Migrating external interface from one port to another
Our XTM535 is configured with three external providers, set up on interfaces 0, 1, and 4. We have two Trusted networks set up on 2 and 3. We recently upgraded the bandwidth with our provider on interface 0 from 100Mbps to 250Mbps. We realized pretty quickly that interface 0 is not a gigabit port and we cannot reap the full bandwidth of the connection.
We want to migrate our interface 0 connection to our unused interface 5 port. Through the WatchGuard Policy Manager, we can disable the current interface 0 and add all the settings to the new port setup, but we have an issue where it removes all of our SNATs. We have fifty or so SNATs and many policies attached to them. Is there a way to migrate to another port without having to recreate all these SNATs and add them back to the policies? We are afraid we could possibly make a mistake or even miss some in the process.
Comments
There is no way to do this using either Policy Manager or the Web UI.
You can edit the .xml file with an editor such as Notepad++, and make careful changes. This is not supported by WG.
Should you choose to edit the config file, make sure that you keep a good copy of your current running config.
Use Policy Manager to open the changed config, review everything, and then try saving it to the firewall.
Look for nat-list in the config - surrounded by less than and greater than chars *.
You will see each SNAT listed - look for the interface entry - surrounded by less than and greater than chars *.
Change the interface name from the old one to the new one.
*Note - because of this forum having Markdown enabled by default, one can't enter a number of special characters in text strings as they are interpreted as Markdown expressions.
In the interface-list section would it be possible to just change
<if-dev-name>eth0</if-dev-name>
to eth5 and keep all the attributes the same? Are there other attributes that would have to change as well?
I believe just changing to eth5 should work.
Give it a try.
You can then check out the results in Policy Manager - just open the modified config, and check everything out.
If all looks OK, give it a try - preferably during off hours.
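The two edits described above (rebinding each nat-list SNAT's interface entry to the new interface, or changing if-dev-name in the interface-list) can be applied with a script instead of by hand in an editor, which also makes it easy to list every reference to the old interface that still needs a look. The following Python script is an added example for this thread, not code from WatchGuard or from the posters. Only the element names nat-list, interface, if-dev-name and interface-list come from the thread; the rest of the sample document, the policy-list section and the XPath strings are assumptions about the layout and must be checked against a real exported .xml before it is run on one.

```python
"""Bulk-edit interface references in a WatchGuard-style XML config.

Added example for this thread, not WatchGuard code. The element names
nat-list, interface, if-dev-name and interface-list come from the thread;
everything else in SAMPLE_CONFIG is an assumed layout, so check the XPath
strings below against a real exported .xml before running it on one.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout (not a real WatchGuard export).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<profile>
  <interface-list>
    <interface><name>External</name><if-dev-name>eth0</if-dev-name></interface>
    <interface><name>Trusted</name><if-dev-name>eth2</if-dev-name></interface>
    <interface><name>Ext5</name><if-dev-name>eth5</if-dev-name></interface>
  </interface-list>
  <nat-list>
    <nat><name>snat-web</name><interface>External</interface><to>10.0.0.5</to></nat>
    <nat><name>snat-mail</name><interface>External</interface><to>10.0.0.6</to></nat>
    <nat><name>snat-backup</name><interface>Ext1</interface><to>10.0.0.7</to></nat>
  </nat-list>
  <policy-list>
    <policy><name>HTTP-in</name><from>External</from></policy>
  </policy-list>
</profile>
"""


def parse_config(xml_text):
    """Parse the config text and return its root element."""
    return ET.fromstring(xml_text)


def retarget_snats(root, old_if, new_if):
    """Rebind every SNAT in nat-list whose interface entry is old_if to new_if.

    Refuses to proceed if new_if is not defined in interface-list, so no SNAT
    ends up bound to an interface that does not exist in the config.
    """
    names = {i.findtext("name", "").strip()
             for i in root.iterfind("./interface-list/interface")}
    if new_if not in names:
        raise KeyError(f"interface {new_if!r} not in interface-list")
    changed = 0
    for entry in root.iterfind("./nat-list/nat/interface"):
        if (entry.text or "").strip() == old_if:
            entry.text = new_if
            changed += 1
    return changed


def swap_device(root, if_name, new_dev):
    """Alternative approach: keep the interface name, change its if-dev-name.

    Returns the previous device name. Raises ValueError if another interface
    already uses new_dev (two entries on one port would be an invalid config).
    """
    target = None
    for iface in root.iterfind("./interface-list/interface"):
        dev = iface.find("if-dev-name")
        if iface.findtext("name", "").strip() == if_name:
            target = dev
        elif dev is not None and (dev.text or "").strip() == new_dev:
            raise ValueError(f"{new_dev} already used by {iface.findtext('name')}")
    if target is None:
        raise KeyError(if_name)
    old_dev, target.text = target.text, new_dev
    return old_dev


def find_references(root, value):
    """Paths of every element whose text equals value: the leftovers to review by hand."""
    hits = []

    def walk(elem, path):
        if (elem.text or "").strip() == value:
            hits.append(path)
        for child in elem:
            walk(child, f"{path}/{child.tag}")

    walk(root, root.tag)
    return hits


def migrate_text(xml_text, old_if, new_if):
    """Retarget SNATs and report remaining references; returns (xml, changed, leftovers)."""
    root = parse_config(xml_text)
    changed = retarget_snats(root, old_if, new_if)
    return ET.tostring(root, encoding="unicode"), changed, find_references(root, old_if)


if __name__ == "__main__":
    # Usage: python migrate_if.py config.xml OLD NEW  (writes config.xml.bak first)
    if len(sys.argv) == 4:
        path, old_if, new_if = sys.argv[1:]
        shutil.copy2(path, path + ".bak")  # keep a copy of the running config
        with open(path, encoding="utf-8") as fh:
            new_xml, n, left = migrate_text(fh.read(), old_if, new_if)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write('<?xml version="1.0"?>\n' + new_xml)
    else:
        new_xml, n, left = migrate_text(SAMPLE_CONFIG, "External", "Ext5")
    print(f"{n} SNAT(s) retargeted; still referencing the old name: {left}")
```

ElementTree discards XML comments when it parses, so diff the rewritten file against the .bak before opening it in Policy Manager. The leftover list is the useful part: it catches the references the script was not told about (the interface's own name entry, policies that name the interface, secondary addresses), which is exactly the class of thing that goes missing when the change is made by hand.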
I don’t know if all of your SNATs are set from Any-External or have a more specific setup, but I have done this with Policy Manager to move my single ISP connection from interface 0 to a different interface or to prep for a new ISP connection with minimal downtime. After saving the new config, it only requires moving the network cable from Int0 to IntX.
SNATs by default are set as from Any-External and the 0 interface is named External. To keep things clear in my head (not an easy task!) and to make FSM traffic monitor more clear, I named my "External" interface (Spectrum DHCP service) to "Int0-Ext-Spectrum" and then chose an available interface (#4 for this example) and named it "Int4-Ext-FiOS" and set it to type of External, using DHCP as does my Int0 interface. That name change is for changing ISPs. If I just wanted to get a faster interface and keep my Spectrum ISP, I would name it "Int4-Ext-Spectrum". With static IP addresses, you would have to change Int0’s IP and gateway to something else so that you could put those settings onto the new IntX interface.
I then went to each SNAT that applies to the Any-External interface and changed it to be from "Int4-Ext-FiOS" interface (or "Int4-Ext-Spectrum" if only needed for changing to a Gigabit interface). Then I saved that config to the box, moved the cable to Int4, and verified I still had Internet access. With Spectrum, I have to reboot my cable modem because it locks onto the MAC address of the connection. I only have four SNATs, but you could skip that step. In your case, you would rename whatever the Int0 interface is, then change whatever SNATs apply to that interface. You would change whatever SNATs apply to Int0 and make them from IntX.
Once confirmed working, I go back and set Int0 to DHCP.
Gregg Hill
We moved the policies that referenced the external interface to any-external; that seemed to work for the policies. I think the SNATs were removed because we have IP addresses added on the Secondary tab for that interface that are used in the SNATs. It looks like it is going to work; it seems like there are a few references to the interface that we will be replacing that we will have to remove.