Best practice for Sophos Firewall firmware upgrade

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

Prepare for firmware upgrade

  1. Wait for the latest firmware to be available on Sophos Firewall.

    For the version number of the latest firmware, please check the following websites:
    Community
    Sophos Release Notes

    On 9 Dec 2022, the latest firmware versions are v18.5 MR4 and v19.0 MR1.

    If the firmware available on Sophos Firewall is not the latest, or no firmware has been pushed to Sophos Firewall, please download it manually from the Sophos Licensing Portal. Details in How to download firmware from Sophos Licensing Portal

  2. Make sure your Sophos Firewall can be upgraded to the targeted firmware version; otherwise, it will be factory reset once upgraded to a non-supported firmware version.

    1. To upgrade to v19.0, please check which firmware versions are supported in the section "Upgrade information" of the Sophos Firewall v19.0 release note
      The screenshot below shows that v19.0 can be upgraded from 18.5 GA to MR3, 18.0 MR3 and later, and 17.5 MR14 and later.
      In other words, 18.0 MR2 cannot be upgraded to v19.0.


    2. To upgrade to v18.5, please check which firmware versions are supported in the section "Upgrade information" of the Sophos Firewall v18.5 release note
      The screenshot below explains that
      - v18.5 MR3 can be upgraded from all v18.5 versions,
      - upgrading from v18.0 MR6 Build 655 to v18.5 MR1-1 Build 365 is not supported.


  3. Perform steps recommended by Sophos Firewall: Suggestions prior to upgrading the SFOS firmware version

  4. Check for any new feature in the targeted firmware
    Please refer to section "New features of v19.0"
    Please refer to section "New features of v18.5"

  5. Check known issues in the targeted firmware
    Please refer to section "Known issues in v19.0"
    Please refer to section "Known issues in v18.5"

  6. Back up the firewall configuration and download it to the local computer

  7. Schedule a time window of at least 1 hour for the firmware upgrade

Perform firmware upgrade

The following steps need to be performed in the scheduled time window.

  1. For a firmware upgrade on a single Sophos Firewall, please refer to Move to a different firmware version
    If the Sophos Firewalls are in HA, please jump to step 2 below (firmware upgrade on Sophos Firewalls in HA)

    Note: if the firmware is manually uploaded to Sophos Firewall, make sure the firmware filename contains no space or bracket. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would cause the firmware upgrade to fail.

  2. For a firmware upgrade on Sophos Firewalls in HA, please refer to section "Updating HA devices" in Sophos Firewall Help > firmware

    Note:
    • if the firmware is manually uploaded to Sophos Firewall, make sure the firmware filename contains no space or bracket. For example, HW-18.5.2_MR-2.SF310-326 (2).sig would cause the firmware upgrade to fail.
    • for HA, when upgrading from v17.x to v18.x, both Sophos Firewalls reboot at the same time.
    • for active-passive HA, please check whether the current primary node is still the initial primary node after the firmware upgrade.

      If it is not, please perform HA failover by clicking on "Switch to passive device" in webadmin GUI > System > High Availability.

      The reason is related to "License synchronization scenarios for Active-Passive setup", as explained in Sophos Firewall: FAQs on High Availability (HA) licensing

      To identify which firewall is the initial primary node in active-passive HA:
      a.) Log on to the Sophos Firewall SSH terminal using the admin account. Once authenticated, you will be presented with the Sophos Firewall console menu.
      b.) Go to 5. Device Management > 3. Advanced Shell, and run the following commands
      nvram get "#li.serial"
      nvram get "#li.master"

      If the output of nvram get "#li.master" is YES, as below, then this Sophos Firewall is the initial HA primary node.
      XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
      YES

      If the output of nvram get "#li.master" is No, as below, then this Sophos Firewall is the initial HA auxiliary node.
      XG210_WP03_SFOS 18.0.5 MR-5# nvram get "#li.master"
      No

      The serial number of the Sophos Firewall is displayed in the output of nvram get "#li.serial"

  3. If upgrade doesn't go well

    Check section "New features" and "Known issues".

    If the issue is urgent, not listed as a known issue, and cannot be solved by any workaround, please roll back the firmware and then open a technical support ticket as described below:

    a.) Roll back the firmware
    In the webadmin GUI, click on "Boot firmware image" of the inactive firmware.
    If webadmin is not accessible, please perform it over SSH or the serial console. Details in Load firmware using SFLoader

    b.) Archive all logs with the following Advanced Shell commands
    cd /log
    tar -czvf logs.tar.gz *.log *.log.0

    c.) Generate a CTR and download it to the local computer
    Details in section "Generate a CTR" in Sophos XG Firewall: How to generate a Consolidated Troubleshooting Report (CTR)

    d.) Open a technical support ticket at https://support.sophos.com/support
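As an added example (not Sophos's own tooling), the POSIX shell functions below encode the checks from the steps above: the firmware filename rule, the supported upgrade paths to v19.0 as summarised in step 2.1 of "Prepare for firmware upgrade", and the reading of the nvram get "#li.master" output for the HA role. The version notation "<major.minor> <GA|MRn>" is an assumed simplification for the example.

```shell
#!/bin/sh
# Added example, not Sophos code: pre-upgrade checks taken from the article.
# Version notation "<major.minor> <GA|MRn>" (e.g. "18.0 MR2") is an assumed
# simplification; full build strings such as "MR1-1 Build 365" are not parsed.

# Firmware filenames must contain no space or bracket, otherwise the upgrade fails.
firmware_filename_ok() {
  case "$1" in
    *' '*|*'('*|*')'*|*'['*|*']'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Map a release tag to a number: GA -> 0, MRn -> n (a "-x" suffix is dropped).
release_number() {
  case "$1" in
    GA) echo 0 ;;
    MR[0-9]*) n=${1#MR}; echo "${n%%-*}" ;;
    *) return 1 ;;
  esac
}

# Upgrade paths to v19.0 as stated above: 18.5 GA to MR3, 18.0 MR3 and later,
# 17.5 MR14 and later. Anything else is refused, since an unsupported path
# ends in a factory reset. Usage: can_upgrade_to_v19 <major.minor> <GA|MRn>
can_upgrade_to_v19() {
  n=$(release_number "$2") || return 1
  case "$1" in
    18.5) [ "$n" -le 3 ] ;;
    18.0) [ "$n" -ge 3 ] ;;
    17.5) [ "$n" -ge 14 ] ;;
    *) return 1 ;;
  esac
}

# Interpret the output of `nvram get "#li.master"` on an active-passive HA node:
# YES means initial primary, No means initial auxiliary (note the differing case).
ha_role_from_nvram() {
  case "$1" in
    [Yy][Ee][Ss]) echo primary ;;
    [Nn][Oo]) echo auxiliary ;;
    *) return 1 ;;
  esac
}

# Constructed sample inputs; the rejected filename is the one quoted in the note above.
firmware_filename_ok 'HW-18.5.2_MR-2.SF310-326 (2).sig' || echo "refuse upload: filename contains a space or bracket"
can_upgrade_to_v19 18.0 MR2 || echo "18.0 MR2 cannot go to v19.0; upgrade to 18.0 MR3 or later first"
echo "this node is the initial HA $(ha_role_from_nvram No)"
```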

New features of v19.0

  • Xstream SD-WAN utilizing the powerful performance of the Xstream Flow Processors in all XGS Series appliances to put IPsec traffic on the FastPath, resulting in up to a 5x VPN performance improvement
  • Performance-based link selection ensures your most important traffic is routed over your best performing WAN connection, based upon latency, jitter, or packet loss
  • Zero-impact transitions between WAN links ensures end-user applications are not impacted by ISP outages or disruption
  • SD-WAN orchestration in Sophos Central enables you to quickly and easily set up complex site-to-site VPN overlay networks with just a few clicks
  • VPN enhancements make it much easier and more intuitive to manage your site-to-site and remote-access VPN connections, including a new AWS VPC import tool
  • New search capabilities allow you to quickly find exactly what you’re looking for, both in the product and in your networking objects when building rules

Details in Sophos Firewall OS v19 is now available

Known issues in v19.0

Known issues are listed in the Sophos Firewall v19.0 release note

Note:

If remote access SSL VPN stops working after upgrading from v17.x/v18.x to v19.x, it is most likely caused by the SSL VPN IPv4 lease range changes in SFOS 19.0

New features of v18.5

Known issues in v18.5

Known issues are listed in the Sophos Firewall v18.5 release note

Edition History

2022-12-09, removed content of v18.0, as it has been end of life.

2022-09-07,

  • updated with a known issue of remote access SSL VPN in Sophos Firewall OS v19.0
  • removed content about disk test, as it is not recommended any more.

2022-04-22, updated with Sophos Firewall OS v19.0

2022-03-22, updated with requirement on firmware filename

2022-02-02, updated URLs

2022-01-17, updated the article to match latest product lifecycle. 

2021-10-08, added "Upgrade information", to prevent factory reset after upgrading to non-supported version.

2021-09-20, updated the article to match latest MR version of v18.0

2021-09-02, removed content of v17.5 MR16, as it will be end of life on 30 Nov 2021.

2021-08-04, minor change

2021-07-30, first version



Updated Disclaimer
[edited by: Erick Jan at 10:04 AM (GMT -7) on 17 Apr 2023]