Skip to content

Backup and restore

You can take encrypted backups and restore the configurations.

Backups contain the entire configuration on Sophos Firewall and are encrypted. You can save backups on Sophos Firewall, use FTP to save them on a server, or email the backup. You can set up an automatic backup schedule, or take a backup manually.

You must enter a password to encrypt the backup. To restore the backup, you must reenter the password and the secure storage master key.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access. The default administrator (username: admin) sets the secure storage master key.


You must create the master key before taking a manual or scheduled backup.


After you create the master key, all new backups use it to secure sensitive data. If you don't enter the master key, you can't restore these backups.

Backups with a master key

  • To restore a backup that has a master key, you must enter the master key in addition to the backup encryption password. You must share both if you share these backups with Sophos Support.
  • Configurations are associated with their master key. If you generate a backup and then change the master key, you must use the previous master key to restore that backup. So, store the current and earlier master keys.

Backups without a master key

  • You can restore manual and scheduled backups that don't have a master key. The firewall won't ask for a master key.
  • If you restore a scheduled backup that doesn't have a master key, the firewall continues to take scheduled backups at the restored backup's frequency. You can't change the frequency until you set a master key.

Best practices

When to take a backup:

  • Schedule automatic backups.
  • Take a manual backup before and after you make a considerable change to the configuration.
  • Take a backup before upgrading the firmware.

How to keep the backup secure:

  • If you save backups at a different location, make sure the location is secure.
  • Make sure you set the secure storage master key to protect and restore sensitive information.

Compatible devices for restoring configuration

The following rules apply for restoring the backup configuration to a different Sophos Firewall device:

  • Hardware models:

    • You can restore the configuration to a model with an equal or higher number of Ethernet ports.
    • You can't restore the configuration from hardware models with FleXi Port modules to virtual SFOS appliances or hardware models without FleXi Port modules. These modules allow you to add additional ports to the Sophos Firewall appliance. For more details, see Backup-restore compatibility check.
    • You can't restore the configuration if the number of configured gateways in the backup exceeds the number of gateways the firewall supports.
  • Wireless models:

    • You can restore backups from non-wireless and wireless models to wireless models with an equal or higher number of Ethernet ports.
    • You can restore from a wireless model to a non-wireless model if it doesn't have any LocalWiFi configuration.
  • Revisions: You can restore to a hardware model with a different revision if it has an equal or higher number of Ethernet ports.

  • Firmware versions: You can restore to a device with the same or later firmware version.
  • Pattern versions: You can restore to a device with the same or later pattern version. If it's of an earlier version, update the patterns, and then restore the configuration.


Setting Description
Backup mode

To save the backup, or save and transfer the backup, select an option from the following list:

  • Local: Saves the backup on Sophos Firewall.
  • FTP: Saves to the FTP server.

    Specify the IP address of the FTP server, the username and password, and the FTP path. The FTP server can have an IPv4 or IPv6 address.

  • For FTP backup, the username must not include the domain when separated by a \ character. Only the special characters @, / and $ are supported as part of username or password.
  • Email: Emails the backup file.

    Enter the recipient's email address.

For FTP and email, Sophos Firewall first stores the backup locally and then transfers it.
Backup prefix

Enter a prefix to identify the backup configuration. Use the prefix to identify the configuration when you have more than one device.

By default, Sophos Firewall stores backups without a prefix. The backup name is as follows:

  • With prefix: <Prefix>_Backup_<Device Key>_<SFOS version>_<timestamp>

    Example: Dallas_Backup_ABCDEY190_SFOS-19.5.1-Build278_16Apr2023_12.09.24

  • Without prefix: Backup_<Device Key>_<SFOS version>_<timestamp>

    Example: Backup_ABCDEY190_SFOS-19.5.1-Build278_16Apr2023_12.09.24

  • Maximum number of characters: 32
  • Unsupported characters: / \ : * ? “ < > | ~ ` .. ä ö ü and UTF-8 characters except for English characters.

Select the frequency with which you want to take backups. If you store the backup on Sophos Firewall, only the latest backup is retained.

If you want to save the previous backup, download it.

Encryption password

Enter the password with which you want to encrypt the backups. You need to enter this password when restoring the backup.

To encrypt backups scheduled with earlier firmware versions without a password, you now need to provide a password.

Change encryption password Use this to change the password.
Backup now Click to take a backup manually.
Apply Click to apply the settings.

Click Download Download backup button. to download the backup stored on Sophos Firewall. Select one of the following options and click Download backup:

  • Download encrypted backup
  • Encrypt backup with a different password before you download: Use this to set a different password for the downloaded backup. The password doesn't apply to the encryption password set for all backups.

For backups scheduled with earlier firmware versions, you need to enter a password to encrypt the backup before downloading it.

Backup restore

When you restore a backup, the following changes take place:

  • The restored backup replaces the current configuration. This also deletes the stored backup and restarts Sophos Firewall.
  • The IP address assigned to the web admin console on the restored configuration becomes active. You must use this IP address to access the web admin console.
Setting Description
Restore configuration Upload the backup file to restore a configuration.

Enter the password with which the backup was encrypted.

To restore unencrypted backups taken with earlier firmware versions, you don’t need a password.

Upload and restore

Click to upload and restore the backup configuration.

If you restore an older configuration, you'll lose the later changes.