Problems Upgrading Gen 6 to Gen 7 Devices
MDS_UK
Has anyone else had any problems when migrating Gen 6 configs to Gen 7 devices? We have had issues with several devices now including:
- Admin access on HTTPS. Gen 6 device has WAN>WAN firewall rule restricted to one IP address. On Gen 7 device, this rule has been superseded by an ANY rule and we are unable to delete the original rule with the restricted IP address.
- IPSEC VPN Agreement - unable to amend existing SA. Any change to SA results in an error when trying to save. SonicWALL support suggested upgrading to the latest firmware, but this resulted in the SA disappearing completely but leaving orphaned access rules.
- HA - problem whereby the Secondary device is missing large amounts of the configuration when failed over to. Specifically all VPN SAs are completely missing.
I would be interested to hear if anybody else has had anything similar.
For clarity, these upgrades were performed by exporting the config from the Gen 6 device and importing to the Gen 7 device. We have seen these problems across the TZ and NSA models.
Category: Entry Level Firewalls
Answers
Unfortunately the time-honored method of exporting the settings and importing them to a new device is not the recommended method for the Gen 6 to Gen 7 upgrade.
Follow this KB article for guidance. You should factory reset your Gen 7 device prior to undertaking these steps.
Hi @MDS_UK, are you using the migrate tool? https://migratetool.global.sonicwall.com/
If not, use this and see if you get the same results, and make sure the 6 Appliance is on the latest 6.5.4.8 firmware and the Gen7 appliance you are upgrading to is on the latest 7.0.1-5023-R1826 firmware.
I've migrated lots of configs this way; the only issue I've seen recently is that sometimes the WAN Group VPN Shared secret is incorrect after migration.
If you are attempting to migrate Gen5 appliances, you'll need to go via a Gen6 appliance.
If you are migrating from a Gen 6 appliance, make sure it is on at least 6.5.4, not 6.2 or lower.
Thanks Larry. Is this "official" SonicWALL guidance and, if so, is it documented somewhere?
I've tried that tool a few times before and it's failed dismally. Does it migrate anything beyond the interfaces? E.g. objects, rules, policies etc.?
Admin access on HTTPS
There should be an option in the /diag menu that allows you to completely edit/delete automatically created rules. Suggest you enable it, edit the rules, then disable it again afterwards.
Thanks - that's helpful to know.
Yes, it should migrate all the settings configured from the original config file to the new one.
@MDS_UK yes, that is the official SonicWall KB on the matter.
Yes, I get errors too.
Converting TZ400 to TZ270 (using the SonicWall migration tool) and the security services signatures fail to upload either automatically or manually after the conversion.
Converting TZ500 to TZ470, same issue as above, and the DNS tests fail from 'Diagnostics>Check network settings' but the DNS IPs can be pinged from other diagnostics pages. I have a SonicWall support ticket open for this.
Converting TZ600 to TZ470 and the IP helper configuration was lost and had to be manually reconfigured.