall TZ170 moving to NSA3500

Short:
We have a customer using a TZ170 (Enhanced) that is moving to an NSA3500.  What is the best methodology for transitioning (other than re-entering everything by hand)?

Detail:

The TZ170 has started to give the customer problems.  It worked great when he was a much smaller operation and quite honestly he outgrew it a long time ago.  They have finally hit the pain point that they have to replace it.

They have a large set of rules, objects, content filtering, etc. that need to all be entered into the new firewall.

Has anyone done a transition from a TZ (enhanced - 3.2.x) to the newer NSA3500 (running 5.2.x)?

Thanks.
ASKER CERTIFIED SOLUTION
shadowlesss
dougclingman

ASKER

I will try it later today.  Being such different hardware I didn't think the transition would be as simple as backing it up and restoring it.  Some days the obvious just may smack you in the back of the head!

thanks
How did the importing of the settings to your NSA3500 turn out?

Worst case, you will have to re-enter everything - but to aid you in this, obtain the Tech Services Report from the TZ and print it. It contains EVERY setting you have made (and every default setting you haven't changed) on the TZ, including things like VPN shared keys. It can't be uploaded to a box, but it does give you a definitive resource for re-creating the config.

Bear in mind the 3500 is a more flexible box, more interfaces, possibility for more zones, etc., so you might not want to just clone up the TZ config.

I should certainly be interested to hear if you were able to import a config file...

Shadowlesss:

Started to prep to do the cloning remotely....then it dawned on me that after I rebooted the box it would have the same IP address as the functioning firewall.  Since this client is 45 minutes away from my office and the only pseudo-IT person that they have (the owner of the company) is out of state right now.  Leaving my house in a few to be on site to do the work.

ccomley:

I printed out the report. It was only 134 pages.

I'm willing to try the cloning and then do a little cleanup.  It has to be better than putting everything back in by hand.   If it doesn't work, well I'm back to doing it all by hand anyway.
> only 134 pages

I didn't say it was short, I said it was *complete* :-)

But that's just about an entire page per item, where most of those items are either the default setting or only two or three mouse clicks.

I agree - if the cloning works, good! But at least if you have to go the hard way, the TSR means you won't miss anything out. :-)

I just did the import.  Looking through all the settings now.  

So far everything looks good.  I had to change the 'unique identifier' under the VPN tab.
That's good to hear, I wouldn't have assumed it was possible. Deffo useful news. :-)

> VPN

Ah yes, that defaults to the MAC address (which is also the serial number) of the hardware. I guess that unless you put in a manual setting, it records "as default" not the actual data, so the new box sees "as default" and uses its OWN serial number.

make sure to synchronize/transfer any of your licenses within mysonicwall

just hit a big stumbling block ... of the WAN>LAN rules only 6 of the 21 rules transferred

also my laptop is (well 'was') the only item on X0 and I was unable to hit the internet.  Moved my laptop back to the production firewall and I'm able to access the external interface of the new FW.

Didn't think it would be perfect....
ultralites:

Later today I'm upgrading a 1260 from standard to enhanced.  One of the engineers sent me this link: https://convert.global.sonicwall.com/  He openly stated that it wasn't perfect.

I'm going to try it this afternoon.  The config on the 1260 is very straightforward and it will probably be easier to just recreate the few rules and the one VPN they have.

Doug
yeah, it can get kinda ugly making the move between OS's, but if your config is pretty straightforward and doesn't have too many shared secret VPNs, it shouldn't take too long. I recommend taking screenshots of your current config while logged into the web GUI. Given the std and enhanced GUIs are not the same, but having the old configs right in front of you can help to keep you focused on what needs to be set up (and not thinking about what could also be set up).... Good luck. Glad to hear the TZ to NSA went smoothly for you.

just checked the link you attached... wow! I have never seen a Settings Converter before. All the same, if your config is not too complicated, I would still start from scratch.  A straight tab by tab config sounds like less time than trying to figure out what the converter did...

ultralites:

...fairly smoothly.  Still have to manually rebuild some rules and the new firewall is not passing traffic outbound yet.

I'll let you guys know how it goes.

...need to go find a second monitor so I can look at both firewalls at the same time in a full-screen.
Your settings export/import probably would have been a little smoother if you had upgraded your current TZ firmware to the latest version 4.X before exporting/importing into your NSA.  But I also understand the headaches and issues that could arise with your production firewall.  

Keep us informed!
Guys,

The cutover to the new firewall has been delayed...due to issues outside of the firewall itself.  I didn't want to keep the question open too much longer.

Anyway..it looks like most of the config came over and I will need to rebuild the rest of the stuff by hand.