To move a configuration from one Firebox to another Firebox, you must use Policy Manager.
Do not try to restore a backup image created from a different Firebox. Each backup image is unique to a single device; it includes the serial number, certificates, and private keys for that device.
In Policy Manager, you edit the configuration from the original Firebox, update the feature key with the feature key for the new Firebox, and then save the updated configuration to the new Firebox. When you import a new feature key to your existing configuration file, Policy Manager automatically updates the existing configuration file so that it operates correctly with the new Firebox serial number and model specified in the feature key.
The procedure to move a configuration to a new Firebox also applies to FireboxV and XTMv.
To upgrade a FireCluster pair to a new hardware model, you must disable FireCluster in your Firebox configuration, then add the feature key for one of the new cluster members. After you save the configuration to the new Firebox, you can configure a FireCluster as usual. For more information about FireCluster configuration steps, see Configure FireCluster. For information about how to configure a new RMA Firebox that replaces a member of a FireCluster, see Configure a Replacement (RMA) FireCluster Member.
When you move a configuration file to a new Firebox, the file does not include manually configured users and roles for Firebox administration. You must manually add them to the new Firebox.
When you move a configuration file from one Firebox to another Firebox, you must:
- Remove the feature key for the old Firebox from the configuration file.
- Add the feature key for the new Firebox to the configuration file.
- If the new feature key is for a different model with a different number of interfaces, review and update the network interface configuration.
- If the new Firebox runs a different version of Fireware OS, update the OS Compatibility setting.
- Save the configuration to the new Firebox.
- If the new configuration file is an upgrade to a newer Fireware release, make sure to review the release-specific upgrade notes, especially if you use Policy-Based Routing or RADIUS authentication. For more information, see Release-Specific Upgrade Notes.
To update your configuration file, from Policy Manager:
- If you have not already done so, get a feature key for your new Firebox.
- Open your existing Firebox configuration in Policy Manager.
- Select Setup > Feature Keys.
The Firebox Feature Key dialog box appears.
- To remove the current feature key, click Remove.
- To add the new feature key, click Import.
The Import Firebox Feature Key dialog box appears.
- Open the feature key file for the new Firebox and paste the contents of the feature key in the Import Firebox Feature Key dialog box.
- Click OK.
The model information and features from the new feature key appear in the Firebox Feature Key dialog box.
- Click OK.
If your new Firebox model has a different number of interfaces than the old device model, Policy Manager shows a message that advises you to verify the configuration of the network interfaces.
To update or verify the device name or time zone, select Setup > System.
- Select Setup > Authentication > Web Server Certificate.
- Make sure that Default certificate signed by the Firebox is selected.
- If you have a third-party certificate, the option Third party certificate is selected. You must select Default certificate signed by the Firebox instead.
In the next section, you import the third-party certificate on the new Firebox.
- Select Network > Configuration and review the network interface configuration.
- If the new Firebox runs a different version of Fireware OS, update the OS Compatibility setting to the OS version that the new Firebox uses.
To save the updated configuration to the new Firebox:
- Connect your computer to a trusted or optional network interface on the new Firebox.
- From Policy Manager, select File > Save > To Firebox.
- In the IP Address or Name text box, type the IP address of the new Firebox.
- In the User Name and Passphrase text boxes, type the credentials of a user with Device Administrator privileges on the new device.
If the new Firebox has a default configuration, the User Name is admin and the Passphrase is readwrite.
- From the Authentication Server drop-down list, select the correct authentication server for the user account you specified.
If the new Firebox has a default configuration, the Authentication Server is Firebox-DB.
- If you use an Active Directory server for authentication, in the Domain text box, type the domain name of your Active Directory server.
- Click OK.
- In the File Name text box, type the file name to save the configuration file.
- Click Save.
If the IP address you specified in Step 3 is not the same as any of the IP addresses in the configuration file, a warning message appears.
- If a warning message appears, to confirm that you want to save the file, click Yes.
- If you have a third-party certificate, you must import the certificate now. For more information about the import and installation process, see Import and Install a Third-Party Web Server Certificate.
After you save a configuration file that changes the IP address of the Firebox interface that your computer is connected to, before you can connect to the Firebox, you must make sure your computer has an IP address on the same network as the updated interface IP address.
The new Firebox has a different MAC address than the original Firebox. Devices in your network might fail to communicate with the new Firebox until their old ARP entries for the Firebox IP address expire. This can take up to sixty minutes or require you to reboot the affected devices. If a device in your network has a static ARP entry configured for the Firebox IP address, you must change it.
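To check a Linux host for the stale ARP entry described above, the following added example (not part of the original documentation) classifies the host's neighbor entry for the Firebox IP from `ip neigh show` output. The function names are hypothetical, and the IP and MAC addresses are constructed sample values.

```shell
#!/bin/sh
# Added example (hypothetical helper names; sample data is constructed).
# Classifies a Linux host's neighbor (ARP) entry for the Firebox IP after the
# hardware swap, reading `ip neigh show` output on stdin.

classify_arp_entry() {
    # $1 = Firebox IP, $2 = MAC of the old Firebox, $3 = MAC of the new Firebox
    awk -v ip="$1" -v oldmac="$2" -v newmac="$3" '
        BEGIN { oldmac = tolower(oldmac); newmac = tolower(newmac); result = "missing" }
        $1 == ip {
            mac = ""; state = $NF            # last field is the neighbor state
            for (i = 2; i < NF; i++)
                if ($i == "lladdr") mac = tolower($(i + 1))
            if (mac == "")           result = "missing"        # FAILED/INCOMPLETE
            else if (mac == newmac)  result = "ok"
            else if (mac == oldmac)  result = (state == "PERMANENT") ? "stale-static" : "stale-dynamic"
            else                     result = "unexpected-mac" # neither device: investigate
        }
        END { print result }
    '
}

# Constructed sample: the host still maps the Firebox IP to the old MAC.
sample_neigh_table() {
    cat <<'EOF'
10.0.1.1 dev eth0 lladdr 02:00:00:00:00:0a STALE
10.0.1.50 dev eth0 lladdr 02:00:00:00:00:33 REACHABLE
EOF
}

# Live use on a host: ip neigh show | classify_arp_entry <firebox-ip> <old-mac> <new-mac>
sample_neigh_table | classify_arp_entry 10.0.1.1 02:00:00:00:00:0A 02:00:00:00:00:0B
```

A `stale-dynamic` result clears when the entry expires, while `stale-static` is the static ARP entry case that must be changed by hand. An `unexpected-mac` result means the Firebox IP resolves to a MAC that belongs to neither device and should be investigated.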
If your new Firebox is an M4600 or M5600, or any other Firebox that has removable interface modules, the number of configurable interfaces that appear in Policy Manager depends on the interface modules installed on the Firebox. After you save the configuration to the new Firebox, you must open the configuration file from the new Firebox to update the interface list.
To open the configuration from the Firebox and see the list of installed interfaces, from Policy Manager:
- Select File > Open > Firebox.
- In the User Name and Passphrase text boxes, type the credentials for a Device Monitor (read-only) user account.
- If you use an Active Directory server for authentication, the Domain text box appears. Type the domain name of your Active Directory server.
- Click OK.
The configuration file appears in Policy Manager.
- Select Network > Configuration.
The Network Configuration dialog box appears with the Interfaces tab selected.