Reverting firmware through SSH on SFOS v18+

A few days ago I got into a difficult situation where an XG 135 was unreachable through VPN after updating to SFOS 19.0.0 GA-Build317.

This wasn't the first time I was having issues with SFOS v19.0.0 GA-317 update, but it was the first time while working remotely.

I was not on site, and since I couldn't establish a VPN connection with the device after the fw update, for whatever reason, I tried to find a workaround to regain remote access.

Luckily, I had terminal access from a device on that LAN (Synology NAS, Docker ssh client); my first thought was to try to revert the firmware back, and I tried using the methods discussed here: community.sophos.com/.../how-do-i-boot-to-previous-firmware-with-putty

Unfortunately, the methods on the previous link didn't work for me. I'm unsure why (maybe FW version?), rebootfw command didn't return any errors but it also didn't return anything, after a reboot it clearly wasn't working as intended or suggested.

I eventually used another command which apparently is issued by the system during firmware updates: loadfw

This worked for me:

1. SSH into the firewall
2. Choose option 5 (Device Management)
3. Choose option 3 (Advanced Shell)
4. Execute: showfw

The command above returns a list of existing firmwares on the device:
FW0=SFLoader
FW1=19_0_0_317
FW2=18_5_3_408

We already know which version is in use from the terminal prompt alone, for example:
XG135_XN03_SFOS 19.0.0 GA-Build317#

If Firmware 1 (FW1) is in use, we probably want to switch to Firmware 2 (FW2) - and vice-versa.

5. To switch to FW2, execute: loadfw -d -f 2
Summary:
-d: Sets the firmware # passed by -f as the default FW to use
-f #: Tells which firmware to use for this command

6. Reboot the device now by issuing: reboot

It took around 5-10 min. for me to regain access to the device, hope this helps someone else.



Edited TAGs
[edited by: emmosophos at 6:00 PM (GMT -7) on 23 May 2022]