It seems like your browser didn't download the required fonts. Please revise your security settings and try again.
Barracuda NextGen Firewall X

This Product is End-of-Life and End-Of-Support

End-Of-Life and End-Of-Support on December 1st, 2020: All Barracuda Firewall X-Series sales will cease; neither new sales nor any renewals will be available. If you currently hold a maintenance and support contract, you will continue to receive our award-winning support and services until your contract expires. Please see the End-Of-Life definition as described in the End of Support and End of Life Information.

How to Migrate an X-Series Firewall Configuration to a CloudGen Firewall

  • Last updated on

Migration Requirements

Note that 7.2.3 is the highest firmware version that can be migrated from an X-Series to a CloudGen Firewall.

X-Series to CloudGen Migration

You can migrate the configuration from an X-Series Firewall to a CloudGen Firewall. However, before migrating, you must verify that certain conditions are met. You can only migrate an X-Series Firewall model with a firmware version greater than or equal to 7.1.3 to a target CloudGen Firewall model with a firmware version greater than or equal to 7.2.1. The following table shows which X-Series models can be migrated to a special CloudGen Firewall model.

NGX ModelNICsWIFINGF ModelNICsWIFIComments
X504-F18a4-F18 has 4 GB RAM and 50 GB (or higher) SSD storage.
X514YesF804YesF80 has 4 GB RAM and 50 GB (or higher) SSD storage.
X1004-F18a4YesF18 has 4 GB RAM and 50 GB (or higher) SSD storage.
X1014YesF804YesF80 has 4 GB RAM and 50 GB (or higher) SSD storage.
X2004-F18a or F1806 + Switch(8x)Yes

F18 has 4 GB RAM and 50 GB (or higher) SSD storage. F180 is larger, has more ports (+2) and has an 8-port unmanaged switch (8x).

X2014YesF1806 + Switch(8x)YesF180 is larger, has more ports (+2) and has an 8-port unmanaged switch (8x).
X3006-F2806 + Switch(8x)YesF280 additional has the switch (8x)
X4008-F3808- 
X6008-F4008-F400 is the largest model that supports Web-UI.
F600.C10 does not have a Web-UI.

Only migrate an X-Series Firewall to a CloudGen Firewall with a factory default configuration. For more information, see How to Reset a Hardware F-Series Firewall to Factory Defaults.

Migration of Information from the X-Series to the CloudGen Firewall

Note: The following information will NOT be imported into the CloudGen Firewall:

Information

Comment
Management IP configuration

To avoid conflicting management IP addresses on the X-Series and CloudGen Firewalls, the management IP address will not be migrated to the CloudGen Firewall.

BridgingFor security reasons, bridging configuration is not migrated to the CloudGen Firewall.
Authoritative DNSAuthoritative DNS is not available on CloudGen Firewalls with the Web UI.
BackupsCreating backups on an X-Series Firewall provides completely different options than on a CloudGen Firewall.
LogsNo log files from an X-Series Firewall are migrated to a CloudGen Firewall.
System serial / licensesThe target system has its own serial number / licenses.
Access Rules
  • All access rules with "Redirect to Service Details" set to "Proxy".
  • All access rules with "Redirect to Service Details" set to "DNS".
User credentials

The password will be the default one on the new CloudGen Firewall. Also note that the user name is different by default:

  • X-Series is "admin"
  • CloudGen is "root"

Note: The following information WILL be updated during migration to the CloudGen Firewall:

Information

Comment
Interface GroupsOnly custom configured interface groups will be transferred to the CloudGen firewall.
Predefined interface group configurations will be omitted.
Network objects
  • Custom and predefined network objects are imported into a common table on the CloudGen firewall.
  • 3G is renamed to WWAN.
Service objects
  • Predefined service objects are not imported on the CloudGen firewall.
  • Custom service objects are imported into a common table on the CloudGen firewall. Both custom AND predefined service objects are editable on the CloudGen firewall.

The following port numbers are changed:

  • ENDPOINTMAPPER: port changed from TCP 113 to TCP 135 UDP 135
  • RDP: TCP 3389 to TCP 3389 UDP 3389
  • SMTPS: TCP 587 to TCP 465 587
Connection objects

Connection objects are renamed:

  • Dynamic SNAT is renamed to Dynamic NAT.
  • No SNAT is renamed to Original Source IP.

Client-to-Site VPN Settings

To authenticate a VPN tunnel on the X-Series Firewall, you can select one of three options in the section IPSEC SETTINGS. Note that because the option Shared Key is not present on the CloudGen Firewall, the option Shared Key or Client Certificate is set in case Shared Key was previously set on the X-Series Firewall.
cg_vpn_shared_key_or_client_certificate.png

Step 1. Create a Configuration Backup of Your X-Series Firewall

  1. Log into your X-Series Firewall.
  2. Go to ADVANCED > Backups.
  3. In the MANUAL BACKUPS section, click Backup Now.
    xs_create_backup.png
  4. Depending on the specific settings of your browser, the file will be saved to your computer.

Step 2. Restore the Configuration Backup to Your CloudGen Firewall

  1. Log into your CloudGen Firewall.
  2. Go to ADVANCED > Backups.
  3. Click in the address bar of your browser and append &expert=1 to the current URL.
    enable_expert_mode_00.png
  4. The firewall will reload the page in expert mode, which adds additional configuration fields and is indicated by the highlighted menu bar item Expert Variables.
    cg_now_in_expert_mode.png
  5. In MIGRATE FROM X-SERIES FIREWALL, click Restore from X-Series BAK file.
    cg_restore_from_xs_bak.png
  6. In the Restore from X-Series BAK file window, read the information.
  7. If it is safe for you to do so, click Select X-Series BAK file.
    cg_restore_from_xs_bak_notification.png
  8. In the file selection window, select the backup file to restore from.
  9. The firewall loads the configuration data from the backup file and restarts with the new configuration setup.
  10. The firewall shows a window indicating that migration is in progress.
    migrating x-series.png
  11. Log into the CloudGen Firewall.
  12. To re-activate the network configuration changes, click click here inside of the info box.
    cg_reactive_network_changes.png
  13. After the network re-activation is complete, your CloudGen Firewall will display the current firmware version number.

Scroll to the bottom of the web page and verify that the migrated version is the same as on your X-Series Firewall, e.g.:
cg_version_after_migration.png

Unlike on an X-Series Firewall, the VPN service is not enabled on the CloudGen Firewall by default. Therefore, the VPN service will not be enabled automatically after the migration from the X-Series to the CloudGen Firewall.

Step 3. (optional) Make Final Configuration Changes to Your New CloudGen Firewall

You now have two firewalls running with different management IP addresses and different box level configurations. Because some configurations were not migrated, you can now decide whether to reconfigure them manually on the CloudGen Firewall.

If you want to replace your X-Series Firewall, reconfigure the CloudGen Firewall with the management IP address of your X-Series Firewall and power off the X-Series Firewall.