Sophos Firewall migration from XG to XGS
Migrating from Sophos XG Firewall to the new XGS series is an urgent matter for many organizations as the End-of-Life date of the XG series approaches. This blog post provides a comprehensive guide for IT administrators to successfully migrate from XG to XGS and highlights the key benefits and differences between the two firewall series. If you absolutely don't feel like taking care of it yourself, we have already done many migrations and are happy to take care of it (contact us).
Why migrate from XG to XGS?
The Sophos XG series will be officially discontinued on March 31, 2025. This means no more updates, no more support and no more license orders after the end of March 2025.
There are several reasons why this change makes sense:
- Price increase: One reason is that Sophos has increased the prices for the XG licenses by 30% and it is only worth staying on the old hardware to a limited extent. Yes, we have to mention this again and again, as this was simply an uncool action by the manufacturer and has a very bland aftertaste 💩.
- Future-proof: Future software releases such as Sophos Firewall v21 will only be available for the XGS series.
- Higher performance: The XGS series is equipped with a dual-processor architecture that is specially optimized for high loads and encrypted data traffic. By using multi-core CPUs, encryption operations such as TLS inspection can be carried out much more efficiently.
- Improved hardware quality: The XGS series was developed in close cooperation with leading hardware manufacturers, resulting in greater reliability and a longer service life for the devices. In addition, the devices have been extensively tested to ensure the highest quality standards.
Migration process in detail
Migrating from XG to XGS is relatively easy thanks to the seamless backup and restore function. Here are the most important steps:
Preparation
- Create a backup of the XG configuration: Before the migration, you should create a current backup of the XG firewall. It is important that the backup encryption password and the Secure Storage Master Key are available.
- Check SFOS versions: At least the same or a higher version of SFOS must be installed on the XGS target device as on the XG source.
Sophos Firewall v20 MR2 Upgrade
If possible, you should update the Sophos XGS Firewall to Sophos Firewall v20 MR2 or higher before restoring the config, as the migration process has been improved considerably in this version.
The backup and restore wizard makes it much easier to migrate firewall configurations. You can create backups of versions from v19.5 MR4 and restore them to v20 MR2 or higher. This simplifies the upgrade from XG to XGS as well as the migration between XGS models or to/from virtual and cloud appliances. Interfaces can be flexibly assigned, which is particularly helpful for network infrastructure optimization. Pseudo interfaces act as placeholders for unused interfaces.
Backup restore
The backup of the XG can be transferred directly to the XGS. The migration assistant function offers the option of adjusting the port assignments if the hardware configurations of the two devices differ.
- Sophos has removed the restrictions so that you can now easily migrate configurations between devices with different numbers of ports. It is also possible to restore a backup of a wireless device to an XGS appliance without integrated WLAN functionality.
- The port mapping wizard (in v20 MR2) allows you to flexibly determine how the current hardware ports should be mapped to the new device.
You can check whether a backup is compatible between XG and XGS hardware, cloud or virtual devices on the Sophos XG Backup Compatibility Tool website.
Post-processing and tests
- Make corrections: After restoration, all settings should be checked and adjusted if necessary, especially the network interfaces, VLANs and firewall rules.
- Perform tests: Finally, you should comprehensively test the functionality of the firewall to ensure that all services and rules have been migrated correctly.
Step-by-step video instructions
In this video, the process for switching from XG to XGS is explained again:
Single Appliance
This video explains how to migrate from Sophos XG to XGS Firewalls using the new Backup Restore Assistant. It covers the prerequisites, including compatibility, the backup encryption password and the Secure Storage Master Key. It shows step-by-step how to create a backup, transfer it to the target device and complete the configuration. Important: The port assignment must be checked in advance, as it can no longer be changed after the restore. Further details in the linked video.
For an HA cluster, the process is identical, with the main addition being to configure the HA link, which must use a suitable port type on both the old and new systems.
XG to XGS Migration (High Availability)
The video shows the migration from Sophos XG to XGS Firewalls in a high-availability configuration with the new Backup Restore Assistant. It explains prerequisites such as compatibility, the backup encryption password and the Secure Storage Master Key. The migration process is shown step by step: Create backup, transfer to the target device, adjust ports and finalize the configuration. Important: The HA-Link port assignment must match in advance. Pseudo ports should be avoided. Further details in the linked video.
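The prerequisites above (SFOS versions, backup password and Secure Storage Master Key, port mapping, HA link) can be written down as a pre-flight check before the restore. The following is an added planning aid, not Sophos tooling and not part of the original post: it never talks to a firewall, the version strings are assumed to be written the way this post writes them ("v19.5 MR4"), the port names are constructed, and modelling a pseudo interface as `None` is an assumption of this sketch.

```python
import re

WIZARD_MIN_SOURCE = (19, 5, 4)  # v19.5 MR4, as stated in the post
WIZARD_MIN_TARGET = (20, 0, 2)  # v20 MR2, as stated in the post

def parse_sfos(text):
    """Parse 'v19.5 MR4', 'v20 MR2' or 'v21' into (major, minor, mr)."""
    m = re.fullmatch(
        r"\s*(?:SFOS\s*)?v?(\d+)(?:\.(\d+))?(?:\s+MR-?(\d+))?\s*", text, re.I)
    if not m:
        raise ValueError(f"unrecognised SFOS version: {text!r}")
    return tuple(int(g or 0) for g in m.groups())

def preflight(source, target, have_backup_password, have_master_key,
              port_map, ha_link=None):
    """Return findings to resolve before the restore (empty list = ready).

    port_map maps each source port to a target port, or to None when the
    source port would become a pseudo interface on the target.
    """
    findings = []
    src, dst = parse_sfos(source), parse_sfos(target)
    if dst < src:
        findings.append("target SFOS is older than the source SFOS")
    if src < WIZARD_MIN_SOURCE or dst < WIZARD_MIN_TARGET:
        findings.append("port mapping wizard needs a backup from v19.5 MR4+ "
                        "and a target on v20 MR2+")
    if not have_backup_password:
        findings.append("backup encryption password is not available")
    if not have_master_key:
        findings.append("Secure Storage Master Key is not available")
    # The mapping cannot be changed after the restore, so validate it now.
    used = [t for t in port_map.values() if t is not None]
    for dup in sorted({t for t in used if used.count(t) > 1}):
        findings.append(f"target port {dup} is assigned more than once")
    if ha_link is not None:
        if ha_link not in port_map:
            findings.append(f"HA link port {ha_link} is missing from the map")
        elif port_map[ha_link] is None:
            findings.append("HA link would land on a pseudo interface")
    return findings

if __name__ == "__main__":
    # Constructed plan: an XG with 8 ports moving to a target with fewer ports.
    plan = {"Port1": "Port1", "Port2": "Port2", "Port8": None}
    for line in preflight("v19.5 MR4", "v20 MR2", True, True, plan, "Port8"):
        print("FIX:", line)
```
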
FAQ
When will support for the XG series end?
On March 31, 2025.
Can I migrate from any XG firewall to any XGS firewall?
Almost any migration is possible, but there are restrictions on the number of ports and special models.
Do I need a new license for the XGS firewall?
Yes, a new license is required, but there are attractive promo offers for switching.
Which version of SFOS is required for the migration?
At least SFOS 18.5 for a smooth migration.
How long does the migration take on average?
Depending on the complexity of the configuration, the migration can take between 30 minutes and several hours.
Is it possible to migrate from a wireless XG to a non-wireless XGS?
Yes, provided that the local Wi-Fi configuration is removed before the migration.
Is it possible to exchange backups between different models (1U, 2U, desktop)?
In most cases yes, but there are restrictions on the port configuration.
Can the migration be carried out without downtime?
No, a short downtime is necessary, but only for moving the cabling.
However, if everything is well planned, the downtime is less than 5 minutes.