Network FW upgrade to Sophos redundant Firewall
Sophos Firewall redundant project implementation approach:
For large businesses, where continuous service must be ensured 24/7, our approach is to stage the new firewalls in a separate VLAN, where possible with a temporary Internet connection:
- In general, we recommend that both devices are racked and cabled to the network switches, with the switch ports configured so that the firewalls do not yet communicate with the production network (for example, the switch ports facing the Sophos devices are placed in a VLAN that is not used anywhere else).
- In this case, we temporarily configure one of the Sophos ports with an IP address that is otherwise unused on the network; it will not be used in production, but it lets us reach the device and perform administrative tasks.
- On the Sophos device, we will make all the necessary settings.
- If possible, we request a virtual machine placed in the same temporary VLAN as the LAN port of the Sophos firewall so that we can perform the basic tests.
- If possible, we test the Internet functionality of the Sophos firewall and the Site-to-Site VPN connections in a scheduled window (Internet connections are migrated from the old firewall to the Sophos firewall one by one). Additional tests can be run from the virtual machine while the old firewall is still live on the network.
- Based on the test results, we plan the UAT (on a weekend day) and the pilot, during which the main firewall is taken out of the network and Sophos goes live. The outcome of User Acceptance Testing (UAT) determines how the pilot and go-live are carried out.
In many cases the old and new firewalls can operate side by side so that the transition does not interrupt service. A preliminary conversation is therefore needed to learn the topology (how the network devices are connected) and to plan the project in the way that best suits the business needs.
Sophos Firewall redundant project in-scope activities:
We perform the requirements analysis during the contract phase in order to select the proper Sophos hardware and the required license, and to prepare the simplified migration plan.
- On-site inspection (if necessary)
- Create complete documentation
- Set firewall rules (either exported from the current firewall or configured from scratch)
- Detailed migration planning
- Installation in a rack and connection to the network switches
- Perform configurations
- Prepare firewall settings
- Set up Internet, email, and spam filtering
- Basic and detailed testing – depending on the settings we make and how the pilot is designed
- Finalize the pilot plan aligned with the settings
- Pilot execution, in-depth testing and assessment of the results
- Fine-tuning – adjust settings based on the pilot results
- Transition according to plan
- Final fine-tuning after the transition
- Implement support and monitoring
Sophos Firewall redundant project Hardware and software requirements:
Required physical equipment
- 2 x Sophos UTM: the exact model is agreed upon during the requirements analysis phase and depends mainly on the number of users, the number of Internet connections, and the bandwidth.
Required software
- Sophos Full Guard License (also finalized in the requirements analysis phase)
Sophos Firewall redundant project pre-requirements:
- Redundant LAN connections for the two separate devices – link aggregation must be provided
- Redundant Internet connections / multiple Internet connections, together with their connection details and provider contact information
- Free rack space and free switch ports, with link aggregation set up
- If you don’t operate the network devices: Set up switch port (teaming/link aggregation setup, tagged and untagged VLAN setup)
- Resources for testing and for tracking changes during the migration according to ITIL processes