Sophos Firewall OS v17.5* reached end of life on 30 Nov 2021.
Sophos Firewall OS v18.0 is scheduled to be end of life on 31 Jul 2022.
It is recommended to upgrade to the latest firmware version of v19.0, or v18.5.
* v17.5 MR16 is supported and v17.5 MR17 is maintained for XG 85(w) and XG 105(w) till these hardware models go End-of-Life.
The following steps need to be performed in a scheduled time window.
For active-passive HA, please check whether the current primary node is the initial primary node after the firmware upgrade. If it is not, please perform an HA failover by clicking on "Switch to passive device" in webadmin GUI > System > High Availability. The reason is related to "License synchronization scenarios for Active-Passive setup", as explained in Sophos Firewall: FAQs on High Availability (HA) licensing.
To identify which firewall is the initial primary node in active-passive HA:
a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
nvram get "#li.serial"
nvram get "#li.master"
If the output of nvram get "#li.master" is YES, as below, then the Sophos Firewall is the initial HA primary node.
XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
YES
If the output of nvram get "#li.master" is NO, as below, then the Sophos Firewall is the initial HA auxiliary node.
XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
No
Note: The serial number of the Sophos Firewall is displayed in the output of nvram get "#li.serial".
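An added example (not part of the Sophos article): a POSIX shell helper that interprets the nvram get "#li.master" output shown above and reports whether the post-upgrade failover step applies. The function names and the operator-supplied current role (primary or auxiliary, as read in webadmin) are assumptions, and the sample transcript is constructed from the article's output format.

```shell
#!/bin/sh
# Added example, not Sophos code. Function names are hypothetical.

# initial_role VALUE -> initial-primary | initial-auxiliary | unknown
# The article's sample outputs show both "YES" and "No", so compare
# case-insensitively and ignore whitespace and carriage returns.
initial_role() {
    v=$(printf '%s' "$1" | tr -d '\r' | tr '[:upper:]' '[:lower:]' |
        sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case "$v" in
        yes) echo initial-primary ;;
        no)  echo initial-auxiliary ;;
        *)   echo unknown ;;
    esac
}

# master_from_transcript TEXT -> the line that follows the
# nvram get "#li.master" command in a pasted console transcript.
master_from_transcript() {
    printf '%s\n' "$1" | awk '
        found { sub(/\r$/, ""); print; exit }
        index($0, "nvram get \"#li.master\"") { found = 1 }'
}

# failover_needed CURRENT_ROLE LI_MASTER_VALUE -> yes | no | check
# CURRENT_ROLE (assumption): primary or auxiliary, as the operator
# reads it in webadmin for the node the transcript came from.
# "check" means the input could not be interpreted; verify manually.
failover_needed() {
    role=$(initial_role "$2")
    case "$1:$role" in
        primary:initial-primary)     echo no ;;
        primary:initial-auxiliary)   echo yes ;;
        auxiliary:initial-primary)   echo yes ;;
        auxiliary:initial-auxiliary) echo no ;;
        *)                           echo check ;;
    esac
}

# Constructed sample transcript in the article's output format.
SAMPLE='XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
No'
echo "failover needed: $(failover_needed primary "$(master_from_transcript "$SAMPLE")")"
```

A result of "yes" means the current primary is not the initial primary, which is the case where the article says to use "Switch to passive device".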
Details in "Sophos Firewall OS v19 is now available"
Please click here to check New features of v18.5
"Known issues" are listed in the Sophos Firewall v19.0 release notes
Please click here to check New features of v18.0
"Known issues" are listed in the Sophos Firewall v18.5 release notes
The Secure Storage Master Key (SSMK) was introduced in v17.5 MR15 and v18.0 MR3.
Details about SSMK are available at "SSMK (Secure Storage Master Key) for encryption of sensitive data"
It is recommended to set the SSMK once upgraded to v18.0 MR3 or later.
Key points about SSMK:
Details in "XStream - the new DPI Engine for web proxy explained"
If a problem occurs with web traffic after upgrading from v17 to v18.0, please open a support ticket to investigate it further. If the issue is urgent, please disable the new DPI engine and use the legacy web proxy as a workaround:
FastPath is a feature that processes trusted traffic at wire speed, in other words, it improves performance on trusted traffic.
In v17, there is only software FastPath, and it only applies to IPv4 traffic over Ethernet/VLAN.
In v18, there is hardware FastPath, and it applies to IPv4 traffic over LAG/bridge, IPv6, and more.
Details about FastPath on v18 are available at "Making the most of XG Firewall v18 – Part 3"
If a problem occurs with traffic after upgrading from v17 to v18.0, please open a support ticket to investigate it further. If the issue is urgent, please disable FastPath as a workaround:
a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
cish
system firewall-acceleration disable
Details in "Making the most of XG Firewall v18 – Part 3"
If you need to create a new firewall rule on v18, here is a guide: "How to configure firewall rule and NAT rule on Sophos XG v18"
NAT has been de-coupled from firewall rule in v18.
Details in "Understanding New decoupled NAT and firewall changes in v18"
If you need to create a new NAT rule on v18, here is a guide: "How to configure firewall rule and NAT rule on Sophos XG v18"
Details in Sophos Firewall Help > SD-WAN policy routing
If you need to create a new SD-WAN policy route, here is a guide: Sophos Firewall Help > Configure SD-WAN policy routes
Specify primary gateway:
2022-04-22, updated with Sophos Firewall OS v19.0
2022-03-22, updated with requirement on firmware filename
2022-02-02, updated URLs
2022-01-17, updated the article to match latest product lifecycle.
2021-10-08, added "Upgrade information", to prevent factory reset after upgrading to non-supported version.
2021-09-20, updated the article to match latest MR version of v18.0
2021-09-02, removed content of v17.5 MR16, as it will be end of life on 30 Nov 2021.
2021-08-04, minor change
2021-07-30, first version
Peers rebooted simultaneously during firmware upgradation | Normally they shouldn't | downtime experienced
Old firmware was 18.0.4 MR-4.
Current firmware is 18.5.3 MR-3
Cluster managed in Sophos central as well.
What can be next POA ??
Did you do the Firmware Upgrade via Central? There is/was an issue about firmware upgrade via Central in HA.
Can you please share the link about the same?
Hi Abid Ahanger: The required information has been shared with you via DM.
Regards,
Vishal Ranpariya
Technical Account Manager | Sophos Technical Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts | If a post solves your question use the 'This helped me' link.