Migrate from NSa 4650 to NSa 4700 HA firewall
Asif_Iqbal
Newbie ✭
Hello Community,
We are wanting to move from our current NSa 4650 Gen6 firewall to the newer NSa 4700 Gen7 firewall. We use a HA pair as Active and Standby.
I Have used the Migration Tool as a test to convert the current Gen 6 config to the newer Gen & config for use with the new firewall.
Is there a step by step process for this? Should I Import the new config to the secondary (standby) device first etc.?
Any advise gratefully appreciated.
Kind Regards,
Asif
Category: Mid Range Firewalls
0
Answers
@Asif_Iqbal
Follow the below KB for the HA unit migration;
@Asif_Iqbal - you already performed the steps @Ajishlal suggested.
Try this afterward:
Use the migrated configuration to set up your base and continue from there.
Thanks @Ajishlal and @Larry
I need to register the product in order to update the firmware. I trust this won't have an impact on my current SW HA pair?
Also I trust if I add this on the network I can see and update the firmware?
Thanks,
Asif
@Asif_Iqbal I assume it's a Secure Upgrade, do the "Register only" on MySonicWall, this will keep the old units untouched for 90 days.
Connecting the new units to your network can cause trouble because of the duplicate IP addresses, be careful on that. I usually create a new deployment network for this or attach the management port only for the time being. But you need WAN access on the units as well to have same call home.
--Michael@BWC
@BWC - Thanks Michael, the new device is just out of the box with no or the default config from the factory. No IP assigned yet. I trust I can add this to the network for firmware upgrade/registration etc. before importing the config?
Thanks,
Asif
@Asif_Iqbal to be on the safe side I would connect MGMT and X1 to your LAN, if 192.168.1.0/24 isn't in use on your LAN. Configure X1 as DHCP client, this will pick up an address from your LAN and should be able to connect to the Internet.
On your PC you need to configure 192.168.1.x/24 to access the NSa 4700 at 192.168.1.254 via MGMT Port. From there you can configure, register, update etc.
When importing the config you might consider unplug X1 and only connect via MGMT and verify the config is properly imported.
--Michael@BWC
@BWC - thanks Michael. 192.168.1.x/24 is not a range we use, X1 as DHCP would be the best option. Is it a simple case of accessing the IP assigned via DHCP through a web browser?
Thanks,
Asif
@Asif_Iqbal yes, you just need to configure X1 as DHCP, which is IMHO already the default if I'am not mistaken. Just make sure to connect the MGMT port as well because Management Access via WAN is not allowed per default.
--Michael@BWC
@BWC - thanks Michael, so in essence patch both the MGMT and X1 port to the network for LAN and WAN access?
Thanks,
Asif
Correct, sounds a bit strange, but is the simple approach without messing things up. You need to configure a secondary address to your PC though, e.g. 192.168.1.50/24. Firewall MGMT IP is 192.168.1.254.
--Michael@BWC
@BWC - thanks Michael. The simpler the better in my book. I'll let all of you know how I get on with this.
Thanks,
Asif
Hello,
I have registered the product and completed a Firmware upgrade. Unfortunately, I chose the On Box option for management and need to change this to cloud. In the NSa 4650 there is an option to change this using the SN. I can't see this on the new NSa 4700. Is there a way to change the Managed By to Cloud?
Thanks,
Asif
@Asif_Iqbal that's an interesting question. Did you purchased an Essential or Advanced Secure upgrade? Only the Advanced edition comes with cloud management.
--Michael@BWC
@BWC - Hi Michael, I will be transferring our existing licences across to the new NSa4700 when the NSa4700 is ready for this. The current licences support cloud management if that is what you are asking.
Thanks,
Asif
@BWC - Hi Michael, I've started a trial of the Management and Analytics Services on the NSa4700 and this has made the Managed by Cloud and Zero Touch options available.
Many Thanks,
Asif
Hello Everyone,
I believe I am now in a position to start making the changes to the new NSa 4700 firewalls.
What I have done so far is:
Can someone confirm the next steps please? I currently have the NSa 4650 as Active as a HA pair.
I was thinking of completing the steps below. Please feel free to comment or advise.
Is this acceptable? is there anything I have missed?
Thanks,
Asif
Has anyone any comments on the procedure above - even to say yes this is OK??
Thanks,
Asif
@Asif_Iqbal your upgrade plan looks solid to me. Just make sure that the old units are switched off before the new units get powered up.
If you're running some form of NAC you might set the switch ports to ignore, this is sometimes forgotten but the new units come with new MAC addresses which need to be learned by the NAC.
--Michael@BWC
@BWC - thanks Michael. appreciate your response to this. I'll be swapping the units out on Monday so I'll post back on here.
Kind Regards,
Asif
@BWC and everyone else. The upgrade is complete and working. I registered the devices only at this stage. Do I need to transfer and licences from the old NSa 4650 to the new NSa 4700 devices?
Kind Regards,
Asif
@Asif_Iqbal you should complete the Secure Upgrade process by transferring the old licenses and remaining days over to the new units.
--Michael@BWC
@BWC - thanks Michael, can you point me to where I find this option in the My SonicWall portal please?
Thanks,
Asif
@Asif_Iqbal you need to open up the details of your new NSa 4700 (Primary) in MSW and in the lower left corner there is a section with a ToDo list, one of the actions is complete Secure Upgrade.
I don't have any unfinished Secure Upgrade in my Account right now, but you'll find it, it's obvious.
--Michael@BWC
@BWC - Thanks Michael, I can see this and will do the necessary.
Kind Regards,
Asif