More Symantec Enterprise Firewall DR

Now that we had proved (or thought we had) that the DR recovery onto new hardware for our Symantec Enterprise Firewall worked it was time to upgrade to version 8 of the software.

However before doing that, we found that for about 15 minutes we lost connectivity on our live firewall on the internet cable. Our router was fine as the backup firewall and the monowall firewall were connecting ok but the SEF machine failed to communicate. We tried various things but nothing obvious was appearing in the logs – then all of a sudden everything started working again. We assumed it was rebooting the DR box with the cable plugged in (but it turns out this is not the case).
Anyway, after it all worked we upgraded the DR box. This involved backing up the config and removing version 7 of the software. At this point we removed the network cable connecting the machine to the internet and then proceeded to install sp4 onto w2k, installing ie6 and then installing v8 of Symantec Enterprise Firewall. When we came to import the backup of the file the configuration would not load, saying that it was corrupt. I tried an older backup config….same problem. We then discovered that plugging in the internet cables, so they were both enabled, meant tha the config was readable so it wasn’t corrupt at all.
So everything looked good and we proceeded to log into the configuration web page. However this would refuse to let us save the config as it couldn’t find one of the UserGroups even though I could see it on screen. As it couldnt find the usergroup, all the tunnels and address transforms that used this usergroup were not able to be saved either. In the end I had to create a new usergroup, transfer all the configs to use this new usergroup, save the config and then reconfigure it all to use the old user config.
After we had done all this and got it working and were testing connectivity the main firewall lost its connections again.
We’ve now decided to reinstall the DR box with w2k3 server and recover the firewall config onto it. Then we’ll shut down the live server, bring up the dr and test over a weekend when noone is in before swapping it out instead of the live server.
It has not been a fun day.