Skip to content

Page permalink

Always use the following permalink when referencing this page. It will remain unchanged in future help versions.

https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/index.html?contextId=firmware-faq

Firmware upgrade FAQs and troubleshooting

Learn about the firmware upgrade process and behavior, including downtime and safety features. Follow the guidance to prepare for, perform, and troubleshoot upgrades in standalone and high availability (HA) deployments.

Quick checklist

  • Standalone firewall

    Expect downtime. Restart is required.

    • Take a configuration backup.
    • Verify the available disk space.
    • Confirm the upgrade path for the SFOS version.

  • HA cluster

    Expect a brief failover interruption.

    • Complete the standalone firewall checklist.
    • Verify that the HA status is healthy.
    • Make sure both nodes meet the upgrade requirements.
    • Perform the upgrade only from the primary device.

Preparation before upgrading

What should I do before upgrading?

Recommended checklist for all deployments:

  1. Take a fresh backup.
  2. Verify the available disk space.
  3. Confirm the supported upgrade path.
  4. Review the release notes.
  5. Schedule a maintenance window.
  6. Optionally, restart the firewall beforehand to clear the memory cache.
What should I check specifically for HA?

Verification checklist for HA:

  1. The HA status must be healthy and synchronized.
  2. Both nodes must be reachable.
  3. Both nodes must meet disk space requirements.

Related information:

Requirements for SFOS 22.0 and later

Are there additional requirements for later versions?

Yes, SFOS 22.0 and later have the following requirements:

  • Additional disk space is required.
  • Partition-specific requirements for /var and /content exist.
  • SSD firmware requirements exist for certain nodes.
Do both HA nodes need to meet the requirements?

Yes, both firewalls must meet the firmware requirements.

  • Each firewall in the HA cluster is evaluated independently.
  • If one node fails the requirements, this can block the upgrade.

Related information:

SSD firmware requirements

Do I need to upgrade SSD firmware?

The SSD firmware upgrade improves reliability and prevents hardware issues. Learn when it's required:

  • It applies only to a subset of XGS models.
  • SSD firmware upgrade may be mandatory before upgrading to SFOS 22.0 and later.
  • A notification appears if action is required.

Related information:

General questions

What happens during a firmware upgrade?

During the firmware upgrade process, the firewall does as follows:

  1. Installs the new version.
  2. Restarts.
  3. Activates the new firmware.

The upgrade behavior depends on the deployment type.

  • Standalone firewall: Full restart, resulting in temporary downtime.
  • HA cluster: Upgrade is orchestrated across both nodes with failover to minimize disruption.
Do I need a maintenance window?

Yes, a maintenance window is always recommended.

  • Standalone firewall: Required. Service interruption occurs.
  • HA cluster: Recommended. Brief failover interruptions may occur.

Related information:

Standalone versus HA deployments

Show the upgrade features of standalone and HA deployments.
Feature Standalone firewall HA cluster
Downtime

Yes

Full outage during restart

Minimal

Brief failover interruption
Upgrade execution In a single firewall Orchestrated across both nodes
Failover Not applicable Automatic failover during upgrade
Risk mitigation Backup

Rollback		 Backup

Rollback

HA redundancy

How upgrades work

Standalone deployments

The upgrade process is as follows:

  • Upgrade is applied to the firewall.
  • Firewall restarts, resulting in downtime.
  • Traffic is interrupted until the restart is complete.
HA deployments

You must start the upgrade on the Primary device.

The HA cluster performs the upgrade as follows:

  1. Upgrades the auxiliary device.
  2. Fails over traffic to the auxiliary device.
  3. Upgrades the former primary device.
  4. Failback may occur after the upgrade, depending on the preferred primary device in the HA configuration.

Related information:

Firmware versions and flexibility

Can I upgrade or downgrade firmware versions?

Yes. You can do as follows in both standalone and HA deployments:

  • Upgrade to a later version.
  • Downgrade to an earlier compatible version.
  • Install firmware manually in offline environments.

Related information:

How are firmware versions stored?

Sophos Firewall uses the following two partitions:

  • Active firmware. The version currently running on the device.
  • Previous firmware. The version that was running before the most recent upgrade.

Each partition contains its own configuration snapshot.

What happens to the configuration during an upgrade?

The configuration is retained as follows:

  • Configuration is tied to the firmware version and remains in the partition.
  • If you roll back firmware, the firewall automatically restores the previous configuration.

Automatic rollback

What is automatic firmware rollback?

Automatic rollback is an important safety feature that can occur in SFOS 20.0 and later.

If an upgrade fails during configuration migration, the firewall automatically reverts to the previous version and configuration.

Why are automatic rollbacks important?

Previously, failed upgrades could result in the following behavior:

  • Factory reset of the firewall.
  • Loss of configuration.

Now, automatic rollback offers the following benefits:

  • Reduces downtime.
  • Preserves working configuration.

Related information:

Specific scenarios

What if my firewall doesn't receive updates?

Possible causes are as follows:

  • Connectivity issues.
  • Update services are blocked or disconnected.

Related information:

What are the requirements for virtual firewalls?

Insufficient disk space can block upgrades.

Disk resizing may be required before upgrading to later versions, such as SFOS 22.0 or later.

Related information:

Troubleshooting

What are the most common upgrade issues?

The common issues are as follows:

  • Insufficient disk space.
  • Unsupported upgrade path.
  • HA synchronization issues.
  • Configuration migration failures.

Related information:

What should I do if the upgrade fails?

If an upgrade fails, do as follows:

  • Wait. Automatic rollback may restore the previous version.

  • Verify the following parameters:

    • Disk space
    • System health

  • Retry using a supported upgrade path.

  • If needed, contact Sophos Support.

Related information:

To troubleshoot specific problems, see Troubleshooting firmware problems.