Move to a different firmware version

You can check for the latest firmware version and upgrade the active firmware. You can also upload an earlier version and downgrade manually.

Introduction

Prerequisite: Check if XG Firewall has a valid support subscription.

Recommendations:

  • The device restarts when you change the firmware version. So, schedule the change during non-peak hours.
  • Take a backup of the configuration.

XG Firewall maintains the active and previous firmware versions along with the corresponding configurations in independent partitions. Configuration settings aren't shared between the two partitions. A rollback to the previous firmware also rolls back the configuration to the previous configuration.

This page shows the following methods for moving to a different firmware version:

Upgrade to a later version: Check for the latest available firmware versions and install the version you want.

Move to any compatible version: Download a compatible version and then move XG Firewall to it. You can use this to downgrade or upgrade with a compatible version, including EAP versions, and for airgap (no internet access) deployments.

Upgrade with a later version

  1. Go to Backup and firmware > Firmware. Scroll down to Latest available firmware and click Check for new firmware.

    When a new firmware version is available, an alert shows on the Control center under Messages. You can also click the alert to go to Latest available firmware.

  2. The new firmware version shows. Click Download next to the version you want.

    Download takes a few minutes.

  3. After the download is complete, click Install.
    XG Firewall closes all sessions and restarts with the new firmware version.

    Upgrade firmware automatically
  4. Sign in to the web admin console. On the upper-left corner of the Control center, verify the firmware version.

The new firmware version becomes the active version. The previously active version becomes the inactive version. You can see it in the section Firmware.

Upload and move to a compatible version

You can upgrade or downgrade firmware to a compatible inactive version. You can roll back to the previous version running on XG Firewall.

For details of the versions you can currently upgrade, downgrade, and roll back to, see Firmware.
  1. Optional Go to Sophos Licensing Portal and sign in to your account. Download the firmware you want to your endpoint device. For more details, see How to download firmware from Sophos Licensing Portal.
  2. Go to Backup and firmware > Firmware. Under Firmware, click upload firmware Upload firmware button next to the inactive firmware version.

    Upload firmware
  3. In the pop-up window, select the firmware image from your endpoint device. Click one of the following options:
    • Upload firmware: Uploads the firmware. The firmware is now an inactive version. See the next step to move to the new firmware.

      If XG Firewall restarts for other reasons after you upload the firmware, it doesn't move to the new firmware.

    • Upload and boot: Uploads the firmware. XG Firewall closes all sessions and restarts with the new firmware version.

    Firmware upgrade downgrade
  4. Optional To move to the inactive version (version uploaded in the previous step or an existing inactive version), click Boot firmware image Boot from firmware button.

    XG Firewall closes all sessions and restarts with the new firmware version.


    Update inactive firmare
  5. Sign in to the web admin console. On the upper-left corner of the Control center, verify the firmware version.

The new firmware version becomes the active version. The previously active version becomes the inactive version.