9.604 without problems?

Has anybody installed 9.604 already and is happy with it?

Best regards


  • The Up2Date seemed to have hung 33 seconds in:

    A few minutes later, I refreshed WebAdmin and, apparently, it completed successfully.

    sys-9.603-9.604-1.2.1.tgz (Jul 11 15:31)

    I will post in this thread if I see anything else odd.

    Cheers - Bob

  • In reply to BAlfson:

    I just Up2Dated my lab and did not see the apparent hang.  Perhaps that's an issue with AWS instances.

    No apparent problem with either UTM.

    Cheers -  Bob

  • I had no problems updating the SG135 in my lab to version 9.604 and the UTM seems to work fine so far.

    Kind regards, Holger

  • In reply to Holger Gran:

    URGENT ALERT: Issue with RED 50 and 9.604 which fixes the TCP SACK PANIC vulnerability

    I just received an SMS alert from Sophos: Up2Date to 9.604 after powering off your RED 50(s)! Otherwise, there's a good chance a RED 50 will be bricked.  Then, before powering the RED 50 on again, execute the following commands as root at the command line:

    cc set red use_unified_firmware 0
    cc get red use_unified_firmware

    If you're running in High Availability, I believe you must also execute these commands on the Slave - at least do the second one to confirm.  For that, you will need the loginuser and root passwords after doing the following as root at the command line:

    ha_utils ssh

    The relevant Sophos KnowledgeBase article is: https://community.sophos.com/kb/en-us/134398

    Sign up to receive SMS alerts yourself at https://sms.sophos.com

    Cheers - Bob

  • In reply to BAlfson:

    I just received the following from Sophos Support:

    1. Are any other REDs in danger of being bricked, or is it just the RED 50?
    - So far we have only seen RED 50 but this doesn't rule out RED 15
    2. In High Availability, does use_unified_firmware need to be set to 0 on all nodes?
    - No it would replicate the command
    3. Instead of physically unplugging REDs, would it suffice to disable the RED server objects in WebAdmin before applying the Up2Date and then enable them after 9.604 has had use_unified_firmware set to 0?
    - In theory yes if you disable the service in the UTM or turn off the RED devices, then they won't be able to get the Firmware Update, so they won't be able to contact the server, and once you re-enable the services they will not search for a new firmware update

    Cheers - Bob

  • In reply to BAlfson:



    I had 2 dead RED 50s back around the time we first upgraded to 9.6, and had them replaced by Sophos.

    I remember at the time setting this unified firmware to 0.

    Currently running 9.603 and just checked: the switch is set back to 1.

    So are we saying that every new 9.6 update resets the switch to 1?

    So currently I have 9.603 with 2 RED devices attached and everything is working. Is there any comment from Sophos? Does it affect all RED 50 devices, or only some revisions?

    If they know this is a problem - and I think they have, as this happened to us a few months ago - would it not make sense to set the firmware to 0 in the update file? Or have the change persist after updates?

  • Hello

    We have 2 firewalls in HA. May I update both directly from the Web Interface? We also have 6 RED 50s outside.

    Might there be problems with the updates?



  • In reply to centi Peter:

    Hello Peter,

    You need to upload new updates to the master unit only in HA. The slave unit gets the updates pushed from the master.

    By installing the update, there is the risk that the setting "use_unified_firmware" is switched back to 1, with the problems mentioned above. Therefore, it would be better to disable the RED50 for the update and check the settings afterward before enabling the RED50 again.

    Kind regards, Holger

  • In reply to centi Peter:

    Hallo Peter and welcome to the UTM Community!

    UPDATE 2019-07-31: See my latest post below.

    First, read the threads above.  I'm getting ready to handle a similar situation with a client.  Here's a copy of the plan I proposed:

    1. Disable the RED Servers in WebAdmin.
    2. Start the Up2Date process and wait for it to complete - probably about 10 minutes or so.  Watch on the High Availability 'Status' tab for the new Slave to be READY.
    3. At the command line, disable the use of unified wireless firmware.
    4. Enable the RED Servers in WebAdmin.

    The only disruption would be to an upload or download or VoIP call active at the moment the current Slave becomes the Master node.

    Cheers - Bob

  • In reply to BAlfson:



    9.605 has fixes apparently, but according to the post in the below link it's all a bit convoluted: "disable the network behind the red before updating:......"




  • In reply to neildonaldson:

    Re: 9.605 Up2Date

    Does this Up2Date leave use_unified_firmware at 0?  Does it address the issue that was bricking some REDs?  Until there's more clarity, I don't recommend this to anyone.

    Cheers - Bob

  • In reply to BAlfson:

    What does a bricked RED50 look like?

    Like this?

  • In reply to StephanG:

    2019-08-06 See my final version posted today.

    UPDATED 2019-08-01

    Hi All,

    I've had several messages back and forth with Sophos folks.  As Jan Weber says in a post, 9.605 fixes the problem with REDs and the only danger is updating the RED firmware when the RED is under a heavy load.  I have suggested that the following instructions be added to the information about the Up2Date (I in blue dot) and the blog post about the 9.605 Up2Date:

    In order to ensure that there's no problem with the update of firmware in RED devices, do the following with two planned outages:

     1. Outage 1 - Up2Date to 9.604:
         A. In WebAdmin, disable all RED Servers for RED appliances.
         B. Apply Up2Dates through 9.604.
         C. At the command line: cc set red use_unified_firmware 0
         D. In WebAdmin, enable all RED Servers for RED appliances.
     2. Outage 2 - Disconnect all LAN connections from all REDs, leaving the RED online but with no connection to local clients.
     3. Apply the 9.605 Up2Date.
     4. After the Up2Date is complete, reconnect disconnected LAN cables to the REDs.

    Cheers - Bob

  • In reply to BAlfson:

    Hello Bob,

    I still have my UTMs on 9.602-3. Do you recommend upgrading at all and if so to 9.605? I don't have any RED appliances so that's not really an issue over here.