Solved

Migrating Settings to Sonicwall NSA 3500 using CLI

Posted on 2011-02-21
20
2,340 Views
Last Modified: 2012-05-11
I have an assignment to migrate settings from an old Juniper SSG140 firewall to a brand new Sonicwall NSA 3500. I was given the configuration file in the form of a .TXT file. It has almost 1000 lines of code (commands). I don't want to have to sit for hours typing these commands into the Sonicwall (assuming the syntax and language are the same -- are they?). I know I can copy and paste from the TXT file to a hyperterminal window, but will this work and how many lines will I be able to copy and paste at a time? Is there a better way to handle this, like some conversion utility?
Question by:PCGenieLA
20 Comments
 
LVL 33

Expert Comment

by:digitap
ID: 34943335
the sonicwall is configurable via the command line, but not in the sense you're looking for.  the primary interface is the web console.

here is a sonicwall KB on the cli:

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6180

0
 

Author Comment

by:PCGenieLA
ID: 34943593
So this means I have to interpret the TXT file commands and then use the web console to enter the Sonicwall equivalents?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34943709
yes.  i can help with that if you like.
0
 

Author Comment

by:PCGenieLA
ID: 34943754
That would be a big help. I have the TXT file, if you want to see it.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34943864
you may want to sanitize it for security before you post it here.  i have alternate methods in my profile...if you wish.
0
 

Author Comment

by:PCGenieLA
ID: 34943985
It's a small file. I can send it to you directly. LMK where.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944013
check my EE profile...the particulars are there.
0
 

Author Comment

by:PCGenieLA
ID: 34944083
I just sent it to you.
0
 

Author Comment

by:PCGenieLA
ID: 34944532
I have just posted a sanitized version of the configuration file from the Juniper SSG140:
bm01-fw01-sanitized.txt
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944735
cool...give me some time to decipher and we'll get started...unless someone else jumps in, of course!
0
 

Author Comment

by:PCGenieLA
ID: 34944874
Ready when you are, CB.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34944901
ok...i see 688.225.17.226 and 2066.40.220.135.  which is your primary WAN IP and what's the other one do?

i also see that you are NAT'ing in RDP to several user workstations and servers.  i'd recommend getting those users on a VPN, then you don't have to mess with setting up the NAT/firewall rules.  I'd enable the ssl-vpn interface on the sonicwall.  it uses a clientless client, Netextender.  here's a KB on how to set that up.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=6461

i see you are auth via RADIUS, is that correct?  the sonicwall can use LDAP, but let's establish what you're doing with RADIUS first.

i also see that you have an exchange server.  what i'd recommend here is to setup a service group for all the ports (sonicwall calls ports services) used by the Exchange server.  then, run the public server wizard selecting the service group instead of an individual service object.  the public server wizard will create the WAN > LAN firewall rules and three NAT policies; ingress, egress and loopback.  here's a KB on the public server wizard.

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=7027

i think that's enough for now.
0
 

Author Comment

by:PCGenieLA
ID: 34945138
This is all great stuff, but I have a problem with this approach. I have to travel to the site to do this job. So, if possible, I'd like to do as much of the configuration as possible before. If there is a way to write all this today and then upload a file to the Sonicwall, that would save trips and time. Also, changing the configuration (ie Radius vs LDAP) is something to consider later, after I get this thing up and running. I want to interfere with operations as little as possible.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34945331
i understand.  so, do you have the sonicwall with you?  i still need the details fleshed out in my query above (ID: 34944901).

the only way to "upload" configuration settings within a sonicwall is to setup the sonicwall and export the settings as a backup.  sonicwall does not provide a method for setting up the hardware offline and uploading those settings at a later time.
0
 

Author Comment

by:PCGenieLA
ID: 34945535
I don't have the Sonicwall with me, but since the Sonicwall is brand new out of the box, is there a way to backup/export its settings ( factory default setting) and rewrite the file (EXP format, right?) and then import it?
0
 
LVL 33

Accepted Solution

by:
digitap earned 500 total points
ID: 34945812
you can export the settings as an export file (EXP) or as a backup as part of the existing firmware.  however, there isn't a way currently provided by sonicwall to edit the settings of either file and reimport it back to the sonicwall.
0
 

Author Comment

by:PCGenieLA
ID: 34946029
OK, I'll just bite the bullet, use the web interface and hopefully understand all the elements of each section (ie. services, groups, interfaces, etc.)  But I'm not going to put the sonicwall online until I've done all the configuring and remote administration is good to go. Hopefully, I don't have to have it plugged all in to do so. I'll also look at the white papers you mentioned above.
Finally, do you see any show stoppers in the present setup? I should know about those now.
0
 
LVL 33

Expert Comment

by:digitap
ID: 34946117
you can setup the sonicwall without replacing the existing unit.  however and obviously, you'll not know for sure until you replace it.

not really.  i'll dig up some more KBs on things that i think you'll need as i look through your TXT file.  keep the question open so you can ask questions during the setup.

there isn't any reason why this should be a PIA to setup.  i think you'll find it pretty easy....minus the offline config of the files, of course...>GRIN<!
0
 

Author Comment

by:PCGenieLA
ID: 34953328
Well, I'm on the way to set this thing up this morning. A question has occurred to me. In the TXT file numerous passwords (including the admin logon) are defined by long alphanumeric strings, which I can assume are encryptions of normal passwords. In setting up the NSA, do I copy and paste those passwords from the TXT file to the NSA or is there another way to handle migrating passwords?
0
 
LVL 33

Expert Comment

by:digitap
ID: 34953441
you won't be able to migrate the passwords.  you'll want to just create new ones.  i assume the users in the TXT were in the juniper's local database.  you can setup users in the sonicwall's local database or use RADIUS.  my guess is VPN auth was once handled by the juniper and moved to RADIUS auth...just a guess though.
0
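The thread advises sanitizing the Juniper config before posting it, and notes that passwords appear in it as long alphanumeric strings. The following is an added example, not part of the original thread: a small sanitizer that redacts those stored secrets and replaces public IPs with stable placeholders so NAT and policy lines still line up. The keyword list and the sample lines are assumptions about a ScreenOS-style `set ...` file; the sample is constructed, not the config from this thread.

```python
import ipaddress
import re
# Assumption: in a ScreenOS-style "set ..." config, the token after one of
# these keywords is a secret (password hash, IKE pre-shared key, RADIUS secret).
SECRET_RE = re.compile(r'\b(password|preshare|secret|community)\s+("[^"]*"|\S+)', re.I)
IPV4_RE = re.compile(r'(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])')
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample config (documentation addresses stand in for public IPs).
SAMPLE = """\
set admin name "fwadmin"
set admin password "nExAmPlEhAsH0000000000000000nn"
set interface "ethernet0/2" ip 198.51.100.2/29
set interface "ethernet0/0" ip 192.168.1.1/24
set ike gateway "branch" address 198.51.100.20 Main outgoing-interface "ethernet0/2" preshare "ExAmPlEkEy==" proposal "pre-g2-3des-sha"
set policy id 5 from "Untrust" to "Trust" "Any" "MIP(198.51.100.2)" "RDP" permit
set route 0.0.0.0/0 interface ethernet0/2 gateway 198.51.100.1
"""

def keep_as_is(ip):
    """Internal addresses, 0.0.0.0 and netmasks are left in place for readability."""
    bits = format(int(ip), "032b")
    is_mask = bits[0] == "1" and "01" not in bits
    return ip.is_unspecified or is_mask or any(ip in net for net in RFC1918)

class Sanitizer:
    def __init__(self):
        self.ip_map = {}  # original address -> placeholder, reused on every occurrence

    def _swap_ip(self, match):
        text = match.group(1)
        try:
            ip = ipaddress.IPv4Address(text)
        except ValueError:
            return text  # dotted number that is not a valid address
        if keep_as_is(ip):
            return text
        if text not in self.ip_map:  # placeholders come from TEST-NET-3 (203.0.113.0/24)
            self.ip_map[text] = f"203.0.113.{len(self.ip_map) + 1}"
        return self.ip_map[text]

    def line(self, raw):
        redacted = SECRET_RE.sub(lambda m: f'{m.group(1)} "<REDACTED>"', raw)
        return IPV4_RE.sub(self._swap_ip, redacted)

    def text(self, config):
        return "\n".join(self.line(l) for l in config.splitlines())

if __name__ == "__main__":
    print(Sanitizer().text(SAMPLE))
```

Hostnames, user names and domain names are not touched, so the output still needs a read-through by hand before it is posted.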
