Migration guide: Sophos Migration AssistantBefore reimaging the production Sophos SG/UTM appliance,...

Sophos Migration Assistant

migration guide

ContentsPreface..................................................................................................................................................... 1Prerequisites.............................................................................................................................................2Convert SG/UTM configuration to Sophos XG Firewall-compatible configuration................................... 3Reimaging and applying configuration.....................................................................................................8

Reimage Sophos SG/UTM to Sophos XG Firewall...................................................................... 8Apply Sophos XG Firewall configuration on the reimaged box.................................................... 8

Appendix A: Conversions and limitations................................................................................................ 9Appendix B: Improvements....................................................................................................................10Appendix C: Download UTM configuration............................................................................................11Appendix D: Sophos SG/UTM modules: Migration status.....................................................................12Appendix E: Install Sophos Migration Assistant on Oracle VM VirtualBox............................................22Appendix F: View and resolve exception list.........................................................................................30Notice......................................................................................................................................................32

(2019/01/17)

Migration guide: Sophos Migration Assistant

1 PrefaceThis guide describes how to migrate from Sophos SG/UTM to Sophos XG Firewall. It enables you todo the following:

• Convert your Sophos SG/UTM configuration (on version 9.4 or later) on SG series and virtual/software appliances to Sophos XG Firewall-compatible configuration (v16 or later).

• Reimage your Sophos SG/UTM appliance toSophos XG Firewall.

• Upload the Sophos SG/UTM license file.

• Upload the converted Sophos XG Firewall configuration file.

Copyright © Sophos Limited 1


2 Prerequisites

Hardware compatibility

• SG: SG series hardware appliances support Sophos XG Firewall.

• UTM appliance: If you have a SG/UTM series appliance, you need to upgrade the hardware.Contact your Sophos Partner or Sophos representative.

• Virtual or Software appliance: Appliances with 2 GB RAM or higher support Sophos XG Firewall.

Firmware version

Sophos Migration Assistant allows you to convert configuration backup for SG/UTM appliances onversion 9.4 or later.

Data backup

• UTM configuration backup. Refer to Appendix C: Download UTM configuration (page 11).

• License file backup

• Logs from your SG/UTM appliance

Number of interfaces

Number of SG/UTM interfaces should not be more than those supported on the Sophos XG Firewallappliance.

2 Copyright © Sophos Limited


3 Convert SG/UTM configurationto Sophos XG Firewall-compatibleconfiguration1. Install Sophos Migration Assistant on a virtual machine. For more information, refer to Appendix E:

Install Sophos Migration Assistant on Oracle VM VirtualBox (page 22).

2. In Oracle VM VirtualBox, click Start and enter “admin” as password to login.

3. Go to https://172.16.16.16 and log in with the following credentials:


https://172.16.16.16


• Username: (Default) admin

• Password: (Default) admin

4. Accept the terms of service and then click Next.

A screen appears listing the category and its sub-category along with the configuration that getsmigrated. Click Next.

5. (Optional) Go to admin > About product from top right corner of the screen if you wish to see theproduct information.

6. (Optional) Click Firmware management to see and configure the available firmware version.



7. Click Start New Migration to begin migration.

For previous migration sessions, you can manage the following: Continue migration, downloadlogs, view migration logs, view audit logs, and discard migration.

8. Upload the Sophos UTM configuration file.

a) Enter a session name and description.

b) Click Choose File and upload the Sophos UTM configuration file.

c) Enter password for the Sophos UTM configuration file (if the file is encrypted).

To download the Sophos UTM configuration file, refer to Appendix C: Download UTM configuration(page 11).

9. Click Next to start migration. The following screen appears:



Sophos Migration Assistant auto-migrates Sophos UTM configuration for the supported modules.For more information, refer to Appendix D: Sophos SG/UTM modules: Migration status (page12). You can skip the next step, if you do not have any exception.

10. Click Continue with exception handling to resolve the exceptions.

The number of exceptions (errors or warnings) is displayed. You must resolve these conflictsmanually to complete the migration process.

To view and resolve exceptions, refer to Appendix F: View and resolve exception list (page 30).

11. Click Download migrated config to download the configuration file converted from Sophos SG/UTM to Sophos XG Firewall. The downloaded file will be of “device.backup” file extension.



Conversion of Sophos SG/UTM configuration to Sophos XG Firewall-compatible configuration iscomplete.



4 Reimaging and applying configurationBefore reimaging the production Sophos SG/UTM appliance, it is recommended that you takeadvantage of the free 30-day trial for Sophos XG Firewall. To test the migration and configuration,you can set up a parallel virtual or software instance.

4.1 Reimage Sophos SG/UTM to Sophos XGFirewallAfter you downloaded the Sophos XG Firewall configuration, you need to prepare your SophosSG/UTM device for migration. Reimage your SG/UTM appliance and install Sophos XG Firewallon it. For details, refer to the articles https://community.sophos.com/kb/en-us/126906 and https://community.sophos.com/kb/en-us/124588.

To migrate the Sophos SG/UTM license to Sophos XG Firewall license, you need to upload the UTMconfiguration file on the reimaged Sophos XG Firewall device.

High-availability setups (HA)

If you have an HA setup, re-image both devices and then deploy the migrated configuration toone of the devices. The second device receives its configuration from the migrated device duringsynchronization after the HA configuration. For more information on HA configuration refer to thefollowing guides:

• Active-active: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en.

• Active-passive: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en.

4.2 Apply Sophos XG Firewall configuration on thereimaged box1. Log in to Sophos XG Firewall Admin Console as administrator with Read-Write permissions for the

relevant features.

2. Go to System > Backup & firmware > Backup & restore.

3. Click Choose file and select the converted Sophos XG Firewall configuration file.

Reimaging and applying configuration is complete. For more administrative configuration, refer toSophos XG Firewall web interface reference and admin guide.


https://community.sophos.com/kb/en-us/126906



https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en


5 Appendix A: Conversions and limitationsThe following conversions will take place for the entities during migration from Sophos SG/UTM toSophos XG Firewall:

• Maximum character length supported in Sophos XG Firewall is less than that supported in SG/UTM: Value will be trimmed to the upper limit supported in Sophos XG Firewall.

• Duplicate records in SG/UTM (Sophos XG Firewall does not support duplicate records): Uniquenumber will be added as suffix to the name of the entity.

• Value is valid in Sophos SG/UTM but not in Sophos XG Firewall: Value of the entity will be set toits default value in Sophos XG Firewall.

• Entity is not mandatory in Sophos SG/UTM but is mandatory in Sophos XG Firewall: Value of theentity will be its default value in Sophos XG Firewall.

• Firewall rule numbering: In SG/UTM, firewall rules are numbered in the order in which theyare applied to traffic (i.e. according to their priority). In Sophos XG Firewall, firewall rules arenumbered in the order of their creation.

There are some limitations to what can be (automatically) configured. For example, there are somesettings that are mandatory in Sophos XG Firewall which were not in SG/UTM. In this case, you willget an exception which you need to resolve during the exception handling stage. Here are someexamples:

• “Hostname” must not contain a space or special character.

• VLAN on bridge interfaces are not supported by Sophos XG Firewall.

• Static IP-MAC binding in the range of DHCP IP scope is not supported by Sophos XG Firewall.

• SNMP: Location is mandatory in Sophos XG Firewall.

• IPv6 in L2TP is not supported in Sophos XG Firewall.

• “Group attribute” in RADIUS server configuration is mandatory in Sophos XG Firewall.



6 Appendix B: Improvements

Improvements: MR1

• Profiles that are configured with a single event schedule will be migrated for All days of the week.

• For all web categories, the Override Default Notification page will be disabled.

• System zone configured under Network > Zone is migrated as is.

• When you delete a VLAN host in Sophos XG Firewall, the VLAN host-based firewall rules aredeleted.

• Special characters in DHCP server hostname are replaced with “_”.



7 Appendix C: Download UTMconfiguration1. Sign in to Sophos UTM Web Admin console.

2. In Management, click Backup/Restore.

3. In Create Backup, click Create backup now.

Migration is supported only on full backups. Do not select the following options while creatingbackups:

• Unique site data (License, passwords, certificates/keys, endpoints)

• Administrative mail addresses

Available backups will appear in a list.

4. Click the download button to download the configuration file.

5. Click Download backup to download the configuration file.

The downloaded configuration file will have “.abf” file extension.

NoteIf you select Encrypt before downloading, the configuration file will have “.ebf” extension.



8 Appendix D: Sophos SG/UTM modules:Migration statusFor the current release, the following components from the Firewall section are not supported formigration:

• SUM user-created firewall rules.

• SUM automatic firewall rules.

• Automatic firewall rules.

Section Sub-section Is migrated?

System settings Organizational No

Hostname Yes

Shell access No

Scan settings No

Scan settings > Antivirus enginePreferences

Yes

Scan settings > Advanced threatprotection options

No

Scan settings > Antispamengine preferences

No

Reset configuration No

WebAdmin settings General > WebAdmin language No

General > WebAdmin accessconfiguration

Yes

Access control > Role No

User preferences No

Licensing Licensing No

Up2Date Overview No

Configuration No

Advanced No

Backup/Restore Backup/Restore No

Automatic backups Yes

User portal Global No

Advanced > Language No

Advanced > Security No

Advanced > Disable portal items No

Advanced > Network settings No




Advanced > Welcome message No

Notifications Global Yes

Notifications No

Advanced No

Customization Global > Company logo No

Global > Custom company text No

Web messages > End usermessages

No

Web messages > administratorinformation

No

Web templates No

Email messages No

SNMP Query Yes

Traps Yes

Central Management Sophos UTM Manager No

Sophos Mobile Control Sophos Mobile Control No

HA / Auto-scaling Configuration No

Definition & users > Servicedefinitions

ESP No

AH No

Definition & users > Users &groups > Users

Local No

None No

Remote No

Definition & users > Users &groups > Groups

Static members No

IPsec X509 DN mask No

Backend membership No

Definition & users >Authentication Services

Global settings (Automatic usercreation)

No

Single sign-on No

Definition & users >Authentication services > OTP

OTP tokens No

OTP settings No

Definition & users >Authentication services >Advanced

Active Directory groupMembership synchronization

No

Prefetch directory users No




Definition & users > Clientauthentication

Client authentication options No

Other No

Interfaces & routing > Interfaces> Interfaces

PPPOA/PPTP No


3G/UMTS No


Modem (PPP) No


Ethernet bridge Yes


DSL (PPPoE) Yes


Group No

Interfaces & routing > Interfaces> Link aggregation

Link aggregation Yes

Interfaces & routing > Interfaces> Multi-path rules

Multi-path rules No

Interfaces & routing > Interfaces Status No

Interfaces & routing > QoS Status No

Interfaces & routing > QoS >Traffic selector

Traffic selector No

Application selector No

Group No

Interfaces & routing > QoS >Bandwidth pool

Bandwidth pool No

Interfaces & routing > QoS >Download throttling

Download throttling No

Interfaces & routing > QoS >Advanced

Advanced No

Interfaces & routing > Uplinkmonitoring

Global No

Interfaces & routing > Uplinkmonitoring > Actions

IPsec tunnel No

Interfaces & routing > Uplinkmonitoring > Actions

Additional address No

Interfaces & routing > IPv6 Global No

Renumbering No

6to4 No

Tunnel broker No




Interfaces & routing > Staticrouting > Standard static routes

Blackhole route No

Interfaces & routing > Policyroutes

Interface route Yes

Gateway route Yes

Interfaces & routing > Dynamicrouting (OSPF)

Global No

Area > Normal No

Area > Stub No

Area > NSSA No

Area > Stub - No summary No

Area > NSSA - No summary No

Interfaces No

Message digests No

Debug No

Advanced (Redistribution) No

Interfaces & routing > BGP Global No

Systems No

Neighbor No

Route map No

Filter list No

Advanced No

Interfaces & routing > Multicastrouting (PIM SM)

Routes > Gateway route No

Routes > Interface route No

Advanced No

Network services > DNS Global No

Static entries Yes

Network services > DHCP DHCPv6 relay No

Static mappings Yes

IPv4 lease table No

IPv6 lease table No

Network services > NTP Server status No

NTP Options No

Network protection > Firewall >Country blocking

Country blocking No




Network protection > Firewall >Country blocking exceptions

Country blocking exceptions No

Network protection > Firewall >ICMP

Global ICMP settings No

Ping settings No

Traceroute settings No

Network protection > Firewall >Advanced

Connection tracking helpers No

Protocol handling No

Logging options No

Network protection > NAT >Masquerading

Masquerading No

Network protection > NAT >NAT > Rule

SNAT (source) No

DNAT (destination) No

1:1 NAT (whole networks) No

Full NAT (source + destination) No

No NAT No

Network protection > Intrusionprevention > Global

Global IPS settings No

Network protection > Intrusionprevention > Attack patterns

Attack patterns No

Network protection > Intrusionprevention > Anti-DoS/Flooding

TCP SYN flood protection Yes

UDP flood protection Yes

ICMP flood protection Yes

Network protection > Intrusionprevention > Anti-port scan

Portscan detection No

Network protection > Intrusionprevention > Exceptions

Exceptions No

Network protection > Intrusionprevention > Advanced

Pattern set optimization No

Manual rule modification No

Performance tuning No

Network protection > Serverload balancing > Balancing rules

Check type: TCP No

Check type: UDP No

Check type: Ping No

Check type: HTTP Host No




Check type: HTTPS Host No

Network protection > VoIP > SIP Global SIP settings No

Network protection > VoIP >H.323

Global H.323 settings No

Network protection > Advanced> Generic proxy

Generic proxy No

Network protection > Advanced> Socks proxy

SOCKS proxy options No

Network protection > Advanced> Ident reverse proxy

Global settings No

Web protection > Web filtering >Global

Default web filter profile No

Web protection > Web filtering >HTTP

HTTPS scan settings No

Web protection > Web filtering >policies

Active policies No

Web protection > Web filterprofiles > Filter profiles

Web filter profiles No

HTTPS No

Policies No

Web protection > Filteringoptions > Exceptions

Exceptions list No

Web protection > Filteringoptions > Websites

Websites No

Web protection > Filteringoptions > Bypass users

Bypass blocking No

Web protection > Filteringoptions > PUAs

Potentially unwantedapplications authorization

No

Web protection > filteringoptions > Categories

Filter category list No

Web protection > Filteringoptions > HTTPS CA

Signing CA No

Verification CAs No

Web protection > Filteringoptions > MISC

Misc settings No

Transparent mode skiplist No

Proxy auto configuration No

URL categorization parent proxy No

Web caching No

Streaming settings No




Transparent mode ActiveDirectory single sign-on

No

Apple OpenDirectory singlesign-on

No

Certificate for end user pages No

Pharming protection No

Web protection > Policyhelpdesk > Policy test

Request details No

Web protection > Policyhelpdesk > Quota status

Quota status No

Web protection >Applicationcontrol > Network visibility

Flow monitor No

Web protection > Applicationcontrol > Application controlrules

Application control rules No

Web protection > Applicationcontrol > Advanced

Application control skiplist No

Web protection > FTP > Global FTP settings No

Web protection > FTP >Antivirus

Antivirus scanning No

File extension filter No

Web protection > FTP >Exceptions

Exceptions list No

Web protection > FTP >Advanced

FTP proxy skiplist No

FTP Servers No

Email protection > SMTP SMTP No

Email protection > SMTPprofiles

SMTP profiles No

Email protection > POP3 POP3 No

Email protection > Encryption Encryption No

Email protection > SPXEncryption

SPX Encryption No

Email protection > QuarantineReport

Quarantine report No

Email protection > Mail manager Mail manager No

Advanced protection > SophosSandstorm

Sophos Sandstorm No

Advanced protection >Advanced Threat Protection

Advanced Threat Protection Yes




Wireless protection > Globalsettings > Global settings

Global settings No

Wireless protection > Globalsettings > Advanced

Global settings No

Wireless protection > Wirelessnetworks

Wireless networks No

Wireless protection > Accesspoints

Access points No

Wireless protection > Meshnetworks

Mesh networks No

Wireless protection > Wirelessclients

Wireless clients No

Wireless protection > Hotspots >Hotspots

Hotspots No

Wireless protection > Hotspots >Voucher definition

Voucher definition No

Wireless protection > Hotspots >Advanced

Advanced No

Web server protection > Webappliance firewall

Web appliance firewall No

Web server protection >Reverse authentication

Reverse authentication No

RED management > Globalsettings

RED global settings No

RED management > [Server]Client management

[Server] Client management No

RED management > [Server]Deployment helper

[Server] Deployment helper No

RED management > [Client]Tunnel management

[Client] Tunnel management No

Site-to-site VPN > Amazon VPC Amazon VPC No

Site-to-site VPN > Certificatemanagement > Advanced

Regenerate signing CA No

Site-to-site VPN > Ipsec > LocalRSA Key

Re-generate local RSA key. No

Site-to-site VPN >IPsec >Advanced

Dead Peer Detection (DPD) No

CRL handling No

Site-to-site VPN > IPSec >Debug

IKE debugging No

Site-to-site VPN > SSL >Connections

SSL server No




SSL client No

Site-to-site VPN > SSL >Settings

Server settings Yes

Virtual IP pool Yes

Duplicate CN Yes

Site-to-site VPN > SSL >Advanced

Cryptographic settings Yes

Compression settings Yes

Debug settings Yes

Remote access > SSL > Profiles Remote access profiles No

Remote access > SSL >Settings

Server settings Yes

Virtual IP pool Yes

Duplicate CN Yes

Remote access > SSL >Advanced

Cryptographic settings Yes

Compression settings Yes

Debug settings Yes

Remote access > PPTP >Global

Main settings Yes

Remote access > PPTP > iOS™devices

iOS™ settings No

Remote access > PPTP >Advanced

Encryption strength No

Debug mode No

Remote access > L2TP OverIPsec > iOS™ devices

iOS™ settings No

Remote access > L2TP overIPsec > Advanced

IKE debugging No

L2TP debugging No

Remote access > IPsec >Advanced

Dead Peer Detection (DPD) No

CRL handling No

Remote access > IPsec >Debug

IKE debugging No

Remote access > HTML5 VPNportal

HTML5 VPN portal No

Remote access > Cisco VPNportal > Global

Server settings No




Remote access > Cisco VPNportal > iOS™ devices

iOS™ settings No

Remote access > Cisco VPNportal > Debug

IKE debugging No



9 Appendix E: Install Sophos MigrationAssistant on Oracle VM VirtualBox1. Click New in Oracle VM VirtualBox and enter the following:

• Name: Enter a name for VM.

• Operating System: Select Linux.

• Version: Select Linux 2.6 (64 bit).

2. Set the base virtual memory (vRAM) to 2 GB or higher.

3. Select the following to set the start-up disk size:

• Start-up Disk

• Create new hard disk



a) Select File type as VMDK (Virtual Machine Disk).

b) Set Storage details to Dynamically allocated.

c) Set the disk size to 32 GB or higher.

d) View summary and click Create.

4. Click Settings > Storage. Select the Sophos Migration Assistant image file (ISO).

a) Click Settings > Network and set the following:

• Attached to: Host-only Adapter



• Name: Select the host-only adpater from the list.

• Promiscuous Mode: Deny

b) (Optional) Go to Files > Preferences > Network. Click Add.

Enter the IP address and mask, if you have not configured a network in your host system.



5. Click Start to proceed with the installation.

a) Enter y to continue with installation.



b) Remove the ISO file, which you have added.

c) Enter y to reboot when prompted after the installation.



6. Click Start to login after installation and to access Sophos Migration Assistant.

For password, enter admin.

7. (Optional) To set a new interface address (update default interface address), log in with theadministrator password as discussed earlier.

a) In console, Enter 1 for network configuration.

b) Again, enter 1 for interface configuration.



A screen displaying IP addresses for both Port A and Port B appears.

c) Enter y to proceed and change the IP address.

d) Similarly, follow the on-screen instructions for netmask and gateway IP address.



To change the default administrator password, you can select option 2 System Configuration from themain menu and proceed with the on-screen instructions.

For other VMs, refer to the following:

• Sophos XG Firewall Virtual Appliance Microsoft Hyper-V: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20Hyper-V.pdf.

• Sophos XG Firewall Virtual Appliance - KVM: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20KVM.pdf.

• Sophos XG Firewall Virtual Appliance XenApp: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20XenApp.pdf.


http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20Hyper-V.pdf



http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20KVM.pdf



http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20XenApp.pdf




10 Appendix F: View and resolveexception listThe list of unsolved exceptions with the reason for error or warning is displayed. Exceptions are oftwo types and must be resolved manually:

• Errors: Conflicts between Sophos SG/UTM and Sophos XG Firewall configurations.

• Warnings: Migrated configuration entities, which pose a connectivity or security risk.

Exception handling

• Click Resolve (appears against errors) against the exception to resolve it.

— Sophos XG Firewall configuration page for the particular entity will be displayed. Details ofthe exception appear to the far-right.

— Change the configurations to resolve the exception based on your requirement.

• If you are an advanced user, you can update configurations in Preview XG configuration (Foradvanced users).

• Click Accept (appears against warnings) to accept migration of the entity.

Logs handling

• Click View logs for details of the migrated configuration.

• Click Download logs if you wish to:

— Trace the resolved exceptions for troubleshooting.

— Send them to Sophos Support if you require help.

— Refer to resolved exceptions later in offline mode.

Preview XG configuration (for advanced users)

Preview XG configuration appears for advanced users. Click this to preview and add aconfiguration in the modules supported for migration. Configuration changes that you make here willbe applied in the converted Sophos XG Firewall configuration file.



Click Close preview to go back to configure the exceptions.

To filter the logs, select any of the options under Show status:

• Auto-migrated

• Accepted

• Auto-resolved

• Resolved

• Deleted

• Unresolved

• All



11 NoticeCopyright © 2019 Sophos Limited. All rights reserved. No part of this publication may be reproduced,stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,photocopying, recording or otherwise unless you are either a valid licensee where the documentationcan be reproduced in accordance with the license terms or you otherwise have the prior permissionin writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, SophosGroup and Utimaco Safeware AG, as applicable. All other product and company names mentionedare trademarks or registered trademarks of their respective owners.


Migration guide: Sophos Migration AssistantBefore reimaging the production Sophos SG/UTM appliance,...

Documents

Transcript of Migration guide: Sophos Migration AssistantBefore reimaging the production Sophos SG/UTM appliance,...