Migration guide: Sophos Migration Assistant...Mar 14, 2019 · Migration guide: Sophos Migration Assistant 4 Reimaging and applying configuration Before reimaging the production Sophos

Sophos Migration Assistant

migration guide

ContentsPreface..................................................................................................................................................... 1Prerequisites.............................................................................................................................................2Convert SG/UTM configuration to Sophos XG Firewall-compatible configuration................................... 3Reimaging and applying configuration.....................................................................................................8

Reimage Sophos SG/UTM to Sophos XG Firewall...................................................................... 8Apply Sophos XG Firewall configuration on the reimaged box.................................................... 8

Appendix A: Conversions and limitations................................................................................................ 9Appendix B: Improvements....................................................................................................................11Appendix C: Download UTM configuration............................................................................................12Appendix D: Sophos SG/UTM modules: Migration status.....................................................................13Appendix E: Install Sophos Migration Assistant on Oracle VM VirtualBox............................................23Appendix F: View and resolve exception list.........................................................................................26Appendix G: View dropped entities....................................................................................................... 28Notice......................................................................................................................................................29

(2019/03/14)

Migration guide: Sophos Migration Assistant

1 PrefaceThis guide describes how to migrate from Sophos SG/UTM to Sophos XG Firewall. It enables you todo the following:

• Convert your Sophos SG/UTM configuration (on version 9.4 or later) on SG series and virtual/software appliances to Sophos XG Firewall-compatible configuration (v16 or later).

• Reimage your Sophos SG/UTM appliance toSophos XG Firewall.

• Upload the Sophos SG/UTM license file.

• Upload the converted Sophos XG Firewall configuration file.

Copyright © Sophos Limited 1


2 Prerequisites

Hardware compatibility

• SG: SG series hardware appliances support Sophos XG Firewall.

• UTM appliance: If you have a SG/UTM series appliance, you need to upgrade the hardware.Contact your Sophos Partner or Sophos representative.

• Virtual or Software appliance: Appliances with 2 GB RAM or higher support Sophos XG Firewall.

Firmware version

Sophos Migration Assistant allows you to convert configuration backup for SG/UTM appliances onversion 9.4 or later.

Data backup

• UTM configuration backup. Refer to Appendix C: Download UTM configuration (page 12).

• License file backup

• Logs from your SG/UTM appliance

Number of interfaces

Number of SG/UTM interfaces should not be more than those supported on the Sophos XG Firewallappliance.

2 Copyright © Sophos Limited


3 Convert SG/UTM configurationto Sophos XG Firewall-compatibleconfiguration1. Install Sophos Migration Assistant on a virtual machine. For more information, refer to Appendix E:

Install Sophos Migration Assistant on Oracle VM VirtualBox (page 23).

2. In Oracle VM VirtualBox, click Start and enter “admin” as password to login.

FIRMWARE LOADER (press <enter> to display list of images)

Starting 17_0_0_xxx.Loading firstboot configurationInstalling default configFirstboot completed successfullyPassword: _

3. Go to https://172.16.16.16 and sign in with the following credentials:

• Username: (Default) admin

• Password: (Default) admin

4. Accept the terms of service and then click Next.

5. Click Prepare for UTM migration to begin.

6. (Optional) Go to admin > About product from top right corner of the screen if you want to see theproduct information.


https://172.16.16.16


7. (Optional) Click Firmware management to see and configure the available firmware version.

8. Click Start new migration to start a new migration session.

For previous pending migration sessions, you can manage the following: Continue migration, viewmigration logs, view audit logs, download logs, view dropped entities, and discard migration.

For previous completed migration sessions, you can manage the following: Edit configuration,download migrated configuration, view migrations logs, view audit logs, download logs, viewdropped entities, and delete.



9. Upload the Sophos UTM configuration file.

a) Enter a migration session name and description.

b) Click Browse and upload the Sophos UTM configuration file.

c) Enter password for the Sophos UTM configuration file (if the file is encrypted).

To download the Sophos UTM configuration file, refer to Appendix C: Download UTM configuration(page 12).

10. Click Start migration to start the migration.

Sophos Migration Assistant auto-migrates Sophos UTM configuration for the supported modules.For more information, refer to Appendix D: Sophos SG/UTM modules: Migration status (page13).

11. Click Continue with exception handling to resolve the exceptions.

The number of exceptions (errors or warnings) is displayed. You must resolve these conflictsmanually to complete the migration process. You can skip this step, if you don’t have anyexception.



To view and resolve exceptions, refer to Appendix F: View and resolve exception list (page 26).

12. Click Download migrated config to download the configuration file converted from Sophos SG/UTM to Sophos XG Firewall. The downloaded file will be of “device.backup” file extension.

13. (Optional) Click View dropped entities to view the logs for entities that aren’t migrated.



For more information, refer to Appendix G: View dropped entities (page 28).

14. (Optional) Click Download logs to see the logs for this session.

Conversion of Sophos SG/UTM configuration to Sophos XG Firewall-compatible configuration iscomplete.



4 Reimaging and applying configurationBefore reimaging the production Sophos SG/UTM appliance, it is recommended that you takeadvantage of the free 30-day trial for Sophos XG Firewall. To test the migration and configuration,you can set up a parallel virtual or software instance.

4.1 Reimage Sophos SG/UTM to Sophos XGFirewallAfter you downloaded the Sophos XG Firewall configuration, you need to prepare your SophosSG/UTM device for migration. Reimage your SG/UTM appliance and install Sophos XG Firewallon it. For details, refer to the articles https://community.sophos.com/kb/en-us/126906 and https://community.sophos.com/kb/en-us/124588.

To migrate the Sophos SG/UTM license to Sophos XG Firewall license, you need to upload the UTMconfiguration file on the reimaged Sophos XG Firewall device.

High-availability setups (HA)

If you have an HA setup, re-image both devices and then deploy the migrated configuration toone of the devices. The second device receives its configuration from the migrated device duringsynchronization after the HA configuration. For more information on HA configuration refer to thefollowing guides:

• Active-active: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en.

• Active-passive: https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en.

4.2 Apply Sophos XG Firewall configuration on thereimaged box1. Log in to Sophos XG Firewall Admin Console as administrator with Read-Write permissions for the

relevant features.

2. Go to System > Backup & firmware > Backup & restore.

3. Click Choose file and select the converted Sophos XG Firewall configuration file.

Reimaging and applying configuration is complete. For more administrative configuration, refer toSophos XG Firewall web interface reference and admin guide.


https://community.sophos.com/kb/en-us/126906



https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Active-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket-Guides/Active-Passive-HA-Configuration.pdf?la=en


5 Appendix A: Conversions and limitationsThe following conversions will take place for the entities during migration from Sophos SG/UTM toSophos XG Firewall:

• Maximum character length supported in Sophos XG Firewall is less than that supported in SG/UTM: Value will be trimmed to the upper limit supported in Sophos XG Firewall.

• Duplicate records in SG/UTM (Sophos XG Firewall does not support duplicate records): Uniquenumber will be added as suffix to the name of the entity.

• Value is valid in Sophos SG/UTM but not in Sophos XG Firewall: Value of the entity will be set toits default value in Sophos XG Firewall.

• Entity is not mandatory in Sophos SG/UTM but is mandatory in Sophos XG Firewall: Value of theentity will be its default value in Sophos XG Firewall.

• Firewall rule numbering: In SG/UTM, firewall rules are numbered in the order in which theyare applied to traffic (i.e. according to their priority). In Sophos XG Firewall, firewall rules arenumbered in the order of their creation.

Table 1: Conversion scenarios

SG/UTM Sophos XG Firewall

DHCP lease range:

Interface IP address is in the DHCP lease rangerange

DHCP lease range splits automatically duringmigration

Interface IP address: 23.2.3.3 with netmask 24

DHCP lease range is from 23.2.3.1 to 23.2.3.254 DHCP lease range splits into: 23.2.3.1 to 23.2.3.2and 23.2.3.4 to 23.2.3.254

Host MAC address:

Host 1 has two MAC addresses:11:22:aa:bb:33:12 and 32:32:aa:bb:12:11

Host 1 has only one MAC address:11:22:aa:bb:33:12

Host 2 has two MAC addresses:22:A2:33:08:12:AA and 32:32:aa:bb:12:11

Host 2 has only one MAC address:22:A2:33:08:12:AA

You can’t configure all fields automatically. For example, some settings are mandatory in SophosXG Firewall, but not in SG/UTM. These will generate an exception. You need to resolve them whenhandling exceptions. Examples:

• “Hostname” must not contain a space or special character.

• VLAN on bridge interfaces are not supported by Sophos XG Firewall.

• Static IP-MAC binding in the range of DHCP IP scope is not supported by Sophos XG Firewall.

• SNMP: Location is mandatory in Sophos XG Firewall.

• IPv6 in L2TP is not supported in Sophos XG Firewall.

• “Group attribute” in RADIUS server configuration is mandatory in Sophos XG Firewall.

• Maximum allowed FQDN entries: 1024.



NoteTo remove unreferenced FQDN entries, use Delete all exceptions. Resolve referencedentries manually, using Preview XG configuration.



6 Appendix B: Improvements

Improvements: MR1

• Profiles that are configured with a single event schedule will be migrated for All days of the week.

• For all web categories, the Override Default Notification page will be disabled.

• System zone configured under Network > Zone is migrated as is.

• When you delete a VLAN host in Sophos XG Firewall, the VLAN host-based firewall rules aredeleted.

• Special characters in DHCP server hostname are replaced with “_”.



7 Appendix C: Download UTMconfiguration1. Sign in to Sophos UTM Web Admin console.

2. In Management, click Backup/Restore.

3. In Create Backup, click Create backup now.

Migration is supported only on full backups. Do not select the following options while creatingbackups:

• Unique site data (License, passwords, certificates/keys, endpoints)

• Administrative mail addresses

Available backups will appear in a list.

4. Click the download button to download the configuration file.

5. Click Download backup to download the configuration file.

The downloaded configuration file will have “.abf” file extension.

NoteIf you select Encrypt before downloading, the configuration file will have “.ebf” extension.



8 Appendix D: Sophos SG/UTM modules:Migration statusFor the current release, the following components from the Firewall section are not supported formigration:

• SUM user-created firewall rules.

• SUM automatic firewall rules.

• Automatic firewall rules.

Section Sub-section Is migrated?

System settings Organizational No

Hostname Yes

Shell access No

Scan settings No

Scan settings > Antivirus enginePreferences

Yes

Scan settings > Advanced threatprotection options

No

Scan settings > Antispamengine preferences

No

Reset configuration No

WebAdmin settings General > WebAdmin language No

General > WebAdmin accessconfiguration

Yes

Access control > Role No

User preferences No

Licensing Licensing No

Up2Date Overview No

Configuration No

Advanced No

Backup/Restore Backup/Restore No

Automatic backups Yes

User portal Global No

Advanced > Language No

Advanced > Security No

Advanced > Disable portal items No

Advanced > Network settings No




Advanced > Welcome message No

Notifications Global Yes

Notifications No

Advanced No

Customization Global > Company logo No

Global > Custom company text No

Web messages > End usermessages

No

Web messages > administratorinformation

No

Web templates No

Email messages No

SNMP Query Yes

Traps Yes

Central Management Sophos UTM Manager No

Sophos Mobile Control Sophos Mobile Control No

HA / Auto-scaling Configuration No

Definition & users > Servicedefinitions

ESP No

AH No

Definition & users > Users &groups > Users

Local No

None No

Remote No

Definition & users > Users &groups > Groups

Static members No

IPsec X509 DN mask No

Backend membership No

Definition & users >Authentication Services

Global settings (Automatic usercreation)

No

Single sign-on No

Definition & users >Authentication services > OTP

OTP tokens No

OTP settings No

Definition & users >Authentication services >Advanced

Active Directory groupMembership synchronization

No

Prefetch directory users No




Definition & users > Clientauthentication

Client authentication options No

Other No

Interfaces & routing > Interfaces> Interfaces

PPPOA/PPTP No


3G/UMTS No


Modem (PPP) No


Ethernet bridge Yes


DSL (PPPoE) Yes


Group No

Interfaces & routing > Interfaces> Link aggregation

Link aggregation Yes

Interfaces & routing > Interfaces> Multi-path rules

Multi-path rules No

Interfaces & routing > Interfaces Status No

Interfaces & routing > QoS Status No

Interfaces & routing > QoS >Traffic selector

Traffic selector No

Application selector No

Group No

Interfaces & routing > QoS >Bandwidth pool

Bandwidth pool No

Interfaces & routing > QoS >Download throttling

Download throttling No

Interfaces & routing > QoS >Advanced

Advanced No

Interfaces & routing > Uplinkmonitoring

Global No

Interfaces & routing > Uplinkmonitoring > Actions

IPsec tunnel No

Interfaces & routing > Uplinkmonitoring > Actions

Additional address No

Interfaces & routing > IPv6 Global No

Renumbering No

6to4 No

Tunnel broker No




Interfaces & routing > Staticrouting > Standard static routes

Blackhole route No

Interfaces & routing > Policyroutes

Interface route Yes

Gateway route Yes

Interfaces & routing > Dynamicrouting (OSPF)

Global No

Area > Normal No

Area > Stub No

Area > NSSA No

Area > Stub - No summary No

Area > NSSA - No summary No

Interfaces No

Message digests No

Debug No

Advanced (Redistribution) No

Interfaces & routing > BGP Global No

Systems No

Neighbor No

Route map No

Filter list No

Advanced No

Interfaces & routing > Multicastrouting (PIM SM)

Routes > Gateway route No

Routes > Interface route No

Advanced No

Network services > DNS Global No

Static entries Yes

Network services > DHCP DHCPv6 relay No

Static mappings Yes

IPv4 lease table No

IPv6 lease table No

Network services > NTP Server status No

NTP Options No

Network protection > Firewall >Country blocking

Country blocking No




Network protection > Firewall >Country blocking exceptions

Country blocking exceptions No

Network protection > Firewall >ICMP

Global ICMP settings No

Ping settings No

Traceroute settings No

Network protection > Firewall >Advanced

Connection tracking helpers No

Protocol handling No

Logging options No

Network protection > NAT >Masquerading

Masquerading No

Network protection > NAT >NAT > Rule

SNAT (source) No

DNAT (destination) No

1:1 NAT (whole networks) No

Full NAT (source + destination) No

No NAT No

Network protection > Intrusionprevention > Global

Global IPS settings No

Network protection > Intrusionprevention > Attack patterns

Attack patterns No

Network protection > Intrusionprevention > Anti-DoS/Flooding

TCP SYN flood protection Yes

UDP flood protection Yes

ICMP flood protection Yes

Network protection > Intrusionprevention > Anti-port scan

Portscan detection No

Network protection > Intrusionprevention > Exceptions

Exceptions No

Network protection > Intrusionprevention > Advanced

Pattern set optimization No

Manual rule modification No

Performance tuning No

Network protection > Serverload balancing > Balancing rules

Check type: TCP No

Check type: UDP No

Check type: Ping No

Check type: HTTP Host No




Check type: HTTPS Host No

Network protection > VoIP > SIP Global SIP settings No

Network protection > VoIP >H.323

Global H.323 settings No

Network protection > Advanced> Generic proxy

Generic proxy No

Network protection > Advanced> Socks proxy

SOCKS proxy options No

Network protection > Advanced> Ident reverse proxy

Global settings No

Web protection > Web filtering >Global

Default web filter profile No

Web protection > Web filtering >HTTP

HTTPS scan settings No

Web protection > Web filtering >policies

Active policies No

Web protection > Web filterprofiles > Filter profiles

Web filter profiles No

HTTPS No

Policies No

Web protection > Filteringoptions > Exceptions

Exceptions list No

Web protection > Filteringoptions > Websites

Websites No

Web protection > Filteringoptions > Bypass users

Bypass blocking No

Web protection > Filteringoptions > PUAs

Potentially unwantedapplications authorization

No

Web protection > filteringoptions > Categories

Filter category list No

Web protection > Filteringoptions > HTTPS CA

Signing CA No

Verification CAs No

Web protection > Filteringoptions > MISC

Misc settings No

Transparent mode skiplist No

Proxy auto configuration No

URL categorization parent proxy No

Web caching No

Streaming settings No




Transparent mode ActiveDirectory single sign-on

No

Apple OpenDirectory singlesign-on

No

Certificate for end user pages No

Pharming protection No

Web protection > Policyhelpdesk > Policy test

Request details No

Web protection > Policyhelpdesk > Quota status

Quota status No

Web protection >Applicationcontrol > Network visibility

Flow monitor No

Web protection > Applicationcontrol > Application controlrules

Application control rules No

Web protection > Applicationcontrol > Advanced

Application control skiplist No

Web protection > FTP > Global FTP settings No

Web protection > FTP >Antivirus

Antivirus scanning No

File extension filter No

Web protection > FTP >Exceptions

Exceptions list No

Web protection > FTP >Advanced

FTP proxy skiplist No

FTP Servers No

Email protection > SMTP SMTP No

Email protection > SMTPprofiles

SMTP profiles No

Email protection > POP3 POP3 No

Email protection > Encryption Encryption No

Email protection > SPXEncryption

SPX Encryption No

Email protection > QuarantineReport

Quarantine report No

Email protection > Mail manager Mail manager No

Advanced protection > SophosSandstorm

Sophos Sandstorm No

Advanced protection >Advanced Threat Protection

Advanced Threat Protection Yes




Wireless protection > Globalsettings > Global settings

Global settings No

Wireless protection > Globalsettings > Advanced

Global settings No

Wireless protection > Wirelessnetworks

Wireless networks No

Wireless protection > Accesspoints

Access points No

Wireless protection > Meshnetworks

Mesh networks No

Wireless protection > Wirelessclients

Wireless clients No

Wireless protection > Hotspots >Hotspots

Hotspots No

Wireless protection > Hotspots >Voucher definition

Voucher definition No

Wireless protection > Hotspots >Advanced

Advanced No

Web server protection > Webappliance firewall

Web appliance firewall No

Web server protection >Reverse authentication

Reverse authentication No

RED management > Globalsettings

RED global settings No

RED management > [Server]Client management

[Server] Client management No

RED management > [Server]Deployment helper

[Server] Deployment helper No

RED management > [Client]Tunnel management

[Client] Tunnel management No

Site-to-site VPN > Amazon VPC Amazon VPC No

Site-to-site VPN > Certificatemanagement > Advanced

Regenerate signing CA No

Site-to-site VPN > Ipsec > LocalRSA Key

Re-generate local RSA key. No

Site-to-site VPN >IPsec >Advanced

Dead Peer Detection (DPD) No

CRL handling No

Site-to-site VPN > IPSec >Debug

IKE debugging No

Site-to-site VPN > SSL >Connections

SSL server No




SSL client No

Site-to-site VPN > SSL >Settings

Server settings Yes

Virtual IP pool Yes

Duplicate CN Yes

Site-to-site VPN > SSL >Advanced

Cryptographic settings Yes

Compression settings Yes

Debug settings Yes

Remote access > SSL > Profiles Remote access profiles No

Remote access > SSL >Settings

Server settings Yes

Virtual IP pool Yes

Duplicate CN Yes

Remote access > SSL >Advanced

Cryptographic settings Yes

Compression settings Yes

Debug settings Yes

Remote access > PPTP >Global

Main settings Yes

Remote access > PPTP > iOS™devices

iOS™ settings No

Remote access > PPTP >Advanced

Encryption strength No

Debug mode No

Remote access > L2TP OverIPsec > iOS™ devices

iOS™ settings No

Remote access > L2TP overIPsec > Advanced

IKE debugging No

L2TP debugging No

Remote access > IPsec >Advanced

Dead Peer Detection (DPD) No

CRL handling No

Remote access > IPsec >Debug

IKE debugging No

Remote access > HTML5 VPNportal

HTML5 VPN portal No

Remote access > Cisco VPNportal > Global

Server settings No




Remote access > Cisco VPNportal > iOS™ devices

iOS™ settings No

Remote access > Cisco VPNportal > Debug

IKE debugging No



9 Appendix E: Install Sophos MigrationAssistant on Oracle VM VirtualBox1. Click New in Oracle VM VirtualBox and enter the following:

• Name: Enter a name for VM.

• Operating system: Select Linux.

• Version: Select Linux 2.6 (64 bit).

2. Set the base virtual memory (vRAM) to 2 GB or higher.

3. Select Create new hard disk to set the start-up disk size:

a) Select File type as VMDK (Virtual machine disk).

b) Set Storage details to Dynamically allocated.

c) Set the disk size to 32 GB or higher.

d) View summary and click Create.

4. Click Settings > Storage > IDE controller > Empty. Select the Sophos Migration Assistant imagefile (ISO).

a) Click Settings > Network > Adapter 1 and set the following:

• Attached to: Host-only adapter

• Name: Select the host-only adpater from the list.

• Promiscuous mode: Deny

b) Click Settings > Network > Adapter 2 and set the following:

• Attached to: Bridged adapter

• Name: Select the bridged adpater from the list.

• Promiscuous mode: Deny

c) (Optional) Go to Files > Preferences > Network. Click Add.

Enter the IP address and mask, if you have not configured a network in your host system.

5. Click Start to proceed with the installation.

a) Enter y to continue with installation.

b) Remove the ISO file, which you have added.

c) Enter y to restart when prompted after the installation.

6. Enter admin to sign in after installation and to access Sophos Migration Assistant.

7. (Optional) To set a new interface address (update default interface address), log in with theadministrator password as discussed earlier.



a) In console, Enter 1 for network configuration.

Sophos Migration Assistant SMAOS 17.0.0. Beta-2Main menu 1. Network configuration 2. System configuration 3. Device management 4. Device console 5. Shutdown / Reboot 6: Exit Select menu number [0-5]: 1_

b) Again, enter 1 for interface configuration.

Sophos Migration Assistant SMAOS 17.0.0. Beta-2Network configuration menu

1. Interface configuration 2. DNS configuration 3. Exit Select menu number [0-2]: 1_

A screen displaying IP addresses for both Port A and Port B appears.

c) Enter y to proceed and change the IP address.

Sophos Migration Assistant SMAOS 17.0.0. Beta-2

Set IPv4 address (y/n) : No (Enter) > y_

d) Similarly, follow the on-screen instructions for netmask and gateway IP address.

Sophos Migration Assistant SMAOS 17.0.0. Beta-2

Network configuration menu

Network configuration of Ethernet PortA

Current IP address : 172.16.16.16 New IP address : _

To change the default administrator password, you can select option 2 System Configuration from themain menu and proceed with the on-screen instructions.

For other VMs, refer to the following:

• Sophos XG Firewall Virtual Appliance Microsoft Hyper-V: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20Hyper-V.pdf.

• Sophos XG Firewall Virtual Appliance - KVM: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20KVM.pdf.


http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20Hyper-V.pdf



http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20KVM.pdf




• Sophos XG Firewall Virtual Appliance XenApp: http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20XenApp.pdf.


http://docs.sophos.com/nsg/sophos-firewall/vm-guides/Sophos%20XG%20Firewall%20Virtual%20Appliance%20-%20Getting%20Started%20Guide%20-%20XenApp.pdf




10 Appendix F: View and resolveexception listThe list of unsolved exceptions with the reason for error or warning is displayed. Exceptions are oftwo types and must be resolved manually:

• Errors: Conflicts between Sophos SG/UTM and Sophos XG Firewall configurations.

• Warnings: Migrated configuration entities, which pose a connectivity or security risk.

Exception handling

• Click Resolve (appears against errors) against the exception to resolve it.

— Sophos XG Firewall configuration page for the particular entity will be displayed. Details ofthe exception appear to the far-right.

— Change the configurations to resolve the exception based on your requirement.

• If you are an advanced user, you can update configurations in Preview XG configuration (Foradvanced users).

• Click Accept (appears against warnings) to accept migration of the entity.

• Click Delete removable exceptions to delete all unreferenced exceptions.

• Click Accept all suggestions to automatically resolve and accept exceptions.

Logs handling

• Click View logs for details of the migrated configuration.

• Click View dropped entities to see and download entities that aren’t migrated.

• Click Download logs if you want to:

— Trace the resolved exceptions for troubleshooting.



— Send them to Sophos Support if you require help.

— Refer to resolved exceptions later in offline mode.

Preview XG configuration (for advanced users)

Preview XG configuration appears for advanced users. Click this to preview and add a configurationin the modules supported for migration. Configuration changes that you make here will be applied inthe converted Sophos XG Firewall configuration file.

Click Close preview to go back to configure the exceptions. To filter the logs, select any of theoptions under Show status:

• Auto-migrated

• Accepted

• Auto-resolved

• Resolved

• Deleted

• Unresolved

• All



11 Appendix G: View dropped entitiesSophos XG Firewall doesn’t support the following entities for migration:

Categories Entities

Management > SNMP > Traps SNMP V3 traps and SNMP traps with duplicate IPaddress.

Definitions and Users > Network definitions

Interface address Auto-generated interface host

User/Groups System generated user or group hosts

Any Hosts with IPv4 address “0.0.0.0” and IPv6 address“::”

Definitions and Users > Service definitions Authentication Header (AH) or EncapsulatingSecurity Payload (ESP) services

Definitions and Users > Client authentication Sophos Transparent Authentication Suite (STAS)collectors with duplicate IP address

Interface and routing Group, 3G/UMTS, DSL (PPPoA/PPTP), and modem(PPP) interface and its alias

NoteOne PPoE interface per hardware is supported.

VLAN over bridge

Static routing Disabled static routes

Unicast blackhole routes

User or group host-based static routes

Network services

DNS-O-Matic, DNSdynamic, DNS Park, DtDNS,Dyn custom, FreeDNS, Namecheap, No-IP.com,OpenDNS IP update, selfHOST, STRATO AG.

Unsupported interface of DHCP server and DHCPrelay

Multiple DHCP options with same code

NoteOne DHCP option with code is supported.Duplicate entries are unsupported.

Site-to-Site VPN User-based certificates and other unreferencedcertificates



12 NoticeCopyright © 2019 Sophos Limited. All rights reserved. No part of this publication may be reproduced,stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical,photocopying, recording or otherwise unless you are either a valid licensee where the documentationcan be reproduced in accordance with the license terms or you otherwise have the prior permissionin writing of the copyright owner.

Sophos, Sophos Anti-Virus and SafeGuard are registered trademarks of Sophos Limited, SophosGroup and Utimaco Safeware AG, as applicable. All other product and company names mentionedare trademarks or registered trademarks of their respective owners.


Documents

Migration guide: Sophos Migration Assistant...Mar 14, 2019 · Migration guide: Sophos Migration Assistant 4 Reimaging and applying configuration Before reimaging the production Sophos