Sophos Firewall firmware versions v18.0 MR3 and earlier reached end of life on 31 Jul 2021; v17.5* will be end of life on 30 Nov 2021.
Upgrading to the latest v18 firmware release is recommended in order to remain eligible for Technical Support.
* v17.5 MR15 is supported and v17.5 MR16 is maintained for XG 85(w) and XG 105(w) until these hardware models go End-of-Life.
The following steps need to be performed in an outage window.
For active-passive HA, check whether the current primary node is still the initial primary node after the firmware upgrade. If it is not, perform an HA failover by clicking "Switch to passive device" in the webadmin GUI > System > High Availability. The reason is that "the initial HA primary node must be the primary node all the time", as explained in Sophos Firewall Help > High availability startup guide > FAQs.
To identify which firewall is the initial primary node in active-passive HA:
a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
nvram get "#li.serial"
nvram get "#li.master"
If the output of nvram get "#li.master" is YES, as below, then the Sophos Firewall is the initial HA primary node.
XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
YES
If the output of nvram get "#li.master" is NO, as below, then the Sophos Firewall is the initial HA auxiliary node.
XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
No
Note: The serial number of the Sophos Firewall is displayed in the output of nvram get "#li.serial".
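The check above can be scripted so that it is not done by eye during the outage window. The following POSIX shell script is an added example for this article and is not Sophos code; it assumes it is pasted into the SFOS Advanced Shell (5. Device Management > 3. Advanced Shell), where the nvram command shown above exists. Note that the article's own output samples show the flag as "YES" on the primary but "No" on the auxiliary, so the comparison is made case-insensitively.

```sh
#!/bin/sh
# Added example, not Sophos code: decide from the nvram flags whether the node
# this runs on is the initial HA primary. The classifier runs anywhere; the
# device check needs the SFOS Advanced Shell, where `nvram` exists.

# Normalise the raw output of `nvram get "#li.master"` and map it to a role.
# The flag is shown as "YES" on the primary but "No" on the auxiliary, so
# compare case-insensitively and strip any trailing newline or whitespace.
classify_master() {
    case "$(printf '%s' "$1" | tr -d '[:space:]' | tr '[:lower:]' '[:upper:]')" in
        YES) echo initial-primary ;;
        NO)  echo initial-auxiliary ;;
        *)   echo unknown ;;
    esac
}

# Read both flags from the device and say whether a failover is needed.
# Return code: 0 = initial primary, 1 = initial auxiliary, 2 = cannot tell.
check_ha_node() {
    if ! command -v nvram >/dev/null 2>&1; then
        echo "nvram not found: run this from the SFOS Advanced Shell" >&2
        return 2
    fi
    serial=$(nvram get "#li.serial")
    role=$(classify_master "$(nvram get "#li.master")")
    echo "serial=$serial role=$role"
    case "$role" in
        initial-primary)
            echo "OK: this node is the initial HA primary; no failover needed."
            return 0 ;;
        initial-auxiliary)
            echo "ACTION: this node is the initial auxiliary. If it is currently" \
                 "primary, use System > High Availability > Switch to passive device."
            return 1 ;;
        *)
            echo "WARN: unexpected #li.master value; inspect the nvram output by hand." >&2
            return 2 ;;
    esac
}

# Only touch the device when invoked as `sh ha_check.sh run`, so the file can
# also be sourced for its functions.
case "${1:-}" in
    run) check_ha_node ;;
esac
```

Run it on each node of the pair; the node that reports initial-auxiliary must not be the active primary when the upgrade starts.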
The Secure Storage Master Key (SSMK) was introduced in v17.5 MR15 and v18.0 MR3.
Details about SSMK are available at SSMK (Secure Storage Master Key) for encryption of sensitive data.
It is recommended to set the SSMK once upgraded to v18.0 MR3 or later.
Key points about SSMK:
Details in XStream - the new DPI Engine for web proxy explained
If problems occur with web traffic after upgrading from v17 to v18.0, please open a support ticket for further investigation. If the issue is urgent, disable the new DPI engine and use the legacy web proxy as a workaround.
FastPath is a feature that processes trusted traffic at wire speed; in other words, it improves performance for trusted traffic.
In v17, there is only software FastPath, and it applies only to IPv4 traffic over Ethernet/VLAN.
In v18, there is also hardware FastPath, and FastPath applies to IPv4 traffic over LAG/bridge, IPv6, and more.
Details about FastPath on v18 are available at Making the most of XG Firewall v18 – Part 3
If problems occur with traffic after upgrading from v17 to v18.0, please open a support ticket for further investigation. If the issue is urgent, disable FastPath as a workaround (this trades throughput for stability, so treat it as temporary):
a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
cish
system firewall-acceleration disable
Details in Making the most of XG Firewall v18 – Part 3
If you need to create a new firewall rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18
In v18, NAT has been decoupled from firewall rules: NAT rules are now configured separately instead of as part of a firewall rule.
Details in Understanding New decoupled NAT and firewall changes in v18
If you need to create a new NAT rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18
Details in Sophos Firewall Help > SD-WAN policy routing
If you need to create a new SD-WAN policy route, here is a guide Sophos Firewall Help > How to configure SD-WAN policy routes
In v17, the primary gateway for traffic could be chosen in the firewall rule. In v18, this is achieved with an SD-WAN policy route. Here is the configuration guide: Specify primary gateway
Known issues are listed in the Sophos Firewall v18.0 release notes, together with the following recently found issues:
Issue ID: NC-73628
Symptom: Wireless network with Security Mode "WEP OPEN" doesn't broadcast SSID
Workaround: Change the security mode to WPA2
Expected fix version: v18.0 MR7
Note: WEP is cryptographically broken and should not be used regardless of this issue; WPA2 is recommended.

Issue ID: NC-70778
Symptom: Cannot upload a file containing multiple CAs
Workaround: Split the bundle into one file per CA and upload them individually
Expected fix version: v18.0 MR7

Issue ID: NC-69489
Symptom: Firewall crashes into fail-safe mode if the RADIUS server is not present but an SSID with WPA2-Enterprise is configured on LocalWiFi
Workaround: Configure a RADIUS server
Expected fix version: v18.0 MR7

Issue ID: NC-76400
Symptom: iOS IPsec VPN profile downloaded from the User Portal doesn't work
Workaround: Manually create the IPsec profile on the iOS device
Expected fix version: v18.0 MR7

Issue ID: NC-74735
Symptom: AUX reboots during HA switchover
Workaround: N/A
Expected fix version: v18.0 MR7

Issue ID: NC-75783
Symptom: LDAP authentication with anonymous login is not working on v18.0 MR5
Workaround:
a.) If you want to keep the Anonymous login option in place, you may roll back the firmware to v18.0 MR1/2/3/4 (note that v18.0 MR3 and earlier are end of life, as stated above).
b.) On the current firmware version v18.0 MR5, disable the Anonymous login option and provide a Bind DN and password to search the AD directory; use a dedicated read-only service account for the bind rather than an administrative one.
Expected fix version: v18.5 MR2
Note: This issue does not occur on v18.0 MR1/2/3/4.

Issue ID: NC-73800
Symptom: Websites are blocked when a custom Application Control policy is applied
Workaround: Use the legacy web proxy
Expected fix version: v18.0 MR7
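The workaround for NC-70778 above (one CA per upload) is easy to get wrong by hand when a vendor ships a long PEM chain. The following POSIX shell script is an added example for this article, not Sophos code: it splits a PEM bundle into ca-01.pem, ca-02.pem, ... on BEGIN/END CERTIFICATE markers and drops anything between certificates (comments, blank lines, "Bag Attributes" from PKCS#12 exports) so that no stray text ends up in the neighbouring file. The embedded bundle is a constructed placeholder with fake base64 bodies, used only to demonstrate the split.

```sh
#!/bin/sh
# Added example, not Sophos code: split a PEM CA bundle into one file per CA,
# as the NC-70778 workaround requires. Needs only POSIX sh and awk.

# split_ca_bundle BUNDLE OUTDIR -> prints the number of certificates written.
split_ca_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    awk -v dir="$outdir" '
        /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/ca-%02d.pem", dir, n); inside = 1 }
        inside { print > f }
        /-----END CERTIFICATE-----/   { inside = 0; close(f) }
        END { print n + 0 }
    ' "$bundle"
}

# Constructed two-certificate bundle for offline demonstration. The base64
# bodies are placeholders, not real certificates, so do not upload this file.
make_sample_bundle() {
    cat > "$1" <<'EOF'
# Example Root CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBexampleRootCAplaceholderAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END CERTIFICATE-----

# Example Intermediate CA (constructed placeholder)
-----BEGIN CERTIFICATE-----
MIIBexampleIntermediateCAplaceholderBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
-----END CERTIFICATE-----
EOF
}

# End-to-end demo in a temporary directory; prints the certificate count (2).
demo_split() {
    tmp=$(mktemp -d)
    make_sample_bundle "$tmp/bundle.pem"
    count=$(split_ca_bundle "$tmp/bundle.pem" "$tmp/out")
    rm -rf "$tmp"
    echo "$count"
}

# Usage: sh split_ca.sh demo
#        sh split_ca.sh split vendor-chain.pem ./cas
case "${1:-}" in
    demo)  demo_split ;;
    split) split_ca_bundle "$2" "$3" ;;
esac
```

With a real bundle, confirm what each piece is before uploading it, for example with openssl x509 -noout -subject -issuer -in ca-01.pem, so that the right CA goes into the right certificate authority entry on the firewall.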
2021-09-20, updated the article to match latest MR version of v18.0
2021-09-02, removed content of v17.5 MR16, as it will be end of life on 30 Nov 2021.
2021-08-04, minor change
2021-07-30, first version