This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Fireware Update

Hi TEam,

 

Can you please suggest here,

1.How to check the existing running  version in XG firewall?(Steps)

2.What is the downtime required if this is the older one ?

3. What is the impact of up gradation in existing policies or client affect?

 



This thread was automatically locked due to age.
  • Hi  

    Please find the requested information below:

    1.How to check the existing running version in XG firewall?(Steps)

    Answer : Multiple method to confirm the existing firmware.

    1)Login on XG Firewall and check the version on Dashboard.

    2) Login on firewall and Navigate --> System --> Backup & Firmware --> Firmware

    Here you may check the active firmware.

    2.What is the downtime required if this is the older one ?

    No fix down time but generally upgrade procedure will take approx 30-40 min if you are having single device.

    If you are having HA setup you may upgrade with zero down time.

    Upgrade Firmware KBA : https://community.sophos.com/kb/en-us/123285

    P
    lease take a backup of current configuration as in safety measure.

    https://community.sophos.com/kb/en-us/123145 ( After upgrade restore of backup not required as it will migrate all existing settings and configuration).

    3. What is the impact of up gradation in existing policies or client affect?

    No any impact as existing settings will be migrated to upgraded version.

    The latest version contains some of the fix of ongoing issues reported in previous version.Please refer release note for more information on fixed issue details.

    https://community.sophos.com/products/xg-firewall/b/blog/posts/sfos-17-5-mr9-released

    Regards,

    Vishal Ranpariya
    Technical Account Manager | Sophos Technical Support

    Sophos Support Videos | Knowledge Base  |  @SophosSupport | Sign up for SMS Alerts |
    If a post solves your question use the 'This helped me' link.

  • I don't see mention of the fix in the MR9 release notes. Is this vulnerability exploited via ssh, the admin portal, clientless vpn?

    There is also no mention of what hot fix version patches the issue - the links only show you how to check the hot fix version, which doesn't help if you don't know what version to check for.

  • I am struggling to find any details of the fix and in-depth details on remediation.

    I assumed that the hot fix version should show 2?

  • Where are the details on the vulnerability and how it is exploited?

     

    Aside from upgrading to MR9, can somebody provide version details for the Hotfix so we can verify that the vulnerability has been addressed?

  • Information on how to check if you have hotfix 2 (for v17.5.8) is here: https://community.sophos.com/kb/en-us/134852#related%20information

    What I'm not seeing is if this affects ALL firmware versions or just 17.5.8. 

    Is there a way to force a hotfix update? 

    Also please note, on some HA pairs, if going from a much older version to v17.5.9, there's a possibility that one of the firewall's will lock up during the update potentially taking your network down and forcing a manual reboot. I've had this happen on SEVERAL firewalls.  

  • Come on XG team, you've announced an RCE vulnerability, but have give your customers very little to go on. Reading between the lines as Clark did, it appears that Hot Fix version 2 is what is needed on MR8? I've started spot checking some MR8 XGs we have out there, and they are on Hot Fix v1, even though auto-install of hotfixes is enabled. Can this be forced? Are the updates trickling out? Is there a workaround that can be done by disabling/ACLing certain services?

  • I just got off with Sophos support, it affects ALL versions of Sophos XG firmware except 17.5.9 MR9. There is no way to force a hotfix update, it's likely a rolling patch/push. 

    No info on what the vulnerability is, Support seems caught as unaware as we are and recommended upgrading production firewalls to v17.5.9 to mitigate the issue (in the middle of the day?!?!?). 

  • Hi,

    I've checked all our firewalls and they are all reporting that Hot Fix 1 is installed, still no sign of hotfix 2.  Rather than wait I thought I would upgrade to 17.5.9, however when I run a check for new firmware on the Sophos device itself I get the message that "No upgrades available" . It's currently running 17.5.8  

    Is anyone else having the same issue ?

     

  • New firmware isn't typically released for the XG to update to via the GUI. You can download from the MySophos portal.