Planning a firmware upgrade? Planning to troubleshoot an issue?

Hi Everyone, 

I noticed that many users are complaining that a Sophos firmware update went badly for them. Today I am sharing some important notes with you on how to plan a software upgrade or troubleshooting session. I know that you are working hard to achieve your uptime and security SLAs. We can consider some basic steps as below:

1. What is fixed, and which new features are released, in the update? We should check the release notes for all the details. I never apply newly released firmware without testing it in an isolated environment such as a virtual firewall on VMware, Hyper-V or GNS3. Mainly, I noticed that many times we did some customization of the out-of-the-box solution, or a temporary workaround, to achieve a flexible goal. I expect this type of flexible solution to break after applying new firmware. As an example: we were working on a RED tunnel and noticed a bug with the WAF solution over the RED tunnel. We fixed this by adding some missing entries in the database of the firewall, but it was broken again after the upgrade.

2. Why am I facing this issue? What is the root cause? Many times we are playing a guessing game when troubleshooting an issue. I think this is not a good idea. First, we need a deep dive into the issue and its resolution. I remember a case where my client called and started complaining that the firewall was not working properly and some of the users were not getting internet access. We checked the issue and found he had made policy changes because he wanted to bypass some users from the hotspot, which is technically not possible on the XG firewall. In another incident we noticed that the user had changed his core switch, after which DNS resolution was failing. He tried with local DNS as well as public DNS. We found out that this issue belonged to the switch configuration and there was a routing black hole. So before making changes in the current configuration, you must check the root cause. I think the best approach is to start troubleshooting with a single host that is used for testing purposes only. Create a new policy for a single test machine, capture the traffic for that single machine and try to understand the issue. If you do not find any such issue, then open a ticket with Sophos with your primary findings on the case. This will save your time.
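As an added example (my own code, not from the original post and not a Sophos tool), here is the "single test host" approach from point 2 applied to a DNS failure like the one in the core-switch story. It reads the text output of a `tcpdump -n` capture filtered to one test host and pairs every DNS query with its response, so you can tell whether no resolver answers (a path problem such as a routing black hole) or only one resolver is silent (a resolver problem). The capture is constructed: 10.0.0.50 is the test host, 10.0.0.1 the local resolver, and 198.51.100.53 (a TEST-NET-2 documentation address) stands in for a public resolver. The line format assumed is tcpdump's standard DNS summary output.

```python
"""Pair DNS queries with responses from a single test host's tcpdump capture."""
import re
from collections import defaultdict

# Constructed sample in `tcpdump -n` text format (not a real capture).
# 10.0.0.50 is the test host, 10.0.0.1 the local resolver, and
# 198.51.100.53 (a TEST-NET-2 address) stands in for a public resolver.
SAMPLE_CAPTURE = """\
10:15:01.000100 IP 10.0.0.50.51000 > 10.0.0.1.53: 4001+ A? intranet.example. (34)
10:15:01.000900 IP 10.0.0.1.53 > 10.0.0.50.51000: 4001 1/0/0 A 10.0.1.20 (50)
10:15:02.000100 IP 10.0.0.50.51001 > 10.0.0.1.53: 4002+ A? www.example.com. (33)
10:15:07.000100 IP 10.0.0.50.51001 > 10.0.0.1.53: 4002+ A? www.example.com. (33)
10:15:12.000100 IP 10.0.0.50.51002 > 198.51.100.53.53: 4003+ A? www.example.com. (33)
10:15:17.000100 IP 10.0.0.50.51002 > 198.51.100.53.53: 4003+ A? www.example.com. (33)
10:15:20.000100 IP 10.0.0.50.51003 > 10.0.0.1.53: 4004+ A? nosuch.example. (32)
10:15:20.000800 IP 10.0.0.1.53 > 10.0.0.50.51003: 4004 NXDomain 0/1/0 (90)
"""

# Query: "<time> IP <src>.<sport> > <resolver>.53: <txid>+ [flags] <qtype>? <name> (len)"
QUERY_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.53: "
    r"(?P<txid>\d+)\+(?: \[[^\]]*\])? (?P<qtype>[A-Z0-9]+)\? (?P<name>\S+) "
)
# Response: "<time> IP <resolver>.53 > <host>.<port>: <txid>[flags] [rcode] an/ns/ar ..."
RESPONSE_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.53 > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)[*\-$|]*(?: (?P<rcode>[A-Za-z]+))? (?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)"
)


def analyse(capture: str, test_host: str) -> dict:
    """Return per-resolver statistics for the queries sent by test_host.

    A flow is (resolver, txid, source port); repeated query lines for the same
    flow are client retransmissions, which is itself a symptom worth counting.
    """
    flows = {}
    for line in capture.splitlines():
        q = QUERY_RE.match(line)
        if q and q["src"] == test_host:
            key = (q["dst"], q["txid"], q["sport"])
            flow = flows.setdefault(key, {"name": q["name"], "sent": 0, "rcode": None})
            flow["sent"] += 1
            continue
        r = RESPONSE_RE.match(line)
        if r and r["dst"] == test_host:
            key = (r["src"], r["txid"], r["dport"])
            if key in flows:                      # ignore responses we never saw asked
                flows[key]["rcode"] = r["rcode"] or "NoError"

    stats = defaultdict(lambda: {"queries": 0, "answered": 0, "retries": 0,
                                 "ok_names": set(), "failed_names": set()})
    for (resolver, _, _), flow in flows.items():
        s = stats[resolver]
        s["queries"] += 1
        s["retries"] += flow["sent"] - 1
        if flow["rcode"] is None:                 # nothing ever came back
            s["failed_names"].add(flow["name"])
        else:                                     # NXDomain etc. still proves reachability
            s["answered"] += 1
            s["ok_names"].add(flow["name"])
    return dict(stats)


def diagnose(stats: dict) -> tuple:
    """Heuristic reading of the statistics: (category, where to look next)."""
    if not stats:
        return "no-traffic", "no DNS queries from the test host: check the rule and capture filter"
    silent = sorted(r for r, s in stats.items() if s["answered"] == 0)
    if len(silent) == len(stats):
        return "path", "no resolver answered at all: suspect routing, NAT or an upstream device"
    # Names asked of two or more resolvers and answered by none point upstream of the resolvers.
    all_failed = set().union(*(s["failed_names"] for s in stats.values()))
    everywhere_failed = set()
    for name in all_failed:
        asked = [r for r, s in stats.items() if name in s["ok_names"] | s["failed_names"]]
        if len(asked) >= 2 and not any(name in stats[r]["ok_names"] for r in asked):
            everywhere_failed.add(name)
    if everywhere_failed:
        names = ", ".join(sorted(everywhere_failed))
        return "path", f"{names} unanswered on every resolver tried: suspect the upstream path, not the resolvers"
    if silent:
        return "resolver", f"only {', '.join(silent)} never answers: suspect that resolver or the route to it"
    if all_failed:
        return "partial", f"some queries unanswered ({', '.join(sorted(all_failed))}): check forwarding for those names"
    return "ok", "all queries answered: DNS is not the problem here"


if __name__ == "__main__":
    result = analyse(SAMPLE_CAPTURE, "10.0.0.50")
    for resolver, st in sorted(result.items()):
        print(f"{resolver}: {st['queries']} queries, {st['answered']} answered, "
              f"{st['retries']} retries, unanswered={sorted(st['failed_names'])}")
    print(*diagnose(result), sep=": ")
```

Run it against the sample and the verdict is "path": the local resolver still answers internal names, but www.example.com goes unanswered whether the test host asks the local or the public resolver, which is exactly the pattern of a blackholed route rather than a broken DNS server. Feeding it a real capture (`tcpdump -n host <test-host> and port 53` from the firewall) keeps the analysis to one machine, as point 2 recommends.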

3. Don't compare features with another vendor. As I am a Cisco guy, I like traffic engineering. Cisco or Juniper will give you many options to perform traffic engineering, but you will not find the same options on Sophos. If you know Cisco, there is a single routing table and you can modify the best route based on AD value, metric etc. But Sophos maintains multiple routing tables, and we can adjust between the different routing tables with routing precedence. So you must know about this type of difference.

4. Do you have a recovery plan in case of upgrade failure? Always keep a backup or recovery plan in case the upgraded version causes an issue for you. It may include permission for increased downtime, restoring the firewall to the last firmware or configuration, etc.

5. Make daily backups a habit. It will help as a disaster recovery option.
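An added example for points 4 and 5 (my own code, not from the post and not a Sophos feature): a backup is only a recovery plan if the newest copy is recent, non-empty and unchanged since it was exported. This check assumes the firewall configuration is exported daily to a folder as files matching a placeholder pattern (`fw-backup-*.bak`, adjust to your export job) with a `<file>.sha256` sidecar written at export time; all scenarios it runs are constructed in a temporary directory.

```python
"""Check that a firewall backup folder can actually support a rollback.

Added example, not Sophos tooling. Assumes daily exports land in one folder as
files matching BACKUP_GLOB (placeholder naming) plus a "<file>.sha256" sidecar
recorded at export time.
"""
import hashlib
import os
import tempfile
import time
from pathlib import Path

BACKUP_GLOB = "fw-backup-*.bak"   # placeholder; match it to your export job's naming
MAX_AGE_HOURS = 24                # "daily backup habit": anything older is stale


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file, read in chunks so large backups do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def check_backups(backup_dir, now=None, max_age_hours=MAX_AGE_HOURS):
    """Return (ok, findings) for the newest backup in backup_dir.

    findings lists every reason the newest backup cannot be trusted for a
    rollback; ok is True only when that list is empty.
    """
    now = time.time() if now is None else now
    backups = sorted(Path(backup_dir).glob(BACKUP_GLOB), key=lambda p: p.stat().st_mtime)
    if not backups:
        return False, ["no backup files found"]
    newest = backups[-1]
    findings = []
    age_hours = (now - newest.stat().st_mtime) / 3600
    if age_hours > max_age_hours:
        findings.append(f"newest backup {newest.name} is {age_hours:.1f}h old")
    if newest.stat().st_size == 0:
        findings.append(f"{newest.name} is empty")
    sidecar = newest.with_name(newest.name + ".sha256")
    if not sidecar.exists():
        findings.append(f"{newest.name} has no .sha256 sidecar")
    else:
        expected = sidecar.read_text().split()[0].lower()
        if expected != sha256_of(newest):
            findings.append(f"{newest.name} does not match its recorded sha256")
    return not findings, findings


def write_backup(backup_dir, name, payload, mtime, with_sidecar=True, corrupt=False):
    """Constructed-scenario helper: create a backup file with a chosen mtime."""
    path = Path(backup_dir) / name
    path.write_bytes(payload)
    if with_sidecar:
        path.with_name(name + ".sha256").write_text(f"{sha256_of(path)}  {name}\n")
    if corrupt:
        path.write_bytes(payload + b"X")   # content changed after the hash was recorded
    os.utime(path, (mtime, mtime))
    return path


def demo():
    """Run the check over three constructed scenarios and return their results."""
    now = 1_700_000_000.0               # fixed "now" so the ages are deterministic
    results = {}
    with tempfile.TemporaryDirectory() as d:
        write_backup(d, "fw-backup-day1.bak", b"config v1", now - 30 * 3600)
        results["stale"] = check_backups(d, now=now)      # only a 30h-old copy exists
        write_backup(d, "fw-backup-day2.bak", b"config v2", now - 2 * 3600)
        results["fresh"] = check_backups(d, now=now)      # a 2h-old, intact copy
        write_backup(d, "fw-backup-day3.bak", b"config v3", now - 3600, corrupt=True)
        results["tampered"] = check_backups(d, now=now)   # newest copy altered on disk
    return results


if __name__ == "__main__":
    for scenario, (ok, findings) in demo().items():
        print(f"{scenario}: {'OK' if ok else 'FAIL'} {findings}")
```

Run it daily (cron, or whatever scheduler you already use for the export) and alert on any `FAIL`; the point is that "we take backups" is not the same as "the latest backup will restore", and the hash check catches a copy that was altered or truncated after export.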

6. Check all community updates on the particular firmware version before starting or planning an upgrade.

Your opinions on this post are valuable. All cases are for reference purposes only; it may differ for you.