Firmware Update

Hi Team,


Can you please suggest here,

1. How to check the existing running version in XG firewall? (Steps)

2. What is the downtime required if this is the older one?

3. What is the impact of upgradation on existing policies or the effect on clients?


  • Hi  

    Please find the requested information below:

    1. How to check the existing running version in XG firewall? (Steps)

    Answer: There are multiple methods to confirm the existing firmware.

    1) Log in to the XG Firewall and check the version on the Dashboard.

    2) Log in to the firewall and navigate to System --> Backup & Firmware --> Firmware

    Here you may check the active firmware.

    2. What is the downtime required if this is the older one?

    There is no fixed downtime, but generally the upgrade procedure will take approx. 30-40 min if you have a single device.

    If you have an HA setup, you may upgrade with zero downtime.

    Upgrade Firmware KBA:

    Please take a backup of the current configuration as a safety measure. (After the upgrade, restoring the backup is not required, as it will migrate all existing settings and configuration.)

    3. What is the impact of upgradation on existing policies or the effect on clients?

    There is no impact, as existing settings will be migrated to the upgraded version.

    The latest version contains fixes for some of the ongoing issues reported in the previous version. Please refer to the release notes for more information on the fixed issues.

  • In reply to Vishal_R:

    I don't see mention of the fix in the MR9 release notes. Is this vulnerability exploited via ssh, the admin portal, clientless vpn?

    There is also no mention of what hot fix version patches the issue - the links only show you how to check the hot fix version, which doesn't help if you don't know what version to check for.

  • In reply to Jeremy Parr:

    I am struggling to find any details of the fix and in-depth details on remediation.

    I assumed that the hot fix version should show 2?

  • Where are the details on the vulnerability and how it is exploited?


    Aside from upgrading to MR9, can somebody provide version details for the Hotfix so we can verify that the vulnerability has been addressed?

  • Information on how to check if you have hotfix 2 (for v17.5.8) is here:

    What I'm not seeing is if this affects ALL firmware versions or just 17.5.8. 

    Is there a way to force a hotfix update? 

    Also please note, on some HA pairs, if going from a much older version to v17.5.9, there's a possibility that one of the firewalls will lock up during the update, potentially taking your network down and forcing a manual reboot. I've had this happen on SEVERAL firewalls.

  • In reply to Clark Baird:

    Come on XG team, you've announced an RCE vulnerability, but have given your customers very little to go on. Reading between the lines as Clark did, it appears that Hot Fix version 2 is what is needed on MR8? I've started spot checking some MR8 XGs we have out there, and they are on Hot Fix v1, even though auto-install of hotfixes is enabled. Can this be forced? Are the updates trickling out? Is there a workaround that can be done by disabling/ACLing certain services?

  • In reply to Jeremy Parr:

    I just got off with Sophos support, it affects ALL versions of Sophos XG firmware except 17.5.9 MR9. There is no way to force a hotfix update, it's likely a rolling patch/push. 

    No info on what the vulnerability is, Support seems caught as unaware as we are and recommended upgrading production firewalls to v17.5.9 to mitigate the issue (in the middle of the day?!?!?). 

  • In reply to Clark Baird:


    I've checked all our firewalls and they are all reporting that Hot Fix 1 is installed, still no sign of hotfix 2. Rather than wait I thought I would upgrade to 17.5.9, however when I run a check for new firmware on the Sophos device itself I get the message "No upgrades available". It's currently running 17.5.8.

    Is anyone else having the same issue?


  • In reply to Andrew Gurney:

    New firmware isn't typically released for the XG to update to via the GUI. You can download from the MySophos portal.

  • In reply to Jeremy Parr:

    Unconfirmed through official channels, but unofficially it looks like the issue is related to SSH access from the WAN. If you turn off SSH access from the WAN (which you should anyway!) then it should mitigate the vulnerability. For reference, best practice is to turn off WAN access to the admin portal, SSH and/or any items you don't actively need (SSL VPN or User Portal aside). If you absolutely need access, try to lock it down to a specific ACL.

    That said, still update your firmware or watch for the hotfix to be applied. The above will help mitigate, but is NOT a fix. 

  • In reply to Clark Baird:

    Eesh, people leave management open to WAN? Ours is limited to ACL to our networks & Sophos CFM.

  • In reply to AWilson:

    What do you think you are also doing with Sophos central Management?

    Paul Jr

  • In reply to Big_Buck:

    CFM is also limited by ACL. Ours don't seem to talk unless we have an ACL in there. Has been that way since XG started.