3 Replies Latest reply on Mar 26, 2013 4:01 AM by PhilM

    Migrate Firewall rules

      Hello, I'm in the process of migrating from Sidewinder version 7.X.X to version 8.3.0.

      The current FW is a UTM style FW and the new one is the S4016.

      I have exported the old rules into a CSV, but I don't see an import function on the new FW GUI.

      When I tried doing it manually from the CLI, there were many errors popping up.

      It appears some of the command formats have changed.

      Is it possible to migrate the rules digitally or am I forced to do this manually?

       

      ej

        • 1. Re: Migrate Firewall rules
          PhilM

          Trying to migrate versions and hardware at the same time can be a challenge.

           

          There are a few options at your disposal:-

           

          • Take the existing appliance through the migration process from v7 to 8.3.0. If your support license has expired, you may be able to speak to McAfee customer services to get a temporary activation key so that you can install the necessary patches. With it upgraded to 8.3.0, you can then simply take a configuration backup from the old appliance, restore it to the new appliance and deal with a few remediation tasks (sometimes the network interfaces need to be re-assigned, and you'll need to put the new appliance's serial number back in so that it will activate).
          • Find out from McAfee support if there is a 7.x.x compatible ISO for the S4016 appliance, install this release, backup and restore the configuration from the old appliance, remediate and then take it through the upgrade process to 8.3.0.
          • Apply for an evaluation serial number for the virtual Firewall appliance. Use this virtual appliance, installed on VMware, as a staging server: starting with 7.x.x, restore a config backup from the original appliance, upgrade to 8.3.0 and then (as per the first suggestion) back up and restore this upgraded config directly to the S4016 appliance.

           

          Hope that helps.

           

          -Phil.

          • 2. Re: Migrate Firewall rules

            I did think about upgrading the current firewall to the latest version, but dismissed it as we are under that lovely Govt CR and can't spend any money. I didn't even think to ask for a temporary license, but since we purchased a new FW they might just go for it.

            Thanks, I'll give it a try; it's the least painful of the 3 suggestions.

             

            ej

            • 3. Re: Migrate Firewall rules
              PhilM

              We've just used option 3 for one of our customers. They had a pair of 510F appliances running 7.0.1.03 and had ordered a new pair of S3008 appliances which came with 8.3.0.

               

              My colleague, who carried out this particular task, created a VMware machine with the appropriate number of interfaces and installed 7.0.1.03. He then took a config backup from the currently active 510F appliance and restored it. He then made sure the interfaces were assigned correctly and activated the license. He then took the installation through the 7.0.1.03-8.1.2 upgrade path. Once on v8 he spent some time optimising the configuration (the upgrade is far more efficient than it was when the 7.x-8.x upgrade scripts were first released, but it still seems to create a number of "generic" application defense definitions which can be consolidated into a single entry) and then continued upgrading through to 8.3.0.

               

              He then took one of the S3008s and went through the initial config process. He then backed up his 8.3.0 virtual machine and restored it to the new appliance. Checking that everything was in place (helped by the fact that in one of the more recent v8 releases the interface names have been standardized), he then activated this appliance and checked that traffic was passing through it. He then took the 2nd S3008, performed the initial configuration and re-built the HA cluster.

               

              With that done, the boxes were packed, shipped to the customer and he met them on site yesterday. Old appliances were shut down, new ones installed and the cables swapped over. Aside from some minor additional remedial work, the on-site exercise was pretty painless.

               

              -Phil.