Migrate from T40-W to M270 - leftover wireless config an issue?
I am about to do a migration of a T40-W configuration where the wireless adapter configuration is present (as an AP) to a M270 which obviously doesn't have wireless capability (the client is getting dedicated APs instead and the T40-W is an interim setup for them anyway).
One thing I am not sure of when I did a dry run of the config migration using WSM ( https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/config_file_use_new_model_wsm.html ) is whether any leftover wireless references would cause any issues.
More specifically, the current wireless SSID connects to a VLAN that is defined, but when doing the configuration changeover in WSM (I don't have the M270 as yet to apply it to), I can see interface ath1 (as an example) against one of the VLANs after changing the model in the config to M270.
It would appear to stay there but obviously one can't manage/remove that if the model is set to M270 etc, hence the question as to whether it may cause issues.
Or do I need to remove that wireless config before changing the model in Policy Manager?
Answers
If an interface (like ath1, ath2, ath3, the wireless radios on a tabletop firewall) go away, any rules using the aliases for those interfaces just flip to "None" if there's nothing else in that part of the rule.
Policy manager will not allow you to save if a rule has "None" in it, and you'll need to add something to the rule (I just put a bogus RFC1918 address I'm not using in that field if I don't want to deal with it right away) or erase the rule from the ruleset.
-James Carson
WatchGuard Customer Support
It's not a policy that shows it (I've seen that before), but rather the VLAN configuration in my case since I have an SSID on ath1 connected to a specific VLAN.
ie. if I change the config from a T40-W to M270 then go save it as-is in Policy Manager (regardless of whether I change the feature key or not), when I go and look at that configuration again it shows "ath1" and "ath2" in the VLAN section as an interface the VLAN is bound to.
Screenshot is from after I changed the config to a M270 showing the remaining interfaces:
While it looks like it would work, it is this that I am not sure if it will cause issues down the track (the remaining interface) - eg. would it stop me doing something if I had to change those VLANs.
Side note - if I change the configuration back to a tabletop firewall with wireless (eg. T40-W), when I go to reconfigure the wireless SSID, it shows up as bound to the interface when I select VLAN for the interface type (which lead to the original question of whether I need to clean up this config first).
If the interface is removed, it should just drop it (the firewall does the same thing if you move from a 8 port device to a 5 port device -- it just drops off those interfaces. It will give you a pop up warning to check that the interfaces are where you want them, but it should also allow the save with those ath interfaces just falling off.
-James Carson
WatchGuard Customer Support
I see the warning, but the interfaces remain there as per the previous screenshot (which was taken after I changed it to a M270).
Given it shows as bound to the VLAN when I change it back to the T40-W, presumably it just sits there in the config.
Seems a bit odd but happy to leave it there if there is no impact down the track, but equally easy enough to clean up the wireless config beforehand since it is in Policy Manager anyway.
Begs the question of whether Policy Manager should have cleaned up that bit of config or whether it's by design.
Policy Manager is not perfect
If it remains, after you save to the firewall, close, and re-open policy manager, I'd suggest just opening a ticket. If something does need adjusting, our team can assist.
-James Carson
WatchGuard Customer Support