Move to a different firmware version
You can check for the latest firmware version and upgrade the active firmware. You can also upload an earlier version and downgrade manually.
Introduction
Prerequisite: Check if Sophos Firewall has a valid support subscription. See Support subscription.
Recommendations:
- The device restarts when you change the firmware version. So, schedule the change during non-peak hours.
- Take a backup of the configuration.
Sophos Firewall maintains the active and previous firmware versions along with the corresponding configurations in independent partitions. Configuration settings aren't shared between the two partitions. A rollback to the previous firmware also rolls back the configuration to the previous configuration.
Note
You'll see an error message if the number of configured gateways exceeds the number of gateways the firewall supports. You must delete the excess gateways before moving to a different firmware version.
This page shows the following methods for moving to a different firmware version:
- Upgrade to a later version: Check for the latest available firmware versions and install the version you want.
- Move to any compatible version: Download a compatible version and then move Sophos Firewall to it. You can use this to downgrade or upgrade with a compatible version, including EAP versions, and for air gap (no internet access) deployments.
Upgrade to a later version
-
Go to Backup and firmware > Firmware. Scroll down to Latest available firmware and click Check for new firmware.
When a new firmware version is available, an alert shows on the control center under Messages. You can also click the alert to go to Latest available firmware.
-
The new firmware version shows. Click Download next to the version you want.
Download takes a few minutes.
-
After the download is complete, click Install. Sophos Firewall closes all sessions and restarts with the new firmware version.
Note
Install is turned off if you don't have a support subscription and have used up the three free firmware upgrades.
-
Sign in to the web admin console. On the upper-left corner of the control center, verify the firmware version.
The new firmware version becomes the active version. The previously active version becomes the inactive version. You can see it in the section Firmware.
Upload and move to a compatible version
You can upgrade or downgrade firmware to a compatible inactive version. You can roll back to the previous version running on Sophos Firewall.
For details of the versions you can currently upgrade, downgrade, and roll back to, see Firmware.
- Go to Sophos Central and sign in to your account. Download the firmware you want to your endpoint device. For more details, see How to download firmware.
-
Go to Backup and firmware > Firmware. Under Firmware, click Upload next to the inactive firmware version.
-
In the pop-up window, select the firmware image from your endpoint device. Click one of the following options:
-
Upload firmware: Uploads the firmware. The firmware is now an inactive version. See the next step to move to the new firmware.
If Sophos Firewall restarts for other reasons after you upload the firmware, it doesn't move to the new firmware.
-
Upload and boot: Uploads the firmware. Sophos Firewall closes all sessions and restarts with the new firmware version.
-
-
To move to the inactive version (version uploaded in the previous step or an existing inactive version), click Boot firmware image .
Sophos Firewall closes all sessions and restarts with the new firmware version.
-
Sign in to the web admin console. On the upper-left corner of the control center, verify the firmware version.
The new firmware version becomes the active version. The previously active version becomes the inactive version.