Upgrading to SFOS 18.0

Security update for SFOS 18.0 GA.

Important note about 18.0 GA build 379:
  • This is a security release for v18 GA, incremental to the previous GA release, 18.0 GA build 354.
  • Fixes the SQL injection vulnerability and malicious code execution in XG Firewall/SFOS detailed in KBA135412.
  • We will soon have a re-release of version 18 MR1 to support SD-RED devices and upgrades from v17.5 MR11 and MR12.
  • You can upgrade from SFOS 17.5 (MR6 to MR10) to this release, 18.0 GA (build 379).
  • The hotfix referenced in KBA135412 is NOT required for 18.0 GA-Build379 because CVE-2020-12271 has been fixed in this release version.

Note the following upgrade information for SFOS 18.0:

  • 18.0 requires a minimum of 4 GB RAM. So, you can't upgrade the following models to 18.0:
    • XG 85, XG 85w, XG 105, and XG 105w
    • SG 105, SG 105w

    These models must remain on a 17.x version. See XG Firewall Lifecycle Policy and XG Firewall retirement calendar.

  • SFOS 18.0 doesn't support RED 10 devices.
  • Cyberoam models don't support 18.0 firmware. However, you can restore Cyberoam firewall backups on XG Firewall operating on 18.0.
  • Firmware:
    • Rollback (firmware switch) is supported. You can roll back to 17.5 MRx if you experience any issues with 18.0. For example, the active firmware on the firewall is 18.0 and the other firmware version is 17.5. You can switch between these two versions. This doesn't change the configuration on either.
    • You can't downgrade from 18.0 to an older firmware using 17.5 or an earlier firmware file. The web admin console will show an alert.

      18.0 uses the GRUB boot loader, and the changed boot loader can't recognize 17.x firmware. You can still use the hardware ISO of 17.5 or earlier to put the firewall on an older firmware version and restore the downgraded firmware's backup.

    • In 18.0, we moved to a more secure firmware signing method. The firmware update files now use the .sig extension and not the earlier .gpg extension.

  • Backup and restore are supported. You can restore the following on 18.0:
    • SG firewalls running SFOS
    • Cyberoam firewalls
    • XG Firewall backups
  • SFOS 18.0 moved to SSH tunnel-based secure communication for the HA cluster. If you're upgrading the HA cluster to 18.0, both devices in the cluster will reboot simultaneously once. You'll receive an alert on the UI before you can proceed.

What's new