Hi Sophos Community,

I'm pleased to announce Switch Backup Management will be available in Sophos Central on Thursday, September 21.  

Key Features

On-Demand backups per switch

  • Create a backup for any switches at any time, such as before and after making big changes.
  • See previous backup results.
  • Add backup tags for easy reference.

Configure a Recurring Backup Schedule

  • Maintain your peace of mind with scheduled backups to ensure a quick recovery in a worst-case situation.
  • Keep a history of previous backups per switch (you can configure up to 10).

Restore previous backups directly from Sophos Central

  • Did someone make unexpected changes from CLI, or switch API? Did it break something?
  • Did you upgrade or replace a switch?
  • Restore saved backups directly from Sophos Central with a click. 
  • Download saved backups to restore from the local UI, for un-managed switches.

Download Backups

  • Backup files may be restored manually through the local switch UI
  • Open backups in a text editor to review the configuration. Configuration is stored in the CLI command format, and can be easily read, searched, and understood without special tools.


Backup Management is available for switches with a valid Support & Services subscription.

  • Hey Bruce, thanks for highlighting this! We'll investigate how best to avoid this going forward. 

  • Hey, thanks for the answer.
    However, I do not quite get along with it either, am rather a novice. Would it be possible to get an illustrated tutorial on what to do?

    Too bad that it does not go from the beginning and you have to change something.

  • So -- might want to document that -- and maybe these switch exceptions (the jfrog ones too) should be baked into the XGS (updated via a pattern update, for example) like the DPI sophos-managed exception list.

    Thanks, when I get a chance I'll look for a similar log entry.

  • Hey Man, hows it going!  You may need to add a TLS inspection "No Decrypt" policy LAN>WAN for the Switches.If you look at your logs you may see something similar to this:


    Adding this to Web > Exceptions as well is an option.

  • Question -- is this actually active?  I tried it out on some switches we have and the backup process fails.  My guess is there is some other host / protocol that needs to be open to do this function, other than the jfrog and central exceptions we've had to add to firewalls to get the basic management to work with Central.  Is that the case?  We (and some of our customers) have very strict outbound rules in our firewalls.