Best practice for Sophos Firewall firmware upgrade

Sophos Firewall firmware versions v18.0 MR3 and earlier reached end of life on 31 Jul 2021; v17.5* will be end of life on 30 Nov 2021.

It is recommended to upgrade to the latest v18 firmware version to remain eligible for Technical Support.

* v17.5 MR15 is supported and v17.5 MR16 is maintained for XG 85(w) and XG 105(w) until these hardware models go End-of-Life.

Prepare for firmware upgrade

  1. Wait for the latest firmware to become available on the Sophos Firewall.
    To find the version of the latest firmware, check the following websites
    https://community.sophos.com/sophos-xg-firewall/b/blog
    https://docs.sophos.com/releasenotes/index.html?productGroupID=nsg&productID=xg&versionID=18.0

    On 20 Sep 2021, the latest firmware versions are v18.0 MR6 and v18.5 MR1

    If the firmware available on the Sophos Firewall is not the latest, or no firmware has been pushed to the Sophos Firewall, manually download it from the Sophos Licensing Portal. Details in How to download firmware from Sophos Licensing Portal

  2. Perform the steps recommended in Sophos Firewall: Suggestions prior to upgrading the SFOS firmware version, except the last step "perform a disk test", as the disk test will be run in the scheduled outage window.

  3. Check for new features in the new firmware
    Please refer to section "New features"

  4. Check for known issues in the new firmware
    Please refer to section "Known issues"

  5. Back up the firewall configuration now and download it to a local computer

  6. Schedule an outage window of at least 1 hour for the firmware upgrade

Perform firmware upgrade

The following steps need to be performed in the outage window.

  1. Perform the disk test
    Details in Sophos Firewall: Disk Test
    For Sophos Firewalls in HA, perform the disk test on the HA auxiliary node first, and then on the HA primary node.

  2. For a firmware upgrade on a single Sophos Firewall, please refer to How to move to a different firmware version
    If the Sophos Firewalls are in HA, skip to step 3 below.

  3. For a firmware upgrade on Sophos Firewalls in HA, please refer to section "Updating HA devices" in Sophos Firewall Help > Firmware

    Please note that for HA, when upgrading from v17.x to v18.x, both Sophos Firewalls reboot at the same time, so plan for a full traffic outage rather than a rolling upgrade.

    For active-passive HA, check after the firmware upgrade whether the current primary node is the initial primary node.
    If it is not, perform an HA failover by clicking "Switch to passive device" in webadmin GUI > System > High Availability.

    The reason is that "The initial HA primary node must be the primary node all the time", as explained in Sophos Firewall Help > High availability startup guide > FAQs

    To identify which firewall is the initial primary node in active-passive HA:
    a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
    b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands
    nvram get "#li.serial"
    nvram get "#li.master"

    If the output of nvram get "#li.master" is YES, as below, then the Sophos Firewall is the initial HA primary node.
    XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
    YES

    If the output of nvram get "#li.master" is No, as below, then the Sophos Firewall is the initial HA auxiliary node.
    XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
    No

    Note: The serial number of the Sophos Firewall is displayed in the output of nvram get "#li.serial". Record the serial of the initial primary node before the upgrade so the check above can be done quickly afterwards.

  4. If the upgrade doesn't go well

    Check the sections "New features" and "Known issues".

    If the issue is urgent, not listed as a known issue, and cannot be solved by any workaround, roll back the firmware and then open a technical support ticket as described below:

    a.) Roll back the firmware
    In the webadmin GUI, click "Boot firmware image" next to the inactive firmware.
    If webadmin is not accessible, do it from SSH or the serial console. Details in How do I boot to previous firmware with Putty?

    b.) Archive all logs with the following Advanced Shell commands
    cd /log
    tar -czvf logs.tar.gz *.log *.log.0

    c.) Generate a CTR and download it to a local computer
    Details in section "Generate a CTR" in Sophos XG Firewall: How to generate a Consolidated Troubleshooting Report (CTR)

    d.) Open a technical support ticket at https://support.sophos.com/support
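
The initial-primary check in step 3 above can be scripted so it is done the same way every time. The following is an added example, not part of the original article or of any Sophos tooling: it takes the two nvram values as arguments (on the firewall these come from nvram get "#li.master" and nvram get "#li.serial"; here constructed values are used so the script runs anywhere), together with the serial you recorded from the initial primary before the upgrade, and prints whether a failover is needed. The helper names and the ok/failover/check-manually results are this script's own choices.

```shell
#!/bin/sh
# Added example (not from the Sophos article): decide, after an HA firmware
# upgrade, whether "Switch to passive device" is needed so that the initial
# HA primary is primary again. Run it on the node that is currently primary
# (the one the HA cluster address lands on).
# Assumption: the nvram keys "#li.master" and "#li.serial" behave as the
# article shows; the recorded serial is the one you noted before upgrading.

# Normalise the "#li.master" flag. The article shows "YES" on the initial
# primary but "No" on the auxiliary, so compare case-insensitively and treat
# anything else (empty output on a non-HA unit, a truncated value) as unknown
# rather than guessing.
initial_role() {
    case "$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -d '[:space:]')" in
        YES) echo initial-primary ;;
        NO)  echo initial-auxiliary ;;
        *)   echo unknown ;;
    esac
}

# Arguments: master flag, serial of this node, serial recorded before upgrade.
# Prints one of: ok, failover, check-manually.
post_upgrade_action() {
    role=$(initial_role "$1")
    this_serial=$2
    recorded_serial=$3
    if [ "$role" = unknown ]; then
        echo check-manually
        return 0
    fi
    if [ "$role" = initial-primary ] && [ "$this_serial" = "$recorded_serial" ]; then
        # The initial primary is primary again: nothing to do.
        echo ok
    elif [ "$role" = initial-auxiliary ] && [ "$this_serial" != "$recorded_serial" ]; then
        # The initial auxiliary took over during the reboot: fail back.
        echo failover
    else
        # Flag and serial disagree with what was recorded: investigate first.
        echo check-manually
    fi
}

# On the firewall the two values would come from:
#   nvram get "#li.master"   and   nvram get "#li.serial"
# The values below are constructed so the script can be run off-box.
master_flag="No"
this_serial="C0123456789ABCD"
recorded_initial_primary="C9876543210ZYXW"
echo "action: $(post_upgrade_action "$master_flag" "$this_serial" "$recorded_initial_primary")"
```

If the result is failover, use "Switch to passive device" in webadmin GUI > System > High Availability and re-run the check; if it is check-manually, compare both nodes' nvram output before touching the cluster.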

New features of v18.0

SSMK

Secure Storage Master Key (SSMK) was introduced in v17.5 MR15 and v18.0 MR3

Details about SSMK are available at SSMK(Secure Storage Master Key) for encryption of sensitive data

It is recommended to set the SSMK once upgraded to v18.0 MR3 or later, and to record it in a secure place (for example a password manager), because it cannot be recovered if lost.

Key points about SSMK:

  • The Secure Storage Master Key, SSMK, is used to encrypt sensitive data, such as
    - passwords, secrets (including wifi AP secrets), and keys
    - accounts that have access to services, such as directory services, email servers, FTP servers, and proxies
    - user accounts stored on the Sophos Firewall
  • If the SSMK is lost, it can be reset but not recovered, so a config backup protected with the previous SSMK cannot be imported.
  • A config backup taken without an SSMK cannot be restored to
    - a different XG
    - the same XG on a different firmware version
  • A single SSMK is shared by both firmware images on the Sophos Firewall.
  • Factory reset removes the SSMK
    It is then impossible to switch to the other firmware image after a factory reset, because the SSMK is shared by both firmware images.
    Sophos plans to provide an option to retain the SSMK on factory reset in v18.0 MR7. (Issue ID: NC-67938)

new DPI engine for web proxy

Details in XStream - the new DPI Engine for web proxy explained

If problems occur with web traffic after upgrading from v17 to v18.0, open a support ticket so it can be investigated further. If the issue is urgent, disable the new DPI engine and use the legacy web proxy as a workaround:

  1. In the related firewall rules, check "Use web proxy instead of DPI engine", and
  2. Go to SSL/TLS inspection rules and toggle off "SSL/TLS inspection"

Toggling off SSL/TLS inspection disables DPI-engine decryption for the traffic those rules cover, so treat this as a temporary workaround and re-enable it once the problem is resolved.

re-designed FastPath

FastPath is a feature that processes trusted traffic at wire speed; in other words, it improves performance on trusted traffic.

In v17, there is only software FastPath, and it applies only to IPv4 traffic over Ethernet/VLAN.

In v18, hardware FastPath is added, and FastPath also applies to IPv4 traffic over LAG/bridge, IPv6, and more.

Details about FastPath on v18 is available at Making the most of XG Firewall v18 – Part 3

If problems occur with traffic after upgrading from v17 to v18.0, open a support ticket so it can be investigated further. If the issue is urgent, disable FastPath as a workaround (this trades throughput for easier troubleshooting, so re-enable it with system firewall-acceleration enable once the cause is found):
a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands
cish
system firewall-acceleration disable

re-designed firewall rule

Details in Making the most of XG Firewall v18 – Part 3

If you need to create a new firewall rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18

re-designed NAT rule

NAT has been de-coupled from firewall rule in v18.

Details in Understanding New decoupled NAT and firewall changes in v18

If you need to create a new NAT rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18

SD-WAN policy routing

Details in Sophos Firewall Help > SD-WAN policy routing

If you need to create a new SD-WAN policy route, here is a guide Sophos Firewall Help > How to configure SD-WAN policy routes

In v17, the primary gateway for traffic could be chosen in the firewall rule.
In v18, this is done in an SD-WAN policy route. Here is the configuration guide, Specify primary gateway

Known issues in v18.0

Known issues are listed in the Sophos Firewall v18.0 release notes,

together with the following recently found issues:

Issue ID: NC-73628
Symptom: Wireless network with Security Mode "WEP OPEN" doesn't broadcast SSID
Workaround: change security mode to WPA2
Expected fix version: v18.0 MR7
Note: WEP is obsolete and insecure; use WPA2 regardless of this issue.

Issue ID: NC-70778
Symptom: Cannot upload a file containing multiple CAs
Workaround: split the bundle into one file per CA certificate and upload them individually
Expected fix version: v18.0 MR7
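
The NC-70778 workaround above (one CA per file) can be done with a small POSIX shell script. This is an added example, not from the Sophos article or from Sophos: it needs only awk, writes ca-01.pem, ca-02.pem, ... (a naming choice made here), and demonstrates itself on a constructed three-certificate bundle whose base64 bodies are placeholders, not real certificates.

```shell
#!/bin/sh
# Added example (not from the Sophos article): split a PEM file that holds
# several CA certificates into one file per certificate, so each can be
# uploaded on its own as the NC-70778 workaround describes.

split_pem_bundle() {
    bundle=$1
    outdir=$2
    mkdir -p "$outdir"
    # Each BEGIN/END CERTIFICATE block is copied to its own numbered file.
    # Text outside a block (bag attributes, human-readable subject dumps that
    # some exporters add) is dropped; the firewall only needs the PEM block.
    # CR characters are stripped first so bundles exported on Windows split
    # cleanly. The number of certificates written is printed as the result.
    awk -v dir="$outdir" '
        { sub(/\r$/, "") }
        /^-----BEGIN CERTIFICATE-----$/ {
            n++
            out = sprintf("%s/ca-%02d.pem", dir, n)
            inblock = 1
        }
        inblock { print > out }
        /^-----END CERTIFICATE-----$/ { close(out); inblock = 0 }
        END { print n + 0 }
    ' "$bundle"
}

# Writes a constructed three-certificate bundle to $1, with CRLF line endings
# and a leading attribute line, as a Windows export might look. The base64
# bodies are placeholders, not real certificates.
make_sample_bundle() {
    {
        printf '%s\r\n' 'Bag Attributes: constructed text that exporters sometimes prepend'
        for i in 1 2 3; do
            printf '%s\r\n' '-----BEGIN CERTIFICATE-----'
            printf 'MIIBplaceholderCA%sAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\r\n' "$i"
            printf '%s\r\n' 'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'
            printf '%s\r\n' '-----END CERTIFICATE-----'
        done
    } > "$1"
}

# Demo: split the constructed bundle into a temporary directory.
workdir=$(mktemp -d)
make_sample_bundle "$workdir/ca-bundle.pem"
count=$(split_pem_bundle "$workdir/ca-bundle.pem" "$workdir/split")
echo "wrote $count certificate files to $workdir/split"
```

Run it on the workstation that holds the exported bundle, check each piece with openssl x509 -in ca-01.pem -noout -subject, then upload the ca-NN.pem files one at a time from the webadmin GUI.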

Issue ID: NC-69489
Symptom: Firewall crashes into fail-safe mode if no RADIUS server is present but an SSID with WPA2-Enterprise is configured on LocalWiFi
Workaround: Configure a RADIUS server
Expected fix version: v18.0 MR7

Issue ID: NC-76400
Symptom: iOS IPsec VPN profile downloaded from User Portal doesn't work.
Workaround: Manually create IPsec profile on iOS device
Expected fix version: v18.0 MR7

Issue ID: NC-74735
Symptom: AUX reboots during HA switchover
Workaround: N/A
Expected fix version: v18.0 MR7

Issue ID: NC-75783
Symptom: LDAP authentication with anonymous login is not working on v18.0 MR5
Workaround:
a.) If you want to keep the Anonymous login option in place, you may roll back the firmware to 18.0 MR1/2/3/4
b.) On the current firmware version 18.0 MR5, disable the Anonymous login option and provide a Bind DN and password to search the AD directory (a dedicated read-only account is sufficient for the bind).
Expected fix version: v18.5 MR2
Note: No such issue on v18.0 MR1/2/3/4.

Issue ID: NC-73800
Symptom: Websites are blocked when a custom Application Control policy is applied
Workaround: use the legacy web proxy
Expected fix version: v18.0 MR7

Edition History

2021-09-20, updated the article to match latest MR version of v18.0

2021-09-02, removed content of v17.5 MR16, as it will be end of life on 30 Nov 2021.

2021-08-04, minor change

2021-07-30, first version



[edited by: taowang at 2:17 AM (GMT -7) on 20 Sep 2021]