The XG Series hardware appliances will reach end-of-life (EOL) on March 31, 2025. Click here to see the XG to XGS migration documentation.

Firmware

You can manage firmware versions and change the default language.

You can upgrade to a later firmware version, downgrade to an earlier version, or roll back to the previous version. For air gap deployments, you can update the firmware manually. You can also schedule firmware upgrades centrally from Sophos Central.

For more information about upgrading to later versions and restoring backups, see Sophos Firewall release notes.

Support subscription

Starting with version 19.0 MR1, you must have Enhanced Support or Enhanced Plus Support for unlimited firmware upgrades.

Note

Trial licenses include Enhanced Support.

Without a support subscription, you're allowed three free firmware upgrades that include upgrading to general availability (GA), maintenance release (MR), and early access program (EAP) releases of Sophos Firewall.

After completing each free upgrade, the web admin console shows a message indicating the number of remaining free upgrades. After completing three upgrades, a support subscription is required, whether upgrading using the web admin console or SFLoader. Without a support subscription, you can download the firmware but can't install it.

A support subscription is only required if you're moving to another firmware version. It isn't required for the following:

  • Pattern updates
  • Hotfixes
  • Reimaging the hardware, virtual, and software appliances of Sophos Firewall
  • Mandatory firmware upgrades
  • Assistant firmware upgrades

    Note

    A support subscription isn't required when moving to version 19.0 MR1. It becomes applicable when moving from version 19.0 MR1 or later versions to another version.

Secure storage master key

The secure storage master key provides extra protection for the account details stored on Sophos Firewall. The key encrypts sensitive information, such as passwords, secrets, and keys, preventing unauthorized access.

The accounts have access to services, such as directory services, email servers, FTP servers, and proxies. They also include user accounts stored on Sophos Firewall.

Sophos Firewall removes the secure storage master key in the following cases:

  • You reset the firewall to factory configuration.
  • You reimage the firewall.

After resetting or reimaging the firewall, you can enter the master key to restore or import the configurations.

Rollback: Even if you set the master key for the current version, the previous version's configuration is available when you roll back to the previous version.

How to manage firmware versions

  • Firmware upgrade and configuration from Sophos Central: You can schedule firmware upgrades from Sophos Central. You can also specify all the firewall settings using Zero Touch configuration available from Sophos Central. For more details, see Zero Touch configuration.
  • Compatible versions: To know the versions compatible with your current version, go to Firewall Installers.

    Search using your device's serial number, and click Download to see the firmware versions compatible with the device and its active version.

  • Upgrade to a later version: To upgrade to a firmware version later than the active version, move down to Latest available firmware and take the available actions. For more details, see Move to a different firmware version.

  • Move to any version: To move to any version, download the firmware image from Firewall Installers. Then, go to the web admin console, move to the Firmware section, and take the required actions. For more details, see Move to a different firmware version.

    Use this method in the following cases:

    • Moving to an earlier version. An earlier version is available on the web admin console only if it's the previous version from which the device was updated or if you manually uploaded a compatible version.
    • Air gap deployments. These are deployments that don't have internet access.
    • EAP (early access program) versions.
  • Rollback: To roll back to the previous version, go to the Firmware section and under Version, click Boot firmware image next to the previous version.

  • Downgrade: To downgrade to an earlier version, go to the Firmware section and under Version, click Boot firmware image next to an earlier version.
  • Corrupt firmware: To replace possibly corrupt firmware that prevents you from accessing the web admin console, change the firmware version using SFLoader. For more details, see Load firmware using SFLoader.

    Note

    When you update the firmware, SFLoader doesn't automatically update. Some unsupported options may still show in the SFLoader menus. To install the latest version from SFLoader, you must load the firmware manually. See Load firmware using SFLoader.

    Note

    The option to load firmware using SFLoader isn't available for XGS devices. To update corrupt firmware for XGS devices, see Reimage Sophos Firewall.

  • Move to an incompatible version: To move to a firmware version incompatible with the active version, reimage the device. For more details, see Reimage Sophos Firewall.

  • Air gap deployment: You can download the firmware from Firewall Installers. When it's downloaded, upload it to the air-gapped device. See How Air gap and manual pattern updates work.

Note

We recommend taking a configuration backup before you move to a different firmware. We also recommend making the change during non-peak hours.

Upgrade, downgrade, and rollback

Upgrade: When you upgrade, you move to a later version compatible with the current version.

Downgrade: When you downgrade, you move to an earlier version compatible with the current version.

Rollback: When you roll back, you move to the previously installed version on your device. You can roll back to a later or earlier compatible version.

Note

Before migrating to a different firmware version, check Suggestions before updating the firmware version.

If migration to a different firmware version fails, the firewall rolls back to its existing version. See Automatic firmware rollback.

Firmware

You can see a maximum of two firmware versions under Firmware. The Active icon indicates the active version. The inactive version is one of the following:

  • Previous version: When you change the firmware version of Sophos Firewall, the previous version is retained to allow you to roll back. If you roll back, configuration changes made after the change are lost because changing the firmware also updates Sophos Firewall with the configuration corresponding to the new firmware version.
  • Uploaded version: You uploaded a version compatible with the active version. It can be a version later or earlier than the active version.

You can only move (upgrade, downgrade, or roll back) Sophos Firewall to an inactive version that's compatible with the active version.

Manage firmware

The Manage column has actions you can perform with the active or inactive firmware versions. You can choose from the following actions:

  • Upload firmware: Uploads the selected version from your endpoint device. After you upload, the firmware is available for Sophos Firewall to move to. Firmware upload takes a few minutes.
  • Boot firmware image: Closes all sessions and restarts Sophos Firewall with the specified version.
  • Boot with factory default configuration: Closes all sessions and restarts Sophos Firewall with the factory configuration. This doesn't clear the secure storage master key (SSMK). We recommend taking a backup because you'll lose the existing configuration.

Latest available firmware

To install the latest available firmware, do as follows:

  1. To see the latest available versions, click Check for new firmware.
  2. Click Download to download the firmware.
  3. Click Install next to the version. The firewall downloads the firmware, validates it, and installs it.

Factory reset with default configuration language

We recommend that you only reset the default language when you deploy the firewall for the first time.

Warning

When you change the language, the firewall restarts with factory settings, and custom configurations are lost. For more information, see What happens after a reset.

We recommend taking a backup before you change the language, although you can't use the backup to restore your configuration and keep the language change. Restoring a backup also restores the language settings in the backup.

Scroll down to Factory reset with default configuration language and select a default language for Sophos Firewall. Click Apply to reset the firewall to the factory settings and begin the basic setup. When you complete the basic setup, the firewall restarts, and all default configurations appear in the selected language.

Updating HA devices

You don't need to disable high availability before you update the firmware in HA devices.

To update HA devices, click the Upload firmware button, upload the firmware ISO, and then click Upload and boot.

  • Connected status: Go to the primary device and select a method for updating the firmware. The auxiliary device is updated first and then the primary device. See Firmware upgrade and pattern updates.

  • Standalone mode: You can't upgrade an HA device that's in standalone mode.

Note

You can't update the firmware in the auxiliary device independently.

Pattern updates (for example, ATP signatures and antivirus definitions) and hotfixes are applied independently to each device.

HA devices: Version compatibility and downtime

Update action: Condition

  • Upgrade to a compatible version: You may experience downtime.

  • Roll back to a compatible version: You'll experience downtime.

    Make sure the same inactive firmware version is available on both devices under Firmware.

    Alternatively, disable HA and then roll back each device to the version you want. The primary device sends a factory reset signal to the auxiliary device. The auxiliary device stores the peer administration IP address and the dedicated peer HA link IP address. Enable HA again if you want to.

  • Roll back to a previous version that wasn't configured with HA: The devices revert to standalone status. Configure HA again if you want to.

    Each device holds the configuration file that corresponds to the previous firmware version. The file determines the HA configuration status. Rollback activates the configuration of the previous version.

  • Downgrade to any version: You'll experience downtime.