Switching firewall for the first time
Posted by GreatRyujin@reddit | sysadmin | 16 comments
Heya,
I'm going to switch our firewall next week and have never done this before. What are the pitfalls I could encounter?
Environment is mainly windows clients/servers, a few Linux-VMs, all in all around 30 hosts.
My plan is to plug the cables from the old one into the new one, and give the new one the same IP (x.x.x.1).
Interfaces, VLANs, hosts and rules are set up and are tested as well as I could.
DHCP runs on the firewall, so should I shut down all servers and clients beforehand or will they just accept a new device under the same IP-address?
Work will be done on the weekend.
My backup plan if nothing works, is to plug the old one back in.
Is there anything else I can prepare beforehand?
Thanks for reading!
Lucar_Toni@reddit
[Sophos Employee here]
If you move from Sophos UTM (SG) to Sophos Firewall (XGS), you can "chain" two tools to help you:
On the UTM Firewall, use this tool: https://github.com/sophos/Sophos-Migration-Utility-CLI It will give you an "Entities.xml" file, which already contains all supported config settings for Sophos Firewall.
But as most UTM Firewalls are pretty old, it makes sense to use this other new tool from Sophos to "adjust" the configuration: https://docs.sophos.com/nsg/sophos-firewall/config-studio/index.html
Here you put the Entities.xml into the "Configuration editor".
This gives you the option to interact with the full UTM Configuration in "SFOS Sophos Firewall language" before touching the new firewall. You can adjust the DHCP Server, the Interfaces, the firewall Rules etc.
This new tool gives you the option to delete stuff like unneeded objects before importing it.
As soon as you are done, save this as a ".tar" File, which you can push to the Firewall via "Import/Export".
This saves time and also gives you a clean cut.
Library_IT_guy@reddit
I did this a while back. I went from a homebrew pfSense box the previous IT guy had cobbled together to a pfSense box made by Netgate. Similar interface, exported/imported all the rules, double-checked everything, switch was pretty seamless. If you are moving to a new solution and have to set everything up from scratch, that can be a pain.
Do it when the organization is closed if possible. Never know what might go wrong. And yeah, keep the old one nearby so you can swap back if you need to.
MunchyMcCrunchy@reddit
what are the old and new devices?
GreatRyujin@reddit (OP)
Sophos SG210 to Sophos XGS 107
MunchyMcCrunchy@reddit
Can you not import the config from the old to the new?
GreatRyujin@reddit (OP)
Only to a degree.
The SG series is based on the devices from a company called Astaro, which Sophos bought and rebranded.
The XG and XGS models are a newly developed design which has (unfortunately) very little in common with the SG models.
There is a migration tool, which I used, but some parts of the config can't be copied 1 to 1.
TheGenericUser0815@reddit
I've done this several times over the last months, always coming from Cisco switching to Sophos. They are different in their philosophy, so translating the rules was kind of complicated. I ended up configuring some very generic rules making everything work and then configuring more detailed rules step by step.
Expensive-Rhubarb267@reddit
1) Whenever you're replacing core network hardware, always proceed with caution. It sounds like you're going for a 'big bang' approach. So plan time to troubleshoot things if they go wrong. I'd say at least a day for this.
2) DHCP should be fine. Just extend the lease time on the old firewall. Then once the new firewalls are connected, forcibly renew DHCP leases on lots of test clients to make sure they can obtain an IP address successfully. Servers should be on static IPs so they'll be fine.
3) Triple check NAT. Make sure NAT rules are the same.
4) DNS - Check that DNS works on the new firewalls before you disconnect the old firewalls.
TheGenericUser0815@reddit
No 3)!!!!
The_NorthernLight@reddit
Make sure you have an exported list of ALL policies, zones, vpn info, dns, wan ip info, etc.
KB4MTO@reddit
Reservations and rules, those are the usual catch ya's.
dt989898@reddit
One tip that helped me out was to use a label maker and label the critical cabling in the event you need to revert back at all. Not sure how many cables you're dealing with, but I found it handy. Especially if you're nervous. Helps with not needing to think as much.
Good luck!
Anxious-Community-65@reddit
Main things to watch IMO:
- ARP cache: the MAC address changes even if the IP doesn't. Most devices sort themselves out in seconds, but if something goes dark after cutover run arp -d * to flush it. DHCP leases carry over fine, no need to shut clients down. Double-check any site-to-site VPN configs, NAT hairpin rules and DNS forwarders, as they could break in prod.
And something I do personally is screenshot every page of the old firewall config before you start!
I_turned_it_off@reddit
I have done a number of firewall replacements in various parts of our business, and the fallback of just plugging the old one in is usually a good start.
I have always started prepping by configuring the new firewall on a test bench (spare desk with power and a laptop or two), so that I can make sure the new firewall's configuration, like the WAN-side settings, DHCP ranges, DNS configuration, any needed VPN configs, etcetera, is pre-configured.
Regarding your concern about DHCP leases, check to see if there is a setting in the new firewall to check that an address is free beforehand; look for an option like "Conflict detection".
Once I'm happy with it, then I move the new device to sit side by side with the old one, and make sure there is enough power to have them all connected.
At go time, it's then just a case of swapping cables from the old firewall to the new.
Regarding DHCP leases, anything that is already powered on should work without issue; any device that is not powered on will reach out for a DHCP lease from the new firewall, and you should test this.
tensorfish@reddit
DHCP clients will mostly cope with the same gateway IP. The usual outage is the boring stuff you forgot lived on the old firewall: reservations, NAT/VPN rules, DNS forwarders, certs, and any management ACLs. I’d drop lease times before the cut, keep console access to both boxes, and expect a bit of ARP-cache ugliness before everything settles.
gixo89@reddit
Be ready to clear ARP cache on networking devices!