Precautions before migration

Before you migrate your firewall to an EVA model, read the following information carefully:

Automatic cloud backups

If your firewall has been configured to send automatic backup files to your personal Mystormshield area, back up your configuration locally before migrating your firewall.

Once the firewall's serial number changes during the migration procedure, all backup files relating to the former serial number will no longer be available in your personal Mystormshield area.

Services associated with the firewall's serial number

SPNEGO authentication:

To configure SPNEGO authentication, you need a DNS entry in order to redirect the user to the firewall's authentication service. For further information, refer to the technical note SSO Configuration - Microsoft SPNEGO.

In most cases, this entry contains the firewall's serial number, so this DNS entry needs to be changed to include the new serial number or a generic name instead of the serial number, such as myfirewall.mydomain.com.

SSL proxy:

The SSL proxy's default authority is generated using the firewall's serial number. After you migrate the firewall to an EVA model, the proxy will continue to run but presents a certificate with the Name and Issuer fields corresponding to the former serial number.

High availability configuration (HA cluster)

In HA clusters, HA must first be disabled before each member of the cluster is migrated to the EVA model.

  1. Apply version 3.8.0 to the “active” firewall in the cluster. This firewall will restart and become “passive”.
  2. Shut down the second member of the cluster, which became “active”.
  3. On the firewall in version 3.8.0, in System > CLI console, run these commands:
  4. CONFIG HA STATE OFF
    CLUSTER LIST
    HA CLUSTER REMOVE SERIAL=Firewall1_serial_number
    HA CLUSTER REMOVE SERIAL=Firewall2_serial_number
    HA CLUSTER ACTIVATE
    CONFIG HA ACTIVATE

  5. Apply the EVA activation kit. The firewall will restart.
  6. Log in to the firewall and create a new cluster.
  7. Create a new EVA firewall, which will be the second member of the cluster.
  8. As soon as it starts up, add it to the cluster created earlier.

The HA configuration generated accordingly will take into account the firewalls' new serial numbers.