Solved

Migrating Settings to Sonicwall NSA 3500 using CLI

Posted on 2011-02-21
Last Modified: 2012-05-11
I have an assignment to migrate settings from an old Juniper SSG140 firewall to a brand new Sonicwall NSA 3500. I was given the configuration file in the form of a .TXT file. It has almost 1000 lines of code (commands). I don't want to have to sit for hours typing these commands into the Sonicwall (assuming the syntax and language are the same -- are they?). I know I can copy and paste from the TXT file to a hyperterminal window, but will this work and how many lines will I be able to copy and paste at a time? Is there a better way to handle this, like some conversion utility?
Question by:PCGenieLA
 
LVL 33

Expert Comment

by:digitap
ID: 34943335
the sonicwall is configurable via the command line, but not in the sense you're looking for.  the primary interface is the web console.

here is a sonicwall KB on the cli:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6180

0
 

Author Comment

by:PCGenieLA
ID: 34943593
So this means I have to interpret the TXT file commands and then use the web console to enter the Sonicwall equivalents?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34943709
yes.  i can help with that if you like.
0

 

Author Comment

by:PCGenieLA
ID: 34943754
That would be a big help. I have the TXT file, if you want to see it.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34943864
you may want to sanitize it for security before you post it here.  i have alternate methods in my profile...if you wish.
0
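An added example, not part of the original thread: one way to sanitize a ScreenOS-style text config before sharing it, redacting credential tokens and remapping every non-private IPv4 address consistently to a documentation address so the NAT and policy relationships stay readable. The keyword list, the `sanitize` function and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re

# Keywords whose next token is a credential (assumed list for ScreenOS-style configs).
SECRET_RE = re.compile(r'\b(password|preshare|secret|community)\s+("[^"]*"|\S+)', re.I)
IPV4_RE = re.compile(r'\b(?:\d{1,3}\.){3}\d{1,3}\b')
# Internal ranges are left alone so the reviewer can still follow the LAN layout.
KEEP = [ipaddress.ip_network(n) for n in
        ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

# Constructed sample input, not taken from the poster's file.
SAMPLE = '''set admin name "fwadmin"
set admin password "nExampleHashValue0000"
set interface "ethernet0/2" ip 198.51.100.2/29
set interface "ethernet0/2" mip 198.51.100.3 host 192.168.1.10 netmask 255.255.255.255
set ike gateway "branch" address 198.51.100.77 preshare "ExampleKeyBlob==" proposal "pre-g2-3des-sha"
set policy id 7 from "Untrust" to "Trust" "Any" "MIP(198.51.100.3)" "RDP" permit'''


def sanitize(text):
    """Return (sanitized_text, mapping of real address -> placeholder)."""
    mapping = {}

    def swap_ip(match):
        raw = match.group(0)
        try:
            ip = ipaddress.ip_address(raw)
        except ValueError:
            return raw  # not a valid address, leave untouched
        first_octet = int(raw.split(".")[0])
        if first_octet in (0, 255) or any(ip in net for net in KEEP):
            return raw  # netmask, wildcard or internal address
        if raw not in mapping:
            # Same real address always gets the same placeholder (room for 254).
            mapping[raw] = f"203.0.113.{len(mapping) + 1}"
        return mapping[raw]

    out = []
    for line in text.splitlines():
        # Redact secrets first so a hash is never parsed as an address.
        line = SECRET_RE.sub(lambda m: f'{m.group(1)} "<REDACTED>"', line)
        out.append(IPV4_RE.sub(swap_ip, line))
    return "\n".join(out), mapping


if __name__ == "__main__":
    print(sanitize(SAMPLE)[0])
```

Keep the returned mapping private; it is what lets you translate advice about the placeholder addresses back to the real ones.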
 

Author Comment

by:PCGenieLA
ID: 34943985
It's a small file. I can send it to you directly. LMK where.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944013
check my EE profile...the particulars are there.
0
 

Author Comment

by:PCGenieLA
ID: 34944083
I just sent it to you.
0
 

Author Comment

by:PCGenieLA
ID: 34944532
I have just posted a sanitized version of the configuration file from the Juniper SSG140
bm01-fw01-sanitized.txt
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944735
cool...give me some time to decipher and we'll get started...unless someone else jumps in, of course!
0
 

Author Comment

by:PCGenieLA
ID: 34944874
Ready when you are, CB.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944901
ok...i see 688.225.17.226 and 2066.40.220.135.  which is your primary WAN IP and what's the other one do?

i also see that you are NAT'ing in RDP to several user workstations and servers.  i'd recommend getting those users on a VPN, then you don't have to mess with setting up the NAT/firewall rules.  I'd enable the ssl-vpn interface on the sonicwall.  it uses a clientless client, Netextender.  here's a KB on how to set that up.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6461

i see you are auth via RADIUS, is that correct?  the sonicwall can use LDAP, but let's establish what you're doing with RADIUS first.

i also see that you have an exchange server.  what i'd recommend here is to setup a service group for all the ports (sonicwall calls ports services) used by the Exchange server.  then, run the public server wizard selecting the service group instead of an individual service object.  the public server wizard will create the WAN > LAN firewall rules and three NAT policies; ingress, egress and loopback.  here's a KB on the public server wizard.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

i think that's enough for now.
0
 

Author Comment

by:PCGenieLA
ID: 34945138
This is all great stuff, but I have a problem with this approach. I have to travel to the site to do this job. So, if possible, I'd like to do as much of the configuration as possible before. If there is a way to write all this today and then upload a file to the Sonicwall, that would save trips and time. Also, changing the configuration (ie Radius vs LDAP) is something to consider later, after I get this thing up and running. I want to interfere with operations as little as possible.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34945331
i understand.  so, do you have the sonicwall with you?  i still need the details fleshed out in my query above (ID: 34944901).

the only way to "upload" configuration settings within a sonicwall is to setup the sonicwall and export the settings as a backup.  sonicwall does not provide a method for setting up the hardware offline and uploading those settings at a later time.
0
 

Author Comment

by:PCGenieLA
ID: 34945535
I don't have the Sonicwall with me, but since the Sonicwall is brand new out of the box, is there a way to backup/export its settings ( factory default setting) and rewrite the file (EXP format, right?) and then import it?
0
 
LVL 33

Accepted Solution

by:digitap (earned 500 total points)
ID: 34945812
you can export the settings as an export file (EXP) or as a backup as part of the existing firmware.  however, there isn't a way currently provided by sonicwall to edit the settings of either file and reimport it back to the sonicwall.
0
 

Author Comment

by:PCGenieLA
ID: 34946029
OK, I'll just bite the bullet, use the web interface and hopefully understand all the elements of each section (ie. services, groups, interfaces, etc.)  But I'm not going to put the sonicwall online until I've done all the configuring and remote administration is good to go. Hopefully, I don't have to have it plugged all in to do so. I'll also look at the white papers you mentioned above.
Finally, do you see any show stoppers in the present setup? I should know about those now.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34946117
you can setup the sonicwall without replacing the existing unit.  however and obviously, you'll not know for sure until you replace it.

not really.  i'll dig up some more KBs on things that i think you'll need as i look through your TXT file.  keep the question open so you can ask questions during the setup.

there isn't any reason why this should be a PIA to setup.  i think you'll find it pretty easy....minus the offline config of the files, of course...>GRIN<!
0
 

Author Comment

by:PCGenieLA
ID: 34953328
Well, I'm on the way to set this thing up this morning. A question has occurred to me. In the TXT file numerous passwords (including the admin logon) are defined by long alphanumeric strings, which I can assume are encryptions of normal passwords. In setting up the NSA, do I copy and paste those passwords from the TXT file to the NSA or is there another way to handle migrating passwords?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34953441
you won't be able to migrate the passwords.  you'll want to just create new ones.  i assume the users in the TXT were in the juniper's local database.  you can setup users in the sonicwall's local database or use RADIUS.  my guess is VPN auth was once handled by the juniper and moved to RADIUS auth...just a guess though.
0
