
Option to downgrade / rollback firmware version

We're running SG135 in HA/Cluster mode. Recently we updated to the latest version 9.502-4 and a few hours later had serious trouble with a RED Box which failed to connect to the Sophos SG135; only after rebooting the SG135 did it start to work again. During this situation we considered downgrading to the previous firmware version that was working just fine (v9.501005), and actually we would like to have the option to downgrade just in case this issue starts to reappear or once we run into a similar situation again.

We uploaded u2d-sys-9.500009-501005.tgz.gpg (downloaded from ftp://ftp.astaro.com/pub/UTM/v9/up2date/) and tried to install it, though Sophos gave no useful feedback about its installation progress in the web UI at all. Only when looking at the HA logs we noticed:

  up2date_start(): ignore up2date request: version 9.501005 is less than local version 9.502004

We also tried to install it manually by placing the file into /var/up2date/sys and then running auisys.plx, though I couldn't find the corresponding cmdline options to force the downgrade.

I only found https://community.sophos.com/kb/en-us/115382 and no further documentation on how to easily roll back/downgrade the firmware version.

My questions:

  1. Is it possible to downgrade the firmware version at all on UTM9/SG135, and if so what are the appropriate steps to do so?
  2. If the HA/Cluster mode is enabled, does this need any special care during downgrades or are the slaves handled automatically then?
  3. Are connected RED Boxes handled automatically during downgrades as well?

I'd appreciate any tips/pointers, thanks!



  • Hi Michael,

    Downgrade via GUI or SSH is not possible with UTM. XG has this feature.

    If you want to downgrade you have to install an image to the device. After that you can apply your last backup, which you should hopefully have kept.

    While doing that you should break up your HA/Cluster and work with one device. If it's running you can rebuild your cluster, but I would guess you have to reimage the other device too, if you want a complete downgrade.

    So enough of the bad news for you.

     

    Best

    Alex (Not a Sophos employee, just an end user :-)


  • If you do run an active/passive cluster, you can also configure to keep 1 node reserved while doing an upgrade. This 1 node will then NOT take the upgrade and also DOES NOT receive any configuration changes to the firewall.

    If after some time you are confident that the new version is working as expected, you can then also upgrade the remaining node and everything is up-and-running again. If you feel it's not working as expected, just shut down the upgraded node and the reserved node will take over and you are again on the "previous" firmware version.

    In both situations you will however lose logging information.


    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.