Remote migration of firewall rules?

Started by guvi, Today at 06:45:45 PM


Hi,
has anyone managed to perform a migration of old firewall-rules to the new format remotely?
If so, please share any pointers/ideas on how to succeed  :-)

I did 2 of them. I would make sure you're fully up to date on the patch levels, then do the export and import. Then, instead of removing the old rules, I would disable them to make sure the new ones are working for you. Once all is confirmed you can remove the old ones. I had issues with some new rules on 26.1.1 but not on 26.1.2 and newer.

Quote from: guvi on Today at 06:45:45 PM
Hi,
has anyone managed to perform a migration of old firewall-rules to the new format remotely?
If so, please share any pointers/ideas on how to succeed  :-)


Today at 10:55:50 PM #2 Last Edit: Today at 11:01:26 PM by mokaz
Hi there,

Yes, basically 5 out of 6 migrated nodes here are remote. I always keep ways into each hypervisor from my current location while doing this, and I simply snapshot the VM before doing anything (remote access = a simple network alias (or aliases) hosting my edge WAN IPs, having access to a few DNAT rules; allowing HTTPS management over the hypervisor + a ThinLinc-enabled Linux host + 127.0.0.1/32:OPNsense_admin_port). Although yes, if these rules fail, I may be in trouble.

I've successfully done the rules migration on all of them -- the single issue in the wizard was a leftover rule addressing a gateway that no longer exists. I started by doing the local node to assess that my remote access rules were fully migrated and working fine (tested from a remote site)...

Another safety net I've sometimes used was a complete "clone" of the untouched VM in its running state. On the clone I'd set the "start at boot" parameter so it's enabled while the clone remains powered off for now. Then I'd remove that same parameter from the currently running VM (do NOT start on boot), on which I'd conduct the updates. You do your things; if all goes well, you can drop the clone and re-set the start-at-boot parameter on the main VM. If in trouble, you'd have to reboot the host and analyze what went wrong.

I'm sorry I wouldn't be of much help if you're using hardware appliances.

Hope this helps a bit.
Cheers,
m.
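Both replies above rely on a safety net that brings the pre-migration state back if the new rules cut off remote access (disabled old rules, a VM snapshot, a clone armed to start at boot). As an added example that is not code from either poster or from the OPNsense project, the script below is a timed rollback along the same lines for the appliance case: it copies the live config aside and restores it after a delay unless you confirm you still have access. It assumes the config lives at /conf/config.xml and that `configctl filter reload` re-applies it; both, and every other path, can be overridden through the environment.

```shell
#!/bin/sh
# Timed rollback for a remote firewall config change (added example).
# Assumptions: CONFIG is the live config (OPNsense: /conf/config.xml) and
# RELOAD re-applies it (assumed: configctl filter reload). All overridable.
CONFIG="${CONFIG:-/conf/config.xml}"
BACKUP_DIR="${BACKUP_DIR:-/conf/backup}"
RELOAD="${RELOAD:-configctl filter reload}"
DELAY="${DELAY:-600}"                      # seconds until rollback fires
STATE="${STATE:-/tmp/migration_rollback}"  # timer pid + backup path

# arm: save the current config, then start a background timer that puts
# it back unless disarm runs first (i.e. you can still log in).
arm() {
  mkdir -p "$BACKUP_DIR" "$STATE" || return 1
  backup="$BACKUP_DIR/config-premigration-$(date +%Y%m%d%H%M%S).xml"
  cp "$CONFIG" "$backup" || return 1
  printf '%s\n' "$backup" > "$STATE/backup"
  ( sleep "$DELAY" && rollback ) &
  echo $! > "$STATE/pid"
  echo "armed: $backup will be restored in ${DELAY}s unless disarmed"
}

# disarm: migrated rules verified from the outside; cancel the timer.
disarm() {
  [ -f "$STATE/pid" ] && kill "$(cat "$STATE/pid")" 2>/dev/null
  rm -f "$STATE/pid" "$STATE/backup"
  return 0
}

# rollback: restore the saved config and reload the filter.
rollback() {
  [ -f "$STATE/backup" ] || return 1
  cp "$(cat "$STATE/backup")" "$CONFIG" && $RELOAD || return 1
  rm -f "$STATE/pid" "$STATE/backup"
}

# usage: ./rollback.sh arm   (before the migration)
#        ./rollback.sh disarm (once access is confirmed from a remote site)
case "${1:-}" in
  arm) arm ;; disarm) disarm ;; rollback) rollback ;;
esac
```

Run `arm` before starting the wizard and `disarm` only after testing management access from outside, as mokaz did from a remote site.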