This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

9.604 without problems?

Anybody has installed 9.604 already and being happy with it?

Best regards

Alex



This thread was automatically locked due to age.
Parents
  • Hello

    we have 2 Firewalls in HA. May I update both direct from Web Intrface? We have 6 RED 50 too outside.

    May be Problems with the updates?

    THX

    peter

  • Hallo Peter and welcome to the UTM Community!

    UPDATE 2019-07-31: See my latest post below.

    First, read the threads above.  I'm getting ready to handle a similar situation with a client.  Here's a copy of the plan I proposed:

    1. Disable the RED Servers in WebAdmin.
    2. Start the Up2Date process and wait for it to complete - probably about 10 minutes or so.  Watch on the High Availability 'Status' tab for the new Slave to be READY.
    3. At the command line, disable the use of unified wireless firmware.
    4. Enable the RED Servers in WebAdmin.

    The only disruption would be to an upload or download or VoIP call active at the moment the current Slave becomes the Master node.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Re: 9.605 Up2Date

    Does this Up2Date leave use_unified_firmware at 0?  Does it address the issue that was bricking some REDs?  Until there's more clarity, I don't recommend this to anyone.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • How does a bricked RED50 look like?

    Like this?

  • 2019-08-06 See my final version posted today.

    UPDATED 2019-08-01

    Hi All,

    I've had several messages back and forth with Sophos folks.  As Jan Weber says in a post, 9.605 fixes the problem with REDs and the only danger is updating the RED firmware when the RED is under a heavy load.  I have suggested that the following instructions be added to the information about the Up2Date (I in blue dot) and the blog post about the 9.605 Up2Date:

    In order to ensure that there's no problem with the update of firmware in RED devices, do the following with two planned outages:

     1. Outage 1 - Up2Date to 9.604:
         A. In WebAdmin, disable all RED Servers for RED appliances.
         B. Apply Up2Dates through 9.604.
         C. At the command line: cc set red use_unified_firmware 0
         D. In WebAdmin, enable all RED Servers for RED appliances.
     2. Outage 2 -
    Disconnect all LAN connections from all REDs, leaving the RED online but with no connection to local clients.
     3. Apply the 9.605 Up2Date.
     4. After the Up2Date is complete, reconnect disconnected LAN cables to the REDs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Reply
  • 2019-08-06 See my final version posted today.

    UPDATED 2019-08-01

    Hi All,

    I've had several messages back and forth with Sophos folks.  As Jan Weber says in a post, 9.605 fixes the problem with REDs and the only danger is updating the RED firmware when the RED is under a heavy load.  I have suggested that the following instructions be added to the information about the Up2Date (I in blue dot) and the blog post about the 9.605 Up2Date:

    In order to ensure that there's no problem with the update of firmware in RED devices, do the following with two planned outages:

     1. Outage 1 - Up2Date to 9.604:
         A. In WebAdmin, disable all RED Servers for RED appliances.
         B. Apply Up2Dates through 9.604.
         C. At the command line: cc set red use_unified_firmware 0
         D. In WebAdmin, enable all RED Servers for RED appliances.
     2. Outage 2 -
    Disconnect all LAN connections from all REDs, leaving the RED online but with no connection to local clients.
     3. Apply the 9.605 Up2Date.
     4. After the Up2Date is complete, reconnect disconnected LAN cables to the REDs.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
Children
  • Hello Bob,

    I still have my UTM's on 9.602-3. Do you recommend upgrading at all and if so to 9.605? I don't have any RED appliances so that's not really an issue over here.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • I would go to 9.605, Arno, because of the TCP SACK vulnerability.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA