Solved

Sonicwall TZ170 moving to NSA3500

Posted on 2009-06-30
Last Modified: 2012-05-07
Short:
We have a customer using a TZ170 (Enhanced) that is moving to an NSA3500.  What is the best methodology for transitioning (other than re-entering everything by hand)?

Detail:

The TZ170 has started to give the customer problems.  It worked great when he was a much smaller operation and quite honestly he outgrew it a long time ago.  They have finally hit the pain point that they have to replace it.

They have a large set of rules, objects, content filtering, etc. that need to all be entered into the new firewall.

Has anyone done a transition from a TZ (enhanced - 3.2.x) to the newer NSA3500 (running 5.2.x)?

Thanks.
0
Question by:dougclingman
17 Comments
 
LVL 13

Accepted Solution

by:
shadowlesss earned 125 total points
ID: 24749214
I have moved a TZ170 and TZ180 to NSA 3500. If you are moving from Enhanced OS to Enhanced OS on the NSA3500 you will have no problems. I will note that my TZs had the 4.0 EnhancedOS, not 3.0 EnhancedOS.
0
 
LVL 13

Assisted Solution

by:Ugo Mena
Ugo Mena earned 125 total points
ID: 24749636
As shadowlesss stated, moving to the same OS is pretty painless. From within the TZ's GUI, you will need to create a backup of the TZ170's current setup, then download it to your desktop. From within the NSA's GUI, you then upload the TZ's backup file into the NSA, then boot the NSA from the uploaded version. Voilà, you are up and running. As long as you are migrating the same or up in firmware versions you should be ok....which means you might have to update the TZ170 to a version that the NSA can use...?
If you are migrating between Standard and Enhanced OS versions, unfortunately you will have to re-enter all settings manually; there is no quick way to set up via this path....not to mention you will probably need to get familiar with the Enhanced OS's GUI, which is somewhat different from the Standard OS GUI.
0
 

Author Comment

by:dougclingman
ID: 24753221
I will try it later today.  Being such different hardware I didn't think the transition would be as simple as backing it up and restoring it.  Some days the obvious just may smack you in the back of the head!

thanks
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24759464
How did the importing of the settings to your NSA3500 turn out?
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24762025
Worst case, you will have to re-enter everything - but to aid you in this obtain the Tech Services Report from the TZ and print it. It contains EVERY setting you have made (and every default setting you haven't changed) on the TZ, including things like VPN shared keys. It can't be uploaded to a box, but it does give you a definitive resource for re-creating the config.

Bear in mind the 3500 is a more flexible box, more interfaces, possibility for more zones, etc., so you might not want to just clone up the TZ config.

I should certainly be interested to hear if you were able to import a config file...

0
 

Author Comment

by:dougclingman
ID: 24762273
Shadowlesss:

Started to prep to do the cloning remotely....then it dawned on me that after I rebooted the box it would have the same IP address as the functioning firewall.  Since this client is 45 minutes away from my office and the only pseudo-IT person that they have (the owner of the company) is out of state right now.  Leaving my house in a few to be on site to do the work.

ccomley:

I printed out the report. It was only 134 pages.

I'm willing to try the cloning and then do a little cleanup.  It has to be better than putting everything back in by hand.   If it doesn't work, well I'm back to doing it all by hand anyway.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24763454
> only 134 pages

I didn't say it was short, I said it was *complete* :-)

But that's just about an entire page per item, where most of those items are either the default setting or only two or three mouse clicks.

I agree - if the cloning works, good! But at least if you have to go the hard way, the TSR means you won't miss anything out. :-)

0
 

Author Comment

by:dougclingman
ID: 24763576
I just did the import.  Looking through all the settings now.  

So far everything looks good.  I had to change the 'unique identifier' under the VPN tab.
0
 
LVL 16

Expert Comment

by:ccomley
ID: 24763605
That's good to hear, I wouldn't have assumed it was possible. Deffo useful news. :-)

> VPN

Ah yes, that defaults to the MAC address (which is also the serial number) of the hardware. I guess that unless you put in a manual setting, it records "as default" not the actual data, so the new box sees "as default" and uses its OWN serial number.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763613
Make sure to synchronize/transfer any of your licenses within mysonicwall.
0
 

Author Comment

by:dougclingman
ID: 24763723
just hit a big stumbling block ... of the WAN>LAN rules only 6 of the 21 rules transferred

also my laptop is (well 'was') the only item on X0 and I was unable to hit the internet.  Moved my laptop back to the production firewall and I'm able to access the external interface of the new FW.

Didn't think it would be perfect....
0
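A way to check which rules survived an import like the one described above, as an added example that is not part of the original thread. It assumes the access rules of both firewalls have been transcribed by hand (for instance from the TSR) into CSV with the hypothetical column names below; this is not a SonicWall export format, and the sample rules are constructed.

```python
import csv
import io

# Hypothetical column names for a hand-transcribed rule list (not a vendor format).
FIELDS = ("from_zone", "to_zone", "source", "destination", "service", "action")

def load_rules(csv_text):
    """Parse rules into lower-cased tuples so case and spacing differences are ignored."""
    reader = csv.DictReader(io.StringIO(csv_text.strip()))
    return [tuple(row[f].strip().lower() for f in FIELDS) for row in reader]

def audit_migration(old_rules, new_rules, zone_pair=None):
    """Report rules missing on the new box, rules only on the new box, and changed actions."""
    if zone_pair:
        old_rules = [r for r in old_rules if r[:2] == zone_pair]
        new_rules = [r for r in new_rules if r[:2] == zone_pair]
    old = {r[:5]: r[5] for r in old_rules}   # match criteria -> action
    new = {r[:5]: r[5] for r in new_rules}
    return {
        "missing": sorted(k for k in old if k not in new),
        "extra": sorted(k for k in new if k not in old),
        "changed": sorted((k, old[k], new[k]) for k in old if k in new and old[k] != new[k]),
    }

# Constructed sample data: rules on the old firewall and on the new one after import.
OLD_CSV = """
from_zone,to_zone,source,destination,service,action
WAN,LAN,Any,Mail Server,SMTP,allow
WAN,LAN,Any,Web Server,HTTPS,allow
WAN,LAN,Vendor Net,Terminal Server,RDP,allow
WAN,LAN,Any,Any,Any,deny
LAN,WAN,Any,Any,Any,allow
"""
NEW_CSV = """
from_zone,to_zone,source,destination,service,action
WAN,LAN,any,Mail Server,SMTP,allow
WAN,LAN,Any,Web Server,HTTPS,deny
WAN,LAN,Any,WAN Interface IP,Ping,allow
WAN,LAN,Any,Any,Any,deny
LAN,WAN,Any,Any,Any,allow
"""

if __name__ == "__main__":
    report = audit_migration(load_rules(OLD_CSV), load_rules(NEW_CSV), ("wan", "lan"))
    for kind, items in report.items():
        print(kind, len(items))
        for item in items:
            print("   ", item)
```

Rules listed under "extra" deserve the same review as the missing ones, since they were never part of the old policy.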
 

Author Comment

by:dougclingman
ID: 24763753
ultralites:

Later today I'm upgrading a 1260 from standard to enhanced.  One of the engineers sent me this link: https://convert.global.sonicwall.com/  He openly stated that it wasn't perfect.

I'm going to try it this afternoon.  The config on the 1260 is very straightforward and it will probably be easier to just recreate the few rules and the one VPN they have.

Doug
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763867
Yeah, it can get kinda ugly making the move between OS's, but if your config is pretty straightforward and doesn't have too many shared secret VPNs, it shouldn't take too long. I recommend taking screenshots of your current config while logged into the web GUI. Given the std and enhanced GUIs are not the same, but having the old configs right in front of you can help to keep you focused on what needs to be set up (and not thinking about what could also be set up).... Good luck. Glad to hear the TZ to NSA went smoothly for you.
0
 
LVL 13

Expert Comment

by:Ugo Mena
ID: 24763907
Just checked the link you attached... wow! I have never seen a Settings Converter before. All the same, if your config is not too complicated, I would still start from scratch.  A straight tab by tab config sounds like less time than trying to figure out what the converter did...
0
 

Author Comment

by:dougclingman
ID: 24763920
ultralites:

...fairly smoothly.  Still have to manually rebuild some rules and the new firewall is not passing traffic outbound yet.

I'll let you guys know how it goes.

...need to go find a second monitor so I can look at both firewalls at the same time in a full-screen.
0
 
LVL 13

Expert Comment

by:shadowlesss
ID: 24765012
Your settings export/import probably would have been a little smoother if you had upgraded your current TZ firmware to the latest version 4.X before exporting/importing into your NSA.  But I also understand the headaches and issues that could arise with your production firewall.  

Keep us informed!
0
 

Author Comment

by:dougclingman
ID: 24803170
Guys,

The cutover to the new firewall has been delayed...due to issues outside of the firewall itself.  I didn't want to keep the question open too much longer.

Anyway, it looks like most of the config came over and I will need to rebuild the rest of the stuff by hand.
0
