Precautions before migration
Before you migrate your firewall to an EVA model, read the following information carefully:
Automatic cloud backups
If your firewall has been configured to send automatic backup files to your personal Mystormshield area, back up your configuration locally before migrating your firewall.
Once the firewall's serial number changes during the migration procedure, all backup files relating to the former serial number will no longer be available in your personal Mystormshield area.
Services associated with the firewall's serial number
To configure SPNEGO authentication, you need a DNS entry in order to redirect the user to the firewall's authentication service. For further information, refer to the technical note SSO Configuration - Microsoft SPNEGO.
In most cases, this entry contains the firewall's serial number, so this DNS entry needs to be changed to include the new serial number or a generic name instead of the serial number, such as myfirewall.mydomain.com.
The SSL proxy's default authority is generated using the firewall's serial number. After you migrate the firewall to an EVA model, the proxy will continue to run but presents a certificate with the Name and Issuer fields corresponding to the former serial number.
High availability configuration (HA cluster)
In HA clusters, HA must first be disabled before each member of the cluster is migrated to the EVA model.
- Apply version 3.8.0 to the “active” firewall in the cluster. This firewall will restart and become “passive”.
- Shut down the second member of the cluster, which became “active”.
- On the firewall in version 3.8.0, in System > CLI console, run these commands:
- Apply the EVA activation kit. The firewall will restart.
- Log in to the firewall and create a new cluster.
- Create a new EVA firewall, which will be the second member of the cluster.
- As soon as it starts up, add it to the cluster created earlier.
CONFIG HA STATE OFF
HA CLUSTER REMOVE SERIAL=Firewall1_serial_number
HA CLUSTER REMOVE SERIAL=Firewall2_serial_number
HA CLUSTER ACTIVATE
CONFIG HA ACTIVATE
The HA configuration generated accordingly will take into account the firewalls' new serial numbers.