You can manage firmware versions, install hotfixes, and change the default language.

You can upgrade to a later firmware version, downgrade to an earlier version, or roll back to the previous version. For air gap deployments, you can update the firmware manually. You can also schedule firmware upgrades centrally from Sophos Central.

Upgrading to 18.0 firmware

For the complete details of migration from 17.5 to 18.0, see Migrating to 18.0.

When you upgrade to 18.0 firmware, you need to be aware of the following:

  • You can upgrade most XG hardware models to 18.0 and later. You cannot upgrade XG85, XG105 or any Cyberoam models. They can't run 18.x firmware due to a minimum memory requirement of 4 GB of RAM, therefore they will stay on 17.x until end of life (EOL).
  • You can upgrade all SG hardware models except SG105 to 18.0 and later.
  • You can upgrade to specific 18.x versions from 17.5 MR6 and later versions. You can also upgrade from any earlier 18.x EAP version. All configuration migration is supported, logs and reports are migrated, and the license remains the same.
  • For those versions that can't directly upgrade to 18.x, you can upgrade to 17.5 MR6 (or later) first and then upgrade to 18.x.
Restriction When you update the firmware, SFLoader doesn't automatically update. Some unsupported options may still show in the SFLoader menus. To install the latest SFLoader version, the firmware must be loaded manually. See Load firmware using SFLoader.

How to manage firmware versions

  • Firmware upgrade and configuration from Sophos Central: If Sophos Firewall is on 18.0 MR3 or later, you can schedule firmware upgrades from Sophos Central. You can also specify all the firewall settings using Zero Touch configuration available from Sophos Central. For more details, see Zero Touch configuration.
  • Compatible versions: To know the versions compatible with your current version, go to the Sophos Licensing Portal.

    Search using the serial number of your device, and click Download to see the firmware versions compatible with the device and its active version.

  • Upgrade to a later version: To upgrade to a firmware version that's later than the active version, move down to Latest available firmware and take the available actions. For more details, see Move to a different firmware version.
  • Move to any version: To move to any version, download the firmware image from Sophos Licensing Portal. Then, go to the web admin console, move to the Firmware section and take the available actions. For more details, see Move to a different firmware version.
    Use this method in the following cases:
    • Moving to an earlier version. An earlier version is available on the web admin console only if it's the previous version from which the device was updated, or if you manually uploaded a compatible version.
    • For air gap deployments (don't have internet access).
    • For EAP (early access program) versions.
  • Roll back: To roll back to the previous version or downgrade to an earlier version, go to the Firmware section and click Boot firmware image.
  • Corrupt firmware: To replace possibly corrupt firmware (prevents you from accessing the web admin console), change the firmware version using SFLoader. For more details, see Load firmware using SFLoader.
  • Move to an incompatible version: To move to a firmware version incompatible with the active version, reimage the device. For more details, see Reimage Sophos Firewall.
  • Air gap deployment: You can download the firmware from your Sophos Licensing Portal (MySophos) and upload it to the air gap device. See How Air Gap and manual pattern updates features works.
Note We recommend taking a configuration backup before you move to a different firmware. We also recommend making the change during non-peak hours.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.

The accounts have access to services, such as directory services, email servers, FTP servers, and proxies. They also include user accounts stored on Sophos Firewall.

Sophos Firewall removes the secure storage master key in the following cases:

  • You reset to factory configuration.
  • You reimage the firewall.

After resetting or reimaging the firewall, you can enter the master key to restore or import the configurations.

Rollback: Even if you set the master key for the current version, the previous version's configuration is available when you roll back to the previous version.

Status and Actions

Active icon Active firmware: Active version.

Upload firmware Upload firmware: Uploads the selected version from your endpoint device. After you upload, the firmware is available for Sophos Firewall to move to. Firmware upload takes a few minutes.

Boot firmware image Restarts with the specified firmware: Closes all sessions and restarts Sophos Firewall with the specified version.

Boot with factory default configuration Restarts with factory configuration: Closes all sessions and restarts Sophos Firewall with the factory configuration. We recommend taking a backup because you'll lose the existing configuration.


You can see a maximum of two firmware versions under Firmware. One of them is the active version. The inactive version is one of the following:

  • Previous version: When you change the firmware version of Sophos Firewall, the previous version is retained to allow you to roll back. If you roll back, configuration changes made after the change are lost because changing the firmware also updates Sophos Firewall with the configuration that corresponds to the new firmware version.
  • Uploaded version: You uploaded a version compatible with the active version. This can be a version later or earlier than the active version.

You can only move (upgrade, downgrade, or roll back) Sophos Firewall to an inactive version that's compatible with the active version.

Upgrade, downgrade, and rollback

Upgrade: When you upgrade, you move to a later version. For example, you upgrade from 17.5.6 to 18.0 if it's a compatible version.

Downgrade: When you downgrade, you move to an earlier version. For example, you downgrade from 18.0 to 17.5.6 if it's a compatible version.

Rollback: When you roll back, you move to the previously installed version on your device. For example, if the current version on your device is 18.0, and the version installed on the device before this is 17.5.6, you roll back to 17.5.6. You can roll back to a later or earlier compatible version.

Update action


Roll back from 18.x to 17.x

Can roll back.

17.x must be the previous version and must be available as the inactive version under Firmware.

Downgrade from 18.x to 17.x

Can't downgrade directly. You can't upload 17.x as the inactive version and move Sophos Firewall to it. You need to roll back to the previous (17.x) version and then move to the other 17.x version you want.

Updating HA devices

You don't need to disable high availability before you change the firmware version of HA devices.

To update HA devices, click the upload firmware button Upload firmware, upload the firmware ISO, and then click Upload and boot. This is the stable way to update HA devices.

Go to the primary device and select a method for changing the firmware.
Restriction You can't change the firmware version of the auxiliary device independently. However, pattern updates (example: ATP signatures and antivirus definitions) and hotfixes are applied to each device independently.
The upgrade process for HA devices is as follows:
  1. The primary device (example: Device_A), downloads the firmware and pushes it to the auxiliary device (example: Device_B). To remain up, the primary device doesn't move to the new firmware version at this point.
  2. Device_B restarts as the new primary device with the new firmware version. Device_A runs as a standalone device on the existing firmware.
  3. After Device_B restarts, it sends a restart signal to Device_A.
  4. Device_A restarts with the new firmware version and joins the HA cluster as the auxiliary device.

HA devices: Version compatibility and downtime

Update action


Upgrade from 17.x to 18.x

You'll experience downtime.

In 18.0, Sophos Firewall uses a different communication protocol, which results in downtime.

Upgrade from 18.x to 18.x

No downtime.

This applies when you download and install the firmware from Latest available firmware.

Roll back to a compatible version

You'll experience downtime.

Make sure the same inactive firmware version is available on both devices under Firmware. Example: SFOS 18.0.3 MR-3

Alternatively, disable HA and then roll back each device to the version you want. The primary device sends a factory reset signal to the auxiliary device. The auxiliary device stores the peer administration IP address and the dedicated peer HA link IP address. Enable HA again, if you want to.

Roll back to a previous version that wasn't configured with HA

The devices revert to standalone status. Configure HA again if you want to.

Each device holds the configuration file that corresponds to the previous firmware version. The file determines the HA configuration status. Roll back activates the configuration of the previous version.

Downgrade to any version

You'll experience downtime.

Installing hotfixes automatically

To install hotfixes automatically when they become available, select Allow auto-install of important hotfixes and click Apply.

After you select the option, Sophos Firewall looks for hotfixes every 30 minutes. By default, Sophos Firewall installs hotfixes automatically. We recommend retaining this selection.
Note The installed hotfixes remain when the firmware is upgraded.

Changing default language

Scroll down to Factory reset with default configuration language and select a default language for the web admin console. When you change the language, Sophos Firewall restarts with factory settings. All configuration changes are lost.

Note We recommend taking a backup before you change the language. However, Sophos Firewall restores backups in the language used by the backup configuration.