The Management > Up2Date menu allows the configuration of the update service of Sophos UTM on AWS. Regularly installed updates keep your Sophos UTM on AWS up-to-date with the latest bug fixes, product improvements, and virus patterns. Each update is digitally signed by Sophos—any unsigned or forged update will be rejected. By default new update packages are automatically downloaded to Sophos UTM on AWS. This option can be configured in the Management > Up2Date > Configuration menu.
There are two types of updates available:
- Firmware updates: A firmware update contains bug-fixes and feature enhancements for Sophos UTM on AWS Software.
- Pattern updates: A pattern update keeps the antivirus, antispam, intrusion prevention definitions as well as the online help up-to-date.
In order to download Up2Date packages, Sophos UTM on AWS opens a TCP connection to the update servers on port 443—allowing this connection without any adjustment to be made by you. However, if there is another firewall in between, you must explicitly allow the communication via the port 443 TCP to the update servers.
Updates in Amazon Web Services
For every new release version in Amazon Web Services (AWS), Sophos publishes a new Amazon Machine Image (AMI). Every hour, the system checks automatically for new updates in the Amazon Marketplace.
If you update your stack with the information provided by the WebAdmin Up2Date page, AWS will modify the parameters of your stack according to the template and the AMI.
New worker and controller instances are created with the new version.
The old instances are terminated. For workers, to minimize downtime, this happens at the same time as creating new workers.
Once the new instances are up and running, they will load the backup of the previous version from S3 (backups are done regularly while UTM is running).
Work will resume as usual once the configuration backup has been restored which usually happens very quickly.
Depending on the size of your reporting database, it may take a few minutes before statistics and reporting are available in WebAdmin, but this will not impede the functionality of your UTM.
The system periodically creates backups of the configurations, reporting data, and logs every five minutes. All data will be transferred to an S3 storage and will be automatically imported to the node after the update is completed.
There are two different ways to update HA depending on the deployment type. Based on the AWS CloudFormation template, the update is deployed through cold standby (with one Sophos UTM on AWS running) or warm standby (with two Sophos UTM on AWS units running).
Warm Standby: One of the old instances will be replaced by another instance based on the new version. This will become the new active instance (master) later. Once that instance is up and running, the old instance will be terminated and replaced by a new passive instance.
Cold Standby: For HA standalone deployments, the old instance will be terminated. A new instance will be created with the new version.
After that, HA updates follow the same pattern as step 3–6 in "Auto Scaling".
A non-HA or non-Auto-Scaling UTM will update like any other standalone UTM.