Hello everybody,
yesterday I updated two Firewalls (XGS 126 and XG 125) from Version 19.0.0 to 19.0.1. After the upgrade both Firewalls has SFOS 19.0.1 firmware installed but lost their configuration. The problem was both firewalls are on remote site and lost all external connections (Sophos Central und VPN), so I can't reach the firewalls. Today we connect on site via serial console to the Firewalls, and I saw that Firmware 19.0.1 was installed, but (at minimum) the network configuration was gone. I made some tests:
- Booting the 19.0.0 Firmware the Firewall runs as expected.
- Booting the 19.0.1 Firmware via Bootloader or via WebAdmin Firewall has no configuration.
On the other hand, I made the upgrade on serval firewalls without any problem (2x XG 125, 1x XGS 5500 HA, a Virtual and a Software Firewall).
How can I remove the 19.0.1 Firmware from the non-working firewalls to get a 2nd try to upload the firmware again and install the 19.0.1?
Thanks,
Ben
Thank you all for reporting this issue.
We have confirmed this is a bug, and we'll fix it in an upcoming new build for v19.0 MR1.
This issue affects devices which has 'set vpn conn-remove-on-failover…
Hello @Ben@Network,Thank you for reaching out to the community, You can download the v19.0 GA from the following links:> https://www.sophos.com/en-us/support/downloads/firewall-installers> https://download.sophos.com/firmware/HW/index.htmlAnd then re-image the appliance: https://support.sophos.com/support/s/article/KB-000036812?language=en_USThen you can download firmware latest firmware 19.0.1 MR-1 from Sophos Licensing Portal: https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareDownloadFirmware/index.htmlBetween after the firmware upgrade did your appliance went into the failsafe mode ? If that is the case then you may check the reason by following the article below:> Know the cause of hardware appliance going in failsafe mode: https://support.sophos.com/support/s/article/KB-000036375?language=en_US
Thanks & Regards,
Vivek Jagad | Technical Account Manager 3 | Cyber Security Evolved
Sophos Community | Product Documentation | Sophos Techvids | SMSIf a post solves your question please use the 'Verify Answer' button.
Hello Vivek,
Thanks for the answer. Since the firewall is not directly in my access, I did not want to install a new image on the firewall. With the version 19.0.0 the firewall runs without problems. However, now when I click on "Boot Firmware Image" on the 19.0.1 in WebAdmin, the firewall boots again with the broken configuration. I am now looking for a way to upload the 19.0.1 version again and have a 2nd attempt to boot a working 19.0.1.
Is there a way that the firewall automatically reboots after a certain time and boots with the previous firmware version, unless the automatic reboot is cancelled by the administrator?
Hey Ben@Network ,SFOS provides you to slots of the firmware, where in you can switch between the two slots anytime without loosing the configurations. So, before moving to the SFOS v19.01 MR-1 if you have the backup of v19.0.0 GA that is excellent. And now that the configurations are broken on v19.01 MR-1 then that backup file will be handy. You can load the previous firmware using *SFLOADER: https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/BackupAndFirmware/Firmware/FirmwareLoadFirmwareSFLoader/index.htmlOnce you are able to start the v19.0.0 GA without appliance being broke or into the fail-safe mode then you may restore the backup with the file you saved. *WARNING: The option to load firmware using SFLoader isn't available for XGS devices. To update corrupt firmware for XGS devices, see Reimage Sophos Firewall. OR the link shared previously !!
If I understood your answer correctly, the only way to boot a running19.0.1 on the firewalls is to install a new image, update to 19.0.1 and import the 19.0.0 configuration backup? There is no more "remote" friendly way?
Nope if it is broken or in a fail-safe mode then there is no other remote friendly way of restoring it !!You should take a look into the suggestion given by LuCar Toni. Ben@Network