Skip to content

Move to a different firmware version

You can check for the latest firmware version and upgrade the active firmware. You can also upload an earlier version and downgrade manually.

Introduction

Prerequisite: Check if Sophos Firewall has a valid support subscription. See Support subscription.

Recommendations:

  • The device restarts when you change the firmware version. So, schedule the change during non-peak hours.
  • Take a backup of the configuration.

Sophos Firewall maintains the active and previous firmware versions along with the corresponding configurations in independent partitions. Configuration settings aren't shared between the two partitions. A rollback to the previous firmware also rolls back the configuration to the previous configuration.

This page shows the following methods for moving to a different firmware version:

  • Upgrade to a later version: Check for the latest available firmware versions and install the version you want.
  • Move to any compatible version: Download a compatible version and then move Sophos Firewall to it. You can use this to downgrade or upgrade with a compatible version, including EAP versions, and for air gap (no internet access) deployments.

Upgrade to a later version

  1. Go to Backup and firmware > Firmware. Scroll down to Latest available firmware and click Check for new firmware.

    When a new firmware version is available, an alert shows on the control center under Messages. You can also click the alert to go to Latest available firmware.

  2. The new firmware version shows. Click Download next to the version you want.

    Download takes a few minutes.

  3. After the download is complete, click Install. Sophos Firewall closes all sessions and restarts with the new firmware version.

    Install the latest firmware version.

    Note

    Install is turned off if you don't have a support subscription and have used up the three free firmware upgrades.

  4. Sign in to the web admin console. On the upper-left corner of the control center, verify the firmware version.

The new firmware version becomes the active version. The previously active version becomes the inactive version. You can see it in the section Firmware.

Upload and move to a compatible version

You can upgrade or downgrade firmware to a compatible inactive version. You can roll back to the previous version running on Sophos Firewall.

For details of the versions you can currently upgrade, downgrade, and roll back to, see Firmware.

  1. Go to Sophos Central and sign in to your account. Download the firmware you want to your endpoint device. For more details, see How to download firmware.
  2. Go to Backup and firmware > Firmware. Under Firmware, click Upload Upload button. next to the inactive firmware version.

    Upload a firmware version.

  3. In the pop-up window, select the firmware image from your endpoint device. Click one of the following options:

    • Upload firmware: Uploads the firmware. The firmware is now an inactive version. See the next step to move to the new firmware.

      If Sophos Firewall restarts for other reasons after you upload the firmware, it doesn't move to the new firmware.

    • Upload and boot: Uploads the firmware. Sophos Firewall closes all sessions and restarts with the new firmware version.

    Options to upload firmware or upload and restart with the new firmware.

  4. To move to the inactive version (version uploaded in the previous step or an existing inactive version), click Boot firmware image Restart with the inactive version..

    Sophos Firewall closes all sessions and restarts with the new firmware version.

    Restart with the inactive firmware version.

  5. Sign in to the web admin console. On the upper-left corner of the control center, verify the firmware version.

The new firmware version becomes the active version. The previously active version becomes the inactive version.