XG to XGS migration
The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Software updates on these appliances will stop shortly after this date. So, we recommend you migrate to XGS Series hardware appliances as soon as possible to avoid the risk of degraded functionality and security.
Prerequisites
Before you begin, do as follows:
- Appliance models: Select the XGS firewall model you want to migrate to.
  We recommend you select the equivalent XGS model of your XG model. For example, if you're using XG 230, select XGS 2300.
- Licenses: Claim the new XGS firewall in Sophos Central and apply the required licenses. See Firewall licenses.
- SSMK: If you've configured a Secure storage master key (SSMK) on your XG firewall, make sure you have the master key and the backup encryption password before migration. See Secure storage master key.
- SFOS version of XG firewall: Check the SFOS version of your XG firewall in the top-left corner of the control center.
- Flexi Ports: If you've configured Flexi Port modules on the XG firewall, purchase and insert compatible Flexi Port modules on the XGS firewall. See Compatible Flexi Port modules in the Backup-restore tool.
Migrate from an XG appliance to an XGS appliance
You can migrate using the two firewalls' web admin consoles or use Sophos Central's Zero Touch functionality to migrate remotely.
Migrate using the web admin console
Migrate based on the SFOS version of your XG firewall.
If your XG firewall version is 20.0 MR3, do as follows:
- Take a backup of your XG firewall.
- Start the XGS firewall.
  In the setup assistant, do as follows:
  - Clear the checkbox for automatic upgrade to the latest version.
  - Don't restore the backup through the assistant.
- Upgrade the XGS firewall to 20.0 MR3.
- Restore the backup and use the backup-restore assistant to map the interfaces.
These versions are supported for migration to 21.0 GA.
If your XG firewall version is 19.5 MR4, 20.0 GA, 20.0 MR1, or 20.0 MR2, do as follows:
- Take a backup of your XG firewall.
- Start the XGS firewall.
  The setup assistant will upgrade the XGS firewall to the latest available version.
- Restore the backup and use the backup-restore assistant to map the interfaces.
We recommend that you upgrade to a version that supports the backup-restore assistant, such as 19.5 MR4 and later. This assistant helps you map the ports from XG firewall to XGS firewall.
If your XG firewall version is 19.5 MR3 and earlier, do as follows:
- (Optional) To use the backup-restore assistant for port-mapping, go to Backup and firmware > Firmware and upgrade to SFOS 20.0 MR3.
  If you upgrade, do as follows:
  - Take a backup of your XG firewall.
  - Start the XGS firewall, and in the setup assistant, do as follows:
    - Clear the checkbox for automatic upgrade to the latest version.
    - Don't restore the backup through the assistant.
  - Upgrade the XGS firewall to 20.0 MR3.
    See Upload and move to a compatible version.
    Warning
    You can't restore a 20.0 MR3 backup to 21.0 GA because 21.0 GA was released before 20.0 MR3.
  - Restore the backup.
- If you don't upgrade, do as follows:
  - Take a backup of your XG firewall.
  - Start the XGS firewall.
  - Restore the backup on the XGS firewall.
The following video shows how to use backup and restore to migrate.
Migrate using Zero Touch
You can also use Sophos Central's Zero Touch functionality to migrate your XG firewall to XGS firewall.
To migrate using Zero Touch, do as follows:
- Understand how to migrate for your XG firewall version. See Migrate using the web admin console.
- Then, follow the Zero Touch instructions as described in Replace an XG firewall with an XGS firewall by using Zero Touch Deployment.
High availability (HA) setup
To migrate your XG firewall configured for HA, you can configure HA on the XGS firewall device and then restore the backup. Alternatively, you can restore the backup, then configure HA.
Note
When restoring a backup with HA to a firewall without HA, the restore process doesn't restore the HA configuration. Because your XGS firewall is new and doesn't have an HA configuration, you must manually configure HA on it.
To migrate your XG firewall configured for HA, do as follows:
- Deploy the two XGS firewall devices in your network. See HA deployment requirements.
- Take a backup from the primary device of the XG firewall.
- Follow the instructions for your XG firewall version as described in Migrate using the web admin console.
The following video shows how to migrate if your XG firewall is configured for HA.
Wireless models
See Backup and restore wireless models.
After migration
Sophos Central registration
To manage your new XGS firewall from Sophos Central, do as follows:
- Register your new firewall with Sophos Central.
- Turn on any services you want. Synchronized security is turned on automatically when you complete the registration.
- Manually add the new appliance to the required groups in Sophos Central.
See Enable Sophos Central management of Sophos Firewall.
Reports
You can't transfer the reports on your XG firewall to the new XGS firewall. However, you can transfer the reports generated from Central Firewall Reporting (CFR) in Sophos Central to the new XGS firewall. To do this, you must transfer the CFR license you used on the old appliance to the new appliance. The CFR license isn't transferred when you transfer the firewall license.
To transfer the CFR license to the new appliance, do as follows:
- Make sure Use Sophos Central reporting is turned on in the new firewall.
  To do this, sign in to the new firewall and go to System > Sophos Central.
- In Sophos Central, click the Profile icon, go to Licensing, and click Firewall licenses.
- Under License Details, next to Central Firewall Reporting, click Manage.
- For the XG firewall, select Associate licenses and data with replacement device.
- In Associate licenses and data, select the new XGS firewall.
SD-WAN connection groups
If you've configured the old XG firewall in an SD-WAN connection group in Sophos Central, you must add the new XGS firewall to that group.
After the migration, do as follows:
- Sign in to the new firewall.
- Delete the firewall rules and VPN tunnels created by Sophos Central.
  - Go to Rules and policies > Firewall rules and delete the rules with the Central_ prefix.
  - Go to Site-to-site VPN > IPsec and delete the tunnels with the Central_ prefix.
- In Sophos Central, add the new XGS firewall to the SD-WAN connection group.
Zero Trust Network Access (ZTNA) gateways
If you're using the old XG firewall as a ZTNA gateway, replace it with the new XGS firewall in Sophos Central after the migration.
To do this, do as follows:
- In Sophos Central, go to Manage your products > ZTNA > Gateways.
- Click the gateway with the old XG appliance.
- In Edit Gateway, in the Firewall list, select the new XGS firewall as the gateway.
Connected devices
After the migration, the SD-RED devices and access points automatically become available in the XGS firewall when you disconnect the XG firewall from the network.
If you want to keep the XG firewall connected to the network, do as follows:
- For SD-RED devices, delete the SD-RED configuration from the XG firewall. The SD-RED devices now switch to the new firewall.
- For access points, accept them in XGS firewall.