Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Migrate from NSa 4650 to NSa 4700 HA firewall

Hello Community,

We are wanting to move from our current NSa 4650 Gen6 firewall to the newer NSa 4700 Gen7 firewall. We use a HA pair as Active and Standby.

I Have used the Migration Tool as a test to convert the current Gen 6 config to the newer Gen & config for use with the new firewall.

Is there a step by step process for this? Should I Import the new config to the secondary (standby) device first etc.?

Any advise gratefully appreciated.

Kind Regards,

Asif

Category: Mid Range Firewalls
Reply

Answers

  • LarryLarry All-Knowing Sage ✭✭✭✭

    @Asif_Iqbal - you already performed the steps @Ajishlal suggested.

    Try this afterward:

    Use the migrated configuration to set up your base and continue from there.

  • Asif_IqbalAsif_Iqbal Newbie ✭

    Thanks @Ajishlal and @Larry

    I need to register the product in order to update the firmware. I trust this won't have an impact on my current SW HA pair?

    Also I trust if I add this on the network I can see and update the firmware?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal I assume it's a Secure Upgrade, do the "Register only" on MySonicWall, this will keep the old units untouched for 90 days.

    Connecting the new units to your network can cause trouble because of the duplicate IP addresses, be careful on that. I usually create a new deployment network for this or attach the management port only for the time being. But you need WAN access on the units as well to have same call home.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - Thanks Michael, the new device is just out of the box with no or the default config from the factory. No IP assigned yet. I trust I can add this to the network for firmware upgrade/registration etc. before importing the config?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal to be on the safe side I would connect MGMT and X1 to your LAN, if 192.168.1.0/24 isn't in use on your LAN. Configure X1 as DHCP client, this will pick up an address from your LAN and should be able to connect to the Internet.

    On your PC you need to configure 192.168.1.x/24 to access the NSa 4700 at 192.168.1.254 via MGMT Port. From there you can configure, register, update etc.

    When importing the config you might consider unplug X1 and only connect via MGMT and verify the config is properly imported.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - thanks Michael. 192.168.1.x/24 is not a range we use, X1 as DHCP would be the best option. Is it a simple case of accessing the IP assigned via DHCP through a web browser?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal yes, you just need to configure X1 as DHCP, which is IMHO already the default if I'am not mistaken. Just make sure to connect the MGMT port as well because Management Access via WAN is not allowed per default.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - thanks Michael, so in essence patch both the MGMT and X1 port to the network for LAN and WAN access?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    Correct, sounds a bit strange, but is the simple approach without messing things up. You need to configure a secondary address to your PC though, e.g. 192.168.1.50/24. Firewall MGMT IP is 192.168.1.254.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - thanks Michael. The simpler the better in my book. I'll let all of you know how I get on with this.

    Thanks,

    Asif

  • Asif_IqbalAsif_Iqbal Newbie ✭

    Hello,

    I have registered the product and completed a Firmware upgrade. Unfortunately, I chose the On Box option for management and need to change this to cloud. In the NSa 4650 there is an option to change this using the SN. I can't see this on the new NSa 4700. Is there a way to change the Managed By to Cloud?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭
    edited March 2023

    @Asif_Iqbal that's an interesting question. Did you purchased an Essential or Advanced Secure upgrade? Only the Advanced edition comes with cloud management.


    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - Hi Michael, I will be transferring our existing licences across to the new NSa4700 when the NSa4700 is ready for this. The current licences support cloud management if that is what you are asking.

    Thanks,

    Asif

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - Hi Michael, I've started a trial of the Management and Analytics Services on the NSa4700 and this has made the Managed by Cloud and Zero Touch options available.


    Many Thanks,

    Asif

  • Asif_IqbalAsif_Iqbal Newbie ✭

    Hello Everyone,

    I believe I am now in a position to start making the changes to the new NSa 4700 firewalls.

    What I have done so far is:

    1. Registered the 2x NSa 4700 in My SonicWall as a Primary and Secondary unit as Register only.
    2. Associated the Primary unit with the Secondary using HA association.
    3. Updated the firmware on the NSa4700 to 7.0.1-5111 Maintenance Release.
    4. Completed the Gen6 to Gen7 config upgrade using the Migration Tool and 1 to 1 mapping.
    5. Downloaded the Gen7 Config file to my PC.

    Can someone confirm the next steps please? I currently have the NSa 4650 as Active as a HA pair.

    I was thinking of completing the steps below. Please feel free to comment or advise.

    1. Import the Gen7 config to the NSa 4700 Primary device.
    2. Power off the old NSa 4650 Primary and Secondary Devices.
    3. Remove the old NSa 4650 Primary and Secondary devices.
    4. Install the new NSa 4700 Primary and Secondary devices.
    5. Power on the Primary device first and wait for this to be active.
    6. Power on the Secondary device. At this stage, the Primary device will see the Secondary device via the HA link and Push the config to the Secondary device.

    Is this acceptable? is there anything I have missed?

    Thanks,

    Asif

  • Asif_IqbalAsif_Iqbal Newbie ✭

    Has anyone any comments on the procedure above - even to say yes this is OK??

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal your upgrade plan looks solid to me. Just make sure that the old units are switched off before the new units get powered up.

    If you're running some form of NAC you might set the switch ports to ignore, this is sometimes forgotten but the new units come with new MAC addresses which need to be learned by the NAC.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - thanks Michael. appreciate your response to this. I'll be swapping the units out on Monday so I'll post back on here.

    Kind Regards,

    Asif

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC and everyone else. The upgrade is complete and working. I registered the devices only at this stage. Do I need to transfer and licences from the old NSa 4650 to the new NSa 4700 devices?

    Kind Regards,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal you should complete the Secure Upgrade process by transferring the old licenses and remaining days over to the new units.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - thanks Michael, can you point me to where I find this option in the My SonicWall portal please?

    Thanks,

    Asif

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @Asif_Iqbal you need to open up the details of your new NSa 4700 (Primary) in MSW and in the lower left corner there is a section with a ToDo list, one of the actions is complete Secure Upgrade.

    I don't have any unfinished Secure Upgrade in my Account right now, but you'll find it, it's obvious.

    --Michael@BWC

  • Asif_IqbalAsif_Iqbal Newbie ✭

    @BWC - Thanks Michael, I can see this and will do the necessary.

    Kind Regards,

    Asif

Sign In or Register to comment.