XG 125 - can't update second firmware to SFOS 19.5.0 GA-Build197

Hello

Following situation:
I can update the first firmware (to 19.5.0 GA-Build197). But when I want to update the second firmware to 19.5 as well (from SFOS 19.0.0 GA-Build317), I get the following error: "New firmware could not be uploaded. Please refer to online help for possible reasons."

At Latest available firmware -> Check for new Firmware -> No records found...

Strange...

Kind regards,
Cello



  • What do you want to do? 

    What do you mean by "the second firmware"? Do you want to upgrade both slots to be V19.5 ? 

    __________________________________________________________________________________________________________________

  • Yes, exactly, that's what I mean: both should have the same firmware V19.5.

    In addition, there is the behavior as described by jprusch.

  • That is not possible, the FW blocks this. There is usually no reason to do this. 

    The update process does the following: 

    It takes the current configuration slot and migrates the config to the target version.

    If you try to do this by migrating 19.5 GA to 19.5 GA, there is no migration in place, hence the firewall blocks it. 

    __________________________________________________________________________________________________________________

  • All clear. But I don't agree with you. I think that this by-design behavior is dangerous. But ok ... then I now have a solution.

  • Could you elaborate? 

    __________________________________________________________________________________________________________________

  • Yes with pleasure.
    Firstly, I like to keep it so that after some time, if my test phase with the updated firmware showed no side effects, I pull the second one as well.
    Secondly, I believe that "usually" / often no admin looks at the weaknesses of the previous firmware anymore.
    Third, this update behavior is contrary to all manufacturers I know (such as Cisco, Aruba, Netapp, ...).

    Therefore, for me now: Lesson learned ;-) (regarding Sophos XG)!

  • I do not understand what the point is of getting the second slot to the same version. Because you will not have to move to the second slot in any case after a while? Your points do not seem to explain why a firmware upgrade of the second slot would make any difference. The second slot is inactive and has no impact on the running system. So what difference does it make to upgrade it?

    __________________________________________________________________________________________________________________

  • Thank you for your support!

    Excuse me, but have you read and understood the whole process (especially the explanations of jprusch and the danger of a thoughtless reset)?

    I do not want to spark a fundamental discussion here and have also only presented you my way of working / habits about my knowledge of other well-known manufacturers.

    And in the end I can live well with your explanation (only I have unfortunately not read / found anything about this behavior - how it works with the XG).

  • I still do not understand your point, I am sorry.

    The factory default topic is something, which is currently under consideration to resolve in a better way. The factory reset issue occurs, if the migration fails for whatever reason and the firewall cannot boot with the old configuration.

    But still this does not apply to the problem and situation, you are referring to.

    What point does it make to update the second firmware slot? The second firmware slot is not being used for anything other than the next firmware update.

    In fact, the firmware update works like this: 

    Firmware Slot A 

    Firmware Slot B

    A is currently active with Firmware 19.0 

    B is an old version with 18.5.

    If you update to V19.5, it will replace the firmware in Slot B, then it upgrades the configuration of A to B with Firmware 19.5 and the firewall will boot Firmware Slot B.

    If you want to go up to V19.5 MR1, you will repeat the process, just with Firmware Slot A. 

    So there is no need to upgrade Firmware Slot A at this point to the same firmware that B has.

    __________________________________________________________________________________________________________________
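
The two-slot update sequence described in the reply above, as an added toy model that is not part of the thread and not Sophos code; the class and method names are hypothetical, and the same-version refusal is modelled only as the reply states it. It also shows which release is left in the inactive slot after each update, which is the version an admin would land on when switching slots.

```python
from dataclasses import dataclass, field


class SameVersionError(Exception):
    """Raised when the target version equals the active slot's version."""


@dataclass
class Slot:
    name: str
    version: str
    config: dict = field(default_factory=dict)


class DualSlotFirewall:
    """Toy model of the two-slot scheme from the thread (hypothetical names)."""

    def __init__(self, active: Slot, inactive: Slot):
        self.active = active
        self.inactive = inactive

    def update(self, target_version: str) -> None:
        # No migration exists from a version to itself, so the upload is refused.
        if target_version == self.active.version:
            raise SameVersionError(f"active slot already runs {target_version}")
        # 1. The new image replaces the firmware in the inactive slot.
        self.inactive.version = target_version
        # 2. The active configuration is migrated into that slot.
        self.inactive.config = dict(self.active.config, migrated_to=target_version)
        # 3. The firewall boots the freshly written slot; the roles swap.
        self.active, self.inactive = self.inactive, self.active

    def inactive_version(self) -> str:
        # The inactive slot keeps the previous release until the next update.
        return self.inactive.version


def demo():
    # Constructed starting state matching the reply: A active on 19.0, B on 18.5.
    fw = DualSlotFirewall(Slot("A", "19.0", {"rules": 12}), Slot("B", "18.5"))
    history = []
    fw.update("19.5")
    history.append((fw.active.name, fw.active.version, fw.inactive_version()))
    try:
        fw.update("19.5")  # the original poster's attempt: same version again
        blocked = False
    except SameVersionError:
        blocked = True
    fw.update("19.5 MR1")
    history.append((fw.active.name, fw.active.version, fw.inactive_version()))
    return history, blocked
```
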
