ScreenOS Firewalls (NOT SRX)
Reply
Regular Visitor
absinthedjesus
Posts: 9
Registered: ‎08-10-2008
0

NS500 to ISG1000 Migration

Hi

 

I am about to migrate from NS500 to 2xISG1000. Has anyone done this, and are there any issues that I should be aware of ?

I am assuming that I can just import the config file across, and alter the interfaces and all should work fine?

Thanks

Contributor
JUNOS_damon
Posts: 18
Registered: ‎10-06-2008
0

Re: NS500 to ISG1000 Migration

1. Do you have the new ISGs already? If so, do a mock upgrade in a lab network and see what problems you run in to.

 

2. Is the NS500 a stand alone? If so, you dont have a NSRP config.

 

3. Are you using an IDP card? The NSM? VPNs?

 

4. Are you going from 5.X code to 6.X code?

 

a lot to think about. I would try it in a lab first.

 

-damon

Super Contributor
mehdi
Posts: 240
Registered: ‎08-19-2008
0

Re: NS500 to ISG1000 Migration

hi,

 i think you should to check you inteface names  because i don't thnos so between a both device have a same interfaces

 

i meted the same situation but between NS 208 to ISG 1000 i keeped  the name zone the IPs ......etc i do this 

i created the interface on ISG 1000 with IP ....ect, after that i bint the all interfaces to thier respective zone and  i put the config files without interface section, ofcouorse i meeted some mistake but i resolved it manually.

 

regarding NSRP i created it mannually.

 

good luck

Regard    

**If this reply solved your problem click on Kudos **
Kind Regard
http://www.linkedin.com/in/mkhitmane
personal mail: mehdi.khitmane@gmail.com
Trusted Contributor
him007
Posts: 34
Registered: ‎09-21-2008
0

Re: NS500 to ISG1000 Migration

yes, I have done the same last week :smileyhappy:

 

Only you have to manually configure the ethernet settings, firewall hostname (if required).

 

him007

Regular Visitor
absinthedjesus
Posts: 9
Registered: ‎08-10-2008
0

Re: NS500 to ISG1000 Migration

Thanks for that. So basically, I will need to create the untrust/trust interfaces, and what ports theya re to reside on. Then do an import of the config from the old f/wall, less the interface specifics, like eth0/1 etc. That should then bind the policy to the interfaces untrust/trust, which have already been assigned fibre/ethernet ports?

 

Seems that all should be simple to do, as most things with  Juniper are. But just incase, good to get some ideas and feedback from those who have gone before.

Thanks again fro your advice.

 

Trusted Contributor
him007
Posts: 34
Registered: ‎09-21-2008
0

Re: NS500 to ISG1000 Migration

Yes, so many questions would come, if in ns500 you are using ethernet would use same in isg1000 not gbic ports.

In ns500 you will get eth1/1.... & isg 1000 ethernet 1/1 .......

first you sav the config from ns500 using CLI (admin login):

save conf from flash to tftp x.x.x.x ( you have to install the tftp server in any windows machine & should be reachable from firewall)
OR
using WebUI sav the config (easy :smileyhappy: job )

done!

edit the config do the interface settings manually..
note: you should chek that your firewall ns500 should not use any authentication like radius etc.. because once you upload the config in ISG1000 you will loose the authentication.
2. edit the management ip also.
& save it!

upload the same config in isg1000 either cli or webui

& test the stanby, whether everything is ok or not.....

these are the IMP checks to do this type of implementations...

him007


Regular Visitor
absinthedjesus
Posts: 9
Registered: ‎08-10-2008
0

Re: NS500 to ISG1000 Migration

Hi 

 

Thanks for that. I have just received my 2xISG1000 and am looking to get the xml config that I exported from the NS500 onto one of the ISG's. I will set up the HA later. There does not seem to be a mechanism to import the config like with the NSM.

Do you know how I can import the config into the ISG?

Another alternative I guess would be to connect the ISG to the NSM and use the NSM to do the importing. I currently manage 4xfirewalls off the NSM, and am just a little concerned that something may go wrong.

The ISGs are in my office and would only have one connection to the network for the config part. Once all done , would like to deploy them, and replace the NS500.

 

I guess that it will just be a long task of changing all the interfaces etc in the config. I have something like 600+ rules in the firewall. Also the NS500 is in transparent mode, and want to put ISGs in route mode for external VPNs and logging.

Any and all help or heads up would be appreciated.

Thanks

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.