NGFW - How to migrate from legacy Stonesoft appliances to McAfee Next Generation Firewall (NGFW)

Version 2

    Purpose of this Document

    The purpose of this document is to assist with migration from older-generation Stonesoft hardware appliances to the current-generation McAfee® hardware appliances. The decision to upgrade from an older-generation Stonesoft hardware appliance may be motivated by increased performance needs, end of life of a product, or end of support for a product. This document provides the recommended steps prior to and during the migration.

    Product Documentation

    McAfee provides the information needed during each phase of product implementation, from installation to daily use and troubleshooting, and during the migration to a newer hardware appliance. Below are links to documents that help determine the right appliance and provide the necessary steps for a successful upgrade to the new hardware appliance.

    1. Go to http://support.mcafee.com and select the product and version number.

    2. McAfee Next Generation Firewall Spec Sheet: http://www.mcafee.com/us/resources/data-sheets/ds-next-generation-firewall-appliance-spec-sheet.pdf

    3. Most current technical documents can be found at https://www.stonesoft.com/en/customer_care/documentation/current/

    4. McAfee Next Generation Firewall Administrator’s Guide: https://www.stonesoft.com/opencms/export/system/galleries/download/product_docs/current/McAfee_SMC_Administrators_Guide_v5-7.pdf

    5. McAfee Next Generation Firewall (Stonesoft) Legacy Appliances and Software Support Lifecycle http://www.mcafee.com/us/support/support-eol-next-gen-firewall.aspx

    New Hardware Selection

    Assumptions regarding the new McAfee hardware appliance:

    1. Has the same or greater number of network interfaces

    2. Has physical dimensions that match the old hardware

    3. Supports the increased performance needs

    A list of recommendations for the new hardware selection is provided, but the final decision should be based on which new hardware best fits the current business requirements. See the Appendix for a detailed list of recommended products.

    Upgrading New Hardware with Same Architecture


    Upgrading Single Appliance

    If the new hardware uses a 64-bit architecture and has the same architecture as the older hardware, the steps below provide a seamless migration:

    1. Generate an initial configuration for the new appliance in the McAfee Security Management Center. If more than one appliance is being contacted, make sure that the correct one-time password is used for each unit.

    2. Add the appliance to the network (make sure Layer 1 connectivity is correct) and configure it in the same way as a new installation.


    Before starting the migration, check the interface ID to “eth” mappings on each appliance by running the sg-reconfigure command on the CLI. Mark the cables with the Interface ID and eth numbers. This helps connect the cables correctly to the new appliances and avoids incorrect cabling.

    3. When contact with the Management Server is established, install the policy. The full working configuration is transferred to the new node.


    How to generate an initial configuration, how to add hardware to the SMC and how to install a policy are explained in: https://community.mcafee.com/docs/DOC-6007

    Upgrading a Cluster

    Alternative A:

    • To avoid downtime with a next-generation firewall (NGFW) cluster, replace one node at a time. When upgrading two nodes in a large cluster at the same time, make sure the remaining node(s) can handle all of the traffic going through the cluster. If the remaining nodes can’t handle all the traffic, leave more nodes online.

    Alternative B:

    • Replacing all of the appliances at the same time will increase downtime due to making initial contact to several new appliances.


    Refer to the “Maintenance and Upgrades” chapter in the McAfee NGFW Administrator’s Guide, found at: https://www.stonesoft.com/en/customer_care/documentation/current/


    NOTE: In some cases the IPsec VPN certificate information may be lost and the policy installation fails. Replacing all the hardware will result in losing the IPsec VPN certificate private keys, and the policy installation will fail. If this happens, delete the old IPsec VPN certificates in the Management Client and create new VPN certificates for the node(s). See the “Creating and Signing VPN Certificates” chapter in the NGFW Administrator’s Guide.


    Upgrading New Hardware with Different Architecture

    Upgrading Single Appliance

    The procedure to upgrade a single appliance with a different architecture is similar to the steps in the Upgrading Single Appliance section of “Upgrading New Hardware with Same Architecture”.


    Migrating from 32-bit Cluster to 64-bit Cluster

    This migration always requires service downtime because of the different architecture. Since every appliance must be replaced, 32-bit and 64-bit appliances cannot operate together in the cluster. Follow the steps below to start the migration.


    Current Scenario: All Nodes 32-bit Versions


    1. Take as many nodes offline as possible, leaving enough online to support the current traffic flow.


    Alternative A:

    Plan an outage, take all nodes offline, and replace all the nodes at the same time. In this case the downtime could last longer because several new appliances must make initial contact with the McAfee Security Management Center.


    2. Before starting the migration, check the interface ID to “eth” mappings on each appliance by running the sg-reconfigure command on the CLI. Mark the cables with the Interface ID and eth numbers. This helps connect the cables correctly to the new appliances and avoids incorrect cabling.


    3. Power down the offline node(s). Replace the shutdown nodes with new hardware. Make sure cabling is done correctly.


    Current Scenario: One Node 32-bit, the Others Now 64-bit (at this point the remaining 32-bit node is handling all the traffic)


    4. Perform initial contact with the new appliance(s).


    If contacting more than one appliance, make sure to use the correct one-time password (OTP) for each unit.


    How to generate an initial configuration, how to add hardware to the McAfee Security Management Center and how to install a policy are explained in: https://community.mcafee.com/docs/DOC-6007


    5. Lock the 32-bit device in online state.


    6. Install the policy to the cluster so the new appliances get the configuration and are ready to start handling connections. They should be in the offline state at this point.


    Current Scenario: Service Downtime Begins


    7. Command the remaining 32-bit node to go offline and disconnect the cables from it.


    8. Command new appliances to go online so the cluster will become operational again.


    Current Scenario: Service Downtime Ends


    9. Shut down the remaining 32-bit node and remove it.


    10. Put the new 64-bit appliance(s) in place, connect all cables and perform initial contact with the McAfee Security Management Center.


    11. Install policy to the cluster so the last new nodes get their configuration also.
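    As an added example (not McAfee tooling and not part of the original document), the following Python models the pre-flight checks a change plan for steps 1 to 8 above should pass, together with the cable labelling from step 2. Node names, capacities and the Interface ID to eth mappings (the kind of information sg-reconfigure shows) are constructed sample data.

```python
"""Pre-flight checks for the 32-bit to 64-bit cluster migration above.
Added example, not McAfee tooling; all node data is constructed."""
from dataclasses import dataclass


@dataclass
class Node:
    name: str
    arch: int              # 32 or 64
    capacity_gbps: float   # traffic this node can carry on its own
    ifmap: dict            # Interface ID -> eth name on this appliance
    online: bool = False


def cable_labels(old: Node, new: Node) -> list:
    """Step 2: one label per cable; fails if the new unit lacks an Interface ID."""
    missing = sorted(set(old.ifmap) - set(new.ifmap))
    if missing:
        raise ValueError(f"{new.name} has no mapping for Interface IDs {missing}")
    return [f"ID {i}: {old.ifmap[i]} -> {new.ifmap[i]}" for i in sorted(old.ifmap)]


def online_capacity(nodes) -> float:
    return sum(n.capacity_gbps for n in nodes if n.online)


def set_online(cluster, node: Node, online: bool) -> None:
    """State change plus the invariant: 32-bit and 64-bit are never online together."""
    node.online = online
    if len({n.arch for n in cluster if n.online}) > 1:
        raise RuntimeError(f"mixed architectures online after changing {node.name}")


def migration_plan(old: list, new: list, traffic_gbps: float) -> list:
    """Ordered runbook for steps 1 and 7-8; old nodes are expected online on entry.
    old[0] is the node kept online and locked (step 5) until the downtime window."""
    cluster, steps = old + new, []
    for n in old[1:]:                       # step 1: thin out the 32-bit nodes
        if online_capacity(old) - n.capacity_gbps < traffic_gbps:
            break
        set_online(cluster, n, False)
        steps.append(f"offline {n.name}")
    if online_capacity(old) < traffic_gbps:
        raise RuntimeError("remaining 32-bit nodes cannot carry current traffic")
    steps.append("DOWNTIME BEGINS: offline remaining 32-bit node(s)")   # step 7
    for n in old:
        set_online(cluster, n, False)
    for n in new:                           # step 8: 64-bit nodes go online
        set_online(cluster, n, True)
        steps.append(f"online {n.name}")
    if online_capacity(new) < traffic_gbps:
        raise RuntimeError("new 64-bit cluster is undersized for current traffic")
    return steps
```

    Run migration_plan against the real node inventory before the change window; a RuntimeError means the plan as written would drop traffic outside the declared downtime or mix architectures.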


    Appendix

    Suggested Replacement Models

    Below is a list of suggested equivalent replacement models. These recommendations can change based on your requirements. Contact your McAfee Sales Representative for further details.


    Note: The newer McAfee models are modular and have fewer built-in ports than the older ones. When ordering the suggested replacement model, ensure that the port requirements are met on the newer appliance. Additional modules may need to be added for certain replacement models.

    SKU | Suggested Replacement Configuration | Product
    FW-100 | FWL-105 | Firewall
    FW-1020 | FWL-1035 | Firewall
    FW-1020E | FWL-1035 | Firewall
    FW-1030-C2 | FWL-1035 | Firewall
    FW-1030-C2P | FWL-1035 | Firewall
    FW-1050 | FWL-1035 | Firewall
    FW-1050E | FWL-1035 | Firewall
    FW-1060-C3 | FWL-1065 | Firewall
    FW-1060-C3P | FWL-1065 | Firewall
    FW-1060-C5 | FWL-1065 | Firewall
    FW-1060-C5P | FWL-1065 | Firewall
    FW-1200 | FWL-1035 | Firewall
    FW-1200E | FWL-1035 | Firewall
    FW-1200EF1 | FWL-1035 | Firewall
    FW-1200F1 | FWL-1035 | Firewall
    FW-1301-C1L | FWL-1402 | Firewall
    FW-1301-C1LL | FWL-1402 | Firewall
    FW-300 | FWL-315 | Firewall
    FW-300V | FWL-315 | Firewall
    FW-310 | FWL-315 | Firewall
    FW-310L | FWL-315 | Firewall
    FW-310P | FWL-315 | Firewall
    FW-315-C2 | FWL-315 | Firewall
    FW-315-C2L | FWL-315 | Firewall
    FW-315-C2P | FWL-315 | Firewall
    FW-315-C3 | FWL-315 | Firewall
    FW-315-C3L | FWL-315 | Firewall
    FW-3201-C1 | FWL-3202 | Firewall
    FW-3205-C1 | FWL-3206 | Firewall
    FW-5000 | FWL-3202 | Firewall
    FW-5000F1 | FWL-3202 | Firewall
    FW-5000F2 | FWL-3202 | Firewall
    FW-5000F3 | FWL-3202 | Firewall
    FW-5000F4 | FWL-3202 | Firewall
    FW-5000L | FWL-3202 | Firewall
    FW-5000LF1 | FWL-3202 | Firewall
    FW-5000LF2 | FWL-3202 | Firewall
    FW-5100 | FWL-3202 | Firewall
    FW-5100F2 | FWL-3202 | Firewall
    FW-5100G1 | FWL-3202 | Firewall
    FW-5100G2 | FWL-3202 | Firewall
    FW-5105-C1 | FWL-3202 | Firewall
    FWL-1301C1 | FWL-1402 | Firewall
    FWL-3205C1P | FWL-3206 | Firewall
    NGN-3201-C1 | NGF-3202 | Firewall
    NGN-3205-C1 | NGF-3206 | Firewall
    NGN-5205-C1 | NGF-5206 | Firewall
    SG-1100 | FWL-1402 | Firewall
    SG-200 | FWL-315 | Firewall
    SG-250E | FWL-315 | Firewall
    SG-3100 | FWL-3202 | Firewall
    SG-3100-F | FWL-3202 | Firewall
    SG-4000 | FWL-3202 | Firewall
    SG-4000L | FWL-3202 | Firewall
    SG-500E-100 | FWL-315 | Firewall
    SG-500E-50 | FWL-315 | Firewall
    SG-570E | FWL-315 | Firewall
    SG-S1100 | FWL-1065 | Firewall
    SG-S250E | FWL-315 | Firewall
    SG-S3100 | FWL-1402 | Firewall
    SG-S500E-100 | FWL-315 | Firewall
    SG-S500E-50 | FWL-315 | Firewall
    SG-S570E | FWL-315 | Firewall
    I-1030-C1Z | NGF-1035 | IPS
    I-1030-C4 | NGF-1035 | IPS
    I-1060-C4 | NGF-1035 | IPS
    I-1060-C4P | NGF-1035 | IPS
    I-1205-C1 | NGF-1065 | IPS
    I-2000C | NGF-1035 | IPS
    I-2000CF1 | NGF-1035 | IPS
    I-2000S | NGF-1035 | IPS
    I-2000STR | NGF-1035 | IPS
    I-3201-C1 | NGF-3202 | IPS
    I-3205-C1 | NGF-3206 | IPS
    I-400C | NGF-1035 | IPS
    I-6000C | NGF-3202 | IPS
    I-6000CF1 | NGF-3202 | IPS
    I-6000CF1TR | NGF-3202 | IPS
    I-6000CF2 | NGF-3202 | IPS
    I-6000S | NGF-3202 | IPS
    I-6000SF1 | NGF-3202 | IPS
    I-6000SF1LX | NGF-3202 | IPS
    I-6000SF2 | NGF-3202 | IPS
    I-6000STR | NGF-3202 | IPS
    I-6100C | NGF-3202 | IPS
    I-6100C4 | NGF-3202 | IPS
    I-6100C4TR | NGF-3202 | IPS
    I-6100CF1 | NGF-3202 | IPS
    I-6100CF1LX | NGF-3202 | IPS
    I-6100S | NGF-3202 | IPS
    I-6100S4 | NGF-3202 | IPS
    I-6100S4TR | NGF-3202 | IPS
    I-6105-C2 | NGF-3202 | IPS
    I-6105-C3 | NGF-3202 | IPS
    SGI-2000S | NGF-1402 | IPS
    SGI-200C | NGF-1035 | IPS
    SGI-20A | NGF-1035 | IPS

    Features Available with the Appliance Upgrades

    McAfee has combined the Firewall/VPN and IPS/IDS code into one software image; all Next Generation Firewall models use this single image. McAfee allows the customer to use the Next Generation Firewall in any of these roles: Firewall/VPN (Layer 3), IPS mode (Layer 2) or Layer 2 Firewall. This unified software solution allows a customer to change the role of the appliance at any time according to changing business requirements. All McAfee Next Generation Firewall models provide customers with a variety of features and technologies, most of which are critical for a modern Next Generation Firewall, IPS or Layer 2 Firewall.

    • A single appliance can be used as a Firewall/VPN (Layer 3), IPS Mode (Layer 2) or Layer 2 Firewall just by changing the licensing. With the purchase of a Next Generation Firewall license, customers are free to deploy the appliance in any of the three modes mentioned earlier. If the customer has purchased a regular Firewall license and wants to upgrade to Next Generation Firewall, they just need to purchase the Next Generation Firewall license.

    • 64-bit software architecture for performance gain
    • Native clustering support for up to 16 nodes for high availability and performance
    • Augmented VPN
    • Built-in McAfee Multi-Link technology
    • Plug-and-play deployment
    • Evasion and anomaly detection (AET detection and prevention)
    • Anti-botnet technology
    • Virtual Contexts for multi-tenancy
    • Application detection (wide range of applications)
    • High availability in IPS mode or Layer 2 Firewall
    • IPv6 support
    • McAfee SIEM integration
    • Route-based VPN
    • Built-in McAfee antivirus
    • DoS/DDoS protection

    Support

    Each section of this document provides some samples and recommended steps to take to validate whether or not guidance has been followed correctly. If those steps do not work, refer back to the product documentation. If further assistance is needed, McAfee is ready to help.

    McAfee Next Generation Firewall customers

    Every McAfee customer receives a grant number for support. Grant numbers can be used to register for an account on our support portal, the Technical Support Service Portal. Once an account is created, customers can log in 24/7 with their credentials and access support resources.