Upgrading to SFOS 18.0.4

SFOS 18.0 MR4 build 506

You can upgrade from SFOS 17.5 (MR6 to MR15) to 18.0 MR4 (build 506).

18.0 MR4 enhancements: For details of the features and enhancements, see 18.0 MR4.

For migration details, see the table below:

Table 1. Supported migration from 17.5 to 18.0

| Migrate from 17.5 | To 18.0 MR1 (build 396) | To 18.0 MR2 | To 18.0 MR3 | To 18.0 MR4 |
|---|---|---|---|---|
| 17.5 MR6 to MR12 | Yes | Yes | Yes | Yes |
| 17.5 MR13 to 17.5 MR14.1 | No | No | Yes | Yes |
| 17.5 MR15 | No | No | No | Yes |

Caution: Migrate only to the approved versions that are listed in the table. If you try to migrate to other versions, XG Firewall shows an alert asking you to confirm the migration before it restarts. If you confirm the migration, XG Firewall restarts with the factory configuration, and you lose your current configuration.
  • 18.0 and later versions require a minimum of 4 GB RAM. So, you can't upgrade the following models to 18.0 and later:
    • XG 85, XG 85w, XG 105, and XG 105w
    • SG 105, SG 105w

    These models must remain on a 17.x version. See XG Firewall Lifecycle Policy and XG Firewall retirement calendar.

  • Support for RED devices:
    • Doesn't support RED 10 devices.
    • Supports RED 15, RED 15w, and RED 50 devices.
    • Supports SD-RED 20 and SD-RED 60 devices.
  • Cyberoam models don't support 18.0 and later firmware versions. However, you can restore Cyberoam firewall backups on XG Firewall operating on 18.0 and later.
  • Firmware:
    • If your XG Firewall is on 18.0 MR3 or later, you can schedule firmware upgrades from Sophos Central.
    • Rollback (firmware switch) is supported. You can roll back to 17.5 MRx if you experience any issues with 18.0 and later. For example, the active firmware on the firewall is 18.0 and the other firmware version is 17.5. You can switch between these two versions. This doesn't change the configuration on either.
    • You can't downgrade from 18.0 and later to an older firmware using 17.5 or an earlier firmware file. The web admin console will show an alert.

      18.0 and later use the GRUB boot loader. The changed boot loader can't recognize 17.x firmware. You can still use the hardware ISO of 17.5 or earlier to put the firewall on an older firmware version and then restore the downgraded firmware's backup.

    • In 18.0, we moved to a more secure firmware signing method. The firmware update files now use the .sig extension and not the earlier .gpg extension.

    • The web admin console shows the specific reasons for firmware upload failure.
  • Backup and restore are supported. You can restore the following on 18.0 and later versions:
    • SG firewalls running SFOS
    • Cyberoam firewalls
    • XG Firewall backups
  • HA: SFOS 18.0 moved to SSH tunnel-based secure communication for the HA cluster. If you're upgrading the HA cluster to 18.0 or later, both the devices in the cluster will reboot simultaneously once. You'll receive an alert on the UI before you can proceed.
  • Quarantined emails: You can only release quarantined emails from the user portal. For details, see KBA135515.
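
Because confirming an unapproved migration restarts the firewall with the factory configuration, a pre-upgrade check over the device inventory is worth running first. The script below is an added example, not Sophos code: it encodes only Table 1, the low-RAM model list, and the .sig extension rule from this page, and the inventory entries, device names, and firmware file names are constructed.

```python
import re

# Table 1 as inclusive (low, high) bounds on the 17.5 MR number -> approved 18.0 targets.
MATRIX = [
    ((6, 0), (12, 0), {"MR1", "MR2", "MR3", "MR4"}),
    ((13, 0), (14, 1), {"MR3", "MR4"}),
    ((15, 0), (15, 0), {"MR4"}),
]
# Models the page lists as unable to run 18.0 and later (less than 4 GB RAM).
LOW_RAM_MODELS = {"XG 85", "XG 85w", "XG 105", "XG 105w", "SG 105", "SG 105w"}


def parse_mr(version):
    """Turn '17.5 MR14.1' into (14, 1); return None for anything that is not 17.5 MRx."""
    m = re.fullmatch(r"17\.5 MR(\d+)(?:\.(\d+))?", version.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def preflight(model, current, target_mr, firmware_file):
    """Return blocking reasons; an empty list means the rules encoded here are met."""
    reasons = []
    if model in LOW_RAM_MODELS:
        reasons.append("model must remain on 17.x (18.0 needs 4 GB RAM)")
    mr = parse_mr(current)
    approved = set()
    if mr is not None:
        for low, high, targets in MATRIX:
            if low <= mr <= high:
                approved = targets
    # Versions outside the table are treated as unapproved (conservative assumption).
    if target_mr not in approved:
        reasons.append(f"{current} -> 18.0 {target_mr} is not an approved path")
    if not firmware_file.endswith(".sig"):
        reasons.append("18.0 firmware files use the .sig extension")
    return reasons


# Constructed inventory: (name, model, current firmware, target MR, firmware file).
INVENTORY = [
    ("branch-1", "XG 210", "17.5 MR12", "MR4", "example-mr4.sig"),
    ("branch-2", "XG 310", "17.5 MR14.1", "MR2", "example-mr2.sig"),
    ("branch-3", "XG 105w", "17.5 MR15", "MR4", "example-mr4.gpg"),
]

if __name__ == "__main__":
    for name, *args in INVENTORY:
        problems = preflight(*args)
        print(name, "OK" if not problems else "BLOCKED: " + "; ".join(problems))
```

The check does not cover the Cyberoam, RED, or HA notes above; those still need a manual review per device.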

What's new since 18.0

  • High availability: HA devices can be managed centrally from Sophos Central. Improvements to FastPath offload for HA active-passive environment.
  • Sophos Connect client: Supports IPsec (remote access) and SSL VPN remote access configurations.
  • Secure storage master key: Introduced the master key to provide extra protection for the account details stored on XG Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.
  • SFOS 18.0 and later versions are available on the Amazon Web Services (AWS) public cloud infrastructure. Sophos Cloud Optix gives the VPC details of XG Firewall instances deployed in the AWS environment.
  • XG Firewall also provides route mode and non-IP bridge mode protection on the Nutanix AHV and Nutanix Flow infrastructure.
  • Supports SD-RED 20 and SD-RED 60 devices.
  • Key information you need to know about how to configure the following: