Solved

Sonicwall TZ170 moving to NSA3500

Posted on 2009-06-30
Last Modified: 2012-05-07
Short:
We have a customer using a TZ170 (Enhanced) that is moving to an NSA3500.  What is the best methodology for transitioning (other than re-entering everything by hand)?

Detail:

The TZ170 has started to give the customer problems.  It worked great when he was a much smaller operation and quite honestly he outgrew it a long time ago.  They have finally hit the pain point that they have to replace it.

They have a large set of rules, objects, content filtering, etc. that need to all be entered into the new firewall.

Has anyone done a transition from a TZ (enhanced - 3.2.x) to the newer NSA3500 (running 5.2.x)?

Thanks.
Question by:dougclingman
17 Comments
 
LVL 13

Accepted Solution

by:
shadowlesss earned 125 total points
ID: 24749214
I have moved a TZ170 and TZ180 to NSA 3500. If you are moving from Enhanced OS to Enhanced OS on the NSA3500 you will have no problems. I will note that my TZs had the 4.0 EnhancedOS, not 3.0 EnhancedOS.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 125 total points
ID: 24749636
As shadowlesss stated, moving to the same OS is pretty painless. From within the TZ's GUI, you will need to create a backup of the TZ170's current setup, then download it to your desktop. From within the NSA's GUI, you then upload the TZ's backup file into the NSA, then boot the NSA from the uploaded version. Voilà, you are up and running. As long as you are migrating to the same or a higher firmware version you should be OK... which means you might have to update the TZ170 to a version that the NSA can use...?
If you are migrating between Standard and Enhanced OS versions, unfortunately you will have to re-enter all settings manually; there is no quick way to set up via this path... not to mention you will probably need to get familiar with the Enhanced OS's GUI, which is somewhat different from the Standard OS GUI.
0
 

Author Comment

by:dougclingman
ID: 24753221
I will try it later today.  Being such different hardware I didn't think the transition would be as simple as backing it up and restoring it.  Some days the obvious just may smack you in the back of the head!

thanks
0

 
LVL 13

Expert Comment

by:shadowlesss
ID: 24759464
How did the importing of the settings to your NSA3500 turn out?
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24762025
Worst case, you will have to re-enter everything - but to aid you in this, obtain the Tech Services Report from the TZ and print it. It contains EVERY setting you have made (and every default setting you haven't changed) on the TZ, including things like VPN shared keys. It can't be uploaded to a box, but it does give you a definitive resource for re-creating the config.

Bear in mind the 3500 is a more flexible box, more interfaces, possibility for more zones, etc., so you might not want to just clone up the TZ config.

I should certainly be interested to hear if you were able to import a config file...

0
 

Author Comment

by:dougclingman
ID: 24762273
Shadowlesss:

Started to prep to do the cloning remotely... then it dawned on me that after I rebooted the box it would have the same IP address as the functioning firewall.  Since this client is 45 minutes away from my office and the only pseudo-IT person that they have (the owner of the company) is out of state right now, I'm leaving my house in a few to be on site to do the work.

ccomley:

I printed out the report. It was only 134 pages.

I'm willing to try the cloning and then do a little cleanup.  It has to be better than putting everything back in by hand.   If it doesn't work, well, I'm back to doing it all by hand anyway.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24763454
> only 134 pages

I didn't say it was short, I said it was *complete* :-)

But that's just about an entire page per item, where most of those items are either the default setting or only two or three mouse clicks.

I agree - if the cloning works, good! But at least if you have to go the hard way, the TSR means you won't miss anything out. :-)

0
 

Author Comment

by:dougclingman
ID: 24763576
I just did the import.  Looking through all the settings now.  

So far everything looks good.  I had to change the 'unique identifier' under the VPN tab.
0
 
LVL 17

Expert Comment

by:ccomley
ID: 24763605
That's good to hear, I wouldn't have assumed it was possible. Deffo useful news. :-)

> VPN

Ah yes, that defaults to the MAC address (which is also the serial number) of the hardware. I guess that unless you put in a manual setting, it records "as default" not the actual data, so the new box sees "as default" and uses its OWN serial number.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763613
Make sure to synchronize/transfer any of your licenses within mysonicwall.
0
 

Author Comment

by:dougclingman
ID: 24763723
Just hit a big stumbling block... of the WAN>LAN rules, only 6 of the 21 rules transferred.

Also, my laptop is (well, 'was') the only item on X0 and I was unable to hit the internet.  Moved my laptop back to the production firewall and I'm able to access the external interface of the new FW.

Didn't think it would be perfect....
0
 

Author Comment

by:dougclingman
ID: 24763753
ultralites:

Later today I'm upgrading a 1260 from standard to enhanced.  One of the engineers sent me this link: https://convert.global.sonicwall.com/  He openly stated that it wasn't perfect.

I'm going to try it this afternoon.  The config on the 1260 is very straightforward and it will probably be easier to just recreate the few rules and the one VPN they have.

Doug
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763867
Yeah, it can get kinda ugly making the move between OSes, but if your config is pretty straightforward and doesn't have too many shared secret VPNs, it shouldn't take too long. I recommend taking screenshots of your current config while logged into the web GUI. Given the std and enhanced GUIs are not the same, but having the old configs right in front of you can help to keep you focused on what needs to be set up (and not thinking about what could also be set up)... Good luck. Glad to hear the TZ to NSA went smoothly for you.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763907
Just checked the link you attached... wow! I have never seen a Settings Converter before. All the same, if your config is not too complicated, I would still start from scratch.  A straight tab by tab config sounds like less time than trying to figure out what the converter did...
0
 

Author Comment

by:dougclingman
ID: 24763920
ultralites:

...fairly smoothly.  Still have to manually rebuild some rules and the new firewall is not passing traffic outbound yet.

I'll let you guys know how it goes.

...need to go find a second monitor so I can look at both firewalls at the same time in a full-screen.
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24765012
Your settings export/import probably would have been a little smoother if you had upgraded your current TZ firmware to the latest version 4.X before exporting/importing into your NSA.  But I also understand the headaches and issues that could arise with your production firewall.  

Keep us informed!
0
 

Author Comment

by:dougclingman
ID: 24803170
Guys,

The cutover to the new firewall has been delayed... due to issues outside of the firewall itself.  I didn't want to keep the question open too much longer.

Anyway... it looks like most of the config came over and I will need to rebuild the rest of the stuff by hand.
0
