Precautions before migration
Before beginning the procedure of migrating a firewall to an EVA model, please read the following information carefully:
Automatic cloud backups
If your firewall has been configured to send automatic backup files to your Mystormshield area, perform a local configuration backup before migrating your firewall.
Once the firewall's serial number is changed during the migration procedure, all backup files relating to the former serial number will no longer be available in your Mystormshield private area.
Services associated with the firewall's serial number
The configuration of SPNEGO authentication requires a DNS entry in order to redirect the user to the firewall's authentication service (see. Technical Note on SSO Configuration - Microsoft SPNEGO).
In most cases, this entry contains the firewall's serial number, so this DNS entry needs to be changed to include the new serial number or to use a generic name instead of the serial number (e.g.: myfirewall.mydomain.com).
The SSL proxy's default authority is generated using the firewall's serial number. Before migrating the firewall to an EVA model, the proxy will continue to run but presents a certificate with the Name and Issuer fields corresponding to the former serial number.
High availability configuration (HA cluster)
In HA clusters, HA must first be disabled before starting the migration of each member of the cluster to the EVA model.
To do so:
- Apply SNS v3.8.0 on the Active member of the cluster.
This firewall reboots and becomes Passive.
- Shutdown the second member of the cluster which has become Active.
- On the Active firewall (v3.8.0), in System > CLI Console module:
- Apply EVA initialization Kit. The firewall reboots.
- Log on the firewall and build a new cluster.
- Build a new EVA firewall which will become the second member of the cluster.
- Join this new firewall to the previously created cluster.
CONFIG HA STATE OFF
HA CLUSTER REMOVE SERIAL=Firewall1_Serial_Number
HA CLUSTER REMOVE SERIAL=Firewall2_Serial_Number
HA CLUSTER ACTIVATE
CONFIG HA ACTIVATE
The HA configuration generated accordingly will take into account the firewalls' new serial numbers.