Skip to content
Supported migration paths

XG to XGS migration

The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Software updates on these appliances will stop shortly after this date. So, we recommend you migrate to XGS Series hardware appliances as soon as possible to avoid the risk of degraded functionality and security.

Prerequisites

Before you begin, do as follows:

  1. Select your XGS appliance model.

    We recommend you select the equivalent XGS model of your XG model. For example, if you're using XG 230, select XGS 2300.

    See Check compatible devices to restore backups.

  2. Make sure the new XGS appliance has the required license, and you claim the firewall. See Firewall licenses.

    Note

    If you're using Sophos Central's Zero Touch functionality, you can apply licenses and claim the firewall when you add the firewall to Sophos Central using Zero Touch.

  3. We recommend you upgrade to SFOS versions 20.0 MR2 and later. These versions offer the following capabilities:

    • Wider model compatibility as follows:

      • You can move from a higher to a lower capacity appliance model and restore existing backups. For example, you can restore backups from a 1US XG Series firewall model to the desktop model XGS 126 of the more powerful XGS Series firewalls.
      • You can use backups with generic configurations as templates and restore these to your organization's or customers' firewalls.
    • You can use the backup-restore assistant to help you complete the migration. It allows you to see and change the default port mapping.

      The backup-restore assistant only appears if all of the following conditions are met:

      • The backup is from an appliance running 19.5 MR4 and later.
      • You're restoring to 20.0 MR2 and later.
      • You're restoring to XGS, virtual, and cloud appliances.

      See Backup-restore assistant.

    • We support backup and restore from a wireless model to a non-wireless model. If you're using a wireless model (on-box Wi-Fi), you can migrate to a wireless model or to a non-wireless model with AP6 for Wi-Fi connectivity.

      See Wireless to non-wireless model.

Note

XG Series-compatible Flexi Port modules aren't compatible with XGS Series appliances. You must purchase Flexi Port modules that are compatible with XGS Series appliances.

Migrate from an XG appliance to an XGS appliance

You can migrate using the two firewalls' web admin consoles or use Sophos Central's Zero Touch functionality to migrate remotely.

  • High availability (HA)


    If you have an HA setup, you can migrate using one of the following options:

    • Option 1: Configure HA and then restore the backup
    • Option 2: Restore the backup and then configure HA

    Migrate in a high availability (HA) setup

Migrate using the web admin console of the two firewalls

You use the firewall's backup and restore functionality to migrate from an XG appliance to an XGS appliance.

To migrate, do as follows:

  1. Take a backup on the XG appliance.
  2. Restore the backup on the new XGS appliance.
  3. Use the backup-restore assistant to complete the migration.

    Note

    The assistant is available for backups from 19.5 MR4 and later versions restored to 20.0 MR2 and later.

See Backup and restore.

The following video shows how to use backup and restore to migrate:

Migrate in a high availability (HA) setup

If you have an HA setup on your old XG appliance, you can migrate using one of the following options:

  • Option 1: Configure HA and then restore the backup
  • Option 2: Restore the backup and then configure HA

Note

For migration in an HA setup, restore the backup to the primary device.

Configure HA and then restore the backup

To do this, do as follows:

  1. Take a backup of the primary XG appliance running HA.
  2. Configure HA on the new XGS appliances.
  3. After HA is established, restore the backup on the primary XGS appliance.

    Note

    If the number of interfaces on the old and new appliances differs, the new XGS appliance must run SFOS 20.0 MR2 and later.

Restore the backup and then configure HA

To do this, do as follows:

  1. Take a backup of the primary XG appliance running HA.
  2. Restore the backup to the new XGS appliance you want as the initial primary device.

    Note

    If you're using the active-passive mode, make sure this device has the required licenses.

  3. Configure HA using QuickHA mode on this appliance as the initial primary device.

  4. Configure HA on the auxiliary device.

    Note

    In Interactive mode, you must configure the auxiliary device first so that peer discovery by the primary device doesn't time out.

See High availability (HA).

The following video shows how to migrate if you have an HA setup:

Migrate using Zero Touch

You can also use Sophos Central's Zero Touch functionality to remotely migrate your XG appliance to an XGS appliance.

To migrate using Zero Touch, do as follows:

  1. In Sophos Central, take a configuration backup of the XG appliance. See Back up a firewall now.

    Note

    On the XG appliance, make sure WAN access is turned on or you have direct access to the new firewall after migration.

  2. Add the new XGS appliance to Sophos Central using Zero Touch.

    See Add a firewall with Zero Touch.

  3. Open the web admin console of the XGS appliance.

  4. Connect the XGS appliance to the internet. See What to do on Sophos Firewall.
  5. Restore the backup of the old firewall to the new firewall. See Restore from a backup.

Deregister and register the new firewall with Sophos Central

You must deregister the new firewall from Sophos Central and then register it again. This is a one-time procedure.

Do as follows:

  1. On the new firewall's web admin console, go to System > Sophos Central.
  2. Under Sophos Central registration, click Deregister.
  3. Register with Sophos Central again. See Enable Sophos Central management of Sophos Firewall.
  4. Turn off WAN access.

Firewall configuration

If you're using SD-RED devices and access points, those configurations are migrated to the new XGS Series firewall after the migration.

SD-RED configuration

When you take a backup on the XG appliance, make sure the SD-RED devices are configured and connected. After the migration, the SD-RED devices automatically switch to the new firewall when you disconnect the XG appliance from the network.

If you want to keep the XG appliance connected to the network, manually delete the SD-RED devices from the XG appliance. The SD-RED devices now switch to the new firewall.

Access points

Access points (AP and APX Series) automatically become functional after you restore the backup to the new XGS appliance. No manual action is required.

Sophos Central configuration

If you want to manage your new XGS appliance from Sophos Central, register your new firewall with Sophos Central. Then, turn on any services you want. Synchronized security is turned on automatically when you complete the registration. See Enable Sophos Central management of Sophos Firewall.

Next, manually add the new appliance to the required groups in Sophos Central.

Reports

You can't transfer the reports on your XG appliance to the new XGS appliance. However, you can transfer the reports generated from Central Firewall Reporting (CFR) in Sophos Central to the new XGS appliance. To do this, you must transfer the CFR license you used on the old appliance to the new appliance. The CFR license isn't transferred when you transfer the firewall license.

To transfer the CFR license to the new appliance, do as follows:

  1. Make sure Use Sophos Central reporting is turned on in the new firewall.

    To do this, sign in to the new firewall and go to System > Sophos Central.

    See Enable Sophos Central management of Sophos Firewall.

  2. In Sophos Central, click the Profile icon, go to Licensing, and click Firewall licenses.

  3. Under License Details, next to Central Firewall Reporting, click Manage.
  4. For the XG appliance, select Associate licenses and data with replacement device.

    Associate licenses and data with replacement device.

  5. In Associate licenses and data, select the new XGS appliance.

SD-WAN connection groups

If you've configured the old XG appliance in an SD-WAN connection group in Sophos Central, you must add the new XGS appliance to that group.

After the migration, do as follows:

  1. Sign in to the new firewall.
  2. Delete the firewall rules and VPN tunnels created by Sophos Central.

    1. Go to Rules and policies > Firewall rules and delete the rules with the Central_ prefix.
    2. Go to Site-to-site VPN > IPsec and delete the tunnels with the Central_ prefix.
  3. In Sophos Central, add the new XGS appliance to the SD-WAN connection group.

    See Manage an SD-WAN connection group.

Zero Trust Network Access (ZTNA) gateways

If you're using the old XG appliance as a ZTNA gateway, replace it with the new XGS appliance in Sophos Central after the migration.

To do this, do as follows:

  1. In Sophos Central, go to Manage your products > ZTNA > Gateways.
  2. Click the gateway with the old XG appliance.
  3. In Edit Gateway, in the Firewall list, select the new XGS appliance as the gateway.

More resources