Sophos Migration Assistant
migration guide
Contents
Preface
Prerequisites
Convert SG/UTM configuration to Sophos XG Firewall-compatible configuration
Reimaging and applying configuration
    Reimage Sophos SG/UTM to Sophos XG Firewall
    Apply Sophos XG Firewall configuration on the reimaged box
Appendix A: Conversions and limitations
Appendix B: Improvements
Appendix C: Download UTM configuration
Appendix D: Sophos SG/UTM modules: Migration status
Appendix E: Install Sophos Migration Assistant on Oracle VM VirtualBox
Appendix F: View and resolve exception list
Appendix G: View dropped entities
Notice
(2019/03/14)
Migration guide: Sophos Migration Assistant
1 Preface
This guide describes how to migrate from Sophos SG/UTM to Sophos XG Firewall. It enables you to do the following:
• Convert your Sophos SG/UTM configuration (on version 9.4 or later) on SG series and virtual/software appliances to Sophos XG Firewall-compatible configuration (v16 or later).
• Reimage your Sophos SG/UTM appliance to Sophos XG Firewall.
• Upload the Sophos SG/UTM license file.
• Upload the converted Sophos XG Firewall configuration file.
Copyright © Sophos Limited 1
2 Prerequisites
Hardware compatibility
• SG: SG series hardware appliances support Sophos XG Firewall.
• UTM appliance: If you have an SG/UTM series appliance, you need to upgrade the hardware. Contact your Sophos Partner or Sophos representative.
• Virtual or Software appliance: Appliances with 2 GB RAM or higher support Sophos XG Firewall.
Firmware version
Sophos Migration Assistant allows you to convert configuration backup for SG/UTM appliances on version 9.4 or later.
Data backup
• UTM configuration backup. Refer to Appendix C: Download UTM configuration (page 12).
• License file backup
• Logs from your SG/UTM appliance
Number of interfaces
The number of SG/UTM interfaces should not be more than those supported on the Sophos XG Firewall appliance.
3 Convert SG/UTM configuration to Sophos XG Firewall-compatible configuration
1. Install Sophos Migration Assistant on a virtual machine. For more information, refer to Appendix E: Install Sophos Migration Assistant on Oracle VM VirtualBox (page 23).
2. In Oracle VM VirtualBox, click Start and enter “admin” as the password to log in.
FIRMWARE LOADER (press <enter> to display list of images)
Starting 17_0_0_xxx.
Loading firstboot configuration
Installing default config
Firstboot completed successfully
Password: _
3. Go to https://172.16.16.16 and sign in with the following credentials:
• Username: (Default) admin
• Password: (Default) admin
4. Accept the terms of service and then click Next.
5. Click Prepare for UTM migration to begin.
6. (Optional) Go to admin > About product from the top right corner of the screen if you want to see the product information.
7. (Optional) Click Firmware management to see and configure the available firmware version.
8. Click Start new migration to start a new migration session.
For previous pending migration sessions, you can manage the following: Continue migration, view migration logs, view audit logs, download logs, view dropped entities, and discard migration.
For previous completed migration sessions, you can manage the following: Edit configuration, download migrated configuration, view migration logs, view audit logs, download logs, view dropped entities, and delete.
9. Upload the Sophos UTM configuration file.
a) Enter a migration session name and description.
b) Click Browse and upload the Sophos UTM configuration file.
c) Enter password for the Sophos UTM configuration file (if the file is encrypted).
To download the Sophos UTM configuration file, refer to Appendix C: Download UTM configuration (page 12).
10. Click Start migration to start the migration.
Sophos Migration Assistant auto-migrates Sophos UTM configuration for the supported modules. For more information, refer to Appendix D: Sophos SG/UTM modules: Migration status (page 13).
11. Click Continue with exception handling to resolve the exceptions.
The number of exceptions (errors or warnings) is displayed. You must resolve these conflicts manually to complete the migration process. You can skip this step if you don’t have any exceptions.
To view and resolve exceptions, refer to Appendix F: View and resolve exception list (page 26).
12. Click Download migrated config to download the configuration file converted from Sophos SG/UTM to Sophos XG Firewall. The downloaded file will have the “device.backup” file extension.
13. (Optional) Click View dropped entities to view the logs for entities that aren’t migrated.
For more information, refer to Appendix G: View dropped entities (page 28).
14. (Optional) Click Download logs to see the logs for this session.
Conversion of Sophos SG/UTM configuration to Sophos XG Firewall-compatible configuration is complete.
4 Reimaging and applying configuration
Before reimaging the production Sophos SG/UTM appliance, it is recommended that you take advantage of the free 30-day trial for Sophos XG Firewall. To test the migration and configuration, you can set up a parallel virtual or software instance.
4.1 Reimage Sophos SG/UTM to Sophos XG Firewall
After you have downloaded the Sophos XG Firewall configuration, you need to prepare your Sophos SG/UTM device for migration. Reimage your SG/UTM appliance and install Sophos XG Firewall on it. For details, refer to the articles https://community.sophos.com/kb/en-us/126906 and https://community.sophos.com/kb/en-us/124588.
To migrate the Sophos SG/UTM license to Sophos XG Firewall license, you need to upload the UTM configuration file on the reimaged Sophos XG Firewall device.
High-availability setups (HA)
If you have an HA setup, re-image both devices and then deploy the migrated configuration to one of the devices. The second device receives its configuration from the migrated device during synchronization after the HA configuration. For more information on HA configuration, refer to the following guides:
• Active-active: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en.
• Active-passive: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en.
4.2 Apply Sophos XG Firewall configuration on the reimaged box
1. Log in to Sophos XG Firewall Admin Console as administrator with Read-Write permissions for the relevant features.
2. Go to System > Backup & firmware > Backup & restore.
3. Click Choose file and select the converted Sophos XG Firewall configuration file.
Reimaging and applying configuration is complete. For more administrative configuration, refer to Sophos XG Firewall web interface reference and admin guide.
5 Appendix A: Conversions and limitations
The following conversions will take place for the entities during migration from Sophos SG/UTM to Sophos XG Firewall:
• Maximum character length supported in Sophos XG Firewall is less than that supported in SG/UTM: Value will be trimmed to the upper limit supported in Sophos XG Firewall.
• Duplicate records in SG/UTM (Sophos XG Firewall does not support duplicate records): Unique number will be added as suffix to the name of the entity.
• Value is valid in Sophos SG/UTM but not in Sophos XG Firewall: Value of the entity will be set to its default value in Sophos XG Firewall.
• Entity is not mandatory in Sophos SG/UTM but is mandatory in Sophos XG Firewall: Value of the entity will be its default value in Sophos XG Firewall.
• Firewall rule numbering: In SG/UTM, firewall rules are numbered in the order in which they are applied to traffic (i.e. according to their priority). In Sophos XG Firewall, firewall rules are numbered in the order of their creation.
Table 1: Conversion scenarios
| SG/UTM | Sophos XG Firewall |
| DHCP lease range: | |
| Interface IP address is in the DHCP lease range | DHCP lease range splits automatically during migration |
| Interface IP address: 23.2.3.3 with netmask 24. DHCP lease range is from 23.2.3.1 to 23.2.3.254 | DHCP lease range splits into: 23.2.3.1 to 23.2.3.2 and 23.2.3.4 to 23.2.3.254 |
| Host MAC address: | |
| Host 1 has two MAC addresses: 11:22:aa:bb:33:12 and 32:32:aa:bb:12:11 | Host 1 has only one MAC address: 11:22:aa:bb:33:12 |
| Host 2 has two MAC addresses: 22:A2:33:08:12:AA and 32:32:aa:bb:12:11 | Host 2 has only one MAC address: 22:A2:33:08:12:AA |
You can’t configure all fields automatically. For example, some settings are mandatory in Sophos XG Firewall, but not in SG/UTM. These will generate an exception. You need to resolve them when handling exceptions. Examples:
• “Hostname” must not contain a space or special character.
• VLAN on bridge interfaces are not supported by Sophos XG Firewall.
• Static IP-MAC binding in the range of DHCP IP scope is not supported by Sophos XG Firewall.
• SNMP: Location is mandatory in Sophos XG Firewall.
• IPv6 in L2TP is not supported in Sophos XG Firewall.
• “Group attribute” in RADIUS server configuration is mandatory in Sophos XG Firewall.
• Maximum allowed FQDN entries: 1024.
Note
To remove unreferenced FQDN entries, use Delete all exceptions. Resolve referenced entries manually, using Preview XG configuration.
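The Table 1 conversions and several of the exception examples above can be predicted from an inventory before a migration run. The following is an added example, not Sophos code: the inventory dictionary layout, the function names and the set of characters allowed in a hostname are assumptions, and it does not read .abf or .ebf backup files.

```python
import ipaddress
import re
from collections import Counter

MAX_FQDN_ENTRIES = 1024                     # limit stated in Appendix A
HOSTNAME_OK = re.compile(r"[A-Za-z0-9.-]+")  # assumption: letters, digits, "-" and "." allowed


def split_dhcp_range(start, end, interface_ip):
    """Return the lease range(s) that remain once the interface address is excluded."""
    lo, hi, ip = (ipaddress.ip_address(v) for v in (start, end, interface_ip))
    if lo > hi:
        raise ValueError(f"inverted DHCP range {start}-{end}")
    if not lo <= ip <= hi:
        return [(str(lo), str(hi))]         # interface outside the range: no split
    parts = []
    if ip > lo:
        parts.append((str(lo), str(ip - 1)))
    if ip < hi:
        parts.append((str(ip + 1), str(hi)))
    return parts                            # empty if the range held only the interface


def in_range(addr, start, end):
    """True when addr lies inside the inclusive range start..end."""
    a, lo, hi = (ipaddress.ip_address(v) for v in (addr, start, end))
    return lo <= a <= hi


def preflight(inv):
    """Return (kind, message) findings: 'conversion' = automatic change, 'exception' = manual fix."""
    out = []
    for srv in inv.get("dhcp_servers", []):
        if in_range(srv["interface_ip"], srv["start"], srv["end"]):
            parts = split_dhcp_range(srv["start"], srv["end"], srv["interface_ip"])
            out.append(("conversion", f"DHCP range {srv['start']}-{srv['end']} splits into {parts}"))
        for m in srv.get("static_mappings", []):
            if in_range(m["ip"], srv["start"], srv["end"]):
                out.append(("exception", f"static IP-MAC binding {m['ip']} is inside the DHCP scope"))
    hosts = inv.get("hosts", [])
    for name, count in Counter(h["name"] for h in hosts).items():
        if count > 1:
            out.append(("conversion", f"{count} entities named {name!r}: a numeric suffix is added"))
    for h in hosts:
        if len(h.get("macs", [])) > 1:      # Table 1 shows the first listed MAC surviving
            out.append(("conversion", f"host {h['name']!r} keeps only {h['macs'][0]}"))
    hostname = inv.get("hostname")
    if hostname and not HOSTNAME_OK.fullmatch(hostname):
        out.append(("exception", "hostname contains a space or special character"))
    snmp = inv.get("snmp", {})
    if snmp.get("enabled") and not snmp.get("location"):
        out.append(("exception", "SNMP location is mandatory on XG but empty"))
    for r in inv.get("radius_servers", []):
        if not r.get("group_attribute"):
            out.append(("exception", f"RADIUS server {r['name']!r} has no group attribute"))
    if len(inv.get("fqdn_hosts", [])) > MAX_FQDN_ENTRIES:
        out.append(("exception", f"more than {MAX_FQDN_ENTRIES} FQDN entries"))
    return out


# Constructed inventory: addresses and MACs are the Table 1 examples, the rest is made up.
SAMPLE = {
    "hostname": "utm gw_01",
    "dhcp_servers": [{
        "interface_ip": "23.2.3.3", "start": "23.2.3.1", "end": "23.2.3.254",
        "static_mappings": [{"ip": "23.2.3.50", "mac": "11:22:aa:bb:33:12"}],
    }],
    "hosts": [
        {"name": "Host 1", "macs": ["11:22:aa:bb:33:12", "32:32:aa:bb:12:11"]},
        {"name": "Host 2", "macs": ["22:A2:33:08:12:AA", "32:32:aa:bb:12:11"]},
        {"name": "Host 2", "macs": []},
    ],
    "snmp": {"enabled": True, "location": ""},
    "radius_servers": [{"name": "radius-1", "group_attribute": "memberOf"}],
    "fqdn_hosts": ["example.test"] * 3,
}

if __name__ == "__main__":
    for kind, message in preflight(SAMPLE):
        print(f"{kind:10} {message}")
```

Findings of kind "conversion" are the ones to compare against the migrated configuration, because the guide describes them as happening without an exception being raised.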
6 Appendix B: Improvements
Improvements: MR1
• Profiles that are configured with a single event schedule will be migrated for All days of the week.
• For all web categories, the Override Default Notification page will be disabled.
• System zone configured under Network > Zone is migrated as is.
• When you delete a VLAN host in Sophos XG Firewall, the VLAN host-based firewall rules are deleted.
• Special characters in DHCP server hostname are replaced with “_”.
7 Appendix C: Download UTM configuration
1. Sign in to Sophos UTM Web Admin console.
2. In Management, click Backup/Restore.
3. In Create Backup, click Create backup now.
Migration is supported only on full backups. Do not select the following options while creating backups:
• Unique site data (License, passwords, certificates/keys, endpoints)
• Administrative mail addresses
Available backups will appear in a list.
4. Click the download button to download the configuration file.
5. Click Download backup to download the configuration file.
The downloaded configuration file will have “.abf” file extension.
Note
If you select Encrypt before downloading, the configuration file will have “.ebf” extension.
8 Appendix D: Sophos SG/UTM modules: Migration status
For the current release, the following components from the Firewall section are not supported for migration:
• SUM user-created firewall rules.
• SUM automatic firewall rules.
• Automatic firewall rules.
| Section | Sub-section | Is migrated? |
| System settings | Organizational | No |
| | Hostname | Yes |
| | Shell access | No |
| | Scan settings | No |
| | Scan settings > Antivirus engine Preferences | Yes |
| | Scan settings > Advanced threat protection options | No |
| | Scan settings > Antispam engine preferences | No |
| | Reset configuration | No |
| WebAdmin settings | General > WebAdmin language | No |
| | General > WebAdmin access configuration | Yes |
| | Access control > Role | No |
| | User preferences | No |
| Licensing | Licensing | No |
| Up2Date | Overview | No |
| | Configuration | No |
| | Advanced | No |
| Backup/Restore | Backup/Restore | No |
| | Automatic backups | Yes |
| User portal | Global | No |
| | Advanced > Language | No |
| | Advanced > Security | No |
| | Advanced > Disable portal items | No |
| | Advanced > Network settings | No |
| | Advanced > Welcome message | No |
| Notifications | Global | Yes |
| | Notifications | No |
| | Advanced | No |
| Customization | Global > Company logo | No |
| | Global > Custom company text | No |
| | Web messages > End user messages | No |
| | Web messages > administrator information | No |
| | Web templates | No |
| | Email messages | No |
| SNMP | Query | Yes |
| | Traps | Yes |
| Central Management | Sophos UTM Manager | No |
| Sophos Mobile Control | Sophos Mobile Control | No |
| HA / Auto-scaling | Configuration | No |
| Definition & users > Service definitions | ESP | No |
| | AH | No |
| Definition & users > Users & groups > Users | Local | No |
| | None | No |
| | Remote | No |
| Definition & users > Users & groups > Groups | Static members | No |
| | IPsec X509 DN mask | No |
| | Backend membership | No |
| Definition & users > Authentication Services | Global settings (Automatic user creation) | No |
| | Single sign-on | No |
| Definition & users > Authentication services > OTP | OTP tokens | No |
| | OTP settings | No |
| Definition & users > Authentication services > Advanced | Active Directory group Membership synchronization | No |
| | Prefetch directory users | No |
| Definition & users > Client authentication | Client authentication options | No |
| | Other | No |
| Interfaces & routing > Interfaces > Interfaces | PPPOA/PPTP | No |
| Interfaces & routing > Interfaces > Interfaces | 3G/UMTS | No |
| Interfaces & routing > Interfaces > Interfaces | Modem (PPP) | No |
| Interfaces & routing > Interfaces > Interfaces | Ethernet bridge | Yes |
| Interfaces & routing > Interfaces > Interfaces | DSL (PPPoE) | Yes |
| Interfaces & routing > Interfaces > Interfaces | Group | No |
| Interfaces & routing > Interfaces > Link aggregation | Link aggregation | Yes |
| Interfaces & routing > Interfaces > Multi-path rules | Multi-path rules | No |
| Interfaces & routing > Interfaces | Status | No |
| Interfaces & routing > QoS | Status | No |
| Interfaces & routing > QoS > Traffic selector | Traffic selector | No |
| | Application selector | No |
| | Group | No |
| Interfaces & routing > QoS > Bandwidth pool | Bandwidth pool | No |
| Interfaces & routing > QoS > Download throttling | Download throttling | No |
| Interfaces & routing > QoS > Advanced | Advanced | No |
| Interfaces & routing > Uplink monitoring | Global | No |
| Interfaces & routing > Uplink monitoring > Actions | IPsec tunnel | No |
| Interfaces & routing > Uplink monitoring > Actions | Additional address | No |
| Interfaces & routing > IPv6 | Global | No |
| | Renumbering | No |
| | 6to4 | No |
| | Tunnel broker | No |
| Interfaces & routing > Static routing > Standard static routes | Blackhole route | No |
| Interfaces & routing > Policy routes | Interface route | Yes |
| | Gateway route | Yes |
| Interfaces & routing > Dynamic routing (OSPF) | Global | No |
| | Area > Normal | No |
| | Area > Stub | No |
| | Area > NSSA | No |
| | Area > Stub - No summary | No |
| | Area > NSSA - No summary | No |
| | Interfaces | No |
| | Message digests | No |
| | Debug | No |
| | Advanced (Redistribution) | No |
| Interfaces & routing > BGP | Global | No |
| | Systems | No |
| | Neighbor | No |
| | Route map | No |
| | Filter list | No |
| | Advanced | No |
| Interfaces & routing > Multicast routing (PIM SM) | Routes > Gateway route | No |
| | Routes > Interface route | No |
| | Advanced | No |
| Network services > DNS | Global | No |
| | Static entries | Yes |
| Network services > DHCP | DHCPv6 relay | No |
| | Static mappings | Yes |
| | IPv4 lease table | No |
| | IPv6 lease table | No |
| Network services > NTP | Server status | No |
| | NTP Options | No |
| Network protection > Firewall > Country blocking | Country blocking | No |
| Network protection > Firewall > Country blocking exceptions | Country blocking exceptions | No |
| Network protection > Firewall > ICMP | Global ICMP settings | No |
| | Ping settings | No |
| | Traceroute settings | No |
| Network protection > Firewall > Advanced | Connection tracking helpers | No |
| | Protocol handling | No |
| | Logging options | No |
| Network protection > NAT > Masquerading | Masquerading | No |
| Network protection > NAT > NAT > Rule | SNAT (source) | No |
| | DNAT (destination) | No |
| | 1:1 NAT (whole networks) | No |
| | Full NAT (source + destination) | No |
| | No NAT | No |
| Network protection > Intrusion prevention > Global | Global IPS settings | No |
| Network protection > Intrusion prevention > Attack patterns | Attack patterns | No |
| Network protection > Intrusion prevention > Anti-DoS/Flooding | TCP SYN flood protection | Yes |
| | UDP flood protection | Yes |
| | ICMP flood protection | Yes |
| Network protection > Intrusion prevention > Anti-port scan | Portscan detection | No |
| Network protection > Intrusion prevention > Exceptions | Exceptions | No |
| Network protection > Intrusion prevention > Advanced | Pattern set optimization | No |
| | Manual rule modification | No |
| | Performance tuning | No |
| Network protection > Server load balancing > Balancing rules | Check type: TCP | No |
| | Check type: UDP | No |
| | Check type: Ping | No |
| | Check type: HTTP Host | No |
| | Check type: HTTPS Host | No |
| Network protection > VoIP > SIP | Global SIP settings | No |
| Network protection > VoIP > H.323 | Global H.323 settings | No |
| Network protection > Advanced > Generic proxy | Generic proxy | No |
| Network protection > Advanced > Socks proxy | SOCKS proxy options | No |
| Network protection > Advanced > Ident reverse proxy | Global settings | No |
| Web protection > Web filtering > Global | Default web filter profile | No |
| Web protection > Web filtering > HTTP | HTTPS scan settings | No |
| Web protection > Web filtering > policies | Active policies | No |
| Web protection > Web filter profiles > Filter profiles | Web filter profiles | No |
| | HTTPS | No |
| | Policies | No |
| Web protection > Filtering options > Exceptions | Exceptions list | No |
| Web protection > Filtering options > Websites | Websites | No |
| Web protection > Filtering options > Bypass users | Bypass blocking | No |
| Web protection > Filtering options > PUAs | Potentially unwanted applications authorization | No |
| Web protection > filtering options > Categories | Filter category list | No |
| Web protection > Filtering options > HTTPS CA | Signing CA | No |
| | Verification CAs | No |
| Web protection > Filtering options > MISC | Misc settings | No |
| | Transparent mode skiplist | No |
| | Proxy auto configuration | No |
| | URL categorization parent proxy | No |
| | Web caching | No |
| | Streaming settings | No |
| | Transparent mode Active Directory single sign-on | No |
| | Apple OpenDirectory single sign-on | No |
| | Certificate for end user pages | No |
| | Pharming protection | No |
| Web protection > Policy helpdesk > Policy test | Request details | No |
| Web protection > Policy helpdesk > Quota status | Quota status | No |
| Web protection > Application control > Network visibility | Flow monitor | No |
| Web protection > Application control > Application control rules | Application control rules | No |
| Web protection > Application control > Advanced | Application control skiplist | No |
| Web protection > FTP > Global | FTP settings | No |
| Web protection > FTP > Antivirus | Antivirus scanning | No |
| | File extension filter | No |
| Web protection > FTP > Exceptions | Exceptions list | No |
| Web protection > FTP > Advanced | FTP proxy skiplist | No |
| | FTP Servers | No |
| Email protection > SMTP | SMTP | No |
| Email protection > SMTP profiles | SMTP profiles | No |
| Email protection > POP3 | POP3 | No |
| Email protection > Encryption | Encryption | No |
| Email protection > SPX Encryption | SPX Encryption | No |
| Email protection > Quarantine Report | Quarantine report | No |
| Email protection > Mail manager | Mail manager | No |
| Advanced protection > Sophos Sandstorm | Sophos Sandstorm | No |
| Advanced protection > Advanced Threat Protection | Advanced Threat Protection | Yes |
| Wireless protection > Global settings > Global settings | Global settings | No |
| Wireless protection > Global settings > Advanced | Global settings | No |
| Wireless protection > Wireless networks | Wireless networks | No |
| Wireless protection > Access points | Access points | No |
| Wireless protection > Mesh networks | Mesh networks | No |
| Wireless protection > Wireless clients | Wireless clients | No |
| Wireless protection > Hotspots > Hotspots | Hotspots | No |
| Wireless protection > Hotspots > Voucher definition | Voucher definition | No |
| Wireless protection > Hotspots > Advanced | Advanced | No |
| Web server protection > Web appliance firewall | Web appliance firewall | No |
| Web server protection > Reverse authentication | Reverse authentication | No |
| RED management > Global settings | RED global settings | No |
| RED management > [Server] Client management | [Server] Client management | No |
| RED management > [Server] Deployment helper | [Server] Deployment helper | No |
| RED management > [Client] Tunnel management | [Client] Tunnel management | No |
| Site-to-site VPN > Amazon VPC | Amazon VPC | No |
| Site-to-site VPN > Certificate management > Advanced | Regenerate signing CA | No |
| Site-to-site VPN > Ipsec > Local RSA Key | Re-generate local RSA key. | No |
| Site-to-site VPN > IPsec > Advanced | Dead Peer Detection (DPD) | No |
| | CRL handling | No |
| Site-to-site VPN > IPSec > Debug | IKE debugging | No |
| Site-to-site VPN > SSL > Connections | SSL server | No |
| | SSL client | No |
| Site-to-site VPN > SSL > Settings | Server settings | Yes |
| | Virtual IP pool | Yes |
| | Duplicate CN | Yes |
| Site-to-site VPN > SSL > Advanced | Cryptographic settings | Yes |
| | Compression settings | Yes |
| | Debug settings | Yes |
| Remote access > SSL > Profiles | Remote access profiles | No |
| Remote access > SSL > Settings | Server settings | Yes |
| | Virtual IP pool | Yes |
| | Duplicate CN | Yes |
| Remote access > SSL > Advanced | Cryptographic settings | Yes |
| | Compression settings | Yes |
| | Debug settings | Yes |
| Remote access > PPTP > Global | Main settings | Yes |
| Remote access > PPTP > iOS™ devices | iOS™ settings | No |
| Remote access > PPTP > Advanced | Encryption strength | No |
| | Debug mode | No |
| Remote access > L2TP Over IPsec > iOS™ devices | iOS™ settings | No |
| Remote access > L2TP over IPsec > Advanced | IKE debugging | No |
| | L2TP debugging | No |
| Remote access > IPsec > Advanced | Dead Peer Detection (DPD) | No |
| | CRL handling | No |
| Remote access > IPsec > Debug | IKE debugging | No |
| Remote access > HTML5 VPN portal | HTML5 VPN portal | No |
| Remote access > Cisco VPN portal > Global | Server settings | No |
| Remote access > Cisco VPN portal > iOS™ devices | iOS™ settings | No |
| Remote access > Cisco VPN portal > Debug | IKE debugging | No |
9 Appendix E: Install Sophos Migration Assistant on Oracle VM VirtualBox
1. Click New in Oracle VM VirtualBox and enter the following:
• Name: Enter a name for VM.
• Operating system: Select Linux.
• Version: Select Linux 2.6 (64 bit).
2. Set the base virtual memory (vRAM) to 2 GB or higher.
3. Select Create new hard disk to set the start-up disk size:
a) Select File type as VMDK (Virtual machine disk).
b) Set Storage details to Dynamically allocated.
c) Set the disk size to 32 GB or higher.
d) View summary and click Create.
4. Click Settings > Storage > IDE controller > Empty. Select the Sophos Migration Assistant image file (ISO).
a) Click Settings > Network > Adapter 1 and set the following:
• Attached to: Host-only adapter
• Name: Select the host-only adapter from the list.
• Promiscuous mode: Deny
b) Click Settings > Network > Adapter 2 and set the following:
• Attached to: Bridged adapter
• Name: Select the bridged adapter from the list.
• Promiscuous mode: Deny
c) (Optional) Go to Files > Preferences > Network. Click Add.
Enter the IP address and mask, if you have not configured a network in your host system.
5. Click Start to proceed with the installation.
a) Enter y to continue with installation.
b) Remove the ISO file, which you have added.
c) Enter y to restart when prompted after the installation.
6. Enter admin to sign in after installation and to access Sophos Migration Assistant.
7. (Optional) To set a new interface address (update default interface address), log in with the administrator password as discussed earlier.
a) In the console, enter 1 for network configuration.
Sophos Migration Assistant SMAOS 17.0.0. Beta-2
Main menu
1. Network configuration
2. System configuration
3. Device management
4. Device console
5. Shutdown / Reboot
6: Exit
Select menu number [0-5]: 1_
b) Again, enter 1 for interface configuration.
Sophos Migration Assistant SMAOS 17.0.0. Beta-2
Network configuration menu
1. Interface configuration
2. DNS configuration
3. Exit
Select menu number [0-2]: 1_
A screen displaying IP addresses for both Port A and Port B appears.
c) Enter y to proceed and change the IP address.
Sophos Migration Assistant SMAOS 17.0.0. Beta-2
Set IPv4 address (y/n) : No (Enter) > y_
d) Similarly, follow the on-screen instructions for netmask and gateway IP address.
Sophos Migration Assistant SMAOS 17.0.0. Beta-2
Network configuration menu
Network configuration of Ethernet PortA
Current IP address : 172.16.16.16
New IP address : _
To change the default administrator password, you can select option 2 System Configuration from the main menu and proceed with the on-screen instructions.
For other VMs, refer to the following:
• Sophos XG Firewall Virtual Appliance Microsoft Hyper-V: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20Hyper-V.pdf.
• Sophos XG Firewall Virtual Appliance - KVM: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20KVM.pdf.
• Sophos XG Firewall Virtual Appliance XenApp: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20XenApp.pdf.
10 Appendix F: View and resolve exception list
The list of unresolved exceptions with the reason for error or warning is displayed. Exceptions are of two types and must be resolved manually:
• Errors: Conflicts between Sophos SG/UTM and Sophos XG Firewall configurations.
• Warnings: Migrated configuration entities, which pose a connectivity or security risk.
Exception handling
• Click Resolve (appears against errors) against the exception to resolve it.
— Sophos XG Firewall configuration page for the particular entity will be displayed. Details of the exception appear to the far-right.
— Change the configurations to resolve the exception based on your requirement.
• If you are an advanced user, you can update configurations in Preview XG configuration (For advanced users).
• Click Accept (appears against warnings) to accept migration of the entity.
• Click Delete removable exceptions to delete all unreferenced exceptions.
• Click Accept all suggestions to automatically resolve and accept exceptions.
Logs handling
• Click View logs for details of the migrated configuration.
• Click View dropped entities to see and download entities that aren’t migrated.
• Click Download logs if you want to:
— Trace the resolved exceptions for troubleshooting.
— Send them to Sophos Support if you require help.
— Refer to resolved exceptions later in offline mode.
Preview XG configuration (for advanced users)
Preview XG configuration appears for advanced users. Click this to preview and add a configuration in the modules supported for migration. Configuration changes that you make here will be applied in the converted Sophos XG Firewall configuration file.
Click Close preview to go back to configure the exceptions. To filter the logs, select any of the options under Show status:
• Auto-migrated
• Accepted
• Auto-resolved
• Resolved
• Deleted
• Unresolved
• All
11 Appendix G: View dropped entities
Sophos XG Firewall doesn’t support the following entities for migration:
| Categories | Entities |
| Management > SNMP > Traps | SNMP V3 traps and SNMP traps with duplicate IP address. |
| Definitions and Users > Network definitions | |
| Interface address | Auto-generated interface host |
| User/Groups | System generated user or group hosts |
| Any | Hosts with IPv4 address “0.0.0.0” and IPv6 address “::” |
| Definitions and Users > Service definitions | Authentication Header (AH) or Encapsulating Security Payload (ESP) services |
| Definitions and Users > Client authentication | Sophos Transparent Authentication Suite (STAS) collectors with duplicate IP address |
| Interface and routing | Group, 3G/UMTS, DSL (PPPoA/PPTP), and modem (PPP) interface and its alias |
| | Note: One PPPoE interface per hardware is supported. |
| | VLAN over bridge |
| Static routing | Disabled static routes |
| | Unicast blackhole routes |
| | User or group host-based static routes |
| Network services | DNS-O-Matic, DNSdynamic, DNS Park, DtDNS, Dyn custom, FreeDNS, Namecheap, No-IP.com, OpenDNS IP update, selfHOST, STRATO AG. |
| | Unsupported interface of DHCP server and DHCP relay |
| | Multiple DHCP options with same code |
| | Note: One DHCP option with code is supported. Duplicate entries are unsupported. |
| Site-to-Site VPN | User-based certificates and other unreferenced certificates |
12 Notice
Copyright © 2019 Sophos Limited. All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise unless you are either a valid licensee where the documentation can be reproduced in accordance with the license terms or you otherwise have the prior permission in writing of the copyright owner.
Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, Sophos Group and Utimaco Safeware AG, as applicable. All other product and company names mentioned are trademarks or registered trademarks of their respective owners.