248 firewalls - SSD firmware update - This will not be fun

What's the best way for partners to handle this?  Seems like a logistical nightmare.  Most of the firewalls I've connected to in the last two days have the SSD firmware upgrade banner, so I'm going to guess it's a large portion of the installed base.

Performing the upgrade is manual and requires someone to SSH to each firewall and run system ssd update. Then wait while the firewall restarts and hopefully not have to call one of our customers to tell them they need to go into their office after hours to give it a power cycle.

Sure, we can do several at a time, but this is not good. We have our documentation in ITGlue, so basically the process will be: go look up the IP and credentials for customer A's firewall, log in, update, wait and verify it came back. Go to customer B, do the same. Go to customer C, do the same, all the way through.

Takes a lot of time. Going to have to have some place to document who has this done and who doesn't. Nothing in Partner Central until you log in to the customer, then to each firewall, so no easy way as a partner to look. Thought Central was a place where we can schedule updates, but not for this. Why not have it be a hot-fix or firmware update that can be scheduled without all the extra work? Going backwards.

For your end users, not a big deal.  For partners, this is gonna stink. Seems like we get the short end too often.



Edited TAGs
[edited by: emmosophos at 5:31 PM (GMT -8) on 26 Jan 2024]
  • We've had a list of the serial numbers through, so we were able to identify any that have been hanging regularly and hadn't already been patched by Sophos GES (that's what this is meant to fix). Any that aren't showing this behaviour can get this patch applied with much less urgency.

    Otherwise, yeah - we have the same sentiments and have let our Sophos contacts know. We'll have to get round to patching them at some time, and whilst we've had the line "you can do it at the same time as updating the firmware", we use Central to do that, so we never have to waste time visiting 100s of XGs one by one. There is also the added issue that I think a reasonable number will require a manual power cycle, which is what we've seen with MR3, which also had an SSD firmware update component.

  • Bang on and this is 's point. One of the best features of Sophos Central is the ability to centrally roll out firmware updates instead of having to log in to each individual device one by one. I don't understand why this couldn't be released as part of a minor firmware release (MR2 or something). That way we could push out the firmware centrally and include a reboot as normal. It feels like we're going backwards, not forwards.

  • The easy answer is: you still need to trigger the SSD update whenever you are ready for the SSD update. In case this needs a manual power cycle, you don't want to do this centralized. For example: you do 100 firewalls at the same time and 2 firewalls need a reboot cycle; you would have to deal with this at the same time.

    Therefore the best approach (from my perspective) is to do it whenever the customer/Partner has the time to watch the process. 

    I was looking into doing this via Sophos Factory, but overall I would not recommend doing it centralized (at the same time).


  • We have seen enough firewalls need a manual restart when scheduling updates via Central that we make the customer aware of the pending update so they can have someone onsite reboot the firewalls that don't come back up. I understand that we want this to be a manual process just in case the firewall doesn't come back up but with it already being the current situation without SSD firmware updates, that argument doesn't hold water.

    Sophos Firewall Engineer 16.0, 16.5, 17.0, 17.1, 17.5, 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Architect 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Firewall Technician 18.0, 18.5, 19.0, 19.5, 20.0
    Sophos Central & Endpoint Architect 3.0, 4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
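
One way to handle the tracking and staggering raised in this thread, as an added example that is not from any poster or from Sophos: it orders pending firewalls so regularly hanging serials go first, splits them into small waves, and records whether each unit came back after the operator triggered the update by hand. The inventory fields, status names, wave size and the TCP port 22 probe are assumptions; the script does not run the update itself.

```python
import socket
import time
from dataclasses import dataclass

@dataclass
class Firewall:
    customer: str
    host: str                  # management address (assumed reachable over TCP)
    serial: str
    hanging: bool              # serial reported as hanging regularly
    status: str = "pending"    # pending | back_online | needs_power_cycle

# Constructed sample inventory: documentation-range IPs, made-up serials.
INVENTORY = [
    Firewall("Customer A", "192.0.2.10", "SERIAL-A1", hanging=False),
    Firewall("Customer B", "192.0.2.20", "SERIAL-B1", hanging=True),
    Firewall("Customer C", "192.0.2.30", "SERIAL-C1", hanging=True, status="back_online"),
    Firewall("Customer D", "192.0.2.40", "SERIAL-D1", hanging=True),
]

def plan_waves(inventory, wave_size):
    """Order pending units (hanging serials first) and split them into small waves."""
    pending = [fw for fw in inventory if fw.status == "pending"]
    pending.sort(key=lambda fw: (not fw.hanging, fw.customer, fw.serial))
    return [pending[i:i + wave_size] for i in range(0, len(pending), wave_size)]

def tcp_probe(host, port=22, timeout=3.0):
    try:  # True if the management port accepts a TCP connection
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def wait_for_return(fw, probe=tcp_probe, attempts=30, delay=20.0, sleep=time.sleep):
    """Poll after the update was triggered; require down-then-up before marking it back."""
    went_down = False
    for _ in range(attempts):
        if not probe(fw.host):
            went_down = True
        elif went_down:
            fw.status = "back_online"
            return True
        sleep(delay)
    fw.status = "needs_power_cycle" if went_down else "pending"
    return False

if __name__ == "__main__":
    for n, wave in enumerate(plan_waves(INVENTORY, 2), 1):
        print(f"wave {n}:", [fw.customer for fw in wave])
```

A unit marked back_online has only been seen to reboot and answer again; whether the SSD firmware banner is gone still has to be confirmed on the firewall.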
