Sophos Firewall: Best practice for Sophos Firewall firmware upgrade

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Prerequisites 

Starting with version 19.0 MR1, you must have a support subscription for unlimited firmware upgrades. Without a support subscription, you're allowed three free firmware upgrades that include upgrading to general availability (GA), maintenance release (MR), and early access program (EAP) releases of Sophos Firewall.

More info: Support Subscription 

Overview

This Recommended Read describes the best practice for a Sophos Firewall firmware upgrade.

Prepare for firmware upgrade

  1. Wait for the latest firmware to be available on Sophos Firewall.

    Is the firmware not showing on your firewall yet? Check out Firewall Firmware Release Process and Timeline to understand how firmware releases are distributed.

    Note: As of 5 Nov 2023, the latest firmware version is v20.

    If the firmware available on Sophos Firewall isn't the latest, or no firmware has been pushed to Sophos Firewall, download it manually from Sophos Central.

  2. Ensure your Sophos Firewall can be upgraded to the targeted firmware version; otherwise, it’ll be factory reset once upgraded to a non-supported version.

    1. To upgrade to v20.0, we strongly recommend migrating only from the approved versions in the following table. If you try to migrate from another version, Sophos Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, Sophos Firewall restarts with the factory configuration, and you lose your current configuration.

    2. To upgrade to v19.0, please check which firmware version is supported in the "Upgrade information" section of the Sophos Firewall v19.0 release note.
      The screenshot below shows that v19.0 can be upgraded from 18.5 GA to MR3, 18.0 MR3 and later, and 17.5 MR14 and later.
      In other words, 18.0 MR2 can't be upgraded to v19.0.


    3. To upgrade to v18.5, please check which firmware versions are supported in the "Upgrade information" section of the Sophos Firewall v18.5 release note.
      The screenshot below shows that
      - v18.5 MR3 can be upgraded from all v18.5 versions,
      - upgrading from v18.0 MR6 Build 655 to v18.5 MR1-1 Build 365 is not supported.


  3. Perform the steps recommended in Sophos Firewall: Suggestions prior to upgrading the SFOS firmware version.

  4. Check for new features in the targeted firmware.

  5. Check known issues in the targeted firmware.

  6. Back up the firewall configuration and download the backup to a local computer.

  7. Schedule a time window of at least 1 hour for the firmware upgrade.

Perform firmware upgrade

The following steps need to be performed in a scheduled time window.

  1. For firmware upgrades on a single Sophos Firewall, please refer to Move to a different firmware version.
    If your Sophos Firewalls are in HA, please jump to step 2 (firmware upgrades on Sophos Firewalls in HA).

    Note: If the firmware is manually uploaded to Sophos Firewall, make sure the firmware file name contains no spaces or brackets. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would cause the firmware upgrade to fail.

  2. For firmware upgrades on Sophos Firewalls in HA, please refer to the section "Updating HA devices" in Sophos Firewall Help > firmware.

    Note:
    • If the firmware is manually uploaded to Sophos Firewall, make sure the firmware file name contains no spaces or brackets. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would cause the firmware upgrade to fail.
    • For HA, when upgrading from v17.x to v18.x, both Sophos firewalls restart simultaneously.
    • For active-passive HA, after the firmware upgrade, please check whether the current primary node is the initial primary node.

      If it’s not, please perform HA failover by clicking on "Switch to passive device" in webadmin GUI > System > High Availability.

      The reason is related to "License synchronization scenarios for Active-Passive setup", as explained in Sophos Firewall: FAQs on High Availability (HA) licensing.

      To identify which firewall is the initial primary node in active-passive HA:
      a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you’ll be presented with the Sophos Firewall console menu.
      b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands:
      nvram get "#li.serial"
      nvram get "#li.master"

      If the output of nvram get "#li.master" is YES, as below, then the Sophos Firewall is the initial HA primary node.
      XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
      YES

      If the output of nvram get "#li.master" is NO, as below, then the Sophos Firewall is the initial HA auxiliary node.
      XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
      No

      The serial number of the Sophos Firewall is displayed in the output of nvram get "#li.serial".

  3. If the upgrade doesn't go well

    Check sections "New features" and "Known issues".

    If the issue is urgent, not listed as a known issue, and can't be solved by any workaround, please roll back the firmware and then open a Sophos Support ticket as described below:

    a.) Roll back the firmware
    In the webadmin GUI, click "Boot firmware image" next to the inactive firmware.
    If webadmin isn't accessible, please do this from the SSH or serial console. Details are in Load firmware using SFLoader.

    b.) Archive all logs with Advanced Shell commands
    cd /log
    tar -czvf logs.tar.gz *.log *.log.0

    c.) Generate a CTR and download it to the local computer
    Details in section "Generate a CTR" in Sophos XG Firewall: How to generate a Consolidated Troubleshooting Report (CTR)

    d.) Open a Sophos Support ticket at https://support.sophos.com/support
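The following POSIX shell script is an added example, not part of this article and not Sophos' own tooling. It bundles three checks from the steps above: it rejects firmware file names that contain a space or bracket (the manual-upload note in steps 1 and 2), it interprets the YES/No output of nvram get "#li.master" (the initial-primary check in step 2), and it builds the log archive from step 3 b.) as a timestamped tarball with a SHA-256 checksum file beside it. The nvram output is passed in as an argument so the function can be exercised off the firewall; the function names, the timestamped file name and the checksum step are this example's own assumptions, not documented Sophos behaviour.

```shell
#!/bin/sh
# Added example, not from the Sophos article: helpers for the manual-upload,
# HA-role and log-archive steps. Function names and the timestamp/checksum
# conventions are this example's own assumptions.

# Return 0 when a firmware file name is safe to upload, 1 when it contains a
# space or any bracket. The article notes that a name such as
# "HW-18.5.2_MR-2.SF310-326 (2).sig" makes the upgrade fail.
check_firmware_filename() {
    case "$1" in
        *' '* | *'('* | *')'* | *'['* | *']'*) return 1 ;;
        *) return 0 ;;
    esac
}

# Map the output of `nvram get "#li.master"` to the HA role described in the
# article: YES -> initial primary node, No -> initial auxiliary node.
# The output is passed in as an argument so this can run off the firewall.
ha_role_from_nvram() {
    case "$1" in
        [Yy][Ee][Ss]) echo primary ;;
        [Nn][Oo])     echo auxiliary ;;
        *)            echo unknown; return 1 ;;
    esac
}

# Archive *.log and *.log.0 from a log directory (the article uses /log) into
# a timestamped tarball, write a SHA-256 of the archive next to it so the copy
# attached to the support ticket can be verified, and print the archive path.
archive_logs() {
    logdir=${1:-/log}
    out=${2:-"$logdir/logs-$(date +%Y%m%d-%H%M%S).tar.gz"}
    case "$out" in /*) ;; *) out="$PWD/$out" ;; esac   # absolute path before cd

    files=""
    for f in "$logdir"/*.log "$logdir"/*.log.0; do
        if [ -f "$f" ]; then
            files="$files ${f##*/}"
        fi
    done
    if [ -z "$files" ]; then
        echo "no *.log or *.log.0 files in $logdir" >&2
        return 1
    fi

    # shellcheck disable=SC2086  # word-splitting $files is intended
    ( cd "$logdir" && tar -czf "$out" $files ) || return 1
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$out" > "$out.sha256"
    else
        shasum -a 256 "$out" > "$out.sha256"   # e.g. on macOS
    fi
    echo "$out"
}

# Stand-alone demo on constructed log files: sh this_script.sh --demo
if [ "${1:-}" = "--demo" ]; then
    demo=$(mktemp -d)
    echo "constructed log line" > "$demo/syslog.log"
    echo "older constructed line" > "$demo/syslog.log.0"
    check_firmware_filename "HW-18.5.2_MR-2.SF310-326 (2).sig" \
        || echo "rename the firmware file before uploading it"
    echo "HA role: $(ha_role_from_nvram YES)"
    echo "archive: $(archive_logs "$demo")"
fi
```

On the firewall itself, the three functions would be run from the Advanced Shell, with the nvram output captured as `ha_role_from_nvram "$(nvram get '#li.master')"`; the archive path and checksum are what you would quote in the support ticket.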

New features of v20.0

Active Threat Response:

  • Extending Synchronized Security to MDR and XDR 
  • Dynamic Threat Feeds
  • Synchronized Security

Remote Worker Protection and SASE:

  • ZTNA Gateway Integration
  • 3rd Party SD-WAN Integration 
  • Sophos DNS Protection

Network Scalability and Resiliency Enhancements:

  • New VPN Portal
  • IPsec Enhancements 
  • SSL VPN Enhancements 
  • SD-WAN Scalability 
  • IPv6 Enhancements

Streamlined Management:

  • Interface Enable/Disable 
  • Object Reference Lookup
  • Hi-Res Display Support 
  • Auto-rollback on Failed Firmware Updates
  • Backup and Restore 
  • Azure AD SSO for Captive Portal
  • Azure Group Import and RBAC

More details can be found in Sophos Firewall v20 

Other Enhancements

  • Web Application Firewall (WAF) Enhancements
  • Azure Single Arm Deployment Support 

Known Issues in V20.0

"Known issues" are listed in the Sophos Firewall v20.0 release notes

New features of v19.0

  • Xstream SD-WAN utilizes the powerful performance of the Xstream Flow Processors in all XGS Series appliances to put IPsec traffic on the FastPath, resulting in up to a 5x VPN performance improvement
  • Performance-based link selection ensures your most important traffic is routed over your best-performing WAN connection, based on latency, jitter, or packet loss
  • Zero-impact transitions between WAN links ensure user applications aren’t impacted by ISP outages or disruption
  • SD-WAN orchestration in Sophos Central enables you to quickly and easily set up complex site-to-site VPN overlay networks with just a few clicks
  • VPN enhancements make it much easier and more intuitive to manage your site-to-site and remote-access VPN connections, including a new AWS VPC import tool
  • New search capabilities allow you to quickly find exactly what you’re looking for, both in the product and in your networking objects when building rules

More details can be found in Sophos Firewall v19

Known Issues in v19.0

"Known issues" are listed in the Sophos Firewall v19.0 release notes

Important SSL VPN change when upgrading from 18.5 to 19.0 and Later

Note: After you upgrade from 18.5 versions to 19.x.x, traffic may not flow through your remote access SSL VPN connections if you've added a custom host (for example, an IP address range, list, or network for the leased IP addresses) to the corresponding firewall rule.

Related info: Sophos Firewall: SSL VPN "IPv4 lease range" changes OR global settings update gives error "You must enter a network IP address." in SFOS v19.



Removed old versions, updated links, and a note about SSL VPN change on 19.0 and later; Support Subscription
[edited by: emmosophos at 11:08 PM (GMT -8) on 17 Nov 2023]