Sophos XG upgrade - XG135 -> XGS2100

Hi Andre Thibodeau,

Thank you for reaching out to the Community! 

The configuration backup from SFOS v18.0.5 MR5 to v18.5 isn't supported at the moment. 

The workaround would be to downgrade the firmware to 18.0.4 MR4, download the backup, and use it on v18.5. 

Note: You will lose the configuration done between v18.0 MR4 and MR5. 

Reference: https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0

Thanks,

Hi Harsh,

The XG135 was upgraded from 18.0.3 to 18.0.5 several months ago, we would loose too many changes to if we were to downgrade the XG135.  So I have reached out to our Sophos Rep and provided him with a copy of the XG135 backup to have it converted.  Will update this discussion if we are successful.

Thanks

André

Hi Harsh,

The XG135 was upgraded from 18.0.3 to 18.0.5 several months ago, we would loose too many changes to if we were to downgrade the XG135.  So I have reached out to our Sophos Rep and provided him with a copy of the XG135 backup to have it converted.  Will update this discussion if we are successful.

Thanks

André

The issue about restore is always, if you build a version, which is based on a older version. Basically V18.5 GA is based on MR4. Therefore the changes of MR5 are not included. 

But MR1 is released: https://community.sophos.com/sophos-xg-firewall/b/blog/posts/sophos-firewall-v185-mr1-eap

awesome, I will apply mr1 this morning and attempt the restore.

AT

All good.  Updated the XGS2100 to MR1 and restored backup from 18.0.5

AT

By why is this done at all? That is the point if you have a new version it was supposed to be able to "read" and restore an older version. It seems any time a restore is done there is some excuse why it doesnt work which is non sense.

If this was a failed unit and you had to wait for days just to restore what does the customer do?
There are way too many failures wen restoring configs if its not this its the pattern updates etc. Are you just supposed to get lucky and hope MR1 comes out when a customer is down?

There is literally no other firewall on the market that struggles this badly on restores operations. If a $50 netgear can pull it off we expect enterprise gear to do it too.

Andre glad you did get it going !

SFOS is able to read old config. 

But MR5 is not older than V18.5 GA. Infact V18.5 GA was build before MR5. V18.5 GA was built in parallel to MR4. Which means, it can only cover MR4 and below. But MR5 is a release, which is newer and "not known to V18.5 GA". Thats the issue, if you have multiple configuration releases in parallel and therefore it will be resolved by moving to V18.5 as a customer. 

Understood I am just saying I dont know why its pushed out like that, there must be a more logical way.

Thanks for the explanation.

So what would be the other direction? Sophos could delay MR5 on purpose until today. This would be the other possibility. I guess, get MR5 out for the installation base is a better approach compared to wait until V18.5 MR1 is ready. 

There are probably a few ways to look at the roll outs that make sense. We are cringing as we have had so many restore issues even within the accepted scope on XG we can only imagine how bad the XG to XGS restores are going to be.
We certainly hope its not the case but past experience shows this is a very weak point for Sophos firewalls.
I feel bad for those that have also rolled out wireless they will likely have even more to deal with.