248 firewalls - SSD firmware update - This will not be fun

What's the best way for partners to handle this?  Seems like a logistical nightmare.  Most of the firewalls I've connected to in the last two days have the SSD firmware upgrade banner, so I'm going to guess it's a large portion of the installed base.

Performing the upgrade is manual and requires someone to SSH to each firewall and run system ssd update.  Then wait while the firewall restarts, and hopefully not need to call one of our customers to tell them they need to go into their office after hours to give it a power cycle.

Sure, we can do several at a time, but this is not good.  We have our documentation in ITGlue, so basically the process will be: go look up the IP and credentials for customer A's firewall, log in, update, wait and verify it came back.  Go to customer B, do the same. Go to customer C, do the same, all the way through.

Takes a lot of time. Going to have to have some place to document who has this done and who doesn't. Nothing in Partner Central until you log in to the customer, then to each firewall, so no easy way as a partner to look. Thought Central was a place where we can schedule updates, but not for this. Why not have it be a hot-fix or firmware update that can be scheduled without all the extra work? Going backwards.

For your end users, not a big deal.  For partners, this is gonna stink. Seems like we get the short end too often.



Edited TAGs
[edited by: emmosophos at 5:31 PM (GMT -8) on 26 Jan 2024]
  • Based on what I've read, it seems like this is to reduce the number of RMAs for SSD issues.  Wonder if this firmware would have prevented the recent failures that we've seen (red status LED when power cycled due to boot failure).  Gonna guess we'll still want to get this done sooner rather than later. I don't want to wait for a firewall to "start" having problems and react by installing the update.

    Carbon15 below writes that the 19.5 MR3 update had a firmware update.  Why did that firmware update not require a power cycle?  And it looks like the firmware does a power cycle.  Perhaps it's the HA implementations. Be nice to know what the common factor is for those required power cycles so we could plan this out for most of the 245 times we are going to do this.

    I looked through 30 firewalls yesterday and the bulk of them require the update.  

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • A power cycle is not always required, but there's a chance of that being needed. What chance, we will all find out in time.

    I think I read in another thread that in order to have the update properly applied there's a software "trick" to correctly disconnect the power internally from the disk (I've probably horribly butchered the real process). When applying MR3 and having the box "stick", a power cycle always brought it back, so I'm assuming that it's the same process (that firmware was for a small subset of disks).

  • The SSD update in v19.5 MR3 was for a different model of SSD, which did not require a power cycle (just reboot). 

    The SSD drive included in this hotfix does require a power cycle (not just a reboot) for the new firmware to take effect. We understand that is inconvenient for our partners/customers, so we tried to mimic a power cycle through software, but we found that's not always successful. That is why we added it as a manual update, so customers/partners can plan for the power cycle if required (rather than be surprised by it through a regular MR update).