Upgrading to SFOS 18.0.3

SFOS 18.0 MR3 build 457

You can upgrade from SFOS 17.5 (MR6 to MR14) to 18.0 MR3 (build 457).

18.0 MR3 enhancements: For details of the features and enhancements, see 18.0 MR3: New features and enhancements.

The security hotfixes released so far are part of the 18.0 MR3 version.

For migration details, see the table below:

Table 1. Supported migration from 17.5 to 18.0

Migrate from 17.5

Migrate to 18.0

MR1 (build 396)



17.5 MR6 to MR12




  • 17.5 MR13
  • 17.5 MR14
  • 17.5 MR14.1




Caution: Do not migrate from 17.5 MR13, MR14, or MR14.1 to 18.0 MR1 or MR2. If you try to migrate, XG Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, XG Firewall restarts with the factory configuration, and you lose your current configuration.
  • 18.0 and later versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to 18.0 and later:
    • XG 85, XG 85w, XG 105, and XG 105w
    • SG 105, SG 105w

    These models must remain on a 17.x version. See XG Firewall Lifecycle Policy and XG Firewall retirement calendar.

  • Support for RED devices:
    • Doesn't support RED 10 devices.
    • Supports SD-RED 20 and 60 devices.
  • Cyberoam models don't support 18.0 and later firmware versions. However, you can restore Cyberoam firewall backups on XG Firewall operating on 18.0 and later.
  • Firmware:
    • Rollback (firmware switch) is supported. You can roll back to 17.5 MRx if you experience any issues with 18.0 and later. For example, the active firmware on the firewall is 18.0 and the other firmware version is 17.5. You can switch between these two versions. This doesn't change the configuration on either.
    • You can't downgrade from 18.0 and later to an older firmware using 17.5 or an earlier firmware file. The web admin console will show an alert.

      18.0 and later use the GRUB boot loader. The changed boot loader can't recognize 17.x firmware. You can still use the hardware ISO of 17.5 or earlier to put the firewall on an older firmware version and restore the downgraded firmware's backup.

    • In 18.0, we moved to a more secure firmware signing method. The firmware update files now use the .sig extension and not the earlier .gpg extension.

    • The web admin console shows the specific reasons for firmware upload failure.
  • Backup and restore are supported. You can restore the following on 18.0 and later versions:
    • SG firewalls running SFOS
    • Cyberoam firewalls
    • XG Firewall backups
  • HA: SFOS 18.0 moved to SSH tunnel-based secure communication for the HA cluster. If you're upgrading the HA cluster to 18.0 or later, both devices in the cluster will reboot simultaneously once. You'll receive an alert on the UI before you can proceed.
  • Quarantined emails: You can only release quarantined emails from the user portal. For details, see KBA135515.
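
The migration rules above can be checked across a fleet before any upgrade is scheduled. The following Python check is an added example, not Sophos code: the inventory format, host names, firmware file names, and function names are assumptions, and a 17.5 MR14.1 source is treated as MR14.

```python
import csv, io, re

# Constructed fleet inventory (host names, versions and file names are sample values).
INVENTORY = """host,model,current,target,firmware_file
fw-branch1,XG 135,17.5 MR12,18.0 MR3,sfos-18.0-mr3.sig
fw-branch2,XG 105w,17.5 MR14,18.0 MR3,sfos-18.0-mr3.sig
fw-hq,XG 310,17.5 MR14.1,18.0 MR1,sfos-18.0-mr1.gpg
fw-lab,XG 210,17.5 MR4,18.0 MR3,sfos-18.0-mr3.sig
"""

# Models the page lists as unable to run 18.0 and later (less than 4 GB RAM).
SMALL_RAM_MODELS = {"XG 85", "XG 85w", "XG 105", "XG 105w", "SG 105", "SG 105w"}

def parse_release(label):
    """Split a label like '17.5 MR14.1' into ('17.5', 14); the point release is dropped."""
    m = re.fullmatch(r"(\d+\.\d+) MR(\d+)(?:\.\d+)?", label.strip())
    if not m:
        raise ValueError(f"unrecognized release label: {label!r}")
    return m.group(1), int(m.group(2))

def check_upgrade(model, current, target, firmware_file):
    """Return the page's rules that block this migration; an empty list means none apply."""
    cur_branch, cur_mr = parse_release(current)
    tgt_branch, tgt_mr = parse_release(target)
    if (cur_branch, tgt_branch) != ("17.5", "18.0"):
        return ["not a 17.5 to 18.0 migration, outside the rules on this page"]
    findings = []
    if model in SMALL_RAM_MODELS:
        findings.append("model must remain on 17.x (18.0 needs 4 GB RAM)")
    if cur_mr in (13, 14) and tgt_mr in (1, 2):
        findings.append("17.5 MR13/MR14/MR14.1 to 18.0 MR1/MR2 resets to factory configuration")
    if tgt_mr == 3 and not 6 <= cur_mr <= 14:
        findings.append("source is outside 17.5 MR6 to MR14")
    if not firmware_file.endswith(".sig"):
        findings.append("18.0 firmware files use the .sig extension, not .gpg")
    return findings

def audit(inventory_csv):
    """Map each host in the inventory to its list of blocking findings."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    return {r["host"]: check_upgrade(r["model"], r["current"], r["target"],
                                     r["firmware_file"]) for r in rows}

if __name__ == "__main__":
    for host, findings in audit(INVENTORY).items():
        print(host, "OK" if not findings else "BLOCKED: " + "; ".join(findings))
```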

What's new since 18.0

  • Secure storage master key: Introduced the master key to provide extra protection for the account details stored on XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.
  • SFOS 18.0 and later versions are available on the Amazon Web Services (AWS) public cloud infrastructure.
  • XG Firewall also provides route mode and non-IP bridge mode protection on the Nutanix AHV and Nutanix Flow infrastructure.
  • Supports SD-RED 20 and SD-RED 60 devices.
  • Key information you need to know about how to configure the following: