WatchGuard M200 to M270

Currently using a M200. Can the configuration file (.xml) be uploaded to the M270 and consider all the configurations "migrated"? The documentation is not clear about the xml file.
I understand that the backup (
.fxi) cannot be moved to another device.

Thanks!

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/basicadmin/config_report_download_web.html

https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/backup_upgrade_recovery/firebox_backup_image_restore_c.html

Comments

  • Hi Bruce!
    I read that article and if I'm reading this right the "current/old" firewall will save the configuration to a remote destination, that happens to be the new firewall.

    Is there a way to do this offline? Can I just open/import the xml on the new device?

  • No.
    You need to use WSM Policy Manager.
    Open the config (.xml file) from the old firewall, make the needed changes - model info & license keys, then save that config someplace.
    Then import the modified config into the new firewall using WSM Policy Manager.

  • Hi @Bruce_Briggs
    I tried to follow the article but the feature key on the old box despite being disabled they are apparently still being in use and I was not able to "Save to Firebox"

    I tried saving and opening the configuration file and it seems it worked, but I cannot save the configuration because the feature keys are not installed. I can obtain the feature keys from the WatchGuard portal directly but I do not know if by installing them, I'll make the old unit unusable (creating an outage).

    Installing the feature key on the new M270 will cause any problem on the production M200? Do I need to install the feature key during a maintenance window?

    My plan is to have everything ready to do on the M270 (configuration and licenses and since all the interfaces will be configured equal, just move the cables from one to the other during a maintenance window.

    Thanks for your patience.

  • Open the current M200 config in Policy Manager.
    Save the config with a new name to disk.
    Change the device type from a M200 to a M270.
    Change the device name etc. if desired.
    Remove the old License Key and import the M270 license key.
    Save this change config to disk.
    When ready, save this config to the new M270.
    The M200 will continue to work until you physically replace the interface connections from the M200 to the M270.
    You may need to power off/on your ISP device when you swap in the new firewall.

  • Thanks for your quick reply Bruce,
    I'm sorry to keep asking thing but the "remove feature key" you and the documentation mention keeps confusing me. Why do I need to do that?

    I can retrieve a feature key from the WatchGuard Portal (documentation) so I do not understand why I need to remove it from the M200.

    I checked the configuration XML and I cannot find a reference to a particular key and I can change the device type right from notepad++

    Are these steps wrong?
    1- Go to WatchGuard Portal and get the M270 key
    2- Open the M270 WSM Policy Manager and install the key
    3- Edit M200.xml to update the device name
    4- Open and Save the M200.xml file on the M270

    Thanks.

  • You are removing it from a copy of the config which is in Policy Manager.
    Until you save a config from Policy Manager to a firewall, NOTHING on that firewall changes, no matter how many changes you make in Policy Manager.

    This is totally different than the use of the Web UI, where any change is immediately made to the firewall.

    So, you are not removing it from the M200.

  • Oooohhhh that makes more sense, thanks for the clarification.
    We have the maintenance window schedule for Jan 30. I'll report how it goes later :)

    Thank you for answering all my questions.

  • Everything worked after following your steps and I did not have problems with the keys or anything on either FireFox.

    Thank Bruce!

Sign In to comment.