New article with version: 2.5 (05.2025)
This article refers to a Beta version
Introduction
This function offers the option of replacing the core as well as a satellite UTM in an existing VPN configuration (Adaptive Secure Connect ASC) without losing settings or even having to create a new VPN configuration.
This makes it possible, for example, to replace a faulty or failed UTM in a VPN configuration so that this configuration works again.
Necessity of backups
Before the new UTM can be exchanged, it is strongly recommended to create a new backup of the old UTM!
It is irrelevant whether it is a manual backup (more information on this in this Wiki article) or a cloud backup.
Note: No backup, no pity!
General procedure
Procedure for replacing a UTM:
- Check that the backup of the old UTM is up to date
- Under Actions, select Exchange UTM for the core/satellite UTM to be exchanged
- In the Replace Core-UTM or Replace Satellite-UTM dialog box, select the new UTM for the UTM option
- If desired, the core/satellite UTM can be edited; see edit Core-UTM or edit Satellite-UTM
- Save and then click Publish to publish the change to the VPN configuration
Replace failed UTM
To replace a failed UTM that is integrated in a VPN configuration, either a cloud backup or a local backup is required.
There are two ways to restore this backup to a UTM and thus replace the failed UTM with a new UTM.
Option 1: Cloning
The cloud backup of the failed UTM is uploaded to a new UTM. This UTM is cloned, so to speak. This is the procedure for this option:
- Set up a new UTM and use the license of the failed UTM when setting up this UTM
- The new UTM should be in the same environment as the failed UTM
- Download the last cloud backup of the failed UTM, i.e. the most recent one
- Install this cloud backup on the new UTM
- If the UTM configuration of the cloud backup is included in the VPN configuration, it will be used again for this purpose
- Exchange the failed UTM for the cloned UTM
If a UTM was cloned with an outdated backup, errors may occur in the VPN configuration of core UTMs due to missing configurations of satellites or roadwarriors, which are displayed when the topology is published. In this case, errors can also occur with satellites when publishing.
Option 2: Exchange with another UTM
- Load this configuration onto the UTM that is to serve as a replacement and then activate this configuration
- The replacement UTM should be in the same environment as the failed UTM
- In the Unified Security Portal (USP), select the VPN configuration (ASC) with the failed UTM
- Exchange the failed UTM for the replacement UTM
If the core UTM is to be replaced, the imported backup must contain the VPN configuration for all currently integrated satellites and pools. The backup of a satellite UTM must also already contain the information for the integration of this UTM into the VPN configuration.
Always use the last backup that was created!
Configuration not available
If a corresponding configuration from a (cloud) backup is not available, the exchange via the portal is prevented.
Then the following is necessary:
- Failed UTM integrated as a satellite: This UTM is removed from the configuration and a new UTM is added
- Failed UTM integrated as Core: The entire configuration must be deleted and recreated
UTM rules
- If all required network objects are present in the backup, the created rules remain included and can be republished after the exchange
- If network objects are missing, the affected rules are marked accordingly with an error
If the configuration is published, these rules are ignored.
It is possible to edit these rules and select or create other network objects so that these rules are also valid again and can be published.