After upgrading to EAP1-1 (Refresh 1) it becomes impossible to revert to v17.5.8

Maybe BillyBob will print a smile again on this one ?

Well ... Upgrading EAP1 to EAP1-1 wipes the second firmware on the appliance. That's known. v17.5.8 being replaced with EAP1-Refresh1 creates SFOS 18.0.0 EAP1-Refresh1 firmware in the appliance. But then, uploading HW-17.5.8_MR-8.SF300-539.gpg to replace the old SFOS 18.0.0 EAP1 firmware shows an error and cannot be done. No quick revert back option anymore.

Misery strikes again!!!

I'll be forced to wipe the appliance with HW-17.5.8_MR-8-539.iso, upload the backup, upload EAP1-Refresh1.gpg (does it exist ???), and upload a v18.0.0.113 backup.

And that, if it works.

So unproductive ...

Paul Jr

  • Here are the similarities and differences related to downgrade and rollback with v18 vis-a-vis v17.x and earlier:

    Support for downgrading to older firmware:

    • Devices running v17.5 or earlier: Downgrading using firmware upload is supported. However, when downgraded the device will boot up in the factory default configuration state (the Web console will give the appropriate alert before you continue). Administrators can restore the downgraded firmware's backup.
    • Devices running v18 or later: Downgrading using v17.5 or earlier firmware is NOT supported (the Web console will give the appropriate message). v18 uses the Grub boot loader. The changed bootloader cannot recognize v17 firmware. Administrators can still use the hardware ISO of v17.5 or an earlier version to get the firewall on an older firmware version and restore the downgraded firmware's backup.

    Support for rollback (firmware switch) to older firmware:

    • Firmware switch/rollback is supported as usual. As an example, the active firmware on the firewall is v18, and the second firmware version is v17.5. Administrators can switch between these two and the configuration on each will stay as it is.

    Recommended upgrade process when you test multiple v18 early access releases:

    • This is applicable if you have upgraded to v18 from v17.5. When you upgrade from v18-EAP(x) to v18-EAP(x+1), you can first switch to v17.5 and upgrade from v17.5 directly to v18-EAP(x+1). From there, you can then restore the backup of v18-EAP(x). This way you will always have v17.5 firmware in your second firmware slot, and leave an option open to roll back to v17.5 if needed.

    Sincerely,

    Your Sophos XG Firewall Product Team

  • Well. Ok.

    Maybe you do not remember there are incredibly extensive tasks to perform after upgrading to v18. For some users, for example, cleaning hundreds of identical linked NAT rules down to a single unlinked NAT rule, among other things.

    Groundhog Day ...

    Obviously, keeping more than 2 firmwares on disk, with the possibility to lock any one of them, would be the solution. We can store as many as we want on Checkpoint firewalls. I'm not sure users could do that with those microscopic storages found on Sophos' appliances, however.

    Paul Jr