Firewall Commissioning USG FLEX 700 (taking-over from USG110)

USG_User
USG_User Posts: 369  Master Member
Hi guys,
We are happy, the vessel with new Zyxel hardware has reached Europe and we were able to purchase a USG FLEX 700, which has already been delivered.
But it's the first time we have to move our FW adjustments and rules from an "old" device to a new one without the opportunity to use the Zyxel config converter. Unfortunately the converter is not available for changing from a USG110 to a USG FLEX 700.
That's why we have to set up the new FLEX by hand, step by step. :'(

But before I start by "trial and error": is it possible to connect the FLEX700 by only one physical port (e.g. GE3) to our LAN1, meaning it gets an IP from the USG110 DHCP server in the 192.168.21.xxx range, so that I'm able to reach it from my LAN1 machine for complete manual configuration?
This means that I configure all other physical ports, set up NAT rules, security rules, forwardings, etc., but without connecting all other physical ports of the USG FLEX. Only when the complete setup has been arranged would we replace the old USG110 with the new FLEX700 and hope that all is running without any delay in production.

Or will the FLEX700 present permanent error messages, when creating rules for ports which are presently not yet connected?

All Replies

  • zyman2008
    zyman2008 Posts: 197  Master Member
    USG_User,
    It's better to set up a temporary WAN interface (IP: get via DHCP) on FLEX700.
    And create another LAN interface/subnet on USG110 with DHCP server enabled.
    Then connect it to the temporary interface port of FLEX700.

    This prevents the routing conflict with the USG110 LAN1 subnet once you set up the current LAN1 subnet as the FLEX700 LAN1 subnet.
    Then you can set up FLEX700 via the IP address of the temporary interface.

    All configuration can be created on FLEX700 without other ports connected.
    But you need to disable the connectivity check on FLEX700 or add the temporary interface as default route, if you have a policy route / user-defined WAN trunk which only routes to the not-connected interfaces/ports.
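Two pre-checks for the staging approach described in this reply, as an added example that is not code from the thread or from Zyxel: an overlap check for the temporary management subnet against the subnets the new firewall will take over, and a check of whether the default route still has a usable member while the WAN ports are unplugged. Only LAN1 192.168.21.0/24 comes from the thread; every other subnet, interface name and link state is constructed.

```python
from ipaddress import ip_network

# Subnets the FLEX700 will serve once it replaces the USG110.
TARGET_SUBNETS = {
    "LAN1": ip_network("192.168.21.0/24"),  # from the thread
    "LAN2": ip_network("192.168.22.0/24"),  # constructed
    "DMZ": ip_network("192.168.30.0/24"),   # constructed
}

def staging_conflicts(temp_subnet, targets=TARGET_SUBNETS):
    """Names of target subnets that overlap the temporary management subnet.
    Any hit means recreating that subnet on the new box clashes with the path
    used to reach it, which is the routing conflict the reply warns about."""
    temp = ip_network(temp_subnet)
    return sorted(n for n, net in targets.items() if temp.overlaps(net))

def default_route_usable(link_up, trunk_members, temp_iface):
    """Return (ok, advice). The default route is usable while at least one WAN
    trunk member has link. With every member still unplugged during staging the
    new box has no exit, so the temporary interface must carry the default
    route (or the connectivity check must be disabled, as the reply notes)."""
    if any(link_up.get(m, False) for m in trunk_members):
        return True, "trunk has a live member"
    if link_up.get(temp_iface, False):
        return False, f"add {temp_iface} as default route until WAN ports are cabled"
    return False, "no interface with link; nothing can carry the default route"

if __name__ == "__main__":
    # Staging port patched straight into the existing LAN1, as the question proposed.
    print(staging_conflicts("192.168.21.0/24"))          # ['LAN1']
    # Dedicated staging subnet on the old firewall, as the reply recommends.
    print(staging_conflicts("192.168.99.0/24"))          # []
    links = {"ge1": False, "ge2": False, "ge3": True}    # constructed link states
    print(default_route_usable(links, ["ge1", "ge2"], "ge3"))
```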

  • mMontana
    mMontana Posts: 1,298  Guru Member
    @USG_User are you sure that the converter is offline? Page some Zyxel representatives, maybe they can convert the configuration for you, eventually. Their choice, not implying that this can be arranged nevertheless.
  • USG_User
    USG_User Posts: 369  Master Member
    mMontana said:
    @USG_User are you sure that the converter is offline? Page some Zyxel representatives, maybe they can convert the configuration for you, eventually. Their choice, not implying that this can be arranged nevertheless.

    No, the converter isn't offline anymore. But you can only convert from a USG110 to a USG FLEX500, not to a USG FLEX700. I've already spoken with Zyxel's German branch and they unfortunately confirm that this is not possible. It would also be too difficult to convert to a USG FLEX500 followed by a manual edit of the config file. The likelihood of making wrong entries is too high.
  • mMontana
    mMontana Posts: 1,298  Guru Member
    Thanks for sharing the status.
    I agree with the suggestions made by @zyman2008, adding also objects for the "destination" IP addresses of every interface, to allow fast changes by just editing the object for NAT, policies, VPNs and so on.
    Don't forget to write down before starting the configuration all the tests that need to be done (and working) at first go-live. Which, IMVHO, should not be the first test.
  • Zyxel_Kevin
    Zyxel_Kevin Posts: 741  Zyxel Employee
    Hi @USG_User
    Agree with zyman2008. Build the parallel environment, then you can set up FLEX700 via the temporary interface.
    Kevin
  • USG_User
    USG_User Posts: 369  Master Member
    Hi guys,
    thanks for your replies and suggestions.
    Unfortunately our USG110 ports are presently fully occupied and we're not able to create another LAN segment with a parallel environment via an available unused USG110 port. For that reason we've purchased a FLEX700 instead of a FLEX500, which does not have enough ports for us.

    What about setting up the FLEX700 by connecting it to a stand-alone notebook on LAN1, meaning without connection to any LANs/WANs? I would only prepare all settings by taking them over from the USG110 by hand. Later, when all settings are saved, I would replace the USG110 with the FLEX700 and connect only the WAN interface and one single notebook on the LAN1 interface. If LAN1 is working correctly and securely and different tests are done, I would replace the notebook with the real LAN1 and could go forward to the next LAN/DMZ zone.
    Since both firewalls are never connected simultaneously, no routing or address conflicts should occur. But again, I don't know whether I could make any settings without WAN ports connected.

    The last option could be to take our 2nd ISP WAN connection (intended for switch-over redundancy), disconnect it from the USG110 and use it temporarily as the main WAN connection for the new FLEX700. Then I set up each single zone (by connecting one notebook directly to a FLEX port), followed by tests, and move the patch cables one after another for the different zones from the USG110 to the FLEX. Of course, USG and FLEX will report/alert when different zones are not available, but the settings should be taken over nevertheless.
