Watchguard has recently retired their X series of firewalls and replaced them with their new lineup of XTM boxes.
I took this opportunity to replace my X series firewalls with some from the new lineup, and found a neat way to migrate your existing configuration from old to new in a few very easy steps.
Note: Normally I would not recommend migrating your configuration in this manner. In my mind you should always rebuild rules when replacing your firewall, as it is the perfect time to review and do some QA.
Migrating your existing config
I used a laptop do do the actual configuration, to make sure that I didn’t get any conflicts in my production environment when setting up the new one with an old config. By default the Watchguard firewalls come with DHCP enabled on eth1 (trusted) and blindly plugging that into your existing infrastructure might not be the best of ideas. Also, remember that the config also includes the firewall IP adress and what happens if you have two firewalls with identical IP adresses in your network? Lets just agree that it’s not a pretty sight.
- Save your current (old) configuration from your live production firewall
- Install latest version of Watchguard System Manager
- Activate new firewall and retrieve feature key from watchguard.com
- Disconnect laptop from existing production environment, and connect it directly to new XTM firewall on eth1 (trusted)
- Run through Quick Setup Wizard on new XTM firewall
- Open new config xml file in a suited editor. I used Notepad++
- Find the lines that reads <for-model>x700</for-model> (your model might differ)
- Replace x700 with XTM820 (again, your model might differ) and save config file with new name
- Connect Watchguard System Manager to new firewall and start Policy Manager
- Open freshly edited config file and save to firebox (if prompted to convert config file to new format, do so)
- Add new feature key
- Save to firebox
And there it is. All existing configuration migrated from old Watchguard X series firewall migrated to a new and shiny XTM series.
You should now be able to do a quick switch between new and old firewalls and all your services should be available immediately. If not, you can always just revert to the old firewall and troubleshoot the new one.