This article shows how to convert a configuration file from an old device to a new device, either with the convert tool or manually, and how to troubleshoot when the converted configuration file cannot be applied.
Disclaimer! This article offers a general overview of the series and may not apply uniformly to every model or software/firmware version. Before purchasing or using the device, please consult the model/version-specific documentation or reach out to technical support for accurate information.
Note! Manual configuration conversion has limited support from the support team, as we only officially support conversions done with the convert tool. You can convert the configuration manually yourself using the steps below, but we cannot support you in this.
1) How the configuration works
1.1 Configuration application
When the configuration file is applied, the firewall executes every command in the file in order, e.g.
interface-name ge3 LAN
In this way, the firewall can compile and apply the configuration on the new device.
1.2 Command separation
Configuration sections are separated with "!" so the firewall can tell where one section ends and the next begins.
Make sure that the sections are separated with "!" and that there are no spaces before or after the "!" symbols. Otherwise, applying the configuration will fail.
1.3 Copying over configuration
When copying and pasting a configuration file manually, look for landmarks that show where a configuration section begins and ends. In Notepad++ (with the Compare plugin) the green fields also show which configuration is not yet in the current configuration file.
For example, in the old configuration of the USG310, we can see that the VPN configuration ends with
vpn-configuration-provision authentication default
Therefore, we can copy the VPN configuration up to and including this command line,
and paste it into the new configuration at the place where the same command appears.
2) Prepare the configuration conversion
2.1 Download Configuration files
Maintenance -> File Manager -> Configuration File -> Configuration
Download the latest "startup-config.conf" file by selecting it and clicking "Download". Check the "Last Modified" column to see which file is the latest configuration.
2.2 Use the Convert Tool
a) Go to https://convert.cloud.zyxel.com/
b) Choose the most similar device to your new device
Take a look at this article for more information: "Configuration Converter".
If you have a USG FLEX 500 or an ATP700, you may choose to convert to the ATP500 (for the USG FLEX 500) or the USG FLEX 700 (for the ATP700), because the number of physical ports is the same on the USG FLEX 500 and ATP500, as well as on the USG FLEX 700 and ATP700.
2.3 Upload the new converted configuration file
First navigate to:
Maintenance -> File Manager -> Configuration File -> Configuration
Then upload your configuration file by clicking "Browse...".
Select the newly uploaded configuration file by left-clicking on it and then click "Apply".
Choose "Immediately stop applying the configuration file and roll back to the previous configuration".
3) Paths to configuration conversion
When you want to convert the configuration manually, there are a few ways to go, depending on which firewall model you have and which model you have bought as your new device.
For a USG310 (Zywall310), the convert tool lets you choose a VPN300 or a USG FLEX 700 as the target.
But you may also choose USG310 as the source model, which gives you the option to convert your configuration file to an ATP500:
Path 1: Convert to the equivalent firewall in a different firewall series
If you have a Zywall310 and want to convert its configuration to a USG FLEX 500, you can convert your Zywall310 configuration file from a
USG310 -> ATP500
Because the USG FLEX 500 and the ATP500 have the same configuration structure (physical ports / config-file structure), the conversion is easy.
To trick the converter into accepting your Zywall310 configuration as a USG310 configuration, delete these two rows in the configuration file:
Then, if you want to upload the new ATP500 configuration file to your new USG FLEX 500, you need to change a few things:
First, the model row needs to be changed from ATP500 to USG FLEX 500. The firmware version on your new device is probably not 4.60 either, so you can either delete both rows, or change the model to "USG FLEX 500" and delete only the firmware version row.
Then upload the converted and saved file (without the model and firmware version rows) to the new device.
Path 2: Convert to a different firewall
Let's say we have the configuration of the Zywall310 and we want to convert our configuration to a USG FLEX 100.
Step 1) Convert to the closest firewall series
The Zywall310 (USG310) and ATP500 have a different interface structure than the USG FLEX 100: they use port interfaces (ge1, ge2, ge3, etc.), whereas on the USG FLEX 100 you choose an interface such as lan1 and assign it to one or more ports. So here we need to do some manual work.
Because the USG FLEX 100 has 6 ports and the Zywall310 has 8 ports, we need to delete ge7 and ge8 as well as all references to ge7 and ge8, by searching in the config file for "ge7" and then for "ge8".
Examples of where to delete the ge7 and ge8 mapping configuration:
After you've deleted all references to ports that don't exist on the USG FLEX 100, go ahead and upload the new configuration file you've created and apply the configuration.
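Searching for "ge7" and then "ge8" by hand is easy to get wrong: the port name also hides inside object names such as LAN_SUBNET_GE7, and a line like "interface ge7" starts a sub-section whose following lines belong to that port too. The script below is an added example, not part of the article or of Zyxel's tools; it derives the port names that exist on the source model but not on the target from the two port counts, lists every line that references them (case-insensitively, matching the port name as a whole token) with its line number for review, and can strip those lines afterwards. The sample configuration is constructed in the style of a startup-config.conf and is not from a real device.

```python
import re

# Constructed sample in the style of a Zyxel startup-config.conf exported from an
# 8-port USG310. Not taken from a real device.
SAMPLE_CONFIG = """\
interface-name ge1 wan1
interface-name ge7 dmz
interface-name ge8 opt
!
interface ge7
ip address 192.168.7.1 255.255.255.0
!
address-object LAN_SUBNET_GE7 192.168.7.0/24
address-object LAN_SUBNET_GE4 192.168.4.0/24
!
secure-policy 12
from ge8
to any
!
"""


def missing_ports(source_ports: int, target_ports: int) -> list[str]:
    """Names of ge interfaces that exist on the source model but not on the target."""
    return [f"ge{n}" for n in range(target_ports + 1, source_ports + 1)]


def port_pattern(port: str) -> re.Pattern:
    # Match the port name as a token: case-insensitive (so LAN_SUBNET_GE7 is found),
    # not preceded by a letter or digit and not followed by a digit, so that "ge7"
    # never matches inside an unrelated word or a longer number.
    return re.compile(rf"(?<![A-Za-z0-9]){re.escape(port)}(?![0-9])", re.IGNORECASE)


def find_port_references(config: str, ports: list[str]) -> dict[str, list[tuple[int, str]]]:
    """Return {port: [(line_number, line), ...]} for every line mentioning a removed port."""
    hits: dict[str, list[tuple[int, str]]] = {port: [] for port in ports}
    for lineno, line in enumerate(config.splitlines(), start=1):
        for port in ports:
            if port_pattern(port).search(line):
                hits[port].append((lineno, line))
    return hits


def strip_port_references(config: str, ports: list[str]) -> str:
    """Drop every line that references one of the removed ports.

    Only the matching lines are removed; sub-commands that follow a removed
    "interface ge7" line (such as its "ip address ...") are NOT detected, which is
    why the report from find_port_references() should be reviewed first.
    """
    patterns = [port_pattern(p) for p in ports]
    kept = [ln for ln in config.splitlines() if not any(p.search(ln) for p in patterns)]
    return "\n".join(kept) + "\n"


if __name__ == "__main__":
    removed = missing_ports(source_ports=8, target_ports=6)  # ge7 and ge8
    for port, refs in find_port_references(SAMPLE_CONFIG, removed).items():
        print(f"{port}: {len(refs)} reference(s)")
        for lineno, line in refs:
            print(f"  line {lineno}: {line}")
    print(strip_port_references(SAMPLE_CONFIG, removed))
```

Run the report first and walk through each hit in the config file; the stripping step is only safe once you have also dealt with the lines that belong to a removed interface section but do not mention its name.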
Path 3: Manually copy/paste the configuration
Path 3.1: Download Notepad++
Navigate to https://notepad-plus-plus.org/downloads/ and download and install the latest Notepad++ version.
Path 3.2: Install the "Compare" Plugin
Plugins -> Plugins Admin
Then search for "Compare" and click "Install" to install the Compare plugin.
Path 3.3: Open both config-files and launch the compare tool
Open both configuration files (from the old USG310 and the new USG FLEX 700) and launch the Compare plugin from the Plugins menu.
White fields = the same configuration in both files
Red fields = configuration that doesn't exist in the other config file
Green fields = new configuration that needs to be copied to the other config file
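The Compare plugin works line by line; because the firewall applies the file section by section (section 1.2), it is often more useful to compare the two files at the level of "!"-separated sections and to locate the landmark command after which the copied sections should be pasted (section 1.3). The script below is an added example, not part of the article or of Zyxel's tools: it splits both files into sections, reports which sections exist only in the old file (the ones to copy), only in the new file, or in both, finds the "!" that closes the section containing a landmark line, and pastes the chosen sections after it. The two configurations are constructed samples in the style of the files this article discusses, not exports from real devices.

```python
# Constructed samples in the style of Zyxel config files (not from real devices).
OLD_CONFIG = """\
interface-name ge3 LAN
!
address-object LAN_SUBNET 192.168.1.0/24
!
vpn-configuration-provision authentication default
!
app-patrol profile Old_Profile
!
"""

NEW_CONFIG = """\
interface-name ge3 LAN
!
vpn-configuration-provision authentication default
!
app-patrol profile New_Profile_2
!
"""


def split_sections(config: str) -> list[str]:
    """Split a config into its '!'-separated sections, one string per section.
    Tolerates whitespace around '!' here; the firewall itself does not."""
    sections, current = [], []
    for line in config.splitlines():
        if line.strip() == "!":
            if current:
                sections.append("\n".join(current))
            current = []
        elif line.strip():
            current.append(line.rstrip())
    if current:
        sections.append("\n".join(current))
    return sections


def compare_configs(old: str, new: str) -> dict[str, list[str]]:
    """Section-level equivalent of the Compare plugin's colouring."""
    old_s, new_s = split_sections(old), split_sections(new)
    old_set, new_set = set(old_s), set(new_s)
    return {
        "only_in_old": [s for s in old_s if s not in new_set],  # candidates to copy over
        "only_in_new": [s for s in new_s if s not in old_set],  # exists only on the new model
        "in_both": [s for s in old_s if s in new_set],
    }


def paste_after_line(config: str, landmark: str) -> int:
    """1-based number of the '!' line that closes the section containing `landmark`,
    i.e. the line after which copied sections should be pasted. 0 if not found."""
    lines = config.splitlines()
    for i, line in enumerate(lines):
        if line.strip() == landmark:
            for j in range(i, len(lines)):
                if lines[j].strip() == "!":
                    return j + 1
            return len(lines)
    return 0


def paste_sections(new: str, sections: list[str], after_line: int) -> str:
    """Insert the given sections, each followed by its own '!', after line `after_line`."""
    lines = new.splitlines()
    block: list[str] = []
    for section in sections:
        block.extend(section.splitlines())
        block.append("!")
    return "\n".join(lines[:after_line] + block + lines[after_line:]) + "\n"


if __name__ == "__main__":
    diff = compare_configs(OLD_CONFIG, NEW_CONFIG)
    for kind, sections in diff.items():
        print(kind, sections)
    at = paste_after_line(NEW_CONFIG, "vpn-configuration-provision authentication default")
    print(paste_sections(NEW_CONFIG, [diff["only_in_old"][0]], at))
```

Sections listed under "only_in_old" still need a human decision: some of them are the things section 4.2 says not to copy (application patrol, certificate references), so treat the list as candidates, not as an automatic merge.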
4.1 Examples to Copy/Paste
1. Ethernet interface + VLAN
2. User / admin config
3. VPN settings
4. DNS & Domain Zone Forwarder
5. NAT (Virtual Server & NAT)
6. Secure policy (firewall rules)
7. Policy routes
4.2 Things to not copy/paste
Application patrol, as you can see below, uses a different syntax on the old firewalls and on the new firewalls.
Certificates are unique to each firewall and are not contained in the configuration file. They are still referenced in the configuration file, however, so be aware of these references: search the config file for "cert" to find them.
When you're done copying over, run the compare function again and you will see more clearly what has been copied over and what has not.
This section first explains how to troubleshoot, then gives examples of errors that could occur and how to fix them.
When you apply a new configuration file on the new firewall, you will probably have to do some troubleshooting, as the upload will likely fail. Whenever you run into this screen, go to:
Monitor -> Logs
Under Filter, filter the logs on "File Manager" to see all the records related to the configuration upload.
5.1 WARNING vs. ERROR
What you want to look for are the ERROR messages, shown in red. The WARNING messages are nothing to worry about and are completely normal here.
When applying fails, fix the error in your file, delete the configuration file that you just uploaded from the device, and upload the corrected configuration again.
5.2 Encryption error
If you get an error message saying "Data is encrypted", you may need to delete all the user accounts (including their passwords), because the encrypted passwords cannot be converted by the new device.
5.3 Example Errors
This error says "Associated AAA object doesn't exist", which means that something in the AD configuration does not match this reference.
We could see that the SSL VPN users were referencing the AD configuration, which had been removed before conversion because it was no longer used. So the solution here was to delete the SSL VPN users in the configuration and upload the config file again.
Here, the command "configure terminal account pppoe GE14" could not be configured. So what we need to do is to search (Ctrl+F) in the config file for the GE14 command that the firewall is trying to execute.
Here, it failed because the separator between the "account pppoe" and "ip dhcp pool" sections was missing. The fix is to add a "!" between the two commands.
We saw an error "configure terminal interface_ether ge \x09\x09\x09\x09[...]" (\x09 is a tab character), but when searching for "interface_ether" we could not find anything in the configuration file. So we then searched for the interface configuration in the config file instead.
After double-checking the interface configuration, we found duplicate address objects on the ge interfaces, which we deleted. A duplicate address-object cannot be created because the name LAN_SUBNET_GE4 is already in use.
We could see that the address object RFC1918_2 could not be created and executed.
After some trial and error back and forth, we found out that these address objects were in the wrong place in the config file; they were moved to sit between the address-object section and the object-group address section.
We had an issue with a service-object that couldn't be created.
When we deleted the two service-objects Any_UDP and Any_TCP, the third service-object couldn't be created either, which showed that none of the service-objects could be created.
The solution here was to check for a space before or after the "!" between the address6-object and service-object sections (see section 1.2) and remove it.
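Three of the errors above have a cause that can be checked in the file before uploading it: a "!" with whitespace around it (sections 1.2 and 5.3, the service-object case), an object name defined twice (the LAN_SUBNET_GE4 case), and address-object definitions placed after the object-group address section (the RFC1918_2 case). The linter below is an added example, not part of the article or of Zyxel's tools; it reports each finding with its line number and can normalise the padded separators. The ordering rule is derived only from the RFC1918_2 example in this article, and the assumption that an object definition is a line of the form "keyword NAME value ..." at column 0 is mine, not documented Zyxel syntax. The sample configuration is constructed to contain all three problems and is not from a real device.

```python
# Constructed sample in the style of a Zyxel startup-config.conf, deliberately
# containing the three problems discussed in section 5.3 (not from a real device).
SAMPLE_CONFIG = """\
address-object LAN_SUBNET_GE4 192.168.4.0/24
address-object LAN_SUBNET_GE4 192.168.4.0/24
!
object-group address LAN_GROUP
!
address-object RFC1918_2 172.16.0.0/12
!
address6-object LAN6 2001:db8::/64
 !
service-object Any_TCP tcp eq 1-65535
service-object Any_UDP udp eq 1-65535
!
"""

# Object types whose names must be unique (the ones this article's examples involve).
OBJECT_KEYWORDS = ("address-object", "address6-object", "service-object")


def check_separators(config: str) -> list[tuple[int, str]]:
    """Report '!' separator lines that carry leading or trailing whitespace (section 1.2)."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        if line.strip() == "!" and line != "!":
            findings.append((lineno, f"separator has surrounding whitespace: {line!r}"))
    return findings


def fix_separators(config: str) -> str:
    """Normalise every whitespace-padded '!' line to a bare '!'."""
    return "\n".join("!" if ln.strip() == "!" else ln for ln in config.splitlines()) + "\n"


def check_duplicate_objects(config: str) -> list[tuple[int, str]]:
    """Report object definitions whose (type, name) was already defined earlier.
    Assumption: a definition is 'keyword NAME value...' at column 0 with >= 3 tokens."""
    first_seen: dict[tuple[str, str], int] = {}
    findings = []
    for lineno, line in enumerate(config.splitlines(), start=1):
        tokens = line.split()
        if len(tokens) >= 3 and tokens[0] in OBJECT_KEYWORDS and not line[0].isspace():
            key = (tokens[0], tokens[1])
            if key in first_seen:
                findings.append((lineno, f"duplicate {tokens[0]} name {tokens[1]} "
                                         f"(first defined on line {first_seen[key]})"))
            else:
                first_seen[key] = lineno
    return findings


def check_object_order(config: str) -> list[tuple[int, str]]:
    """Report address-object definitions that appear after the first 'object-group address'
    line; in the article's RFC1918_2 example they had to be moved in front of the groups."""
    findings = []
    first_group = None
    for lineno, line in enumerate(config.splitlines(), start=1):
        if line.startswith("object-group address") and first_group is None:
            first_group = lineno
        elif first_group and line.startswith("address-object ") and len(line.split()) >= 3:
            findings.append((lineno, f"address-object defined after object-group address "
                                     f"(line {first_group})"))
    return findings


def lint(config: str) -> list[tuple[int, str]]:
    """All findings, sorted by line number."""
    return sorted(check_separators(config) + check_duplicate_objects(config)
                  + check_object_order(config))


if __name__ == "__main__":
    for lineno, msg in lint(SAMPLE_CONFIG):
        print(f"line {lineno}: {msg}")
```

Run it over the file you are about to upload and fix what it reports before applying; it will not catch everything the firewall rejects, but it removes the three causes that this article's examples show are easy to introduce while copying and pasting.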