
Migrate Sophos UTM and third-party firewalls

This guide is for Sophos Partners and administrators planning a migration from Sophos UTM, SonicWall, FortiGate, and Palo Alto Networks to Sophos Firewall using Sophos Firewall Config Studio.

Each firewall vendor uses different configuration models and schemas, so not all settings can be automatically migrated. Sophos Firewall fully supports some configurations. For other configurations, Config Studio minimizes compatibility issues by automatically resolving some items, identifying issues, and letting you resolve these manually.

Learn about the supported configurations, firewall‑specific migration steps, and how to review and import the migrated configuration into Sophos Firewall.

Best practices

Plan, review, and test the migration to minimize downtime and complete the migration smoothly.

Note

We recommend working with your Sophos Partner during the migration to achieve the best possible outcome.

People

Make sure the right people are involved before and during the migration.

  • Inform your Sophos Partner in advance and confirm their availability.
  • If you're migrating to a hardware Sophos Firewall, make sure an IT executive has physical access to the appliance.

Preparation

Complete the following tasks before you start the migration.

  • Take a backup of the source firewall configuration.
  • In Sophos Firewall Config Studio, review the Unsupported, Partial, and Manual configurations for the firewall you're migrating. See Status of configuration support.
  • Create a checklist of configurations you must recreate manually in the firewall.

Resolution and testing

After you upload the configuration to Config Studio, review and resolve issues before importing it into Sophos Firewall.

  • Resolve all Action required and Unsupported configurations.
  • Review and remove duplicate and shadow configurations.

After importing the configuration to Sophos Firewall, recreate any missing configurations, and test traffic flow to verify that rules, policies, routing, and services work as expected.
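The duplicate and shadow review above can be illustrated with a short script. This is an added example, not Sophos code and not how Config Studio performs its analysis. The `Rule` fields, the zone names and the sample rules are constructed assumptions and do not reflect the Entities.xml schema.

```python
from dataclasses import dataclass
from ipaddress import ip_network

@dataclass(frozen=True)
class Rule:
    # Simplified, hypothetical rule model for a first-match, zone-based policy.
    name: str
    src_zone: str
    dst_zone: str
    src: str      # source network in CIDR notation
    dst: str      # destination network in CIDR notation
    service: str  # for example "tcp/443", or "any"
    action: str   # "accept" or "drop"

def _within(inner: str, outer: str) -> bool:
    i, o = ip_network(inner), ip_network(outer)
    return i.version == o.version and i.subnet_of(o)

def _covers(a: Rule, b: Rule) -> bool:
    """True if every connection that matches b also matches a."""
    return (a.src_zone in ("any", b.src_zone)
            and a.dst_zone in ("any", b.dst_zone)
            and a.service in ("any", b.service)
            and _within(b.src, a.src) and _within(b.dst, a.dst))

def review(rules):
    """Return (kind, later_rule, earlier_rule) for rules that can never match.

    Only shadowing by a single earlier rule is detected, not by a union of rules.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if not _covers(earlier, later):
                continue
            if earlier.action != later.action:
                kind = "shadowed-conflict"   # intended action is never applied
            elif _covers(later, earlier):
                kind = "duplicate"           # identical match and action
            else:
                kind = "shadowed"            # narrower rule, same action
            findings.append((kind, later.name, earlier.name))
            break
    return findings

# Constructed sample policy, evaluated top to bottom.
RULES = [
    Rule("allow-lan-web", "LAN", "WAN", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "accept"),
    Rule("allow-hr-web", "LAN", "WAN", "10.1.20.0/24", "0.0.0.0/0", "tcp/443", "accept"),
    Rule("block-guest-web", "LAN", "WAN", "10.9.0.0/16", "0.0.0.0/0", "tcp/443", "drop"),
    Rule("allow-lan-web-copy", "LAN", "WAN", "10.0.0.0/8", "0.0.0.0/0", "tcp/443", "accept"),
    Rule("allow-dmz-ssh", "LAN", "DMZ", "10.0.0.0/8", "172.16.5.0/24", "tcp/22", "accept"),
]

if __name__ == "__main__":
    for kind, later, earlier in review(RULES):
        print(f"{kind}: {later} is covered by {earlier}")
```

A `shadowed-conflict` finding deserves the closest look during review: the later rule expresses a block or allow decision that the migrated policy never enforces.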

Status of configuration support

Sophos Firewall Config Studio shows the status of configuration support for each supported vendor firewall. The statuses help you resolve the configuration differences between the two firewalls.

  • Supported: Migrated automatically without changes.
  • Partial: Migrated with gaps. You must recreate the missing settings, for example, certificates and passwords.
  • Manual: Not migrated. You must configure these items manually.
  • Not supported: Not migrated at all.

Note

Click the tooltip next to each configuration to learn what's migrated.

Status of configuration from other firewalls.

How to migrate

Complete the following steps in Sophos Firewall Config Studio, then select your source firewall.

To open the tool in your browser, go to [Sophos Firewall Config Studio](https://docs.sophos.com/nsg/sophos-firewall/config-studio/index.html) and click the Migrate to Sophos Firewall panel.

Click the relevant tab to select the source firewall and migrate the configuration.

Sophos UTM (SG)

  1. Click Sophos UTM (SG).
  2. To convert the Sophos UTM configuration to a format that's compatible with SFOS, follow the instructions in the GitHub utility we provided and run the migration script. Go to Sophos Migration Utility.
  3. After the conversion is complete, copy the Export.tar configuration file to your endpoint device.
  4. To review the configuration, extract the Entities.xml file.
  5. Click Continue in Config Studio.
  6. Upload the .xml file.
  7. Select Keep all configurations.
  8. Click Import to Editor.

SonicWall

  1. Click the SonicWall panel and check which configurations are imported fully, partially, manually, or aren't supported.
  2. Click Continue to upload in the upper-right and upload the unencrypted backup (.exp) file from SonicWall.
  3. Click Import converted entities.

FortiGate

  1. Click the Migrate to Sophos Firewall panel.
  2. Click the FortiGate panel and check which configurations are imported fully, partially, manually, or aren't supported.
  3. Click Continue to upload in the upper-right and upload the unencrypted backup (.conf) file from FortiGate.
  4. Click Import converted entities.

Note

Config Studio automatically maps FortiGate interfaces to the zones corresponding to their role. So, review the zones and firewall rules. Firewall rules are zone-based in Sophos Firewall instead of the interface-based rules in FortiGate.

  5. Update each rule individually or click Bulk update in the upper-right and apply the changes to multiple rules.

Palo Alto Networks

  1. Click the Palo Alto Networks panel and check which configurations are imported fully, partially, manually, or aren't supported.
  2. Click Continue to upload in the upper-right and upload the running-config.xml file from Palo Alto Networks.
  3. Click Import converted entities.

The Port Mapping Wizard appears.

Review the configuration

You must review and resolve all configuration issues before importing the configuration into Sophos Firewall.

Note

Preview and download aren't available until you resolve the issues.

In Config Studio

In Config Studio, map interfaces, resolve migration issues, and prepare the configuration for import to Sophos Firewall.

  1. The Port Mapping Wizard appears after you import the configuration. Select the XGS model.
  2. Click Auto-assign in the bottom-right to assign the interfaces, or manually assign each interface.
  3. Delete the interfaces you don't need.

    This action doesn't delete configurations where the interfaces are in use.

  4. Click Apply mapping.

    The Configuration Editor page appears. If any configuration requires an action, a Migration report button appears at the top of the left menu.

  5. Click Migration report.

  6. Click Auto-resolved on the upper-right to review the automatically resolved issues.
  7. To manually resolve the issues that require your action, click Action required above the list, click Open for each entry, and edit them.

    Migration report.

  8. To see unsupported configurations directly, click a configuration in the left menu, filter the Config analysis column, and click Unsupported.

    To learn more about an issue, hover over Unsupported before you edit or delete the configuration.

    Warning

    Deleting unsupported configurations may affect traffic flow.

    Unsupported configuration information.

    After you resolve all the configurations that require action, a Ready to export banner appears.

    Ready to export.

  9. Click Download, and download the .tar file.

In Sophos Firewall

In Sophos Firewall, import the migrated configuration and complete the post‑migration verification and testing.

  1. Sign in to Sophos Firewall and go to Backup & firmware > Import export.
  2. Under Import, upload the .tar file and click Import.

    The migration is complete.

  3. Verify network connectivity and test network and server connections.

  4. Create the missing configurations, for example, certificates and passwords.
  5. Test configurations, such as firewall rules, VPN tunnels, and authentication servers, to make sure that traffic flows.