Firmware upgrade and pattern updates
How Sophos Firewall firmware upgrades work when HA is turned on.
If you upgrade Sophos Firewall while the device is in HA mode, there will be no downtime throughout the upgrade process.
The following image shows the HA upgrade process:
In HA, a group of two devices works as a single entity known as a cluster. Every HA cluster has one primary device and one secondary (auxiliary) device. The primary device controls how the cluster operates, while the auxiliary device always waits to become the primary device. The roles of the primary and auxiliary devices in the cluster depend on the configuration mode.
When you upgrade an HA device, the process is as follows:
- The primary device (device A) upgrades the secondary device (device B).
- Device B runs the new firmware and takes control of the network. It's now the primary device and device A is the secondary.
- Device A then upgrades and runs the new firmware. It's still the secondary device, but if you have configured the other device as a preferred primary, then the cluster will failover.
You can also roll back the firmware version of a HA pair without disabling HA. This follows the same process.
When you upgrade from SFOS 18 or later, you can upgrade the HA pair using either Upload and boot or Boot firmware image.
When you upgrade from SFOS 17.5 or earlier, don't upgrade the HA pair using Boot firmware image.
You must update the patterns on the primary device. These are automatically synchronized to the auxiliary device.
This also applies to air gap deployments.