Migration tool - Yes or No?
We have a TZ400 running 18.104.22.168-83n that we are planning on upgrading to a TZ470. The vendor wants a LOT of money for configuration and after looking at the more than 43,000 lines on the TSR, I can understand why. As with everyone, however, budgets are tight and if we can avoid that expense, we would like to.
There are only a few posts on this forum (as well as reddit) regarding the online migration tool, but of course, they deal with issues or problems. There MUST be a lot of success stories, but no one ever posts anything when things work as they should. :)
I've seen some people always recommend to only build a config from scratch - but, again, 43,000 lines!
So I have a few questions:
1) Has anyone actually had a good experience with the migration tool?
2) What does NOT get migrated - (I've read something about user passwords)?
3) We use GVC for remote access. Will I have to generate a new .rcf config file and distribute it to all our remote users?
4) Can I test the new firewall live before transferring the registration (in case things go south)?
5) Any other pitfalls to watch out for?
Thanks in advance for any advice you may have to offer.
Follow the below KB;
I experienced few issues like PPPoE passwords are not migrated & VPN related issues faced.
As per my recommendation, After the Firewall migration, go through the all security policies and compare it and confirm both are matching before applying to the production environment.
The vendor wants a LOT of money for configuration and after looking at the more than 43,000 lines on the TSR, I can understand why.
Just to put things in perspective. I have a TZ250W and the TSR is around 40,000 lines. The bulk of that is from the default SW configuration - NOT from my changes.
I just received my NFR / test TZ270W and now have the task of building my new Standard Operating Procedure for upgrading Gen 6.5 to Gen 7 firewalls. More than likely, I'll follow TKWITS advice and start from scratch and simply operate the device "clean." That means a minimal amount of site-specific customization. That way I'll know whether it is the device, or my settings. Only over time will I start to add additional functionality and tighten it up for production use. I'm thinking that is a longer than "let's just migrate and go" approach, but it safeguards my business.
Hope that helps answer your question.
Oh, and I'm curious - please send me a note offline - just what you mean by a lot of money.
Plus, how would you know, and what assurances do you have, the vendor didn't imply use the migration tool to provide you with the new configuration?
@Ajishlal , Yes, I read the KB article an migrating. It's basically a step-by-step - which is ok, and while there are a FEW issues mentioned, there is no detail about them. I've also seen NUMEROUS posts regarding certain fields in the tool not populated depending on which browser you have (I've experienced that in the past where only Edge would apply a firmware update and Chrome would not.) We don't use PPPoE. What VPN issues did you face - we use GVC for remote access.
@Larry , I don't know for a fact that the vendor won't use the migration tool - perhaps they will. When I spoke with the salesman and mentioned the tool, he advised against it because "it misses a lot of things". Was this him just trying to make a configuration sale? after looking at the TSR, it would seem MORE likely that a human would miss a lot of things trying to convert one config to another.
We are upgrading for two reasons - to gain more performance, but primarily because the appliance randomly reboots itself. Sometimes it will go 2 - 3 weeks before a reboot, other times it will reboot 2 - 3 times within a 30 minute period. TSR shows
"12/03/2021 07:19:45.928Reboot due to DP Core hang12/03/2021 07:19:45.928Core Trace 2: cause: Interrupt"
The cores and traces vary from event to event. Sometimes "Core n GAV Processing taking 1 seconds" is added to the error.
I've had support tickets open with SonicWall, sent them everything I could download. They sent me a hotfix - but it really didn't help. There was no ultimate resolution. Perhaps it is the configuration, perhaps it is a hardware glitch. If I install the same config to the new unit and it continues rebooting, well, I guess we'll know then.
I would love the luxury of building from scratch, but 1) I'm not sure I am adept enough for that and 2) we need to be up and running as quickly as possible. It was installed in 2017 and has had numerous tweaks and changes by both my predecessor and me. I don't really want to go through all that trial and error again. :)
I have been using Sonicwall for over 20 years, and am capable of configuring them. However, we have an abundance of walls across our WAN, and there is literally decades of custom programming in those appliances. For me, I use the migration tool, and have used it successfully for many years with little problem. The few glitches I have encountered took me a few minutes to fix, but I would have spent hours per wall configuring them all.
You have nothing to lose by trying it. If it doesn't work for you, default the wall and start from scrach.
Thank you @MacGyver , this is the type of reassurance I was hoping for.
I decided to run a test of the migration tool, so I exported a config and ran it through. The good news is that I didn't experience any missing fields or empty drop-downs.
The only question I have is related to the final step where the following advanced options are presented:
Of course, there's no help or documentation to explain the ramifications of these choices. I'm fairly certain I don't want to check either of the "Drop..." boxes, but since this will be a single, stand-alone wall, shouldn't I UNCHECK the HA option? Why would it default to that?
Any thoughts or advice is appreciated.
@RussF yes, uncheck it.
Can't speak for why SW decided on the default (perhaps it was frequently overlooked and caused significant/major problems).
As a follow-up and a notification to future users searching for migration advice, we successfully upgraded from a TZ400 to a TZ470 using only the migration tool. The only password that didn't migrate was the admin password, but that was easy enough to change. All users and their passwords, interfaces, objects, etc. seem to have copied over.
Now all that's left is to get used to the OS 7 user interface and figure out where things are. :)
We've also had success going from SOHO and TZ units to newer Gen 7 with the migration tool where hand-rebuilding could have taken an extremely lengthy period of time. As per usual, the only setting that doesn't come over is the administrative password but the migration tool is quite handy!