Skip to content

Automatic firmware rollback

We automatically roll back your firmware version if there's an issue migrating your firewall's configuration during the update process.

Automatic firmware rollback is available from SFOS 20.0.

How automatic firmware rollback works

Previously, when the firewall encountered issues while migrating its configuration during a firmware update, it would still upgrade to the new version using the default (factory) settings. This led to network outages and the loss of firewall access from Sophos Central. Sophos Central displayed the firewall as disconnected.

Configuration migration issues can happen due to errors in the database or errors in files. From SFOS 20.0 and later, the firewall automatically rolls back to the previous firmware version if there's an issue migrating configuration during a firmware update. This reduces disruptions to the network and reduces network downtime.

Alerts and notifications

When an automatic rollback to the previous version is triggered, an alert appears on the firewall control center, and an entry appears in the log viewer. This alert is only visible if you migrate from versions 19.5 MR2 and later.

If you trigger the firewall update from Sophos Central or Sophos Central Partner, you'll see the following notification next to your firewall version: "Couldn't migrate to the firmware version you wanted. Firmware has rolled back to the previous version".

Sophos Central firewall firmware notification.

Automatic firmware rollback availability

Automatic firmware rollback is available if you do as follows:

  • Manually upload your firmware.
  • Automatically update your firmware by checking for new versions from the firewall's web console.
  • Update the firmware for your high-availability firewalls.

Automatic rollback isn't available if you do as follows:

  • Install the latest firmware or do a mandatory firmware upgrade from the setup assistant.
  • Upgrade firmware from an earlier unsupported firmware version, such as 17.5.x.
  • Try to upgrade using an unsupported upgrade path.

Next steps

After the automatic rollback, you can do as follows:

  • Try to upgrade the firmware again or upgrade to a different supported firmware version.
  • Check the migration.log and migrationhash.log files to discover why the migration failed and share the info with Sophos Support.
  • Contact your partner or Sophos Support for help.