SFOS 19.0 almost bricked my XG230

Hi,

I also encountered the same issue when updating my Sophos XG210 with SFOS 19.0.0 GA-Build317 going into Fail Safe Mode on 20th May 2022. Had to roll back to the previous version of 18.5.3. Second day I attempted update again and with same failure. Looks like there is some compatibility issue of the latest SFOS 19.0 with XG2XX series hardware since the same update is successfully installed in XG115 devices.

Awaiting feedback from Sophos on way forward

Nikhil

Hello Nikhil,

Have you created a Support Ticket about this? 

Regards,

Yes I do, ticket number is 05269821

Hi Nikhil Patwa1 Thanks for sharing the case details and I added notes over the case for the next update and progress.

Hi Vishal,

Does this confirm that SFOS 19.0.0 GA-Build317 on XG210 is an issue and we need to wait for the next update release?

When are we expecting the next update

Regards,

Nikhil

Hi Nikhil Patwa1:   Further update you will get on your ticket from the support team (Issue is not getting observed for all XG210).

Hi Nikhil Patwa1:   Further update you will get on your ticket from the support team (Issue is not getting observed for all XG210).

Hi Nikhil Patwa1:  Based on the current investigation below is the finding 

If your device is using a configuration previously restored from a Cyberoam backup, and you have NOT regenerated the appliance certificate on SFOS, upgrading to SFOS v19 will result in operation in fail-safe mode.

The appliance certificate generated in Cyberoam devices uses a weak signature algorithm (MD5) that is NOT supported for appliance certificates in SFOS v19.

How to verify before upgrading:

One may check the Signature Algorithm of the Appliance certificate by running the following command on the advanced shell:

“openssl x509 -in /conf/certificate/ApplianceCertificate.pem -text -noout”

If the output shows the signature algorithm as "md5WithRSAEncryption", Please DO NOT upgrade to v19 before regenerating the appliance certificate.

Points need to be taken care of before Applying the workaround:

Regenerating Appliance certificate results in remote users being unable to connect via VPN to the Sophos Firewall. Have the remote VPN user(s) re-download their client configuration package from the user portal to make it work. Or Restore the Sophos Firewall to a previous configuration backup taken prior to the Certificate renewal in the previous version. not in v19 to make it work as previously.

Please refer to below advisory for more info:

ADVISORY - Sophos Firewall: Appliance goes into failsafe mode when firmware upgrades to 19.0 GA with the reason "Unable to start logging daemon"

support.sophos.com/.../KB-000044122

Hi Vishal,

I have regenerated the Appliance Certificate although we are not using the Appliance Certificate any more, for administration console the certificate chosen is the self-signed one which is SHA-256

I will again try to update and provide the status

Regards,

Nikhil

Hi,

I did regenerate the old certificate although we don't use it using the 18.5 installation. When rebooting into the 19.0 I still did ended up in failsafe mode probably because the 19.0 had already converted the previous configuration. Fired up the CLI, reset to factory mode, changed the network address and uploaded the backed up configuration (With the new certificate), and voila.

Order has been restored.

Thanks!