Migration from T30 to T40

I will be doing an onsite migration from a T30 to a T40 next week.
Should it be as simple as uploading the T30 config to the T40 and going from there?
Or are there some things I need to be aware of?
The current T30 has dual WAN with failover configured, along with mobile VPN set up for about 15 users.

Comments

  •

    You also need to change the model info & the Feature key.

    Review this:
    Move a Configuration to a New Firebox
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/config_file_use_new_model_wsm.html

  •
    edited March 2022

    While not strictly necessary, I would make sure that the T30 is at Fireware v12.5.9 Update 2 so that it has the latest Fireware and the Cyclops Blink protection when it is taken offline.

    Use Policy Manager, export the config from the T30, remove the feature key and replace it with the T40 key, adjust the system type, adjust the OS Compatibility level to match what the T40 runs.

    Gregg Hill

  •

    So this FB is very out of date, I will have to upgrade it first.
    I guess I am a little confused with the order of things.
    Do I connect the new T40 to my computer, get it setup with the latest software, firmware and register it?
    Then upload the XML file from the T30 and then save the config from the T30 to the T40?
    The existing T30 is running 11.x of the WG firmware. I am going to upgrade it to the latest ASAP. It was never connected to WG Cloud, but I think I might leave it running for a week before doing the migration to make sure there aren't any issues. Thoughts?

  •
    1. register the new firewall
    2. run the QuickSetup on it
    3. import the .xml config file from the T30 into WSM Policy Manager
    4. change the model number & import the new Feature Key for the T40
    5. upload the modified config to the T40

    re. the T30 - review the upgrade info in the v12.5.9 Update 2 Release Notes prior to attempting any upgrades.

  •

    Thanks Bruce, it's on 11.10.7 and they don't use certificates, so I think everything should be OK.

  •

    The release notes state the following warning:

    Before you upgrade to Fireware v12.x, your Firebox must be running:

    • Fireware XTM v11.7.5
    • Fireware XTM v11.8.4
    • Fireware XTM v11.9 or higher

    You said that you have 11.10.7, so it should be a straight shot to go Fireware v12.5.9 Update 2 so that it has the latest Fireware and the Cyclops Blink protection when it is taken offline. You don't HAVE to do the Fireware v12.5.9 Update 2 upgrade first, but why not do it? I had one old XTM 25 running 11.7.3 that had to be upgraded to 11.7.5 first, then it was a clean shot to the Fireware 12.1.3 Update 8 available for it. An XTM running 11.9.4 was also a clean shot update to Fireware 12.1.3 Update 8. Going from your 11.10.7 should be fine.

    Then do what Bruce outlined. I use a laptop to prep my new Fireboxes.

    Gregg Hill
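    The minimum-version rule Gregg quotes from the release notes (11.7.5, 11.8.4, or 11.9 and higher before any 12.x upgrade), written out as an added example check. This is not code from the thread or from WatchGuard; it treats 11.7.5 and 11.8.4 as the exact versions named in the quoted list (an assumption, since the notes could also mean "or later" on those branches) and ignores a trailing "Update N" suffix when comparing.

```python
"""Added example: decide whether a Firebox's current Fireware XTM version
satisfies the quoted prerequisite for upgrading to Fireware v12.x.

Rule as quoted from the release notes in the thread:
  - Fireware XTM v11.7.5
  - Fireware XTM v11.8.4
  - Fireware XTM v11.9 or higher
Assumption: 11.7.5 and 11.8.4 are exact versions; 11.9+ is an open range.
"""

# Exact 11.x versions the notes list (assumed exact, see docstring).
EXACT_OK = {(11, 7, 5), (11, 8, 4)}
# Everything from 11.9 upward on the 11.x branch is allowed.
OPEN_FROM = (11, 9)


def parse_version(text):
    """'11.10.7' -> (11, 10, 7); '12.1.3 Update 8' -> (12, 1, 3).

    Only the dotted numeric head is compared; an 'Update N' suffix does not
    change the base version and is dropped.
    """
    head = text.strip().split()[0]
    return tuple(int(part) for part in head.split("."))


def can_upgrade_to_12(version_text):
    """True if a box on this version may go straight to a 12.x release."""
    v = parse_version(version_text)
    if v[0] >= 12:
        return True            # already on 12.x; nothing to gate
    if v[0] < 11:
        return False           # pre-11 XTM: not covered by the quoted rule
    if v in EXACT_OK:
        return True            # 11.7.5 / 11.8.4 named explicitly
    return v[:2] >= OPEN_FROM  # 11.9 or higher


if __name__ == "__main__":
    for ver in ("11.10.7", "11.7.3", "11.7.5", "11.8.2", "11.9.4", "12.1.3 Update 8"):
        print(f"{ver:>18}: {'ok' if can_upgrade_to_12(ver) else 'upgrade to a listed 11.x first'}")
```

    This mirrors the cases Gregg describes: the 11.7.3 XTM 25 fails the check and needs 11.7.5 first, while 11.9.4 and the poster's 11.10.7 pass.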

  •

    So I haven't done a migration like this in a number of years. Do I have to connect the new T40 up to an actual internet connection to set it up initially?

  •

    No.
    Helpful to have the Feature Key downloaded so that you can paste it in the config in Policy Manager.

  •

    I just realized this is a trade up, am I still able to configure the T40 prior to deploying it to replace the T30?

  •

    Yes

  •

    What happens to my old product when I activate a trade up product?
    https://techsearch.watchguard.com/KB?type=Article&SFDCID=kA10H000000g2tXSAQ&lang=en_US

  •
    edited March 2022

    I am trying to run the QuickSetup without an internet connection, but I can't get past the part where it wants external DNS servers and tries to communicate with them. How do I get past this?

  •

    I found a way around the DNS issue

  •

    I am trying to save the config from the T30 to the T40, but it's telling me it does not support policy-based routing. I have gone through all the rules and turned off policy-based routing, but it's still giving me the error.

  •

    In Policy Manager -> Setup -> OS Compatibility, what version is selected?
    Try "12.6 or higher" and see if that helps.

  •

    that is what I have it set to

  •

    Try changing 1 of your WAN interfaces to disabled and see what you get.

  •

    So this is a dual wan/failover setup, disabling one of my WAN interfaces gives me an error due to the failover config, I'll see if I can disable that and if it will let me upload it.

  •
    edited March 2022

    You can open a saved .xml file in a text editor, such as Notepad or Wordpad, and look for

    "policy-routing-list" (no quotes), preceded by a less-than sign and followed by a greater-than sign. (This forum screws up special characters in posts, thus the need to spell out the special characters instead of showing them. Damn Markdown enabled by default!!!!)

    In this list will be the names of policies which have PBR or SD-WAN selected.

    Don't modify the .xml file, just look at it.
    Hopefully this will help.

  •

    Thanks Bruce, I will take a look. I have a call in to WG support; hopefully I won't have to wait long onsite for a callback.

  •

    I got the T40 deployed and I am testing a remote user using the SSL VPN
    They connected and were prompted to upgrade their VPN client, which they did; however, now when they connect they cannot ping their main server across the VPN, either by hostname or IP. They can, however, ping the WG via IP. What could be blocking their access to the server? I see nothing in the traffic logs. Still waiting for a call back from WG support.

  •

    You can turn on Logging on the "Allow SSLVPN-Users" policy to see packets allowed by it in Traffic Monitor.

    No idea without more info.
    No denies in Traffic Monitor from the user's SSLVPN connection IP addr?

  •

    Also, for others, what allowed you to get past the Policy Based Routing issue?

  •

    It turned out that I had to disable SD-WAN routing on the SSLVPN-Users policy; once that was turned off it worked. Thanks for all your help and suggestions, they are very much appreciated.

  •

    SD-WAN should only be applied to outgoing-to-the-Internet policies.
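    Bruce's two points above, that the saved .xml lists the PBR/SD-WAN policies under a policy-routing-list element and that SD-WAN belongs only on outgoing-to-the-Internet policies, combined into one added example script. It is not the thread's or WatchGuard's code: the only element name taken from the thread is policy-routing-list; the per-policy tags (abs-policy, name, to) and the embedded sample config are assumptions constructed for this illustration, and the script only reads the file, never modifies it, as Bruce advises.

```python
"""Added example: read a saved Fireware .xml and report which policies have
PBR / SD-WAN selected, then flag any of them whose destination is not an
external alias (the mistake that caused the SSLVPN-Users policy to block the
config upload in this thread).

Assumptions (NOT taken from a real export): policies live in <abs-policy>
elements carrying <name> and <to>; the "policy-routing-list" element name is
the one Bruce quotes. Adjust the tag names to match your own export.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample, NOT a real Firebox export. Two policies are in the
# routing list; "Allow SSLVPN-Users" goes to Trusted, so SD-WAN on it is wrong.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<profile>
  <abs-policy-list>
    <abs-policy><name>HTTP-proxy-00</name><to>External</to></abs-policy>
    <abs-policy><name>Allow SSLVPN-Users</name><to>Trusted</to></abs-policy>
    <abs-policy><name>Outgoing</name><to>External</to></abs-policy>
  </abs-policy-list>
  <policy-routing-list>
    <policy-routing><name>HTTP-proxy-00</name></policy-routing>
    <policy-routing><name>Allow SSLVPN-Users</name></policy-routing>
  </policy-routing-list>
</profile>
"""

# Aliases treated as "the Internet". Assumed; add your WAN aliases here.
EXTERNAL_ALIASES = ("External",)


def pbr_policies(xml_text):
    """Names listed under every <policy-routing-list> in document order.

    iter() walks the subtree, so the exact nesting below the list element
    does not matter; any <name> under it is taken as a policy name.
    """
    root = ET.fromstring(xml_text)
    names = []
    for routing_list in root.iter("policy-routing-list"):
        for name in routing_list.iter("name"):
            if name.text and name.text.strip():
                names.append(name.text.strip())
    return names


def policy_destinations(xml_text):
    """Map policy name -> destination alias, from the (assumed) <abs-policy> tags."""
    root = ET.fromstring(xml_text)
    dests = {}
    for policy in root.iter("abs-policy"):
        name = policy.findtext("name")
        if name:
            dests[name.strip()] = (policy.findtext("to") or "").strip()
    return dests


def misplaced_sdwan(xml_text, external_aliases=EXTERNAL_ALIASES):
    """PBR/SD-WAN policies whose destination is not an external alias."""
    dests = policy_destinations(xml_text)
    return [n for n in pbr_policies(xml_text) if dests.get(n) not in external_aliases]


if __name__ == "__main__":
    # Usage: python check_pbr.py saved-config.xml   (read-only; no writes)
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CONFIG
    print("Policies with PBR/SD-WAN selected:", pbr_policies(text))
    for name in misplaced_sdwan(text):
        print(f"  review: '{name}' has SD-WAN but does not go to an external interface")
```

    With the constructed sample this reports HTTP-proxy-00 and Allow SSLVPN-Users as the PBR policies and flags only the latter, matching what the poster eventually found. Run it against your own export before opening Policy Manager, so you know which policies to visit rather than hunting through every rule.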

  •

    This happened to a number of others during the conversion to SD-WAN

  •

    I haven't done a migration like this in a number of years. Do I have to connect the new T40 up to an actual internet connection to set it up initially?

  •

    Normally, no.
    You will need the Feature Key, which requires you to register the firewall on your WG account.
