SonicWall GEN8 TZs and GEN8 NSas Settings Migration

Description

The SonicWall GEN8 TZ Series and GEN8 NSa Series firewalls introduce in-product migration capabilities that allow administrators to import configuration settings from supported legacy SonicWall firewalls. This greatly simplifies the upgrade process by eliminating the need for manual reconfiguration during hardware refresh or platform upgrade.

Settings Import Feature:

  • Export/Import settings
  • Devices must be entirely configured from scratch in a typical greenfield deployment (new setup). With GEN8 firewalls, you can import .exp configuration files from supported legacy devices, streamlining migration.
  • The GEN8 TZ and NSa firewalls support in-product migration from select current and previous generation SonicWall firewalls.
  • This feature is especially useful when upgrading from GEN6 or GEN7 models.

Key Benefits:

  • Reduces time spent on manual configuration
  • Maintains policy consistency across hardware generations
  • Simplifies deployments and rollback planning

Pre-Requisites: The following devices are supported as source firewalls from which settings can be exported and imported to GEN8 TZs and NSa models:

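Source Firewall (rows) / Destination Firewall (columns)

| SonicOS 7 Device | TZ80 | TZ280 | TZ380 | TZ380W | TZ480 | TZ580 | TZ680 | NSa2800 | NSa3800 | NSa 4800 | NSa 5800 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| TZ270 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ270W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ370 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ370W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ470 | N | Y | Y | Y* | Y | Y | Y | Y* | Y* | Y* | Y* |
| TZ470W | N | Y* | Y* | Y | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ570 | N | Y | Y | Y* | Y | Y | Y | Y* | Y* | Y* | Y* |
| TZ570P | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ570W | N | Y* | Y* | Y | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ670 | N | N | N | N | Y | Y | Y | Y* | Y* | Y* | Y* |
| NSA2700 | N | N | N | N | N | N | N | Y | Y* | Y* | Y* |
| NSA3700 | N | N | N | N | N | N | N | Y* | Y | Y* | Y* |
| NSA4700 | N | N | N | N | N | N | N | N | Y* | Y* | Y* |
| NSA5700 | N | N | N | N | N | N | N | N | N | Y | Y |
| NSA6700 | N | N | N | N | N | N | N | N | N | N | Y* |
| NSSP10700 | N | N | N | N | N | N | N | N | N | N | N |
| NSSP11700 | N | N | N | N | N | N | N | N | N | N | N |
| NSSP13700 | N | N | N | N | N | N | N | N | N | N | N |
| NSSP15700 | N | N | N | N | N | N | N | N | N | N | N |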

 

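| SonicOS 6/6.5 Device | TZ80 | TZ280 | TZ380 | TZ380W | TZ480 | TZ580 | TZ680 | NSa2800 | NSa3800 | NSa 4800 | NSa 5800 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SOHOW | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| SOHO250 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| SOHO250W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ300 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ300P | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ300W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ350 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ350W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ400 | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ400W | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ500 | N | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ500W | N | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ600 | N | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| TZ600P | N | N | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |
| NSA2600 | N | N | N | N | N | N | N | Y* | Y* | Y* | Y* |
| NSA2650 | N | N | N | N | N | N | N | Y# | Y* | Y* | Y* |
| NSA3600 | N | N | N | N | N | N | N | Y* | Y* | Y* | Y* |
| NSA3650 | N | N | N | N | N | N | N | N | Y* | Y* | Y* |
| NSA4600 | N | N | N | N | N | N | N | N | Y* | Y* | Y* |
| NSA4650 | N | N | N | N | N | N | N | N | Y* | Y* | Y* |
| NSA5600 | N | N | N | N | N | N | N | N | N | Y* | Y* |
| NSA5650 | N | N | N | N | N | N | N | N | N | Y* | Y* |
| NSA6600 | N | N | N | N | N | N | N | N | N | N | Y* |
| NSA6650 | N | N | N | N | N | N | N | N | N | N | Y* |
| SM9200 | N | N | N | N | N | N | N | N | N | N | N |
| NSA9250 | N | N | N | N | N | N | N | N | N | N | N |
| SM9400 | N | N | N | N | N | N | N | N | N | N | N |
| NSa9450 | N | N | N | N | N | N | N | N | N | N | N |
| SM9600 | N | N | N | N | N | N | N | N | N | N | N |
| NSa9650 | N | N | N | N | N | N | N | N | N | N | N |
| SM9800 | N | N | N | N | N | N | N | N | N | N | N |
| NSSP12400 | N | N | N | N | N | N | N | N | N | N | N |
| NSSP12800 | N | N | N | N | N | N | N | N | N | N | N |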

 

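| SonicOS 5 Device | TZ80 | TZ280 | TZ380 | TZ380W | TZ480 | TZ580 | TZ680 | NSa2800 | NSa3800 | NSa 4800 | NSa 5800 |
|---|---|---|---|---|---|---|---|---|---|---|---|
| SOHO | Y | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* | Y* |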

Legend for the table above:

| Symbol | Meaning |
|---|---|
| Y | Supported |
| N | Unsupported |
| Y* | Supported, but import will fail if VLAN or Tunnel Interfaces are present in the settings file. Important: Removing the VLAN or tunnel interface configuration so that the settings import succeeds is the recommended approach. Alternatively, use the existing Migration Tool to convert the settings and import them to the GEN8 firewalls. |
| Y# | In-Product Migration is unsupported. Use the Migration App via NSM for settings migration. |

TIP: Due to an interface mismatch between NSa2650 and NSa2800, please use the Migration App on NSM to perform settings migration from NSa2650 to NSa2800.  

NOTE: Importing settings from a firewall running SonicOS 7.3.x and above with TOTP configured into SonicOS 8.0.0/8.0.1/8.0.2 is not supported. Please upgrade to SonicOS 8.0.3 before importing settings from a firewall running SonicOS 7.3.0 with the TOTP function enabled.

Supported Source firewall firmware versions:

| SonicOS 7 | Firmware |
|---|---|
| Maintenance Release (MR) | 7.1.2-x or newer |
| Maintenance Release (MR) | 7.1.1-7051 or newer |
| Maintenance Release (MR) | 7.0.1-5151 or newer |
| General Release (GR) | 7.0.1-5145 or newer |

| SonicOS 6.5 | Firmware |
|---|---|
| Maintenance Release (MR) | 6.5.4.14 or newer |
| General Release (GR) | 6.5.4.13-105n or newer |

| SonicOS 5 | Firmware |
|---|---|
| Maintenance Release (MR) | 5.9.1.8-10o or newer |
| Maintenance Release (MR) | 5.9.2.14-12o or newer |
| General Release (GR) | 5.9.1.7-2o |
| Maintenance Release (MR) | 5.9.1.4-4o |

Settings Migration Caveats:

Unsupported Settings that will need to be reconfigured

  • CFS3: If migrating from a GEN5 device, the CFS policies will be dropped.
  • VPN policy: If migrating from a GEN5 device, the interface it is bound to may be lost.
  • IP-helper: If migrating from a GEN5 device, some ip-helper policy configuration may be lost.
  • The contents of the certificates will not be migrated to the new device.
  • If the target device does not support POE, POE-related configurations are dropped.
  • On TZ80, L3 LAG and Port Redundancy related configurations are dropped.
  • BWM (Bandwidth Management) advanced configuration will be dropped.
  • Syslog server: If migrating from a GEN5 device, some configuration may be lost.
  • Log Automation: If migrating from a GEN5 device, the username and password of mail server settings will be dropped.
  • HA: If migrating from a GEN5 device, the HA control interface needs to be reconfigured.
  • SNMP: If an SNMP user name contains a space, this user will be dropped.

Unsupported Interfaces settings:

  • There will be a warning message displayed when importing settings from a source firewall that has W0/U1/MGMT interfaces, but the target does not. Any U1/W0/MGMT related default address objects and groups will be discarded upon import, and other configurations referencing these objects will be deleted or will need to be manually fixed after import.
  • Settings Import will be blocked if the source settings file contains the following interfaces:
    • VLAN Interfaces
    • Tunnel Interfaces
  • It is recommended that these interface settings be removed from the source firewall and then exported to the GEN8 TZ and NSa models, allowing the settings to be imported successfully.
  • As a workaround, users can use the Migration Tool to convert the export file containing the VLAN and Tunnel interfaces into settings for the equivalent GEN7 models, and then import that file on the corresponding GEN8 models.
  • SonicWall TZ380W – Wireless specific caveats
    • SonicWall TZ380W will support simultaneous dual-band operation. To support this, we will use VAPs or Virtual Access Points settings for wireless configuration as the default setting.
    • Our goal is to retain the imported wireless setting after on-box import.

      | source GEN5/GEN6/Gen7 TZW | target Gen8 TZW expected behavior |
      |---|---|
      | Radio Role: Access Point/station/AP&station/Mesh; Radio Mode: 2.4G; VAP mode | Radio Role: retain from source; 2.4G radio config: retain from source; 5G radio config: default settings; VAP mode with source VAP group |
      | Radio Role: Access Point/station/AP&station/Mesh; Radio Mode: 5G; VAP mode | Radio Role: retain from source; 2.4G radio config: default settings; 5G radio config: retain from source; VAP mode with source VAP group |
      | Radio Role: Access Point/station/AP&station/Mesh; Radio Mode: 2.4G; non VAP mode; SSID and radio schedule, security, advanced and MAC filter list pages settings | Radio Role: retain from source; 2.4G radio config: retain from source; 5G radio config: default settings; VAP mode with default VAP group contains default VAP object; Source SSID and radio schedule, security, advanced and MAC filter list pages settings will apply to default VAP object |
      | Radio Role: Access Point/station/AP&station/Mesh; Radio Mode: 5G; non VAP mode; SSID and radio schedule, security, advanced and MAC filter list pages settings | Radio Role: retain from source; 2.4G radio config: default settings; 5G radio config: retain from source; VAP mode with default VAP group contains default VAP object; Source SSID and radio schedule, security, advanced and MAC filter list pages settings will apply to default VAP object |

    • TZ380W wireless with SonicOS 8.0.3 does not support DFS (support is planned for a future release). Importing a source firewall with DFS enabled to Gen8 wireless will disable DFS and reset radio mode/band/channels to their default values.
    • TZ380W wireless does not support WEP. When you import a source firewall with WEP settings to Gen8 wireless, it will be reset to the default auth settings, which are WPA2-AUTO-PSK with the serial number as the password.
    • TZ380W wireless does not support WPA. So, when you import a source firewall with WPA settings to Gen8 wireless, it will be reset to the default auth settings, which are WPA2-AUTO-PSK with the serial number as the password.
    • TZ380W wireless with SonicOS 8.0.3 does not support SonicOS 7.2.1 features (they will be supported in a future release). For example, station EAP and W0 MAC override-related settings from the source firewall (SonicOS 7.2.1+) will be lost after import to SonicOS 8.0.3.
    • TZ380W wireless does not support mesh gateway mode. When settings are imported from a source firewall with mesh gateway to TZ380W wireless, the radio will be set to AP mode.
    • Importing settings from a TZW in a different country/domain: when importing from a different domain, FCC/US, ETSI/Canada and JAPAN are kept unchanged, and ETSI non-CA is set to the default, GB. Radio mode/band/channels are reset to their default values.
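
The blocking and security-relevant caveats above can be checked before an import. The following is an added example, not SonicWall code: the inventory dict, its keys and the sample values are hypothetical and hand-built, and nothing here parses a real .exp file.

```python
import re
from typing import NamedTuple

class Finding(NamedTuple):
    severity: str  # "block": import fails; "review": setting is lost or reset
    message: str

def ver(s):
    """Leading dotted numbers of a SonicOS version: '7.0.1-5145' -> (7, 0, 1)."""
    return tuple(int(p) for p in re.match(r"\d+(?:\.\d+)*", s).group().split("."))

def preflight(src, target_os, target_model):
    """src is a hand-built inventory dict (hypothetical keys, not the .exp format)."""
    out = []
    # VLAN and Tunnel interfaces in the settings file block the import.
    for kind in ("vlan", "tunnel"):
        if any(i["type"] == kind for i in src.get("interfaces", [])):
            out.append(Finding("block", f"{kind} interface present: remove or convert first"))
    # TOTP from a 7.3.x+ source is not supported on 8.0.0/8.0.1/8.0.2.
    if (src.get("totp") and ver(src["os"]) >= (7, 3)
            and (8, 0, 0) <= ver(target_os) < (8, 0, 3)):
        out.append(Finding("block", "TOTP configured: upgrade target to 8.0.3 first"))
    if target_model == "TZ380W":
        # WEP/WPA are reset to WPA2-AUTO-PSK with the serial number as password,
        # so a new passphrase has to be set right after the import.
        if src.get("wifi_auth") in ("WEP", "WPA"):
            out.append(Finding("review", "auth resets to WPA2-AUTO-PSK, password = serial number"))
        if src.get("dfs"):  # caveat stated for SonicOS 8.0.3
            out.append(Finding("review", "DFS disabled; radio mode/band/channels reset"))
        if src.get("mesh_gateway"):
            out.append(Finding("review", "mesh gateway mode becomes AP mode"))
    if src.get("certificates"):
        out.append(Finding("review", "certificate contents are not migrated"))
    for user in src.get("snmp_users", []):
        if " " in user:
            out.append(Finding("review", f"SNMP user {user!r} will be dropped"))
    return out

# Constructed sample inventory of a source firewall (all values invented).
SAMPLE = {
    "os": "7.3.0", "totp": True, "wifi_auth": "WEP",
    "interfaces": [{"name": "X0", "type": "physical"}, {"name": "X0:V10", "type": "vlan"}],
    "certificates": ["constructed-cert"], "snmp_users": ["monitor", "noc user"],
}

if __name__ == "__main__":
    for f in preflight(SAMPLE, "8.0.2", "TZ380W"):
        print(f.severity.upper(), f.message)
```

Any "block" finding means the import should not be attempted yet; "review" findings are the settings to re-check on the GEN8 device after the import.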

Settings Migration App on NSM:

The new Migration App, introduced in NSM 3.1, is embedded within the platform and enables seamless settings migration. Initial support includes GEN8 TZ and NSa models as listed below.

| Source Firewalls | Target Firewalls |
|---|---|
| SOHO/SOHO-W/SOHO250/SOHO250W | TZ80 |
| NSa2600/NSa2650 | NSa2800 |
| NSa3600, 3650 | NSa3800 |
| TZ300, TZ300W, TZ300P, TZ350, TZ350W | TZ380 |
| TZ400, TZ400W | TZ480 |
| TZ600, TZ600P | TZ680 |

 
