Firmware

You can manage firmware versions, install hotfixes, and change the default language.

For the complete details of migration from 17.5 to 18.0, see Migrating to 18.0.

When you upgrade to 18.0 firmware, you need to be aware of the following:

  • You can upgrade most XG hardware models to 18.0 and later. You cannot upgrade XG85, XG105 or any Cyberoam models. They cannot run 18.x firmware due to a minimum memory requirement of 4 GB of RAM, therefore they will stay on 17.x until end of life (EOL).
  • You can upgrade all SG hardware models except SG105 to 18.0 and later.

    To upgrade to 18.x on SG hardware, burn an SFOS ISO and restore the backup. See Reimage XG Firewall.

  • You can upgrade to 18.x from 17.5 MR6 and later versions. You can also upgrade from any earlier 18.x EAP version. All configuration migration is supported, logs and reports are migrated, and the license remains the same.
  • For those versions that can't directly upgrade to 18.x, you can upgrade to 17.5 MR6 (or later) first and then upgrade to 18.x.
  • Air gap deployment: You can download the firmware from your Sophos Licensing Portal (MySophos) and upload it to the air gap device. See How Air Gap and manual pattern updates features works.
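
The upgrade rules above, applied to a device inventory to work out each device's path to 18.x. This is an added example, not Sophos code: the function names, the inventory, and the assumption that the third component of a dotted version (17.5.6) is the MR number are illustrative.

```python
import re

# Rules below are taken from this page; names and data layout are illustrative.
STAYS_ON_17X = {"XG85", "XG105", "SG105"}   # models the page excludes from 18.x
MIN_DIRECT = (17, 5, 6)                     # 17.5 MR6: earliest direct-upgrade version
BACKUP = "take a configuration backup"      # recommended before every firmware move


def parse_version(text):
    """Assumed formats: '17.5.6', '18.0', 'SFOS 18.0.3 MR-3' -> (major, minor, mr)."""
    m = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if m is None:
        raise ValueError(f"unrecognised firmware version: {text!r}")
    return tuple(int(part or 0) for part in m.groups())


def plan_upgrade_to_18(model, active):
    """Return ordered steps to reach 18.x, or [] when the model stays on 17.x."""
    name = model.upper().replace(" ", "")
    if name in STAYS_ON_17X or name.startswith("CYBEROAM"):
        return []
    version = parse_version(active)
    moves = []
    if version < MIN_DIRECT:
        # The page states this rule without a hardware exception,
        # so it is applied to SG models as well.
        moves.append("upgrade to 17.5 MR6 or later")
    if version[0] >= 18:
        moves.append("upgrade to a later 18.x version")
    elif name.startswith("SG"):
        moves.append("reimage with an SFOS ISO and restore the backup")
    else:
        moves.append("upgrade to 18.x")
    return [step for move in moves for step in (BACKUP, move)]


# Constructed inventory (not real devices).
INVENTORY = [
    ("XG210", "SFOS 17.5.9 MR-9"),
    ("XG135", "17.1.3"),
    ("XG105", "17.5.6"),
    ("SG230", "17.5.6"),
    ("Cyberoam CR50iNG", "17.5.6"),
]

if __name__ == "__main__":
    for model, active in INVENTORY:
        steps = plan_upgrade_to_18(model, active)
        print(f"{model:18} {active:18} {' -> '.join(steps) or 'stays on 17.x until EOL'}")
```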

Secure storage master key

The secure storage master key provides extra protection for the account details stored on XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.

The accounts have access to services, such as directory services, email servers, FTP servers, and proxies. They also include user accounts stored on XG Firewall.

XG Firewall removes the secure storage master key in the following instances:

  • Reset to factory configuration.
  • Reimage the firewall.

After resetting or reimaging the firewall, you can enter the master key to restore or import the configurations.

Rollback: After you set the master key, if you roll back to the previous version, you continue to have the previous configuration. You'll only lose the configuration changes you made prior to the rollback.

How to manage firmware versions:

  • To know the versions compatible with your current version, go to the Sophos Licensing Portal. Search using the serial number of your device, and click Download to see the firmware versions compatible with the device and its active version.
  • To upgrade to a firmware version that's later than the active version, scroll down to Latest available firmware and take the available actions. For more details, see Move to a different firmware version.
  • To move to any version, download the firmware image from Sophos Licensing Portal. Then, go to the web admin console, scroll to the Firmware section and take the available actions. For more details, see Move to a different firmware version. For more details of how to download, see Download firmware from Sophos Licensing Portal.
    Use this method in the following cases:
    • Moving to an earlier version. An earlier version is available on the web admin console only if it's the previous version from which the device was updated, or if you manually uploaded a compatible version.
    • For air gap deployments (don't have internet access).
    • For EAP (early access program) versions.
  • To roll back to the previous version or downgrade to an earlier version, go to the section Firmware and click Boot firmware image.
  • To replace possibly corrupt firmware (prevents you from accessing the web admin console), change the firmware version using SFLoader. For more details, see Load firmware using SFLoader.
  • To move to a firmware version incompatible with the active version, reimage the device. For more details, see Reimage XG Firewall.

Note: We recommend taking a configuration backup before you move to a different firmware. We also recommend making the change during non-peak hours.

Status and Actions

  • Active firmware: Active version.
  • Upload firmware: Uploads the selected version from your endpoint device. After you upload, the firmware is available for XG Firewall to move to. Firmware upload takes a few minutes.
  • Boot firmware image (restarts with the specified firmware): Closes all sessions and restarts XG Firewall with the specified version.
  • Boot with factory default configuration (restarts with factory configuration): Closes all sessions and restarts XG Firewall with the factory configuration. We recommend taking a backup because you'll lose the existing configuration.

Firmware

You can see a maximum of two firmware versions under Firmware. One of them is the active version. The inactive version is one of the following:

  • Previous version: When you change the firmware version of XG Firewall, the previous version is retained to allow you to roll back. If you roll back, configuration changes made after the change are lost because changing the firmware also updates XG Firewall with the configuration that corresponds to the new firmware version.
  • Uploaded version: You uploaded a version compatible with the active version. This can be a version later or earlier than the active version.

You can only move (upgrade, downgrade, or roll back) XG Firewall to an inactive version that's compatible with the active version.

Upgrade, downgrade, and rollback

Upgrade: When you upgrade, you move to a later version. For example, you upgrade from 17.5.6 to 18.0 if it's a compatible version.

Downgrade: When you downgrade, you move to an earlier version. For example, you downgrade from 18.0 to 17.5.6 if it's a compatible version.

Rollback: When you roll back, you move to the previously installed version on your device. For example, if the current version on your device is 18.0, and the version installed on the device before this is 17.5.6, you roll back to 17.5.6. You can roll back to a later or earlier compatible version.

Update action and condition:

  • Roll back from 18.x to 17.x: Can roll back. 17.x must be the previous version and must be available as the inactive version under Firmware.
  • Downgrade from 18.x to 17.x: Can't downgrade directly. You can't upload 17.x as the inactive version and move XG Firewall to it. You need to roll back to the previous (17.x) version and then move to the other 17.x version you want.

Updating HA devices

You don't need to disable high availability before you change the firmware version of HA devices.

To update HA devices, click the Upload firmware button, upload the firmware ISO, and then click Upload and boot. This is the stable way to update HA devices.

Go to the primary device and select a method for changing the firmware.

Restriction: You can't change the firmware version of the auxiliary device independently. However, pattern updates (example: ATP signatures and antivirus definitions) and hotfixes are applied to each device independently.

The upgrade process for HA devices is as follows:

  1. The primary device (example: Device_A) downloads the firmware and pushes it to the auxiliary device (example: Device_B). To remain up, the primary device doesn't move to the new firmware version at this point.
  2. Device_B restarts as the new primary device with the new firmware version. Device_A runs as a standalone device on the existing firmware.
  3. After Device_B restarts, it sends a restart signal to Device_A.
  4. Device_A restarts with the new firmware version and joins the HA cluster as the auxiliary device.

HA devices: Version compatibility and downtime

Update action and condition:

  • Upgrade from 17.x to 18.x: You'll experience downtime. In 18.0, XG Firewall uses a different communication protocol, which results in downtime.
  • Upgrade from 18.x to 18.x: No downtime. This applies when you download and install the firmware from Latest available firmware.
  • Roll back to a compatible version: You'll experience downtime. Make sure the same inactive firmware version is available on both devices under Firmware. Example: SFOS 18.0.3 MR-3. Alternatively, disable HA and then roll back each device to the version you want. The primary device sends a factory reset signal to the auxiliary device. The auxiliary device stores the peer administration IP address and the dedicated peer HA link IP address. Enable HA again, if you want to.
  • Roll back to a previous version that wasn't configured with HA: The devices revert to standalone status. Configure HA again if you want to. Each device holds the configuration file that corresponds to the previous firmware version. The file determines the HA configuration status. Roll back activates the configuration of the previous version.
  • Downgrade to any version: You'll experience downtime.

Installing hotfixes automatically

To install hotfixes automatically when they become available, select Allow auto-install of important hotfixes and click Apply.

After you select the option, XG Firewall looks for hotfixes every 30 minutes. By default, XG Firewall installs hotfixes automatically. We recommend retaining this selection.

Note: The installed hotfixes remain when the firmware is upgraded.

Changing default language

Scroll down to Factory reset with default configuration language and select a default language for the web admin console. When you change the language, XG Firewall restarts with factory settings. All configuration changes are lost.

Note: We recommend taking a backup before you change the language. However, XG Firewall restores backups in the language used by the backup configuration.