Best practice for Sophos Firewall firmware upgrade

Sophos Firewall OS v17.5* has been end of life on 30 Nov 2021.

Sophos Firewall OS v18.0 is scheduled to be end of life on 31 Jul 2022.

It is recommended to upgrade to the latest firmware version of v19.0, or v18.5.

* v17.5 MR16 is supported and v17.5 MR17 is maintained for XG 85(w) and XG 105(w) till these hardware models go End-of-Life.

Note:

Prepare for firmware upgrade

  1. Wait for the latest firmware to be available on Sophos Firewall.

    For version of the latest firmware, please check the following websites:
    Community
    Sophos Release Notes

    On 22 Apr 2022, the latest firmware versions are v18.5 MR3, and v19.0 GA

    If available firmware on Sophos Firewall is not the latest, or no firmware is pushed to Sophos Firewall, please manually download it from the Sophos Licensing Portal. Details in How to download firmware from Sophos Licensing Portal

  2. Make sure your Sophos Firewall can be upgraded to the targeted firmware version, otherwise, it will be factory reset once upgraded to a non-supported firmware version.

    To upgrade to v19.0, please check which firmware version is supported in the section "Upgrade information" of Sophos Firewall v19.0 release note
    The screenshot below shows v19.0 GA can be upgraded from 18.5 GA to MR3, 18.0 MR3 and later, and 17.5 MR14 and later.
    In other words, 18.0 MR2 cannot be upgraded to v19.0 GA.


    To upgrade to v18.5, please check which firmware version is supported in the section "Upgrade information" of Sophos Firewall v18.5 release note
    The screenshot below explains
    - v18.5 MR3 can be upgraded from all v18.5 version, 
    - upgrading from v18.0 MR6 Build 655 to v18.5 MR1-1 Build 365 is not supported.


  3. Perform steps recommended by Sophos Firewall: Suggestions prior to upgrading the SFOS firmware version, except the last step "perform a disk test", as we will test disk in scheduled time window.

  4. Check for any new feature in the targeted firmware
    Please refer to section "New features of v19.0"
    Please refer to section "New features of v18.5"

  5. Check known issues in the targeted firmware
    Please refer to section "Known issues in v19.0"
    Please refer to section "Known issues in v18.5"

  6. Backup firewall configuration and download it to the local computer

  7. Schedule a time window of at least 1 hour, for firmware upgrade

Perform firmware upgrade

The following steps need to be performed in scheduled time window.

  1. Perform disk test
    Details in Sophos Firewall: Disk Test
    For Sophos Firewall in HA, perform disk test on HA auxiliary node first, and then perform it on HA primary node.

  2. For firmware upgrade on a single Sophos Firewall, please refer to Move to a different firmware version
    If Sophos Firewalls are in HA, please jump to "3. Perform firmware upgrade for Sophos Firewall in HA"

    Note: if firmware is manually uploaded to Sophos Firewall, make sure filename of firmware has no space or bracket. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would trigger firmware upgrade fail.

  3. For firmware upgrade on Sophos Firewalls in HA, please refer to section "Updating HA devices" in Sophos Firewall Help > firmware

    Note: if firmware is manually uploaded to Sophos Firewall, make sure filename of firmware has no space or bracket. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would trigger firmware upgrade fail.

    Please note, for HA, when upgrading from v17.x to v18.x, both Sophos firewalls reboot at same time.

    For active-passive HA, please check if the current primary node is the initial primary node after firmware upgrade.
    If it is not, please perform HA failover by clicking on "Switch to passive device" in webadmin GUI > System > High Availability.

    The reason is related to "License synchronization scenarios for Active-Passive setup", as explained in Sophos Firewall: FAQs on High Availability (HA) licensing

    To identity which firewall is initial primary node in active-passive HA:
    a.) Log on Sophos Firewall SSH terminal using admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
    b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands
    nvram get "#li.serial"
    nvram get "#li.master"

    If output of nvram get "#li.master" is YES, as below, then the Sophos Firewall is initial HA primary node.
    XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
    YES

    If output of nvram get "#li.master" is NO, as below, then the Sophos Firewall is initial HA auxiliary node.
    XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
    No

    Note: Serial number of the Sophos Firewall is displayed in output of nvram get "#li.serial"

  4. If upgrade doesn't go well

    Check section "New features" and "Known issues".

    If the issue is urgent, not listed as known issue, and cannot be solved by any workaround, please rollback firmware and then open a technical support ticket as described below:

    a.) Rollback firmware
    In webadmin GUI, click on "Boot firmware image" of the inactive firmware.
    If webadmin is not accessible, please perform it in SSH or serial console. Details in Load firmware using SFLoader

    b.) Archive all logs with the following Advanced Shell commands
    cd /log
    tar -czvf logs.tar.gz *.log *.log.0

    c.) Generate CTR, and download it to local computer
    Details in section "Generate a CTR" in Sophos XG Firewall: How to generate a Consolidated Troubleshooting Report (CTR)

    d.) Open a technical support ticket at https://support.sophos.com/support

New features of v19.0

  • Xstream SD-WAN utilizing the powerful performance of the Xstream Flow Processors in all XGS Series appliances to put IPsec traffic on the FastPath, resulting in up to a 5x VPN performance improvement
  • Performance-based link selection ensures your most important traffic is routed over your best performing WAN connection, based upon latency, jitter, or packet loss
  • Zero-impact transitions between WAN links ensures end-user applications are not impacted by ISP outages or disruption
  • SD-WAN orchestration in Sophos Central enables you to quickly and easily set up complex site-to-site VPN overlay networks with just a few clicks
  • VPN enhancements make it much easier and more intuitive to manage your site-to-site and remote-access VPN connections, including a new AWS VPC import tool
  • New search capabilities allow you to quickly find exactly what you’re looking for, both in the product and in your networking objects when building rules

Details in Sophos Firewall OS v19 is now available

Please click here to check New features of v18.5

Known issues in v19.0

"Known issues" is listed in Sophos Firewall v19.0 release note

New features of v18.5

Please click here to check New features of v18.0

Known issues in v18.5

"Known issues" is listed in Sophos Firewall v18.5 release note

New features of v18.0

SSMK

Secure Storage master Key, SSMK was introduced in v17.5 MR15 and v18.0 MR3

Details about SSMK is available at SSMK(Secure Storage Master Key) for encryption of sensitive data

It is recommended to set SSMK once upgraded to v18.0 MR3, or later.

Key points about SSMK:

  • Secure Storage master Key, SSMK, is to to encrypt sensitive data, such as
    - passwords, secrets (inlcuding AP wifi AP secrets), and keys
    - accounts have access to services, such as directory services, email servers, FTP servers, and proxies.
    - user accounts stored on the Sophos Firewall.
  • If SSMK lost, we can reset it, but cannot recover it, therefore config backup with previous SSMK cannot be imported.
  • Config backup without SSMK cannot be restored to
    - a different XG
    - same XG on different firmware version
  • A single SSMK is shared by both firmwares on Sophos Firewall.
  • Factory reset removes SSMK
    It is impossible to switch to another firmware after factory reset, due to the fact SSMK is shared by both firmwares.
    Sophos plans to provide an option to retain SSMK in factory reset, on v18.0 MR7. (Issue ID: NC-67938)

new DPI engine for web proxy

Details in XStream - the new DPI Engine for web proxy explained

If problem happens on web traffic after upgrading from v17 to v18.0, please open a support ticket to investigate it further. If the issue is urgent, please disable the new DPI engine and use legacy web proxy as a workaround:

  1. In related firewall rules, Check "Use web proxy instead of DPI engine", and
  2. Go to SSL/TLS inspection rules, and toggle off "SSL/TLS inspection"

re-designed FastPath

FastPath is a feature to process trusted traffic at wire speed, in another word, to improve performance on trusted traffic.

In v17, there is only software FastPath, and only applies on IPv4 traffic over Ethernet/VLAN

In v18, there is hardware FastPath, and it applied on IPv4 traffic over LAG/bridge, IPv6, more.

Details about FastPath on v18 is available at Making the most of XG Firewall v18 – Part 3

If problem happens on traffic after upgrading from v17 to v18.0, please open a support ticket to investigate it further. If the issue is urgent, please disable FastPath as a workaround:
a.) Log on Sophos Firewall SSH terminal using admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands
cish
system firewall-acceleration disable

re-designed firewall rule

Details in Making the most of XG Firewall v18 – Part 3

If you need to create a new firewall rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18

re-designed NAT rule

NAT has been de-coupled from firewall rule in v18.

Details in Understanding New decoupled NAT and firewall changes in v18

If you need to create a new NAT rule on v18, here is a guide How to configure firewall rule and NAT rule on Sophos XG v18

SD-WAN policy routing

Details in Sophos Firewall Help > SD-WAN policy routing

If you need to create a new SD-WAN policy route, here is a guide Sophos Firewall Help > Configure SD-WAN policy routes

Specify primary gateway:

  • In v17, we can choose primary gateway for a traffic in firewall rule.
  • In v18, we need to achieve it in SD-WAN policy route. Here is configuration guide, Specify primary gateway

Edition History

2022-04-22, updated with Sophos Firewall OS v19.0

2022-03-22, updated with requirement on firmware filename

2022-02-02, updated URLs

2022-01-17, updated the article to match latest product lifecycle. 

2021-10-08, added "Upgrade information", to prevent factory reset after upgrading to non-supported version.

2021-09-20, updated the article to match latest MR version of v18.0

2021-09-02, removed content of v17.5 MR16, as it will be end of life on 30 Nov 2021.

2021-08-04, minor change

2021-07-30, first version



Proofread
[edited by: Karlos at 2:59 PM (GMT -7) on 22 Apr 2022]
Parents Reply Children
No Data