1. Do you have the new ISGs already? If so, do a mock upgrade in a lab network and see what problems you run in to.

 

2. Is the NS500 a stand alone? If so, you dont have a NSRP config.

 

3. Are you using an IDP card? The NSM? VPNs?

 

4. Are you going from 5.X code to 6.X code?

 

a lot to think about. I would try it in a lab first.

 

-damon

hi,

 i think you should to check you inteface names  because i don't thnos so between a both device have a same interfaces

 

i meted the same situation but between NS 208 to ISG 1000 i keeped  the name zone the IPs ......etc i do this 

i created the interface on ISG 1000 with IP ....ect, after that i bint the all interfaces to thier respective zone and  i put the config files without interface section, ofcouorse i meeted some mistake but i resolved it manually.

 

regarding NSRP i created it mannually.

 

good luck

Regard    

yes, I have done the same last week

 

Only you have to manually configure the ethernet settings, firewall hostname (if required).

 

him007

Thanks for that. So basically, I will need to create the untrust/trust interfaces, and what ports theya re to reside on. Then do an import of the config from the old f/wall, less the interface specifics, like eth0/1 etc. That should then bind the policy to the interfaces untrust/trust, which have already been assigned fibre/ethernet ports?

 

Seems that all should be simple to do, as most things with  Juniper are. But just incase, good to get some ideas and feedback from those who have gone before.

Thanks again fro your advice.

 

Yes, so many questions would come, if in ns500 you are using ethernet would use same in isg1000 not gbic ports.

In ns500 you will get eth1/1.... & isg 1000 ethernet 1/1 .......

first you sav the config from ns500 using CLI (admin login):

save conf from flash to tftp x.x.x.x ( you have to install the tftp server in any windows machine & should be reachable from firewall)
OR
using WebUI sav the config (easy job )

done!

edit the config do the interface settings manually..
note: you should chek that your firewall ns500 should not use any authentication like radius etc.. because once you upload the config in ISG1000 you will loose the authentication.
2. edit the management ip also.
& save it!

upload the same config in isg1000 either cli or webui

& test the stanby, whether everything is ok or not.....

these are the IMP checks to do this type of implementations...

him007

Hi 

 

Thanks for that. I have just received my 2xISG1000 and am looking to get the xml config that I exported from the NS500 onto one of the ISG's. I will set up the HA later. There does not seem to be a mechanism to import the config like with the NSM.

Do you know how I can import the config into the ISG?

Another alternative I guess would be to connect the ISG to the NSM and use the NSM to do the importing. I currently manage 4xfirewalls off the NSM, and am just a little concerned that something may go wrong.

The ISGs are in my office and would only have one connection to the network for the config part. Once all done , would like to deploy them, and replace the NS500.

 

I guess that it will just be a long task of changing all the interfaces etc in the config. I have something like 600+ rules in the firewall. Also the NS500 is in transparent mode, and want to put ISGs in route mode for external VPNs and logging.

Any and all help or heads up would be appreciated.

Thanks