
Upgrading 17 to 18: experiences and criticism

Hi,

I'm looking for users' advice and experience on upgrading to 18, especially directly from 17.5 to the latest 18.

I'm thinking about upgrading in the next days, but we have a critical organization and I'm reading several criticisms, especially from the NAT rules point of view. Can anyone share his experience? I want to upgrade but I cannot disrupt connections or VPN connections; we are a 24/7 available organization, and we have a TON of policies and NAT rules...

We have an XG330 cluster in HA mode.

Best Regards,

Simone



This thread was automatically locked due to age.
  • There is a good post about upgrades in general: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/129246/best-practice-for-sophos-firewall-firmware-upgrade

    But from 17.5 to V18.0/5, there are some specialties. 

    First of all, the HA will reboot at the same time. Therefore you will have a downtime of ~2-5 minutes until both appliances reboot. 

    The configuration should not change and it should not have an impact on your configuration, but the config will look messy. Therefore some cleanup should follow.

    Linked NAT will be created for each and every firewall rule. This is generally speaking not needed, because you have a SNAT MASQ Rule at the bottom. 

    I recommend disabling the virtual fastpath if something behaves oddly after the upgrade. The new architecture is loaded after the upgrade and the new DPI engine is loaded: You can disable this via console> system firewall-acceleration disable and in the webadmin under TLS/SSL Inspection Rule.
