Screen OS

One of my client is upgrading the firewall from NetScreen 5GT to SSG-5-SH, I have already copy the configuration from the NetScreen, I am wondering is it possible to copy the config file into the SSG-5-SH?

You can't copy the configuration as-is, but it can be imported after a few minor changes. The most important change will be that the interface names have changed. On a standard 5GT they will be named "trust" and "untrust". In a similar configured SSG they will be named ethernet0/0 and bgroup0.

 

Off the top of my head, you'll have to change the interface names in the following parts of the config:

- the interface definitions (set interface)

- the VPN definitions (set ike gateway)

- the routing table (set route)

 

Thank you motd, I will review the config file and make the change.  Other than the inferface name, is there any other thing i have to change as well?

Hi Onii

 

As far as i know, u just need to change interface name. but for smooth migration better u simulate using the new on (SSG 5) some time some command dont supported between each other. 

 

 

Thanks

 

EL

Hi EL,

 

I have changed the interface name, but when I put the config file to the SSG5, I can able to ping it, but I can't get into the web interface to configure the firewall...

hi Onii

 

could you collect this command

 

get int <interface where u connect to web >

get socket

get config | i manager

 

 

Thanks

 

EL

Check whether the interface is manageable by using the following command:

 

get int <interface >

 

Did you have the same version of code on both the firewall ?

 

Thanks

Atif

Sorry EL, I just back home, I will go to client's site to get those information and post it here.

 

BTW, should I post the config file here and see where is the problem?

 

Atif, both firewall has the same version of code.

Hi Onii

 

all depends to you. some people wont publish the config to the public. u can sent me config private 

 

 

Thanks

 

EL

Hi EL

 

Thanks, please check PM

 

Onii

Hi Onii

 

From Config i see u setting manager ip on the firewall. so only from that source ip that can manage the firewall. if u wanna use manager-ip feature, u can add your ip address in order to manage the firewall

 

set admin manager-ip <ip address> <subnet mask>

 

 

if this works please flag my post with Accepted solution and give me some kudos 🙂

 

Thanks

 

EL

Hi EL,

 

So the only problem should be the manager ip?  Let me give it a try~

One more thing, all the config should be able to migrate to SSG5, like VPN rule and Access control?

 

Thanks

 

Onii

Hi Onii

 

please send me the 5gt config so i can compare it

 

 

Thanks

 

EL

Hi EL,

 

The config I send to you is 5GT config file, just I have changed the ethernet1 to ethernet0/1

 

Thanks

 

Onii

hi Onii

 

as per my experience, only change the interface migration will be ok. if u already try apply the config to new box,  and no error occured, i think no problem arise

 

Thanks

 

EL

Hi EL,

 

I have been try to apply the config by update it on the webUI, but no luck.  The router can ping but can't connect to the webUI, neither using console port, I have to using hardrest to get it back to work.

 

Should I using console port to type in the command one by one?

 

Thanks

 

Onii

hi Onii

 

yes usually we copy paste per  block of commands. and observe any error occured or not.

 

 

Thanks

 

EL

Hi EL

 

I am getting error on (set interface "ethernet0/2" zone "home") and (set interface "ethernet0/3" zone "Untrust"), both errors are (- - - unknown keyword zone)  but i am able to set (set interface "ethernet0/1" zone "work") without error.

 

Thanks

 

Onii

never mind, i figure out where is the problem, still trying to apply the config file to the firewall

hi , u should create the L3 zone first for zone  home and work.

 

 

Thanks

 

EL

Hi EL,

 

Finally has applied all config into the firewall, and there are 3 configs which cannot apply

 

set url protocol sc-cpa    <---- unknown keyword sc-cpa

 

set global-pro policy-manager primary outgoing-interface ethernet0/3         <--- unknown keyword outgoing-interface
set global-pro policy-manager secondary outgoing-interface ethernet0/3    <--- unknown keyword outgoing-interface

 

 

and I have set my lan card to ip address 10.10.10.10,but when I type 10.10.10.1 on IE with the cable on ethernet0/1, but i still not able to get into the WebUI.

 

Thanks

 

Onii

Hi

 

do use global pro manager for manage fw ?

for u can not access the box. please send me get interface eth0/1

 

 

Thanks

EL

HI EL,

 

Problem solved!!  I was so careless and missed to enable the  WebUI service. 

And I think I will leave the global pro manager alone.

 

Thank you so much for your help EL!!!

 

Onii

hi Onii

 

glad the problem solve already 🙂

 

 

Thanks

 

EL