
248 firewalls - SSD firmware update - This will not be fun

What's the best way for partners to handle this?  Seems like a logistical nightmare.  Most of the firewalls I've connected to in the last two days have the SSD firmware upgrade banner, so I'm going to guess it's a large portion of the installed base.

Performing the upgrade is manual and requires someone to SSH to each firewall and run system ssd update.  Then wait while the firewall restarts and hopefully doesn't need to call one of our customers to tell them they need to go into their office after hours to give it a power cycle.

Sure, we can do several at a time, but this is not good.  We have our documentation in ITGlue, so basically the process will be: go look up IP and credentials for customer A firewall, log in, update, wait and verify it came back.  Go to customer B, do the same, go to customer C, do the same, all the way through.

Takes a lot of time. Going to have to have some place to document who has this done and who doesn't. Nothing in Partner Central until you log in to the customer, then to each firewall, so no easy way as a partner to look. Thought Central was a place where we can schedule updates, but not for this. Why not have it be a hot-fix or firmware update that can be scheduled without all the extra work? Going backwards.

For your end users, not a big deal.  For partners, this is gonna stink. Seems like we get the short end too often.



  • We've had a list of the serial numbers through, so we were able to identify any that have been hanging regularly and hadn't already been patched by Sophos GES (that's what this is meant to fix). Any that aren't showing this behaviour can get this patch applied with much less urgency.

    Otherwise, yeah - we have the same sentiments and have let our Sophos contacts know. We'll have to get round to patching them at some time, and whilst we've had the line that you can do it at the same time as updating the firmware, we use Central to do that so never have to waste time visiting 100s of XGs one by one. There is also the added issue that I think a reasonable number will require a manual power cycle, which is what we've seen with MR3, which also had an SSD firmware update component.

  • Bang on and this is 's point. One of the best features of Sophos Central is the ability to centrally roll out firmware updates instead of having to log in to each individual device one by one. I don't understand why this couldn't be released as part of a minor firmware release (MR2 or something). That way we could push out the firmware centrally and include a reboot as normal.  It feels like we're going backwards, not forwards.

  • The easy answer is: You still need to trigger the SSD update whenever you are ready for the SSD update. In case this needs a manual power cycle, you don't want to do this centralized. For example: You do 100 firewalls at the same time and 2 firewalls need a reboot cycle, you would have to deal with this at the same time.

    Therefore the best approach (from my perspective) is to do it whenever the customer/partner has the time to watch the process.

    I was looking into doing this via Sophos Factory, but overall I would not recommend doing it centralized (at the same time).

  • We have seen enough firewalls need a manual restart when scheduling updates via Central that we make the customer aware of the pending update so they can have someone onsite reboot the firewalls that don't come back up. I understand that we want this to be a manual process just in case the firewall doesn't come back up but with it already being the current situation without SSD firmware updates, that argument doesn't hold water.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner

  • The reason we didn't make this part of an MR update was because there's a chance the SSD firmware update requires a power cycle. We didn't want customers to install a normal MR, and then find they have to get someone on-site to do a power cycle rather than simply a reboot. That's why even with the hotfix, we only made the SSD firmware available, and a manual process to apply. We didn't want to force all customers to take this risk, especially those who aren't experiencing SSD-related issues.

    However we heard the community & partners' feedback, and we're working on a way to allow the SSD firmware to be applied through Central. This will save partners from having to log into every firewall one by one, but still have to be on standby in case a power cycle is required. Stay tuned.

  • I understand the chance of having to power cycle.  But we already have to power cycle sometimes when doing standard, scheduled firmware updates.  

    Good to know that something's in the works so we don't have to do the one-by-one check and likely update.

    Sophos Firewall Engineer 16.0-20.0
    Sophos Firewall Architect 18.0-20.0
    Sophos Firewall Technician 18.0-20.0
    Sophos Central & Endpoint Architect 3.0-4.0
    Sophos Central Email v2.0
    Sophos Mobile v9.6
    Sophos ZTNA 1.0, 2.0
    Synchronized Security Accredited
    Sophos Gold Partner
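
An added example, not part of any post in this thread and not Sophos code: a small tracker for the staged approach the replies describe (units known to hang first, small batches, watch for firewalls that do not come back). The update itself is still triggered by hand with system ssd update; the inventory columns, the addresses, the batch size and the timings are assumptions.

```python
import csv, io, socket, time

# Constructed inventory: hypothetical customers, RFC 5737 documentation addresses.
# "hanging" marks units already seen hanging, which are patched first.
SAMPLE = """customer,host,port,hanging
Customer A,192.0.2.10,22,yes
Customer B,192.0.2.20,22,no
Customer C,192.0.2.30,22,yes
Customer D,192.0.2.40,22,no
"""

def plan_batches(text, batch_size=2):
    """Hanging units first, then small batches so only a few firewalls
    can be waiting for an on-site power cycle at the same time."""
    rows = list(csv.DictReader(io.StringIO(text)))
    rows.sort(key=lambda r: r["hanging"] != "yes")  # stable sort keeps file order
    return [rows[i:i + batch_size] for i in range(0, len(rows), batch_size)]

def port_open(host, port, timeout=3.0):
    """True if a TCP connection to the management port succeeds."""
    try:
        with socket.create_connection((host, int(port)), timeout=timeout):
            return True
    except OSError:
        return False

def watch_batch(batch, deadline_s=900, interval_s=15,
                probe=port_open, sleep=time.sleep):
    """Call right after triggering the update on every firewall in the batch.
    Returns {host: status}: 'back', 'needs-power-cycle' (went down and never
    returned) or 'no-restart-seen' (stayed reachable for the whole window;
    a restart shorter than interval_s can be missed)."""
    state = {r["host"]: "no-restart-seen" for r in batch}
    for _ in range(deadline_s // interval_s):
        for r in batch:
            host = r["host"]
            if state[host] == "back":
                continue
            if not probe(host, r["port"]):
                state[host] = "needs-power-cycle"   # down, still pending
            elif state[host] == "needs-power-cycle":
                state[host] = "back"                # was down, answers again
        if all(s == "back" for s in state.values()):
            break
        sleep(interval_s)
    return state
```

The returned dictionary can be appended to whatever record is kept of which firewalls are done and which need someone on site.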