Sophos Firewall Firmware Update: Preparation and Best Practices
Firmware updates keep a Sophos Firewall secure, stable and supported. Nevertheless, you should not treat it like a normal package update. A SFOS upgrade can affect HA behavior, VPN tunnels, certificates, web protection, TLS Inspection, remote access, central integration and routing.
For the broader hardening context, use the hub Sophos Firewall Hardening: best practices for secure configuration.
This article is the planning and operational checklist before a Sophos Firewall firmware update. It helps decide whether an update can be approved now, which dependencies must be checked before the maintenance window and when a rollback is more sensible than further troubleshooting. The specific installation via WebAdmin is described in Perform Sophos Firewall firmware update.
⚠️ Important: Before every firmware update, a current backup, the appropriate Secure Storage Master Key and a tested rollback plan are required. For SFOS 22 or newer, the Sophos Firewall check before SFOS 22 upgrade article should also be processed because the platform, storage space, interface names, STAS and legacy remote access IPsec are specifically checked there.
Which update article fits?
Firmware topics overlap quickly. It is therefore important for admins to first choose the right process:
- Prepare updates, check risks and plan maintenance windows: This article.
- Upload or install firmware image in WebAdmin: Perform Sophos Firewall firmware update.
- Prepare to upgrade to SFOS 22 or newer: Check Sophos Firewall before SFOS 22 upgrade.
- Check backup, Secure Storage Master Key and restore ability: Create or restore Sophos Firewall backup.
- Reinstall Firewall OS completely or restore it after a reimage: Reinstall Sophos Firewall OS: Reimage with USB stick.
- Assess HA cluster before maintenance, failover or upgrade: Sophos Firewall HA cluster variants.
- Central-controlled update or firewall task hangs: Check Sophos Central Firewall Management Task Queue.
- Evaluate XG, SG or XGS platform before the upgrade: Sophos XG vs. XGS: Differences, EOL and migration.
- Collect serial number, licence status or support data for the change: Find Sophos Firewall serial number.
This separation prevents typical errors. A firmware update is not the same as a reimage, a rollback does not replace a backup, and a successful download does not prove that the upgrade path, support entitlement, HA state and recovery plan are correct. This planning article should therefore not repeat every installation click, but primarily make the approval decision clean.
When an update needs to be prepared
A short check is often sufficient for small maintenance releases. Structured preparation is mandatory if at least one of these points applies:
- Productive firewall with multiple WAN uplinks, VPNs, NAT rules or WAF publications.
- HA cluster or remote location without easy physical access.
- Version jump over several releases or switching to a new major version such as SFOS 22.
- XG, SG, software, virtual or cloud appliance with platform or licensing issues.
- Critical dependencies such as Microsoft Entra ID, RADIUS, LDAP, Certificates, DNS, DHCP, SD-WAN or Sophos Central.
- Known performance, storage space or SSD issues on the appliance.
The larger the change, the more the update should be treated as a change with a runbook, test plan and rollback.
1. Check release notes and upgrade path
Before updating, first clarify whether the target version fits the current environment.
- Check the Sophos Release Notes to see whether the target version is released and whether there are notes on your own release branch.
- Additionally check the official release notes of the target version and the Known Issues so that known problems do not only become apparent after the update.
- Document existing version, target version and supported upgrade path.
- Important: Only select supported upgrade paths. If the upgrade path is not supported, the firewall can be reset to factory settings after the firmware update.
- For SFOS 22, note that XG and SG hardware is no longer supported.
- For SFOS 21.5, note that not every target path automatically leads to SFOS 22 GA. The release notes for the specific target version are authoritative.
- For many VLANs, Bridges, LAGs, RED or XFRM interfaces, check whether interface names with long blocks of numbers can trigger a WebAdmin display problem.
- For Legacy Remote Access IPsec, check whether an upgrade to SFOS 22 MR1 or newer is blocked.
- For STAS and user-based rules, check whether known upgrade notes are relevant to your own configuration.
- For software, virtual, Azure or AWS BYOL firewalls, clarify whether the firewall needs to be claimed in Sophos Central before upgrading.
- If there are incompatible version jumps, do not plan with a normal update, but rather prepare a reimage concept.
For concrete upgrade decisions, it is not announcements that count, but rather release notes, known issues, supported upgrade paths and local firmware planning. If a release just sounds interesting, but the upgrade path, platform, support eligibility or rollback are not clear, the change should not be released yet.
2. Clarify license and support eligibility
Since SFOS 19.0 MR1, Enhanced Support or Enhanced Plus Support is required for further firmware upgrades after the free initial updates. Without appropriate support authorization, the firmware may be able to be downloaded but not installed.
Exceptions apply to, among others, Pattern Updates, Hotfixes, Reimage, Mandatory Firmware Upgrades and Assistant Firmware Upgrades. However, these exceptions do not replace proper update planning.
Before making the change you should therefore check:
- Administration > Licensing shows valid license and support entitlement.
- Sophos Central shows the firewall with correct serial number.
- Support access and contact persons are known.
- Download of the target version is possible.
- If necessary, Avanet or Sophos support access is prepared.
If you want Avanet to support the change, the article Setting up Avanet support access to Sophos Firewall is appropriate.
3. Prepare backup, SSMK and rollback
A firmware update is installed on a second firmware slot. A rollback to the previous version is therefore often possible. Nevertheless, a rollback is not a replacement for a backup because the configuration status, restore compatibility and operating status must be checked separately.
Before the update:
- Download fresh configuration backup.
- Check Secure Storage Master Key in the password manager.
- Provide backup password and admin access.
- Document existing firmware version and target version.
- Document current configuration, critical screenshots and change time.
- For larger changes, also check a central backup or externally stored backup. The backup and restore process is detailed in Sophos Firewall Create or restore backup. If a normal firmware change is not possible, the article Reinstall Sophos Firewall OS: Reimage with USB stick will help.
4. Prepare change evidence
For simple maintenance releases, a backup, a screenshot of the firmware page and a short change note are often sufficient. For larger updates, you should also record which configuration was valid before the maintenance window and which changes were made during the follow-up check.
These tools answer different questions:
- Backup: Which configuration state can be restored?
- Config Studio: What differs between two configuration states?
- Audit Trail: Who made which supported configuration change, and when?
Sophos Firewall Config Studio is useful if you want to compare configuration states before and after an upgrade. This does not replace a backup, but it does help with the question of whether rules, objects, interfaces or policies were unexpectedly changed during a maintenance window.
The Sophos Firewall Audit Trail is suitable for temporal traceability. It is particularly helpful when multiple admins are involved or when a centrally controlled change ran parallel to the firmware update. If the update or a configuration change is triggered via Sophos Central, the Sophos Central Firewall Management Task Queue is also part of the follow-up check.
5. Check storage space and system health
Insufficient storage space, old logs, or an unstable HA state can make an update unnecessarily risky. Before a major upgrade, you should consciously check the system status.
In WebAdmin:
- Check Control center for warnings.
- Open Backup & Firmware > Firmware and check available versions.
- Check Diagnostics > Log viewer for recurring system errors.
- Check System services and relevant services.
- For SFOS 22, also look at the firewall Health Check, if available.
The free storage space can be checked using SSH or Advanced Shell:
df -kh
If a partition is very full, you should not update blindly. First clarify whether old local files, logs, reports or support dumps are taking up space. If the cause is unclear, a support case is safer than manually deleting the Advanced Shell. The practical process is in Sophos Firewall Check storage space and manage reports.
If the appliance is old, writes a lot of local reports or already shows I/O or database problems, the SSD health via SMART should also be checked and documented.
Sophos Firewall Troubleshooting: Services and Logs, Sophos Firewall Use Packet Capture in WebAdmin and [Sophos Firewall] help for status and log analysis How to use Health Check correctly](/en/kb/sophos-firewall-health-check/).
6. Plan HA cluster separately
HA clusters should not be treated like individual firewalls. Sophos writes that HA does not need to be disabled for the firmware update. Nevertheless, a HA update needs more control because both appliances, firmware slots, roles and failover behavior are affected.
Before the update:- Check HA status in WebAdmin.
- Clearly identify primary and auxiliary appliances.
- Check HA link and synchronization.
- Ensure the same firmware initial situation on both appliances.
- Also plan maintenance windows for Active-Passive-HA.
- Communicate expected short interruption when changing roles.
In the connected HA state, the firmware update is started on the primary device and processed by the cluster for both appliances. The roles are changed during the process and, depending on the HA configuration, the preferred primary can become active again at the end. The Auxiliary Appliance should not be updated separately. Pattern updates and Hotfixes are applied independently to the devices.

For HA environments, Sophos Firewall HA Cluster: Active-Passive, Active-Active and Auxiliary Appliance should also be read.
7. Define maintenance windows and tests
A good maintenance window includes not only the installation time but also clear tests afterward.
Set before update:
- Start time, latest abort time and rollback decision.
- Person responsible for firewall, network, servers, applications and support.
- Test list for Internet, DNS, DHCP, VLANs, NAT, VPN, WAF, Mail, Web Protection and critical applications.
- Accessibility via local management port or alternative access.
- Monitoring pause or maintenance mode in the monitoring system.
- Communication path if remote access fails during the change.
Tests shouldn’t just consist of pings. For productive firewalls, real connection checks are more important: VPN login, access to internal applications, DNS resolution, web access, published services, mail flow, SD-WAN routes and central authentication.
8. Validate after update
After the restart, the change is not yet completed. First you have to check whether the firewall is really running in the expected state.
Immediately after the update:
- Check active SFOS version.
- Check license and pattern update status.
- Check system and kernel logs for noticeable errors.
- Check interfaces, SD-WAN routes, VPN tunnels and HA status.
- Validate firewall rules, NAT, Web Protection, TLS Inspection and WAF with real tests.
- Sophos Central Check synchronization.
- Reactivate monitoring.
- Add change documentation with results, times and deviations.
If a firmware update was planned or triggered via Sophos Central, the Sophos Central Firewall Management Task Queue is also part of the follow-up check. There you can check whether the central task was completed successfully or whether a failed task is blocking later changes.
If unexpected errors occur after the update, the difference between configuration problem, firmware bug, license problem and external system problem should first be narrowed down. Log Viewer, Packet Capture and targeted service logs are more helpful than immediate multiple restarts.
Typical errors with firmware updates
- Update without fresh backup: Restore or rollback becomes unnecessarily risky; Check backup and SSMK before change
- Release notes only read superficially: Known bugs, platform blockers or unsupported upgrade paths are overlooked; Document Sophos release notes, known issues and supported upgrade path
- SFOS-22 check skipped: Platform, storage space, interface, STAS or legacy IPsec blockers are only noticed in the maintenance window; Before SFOS 22 or newer, complete the separate upgrade check
- HA assumed to be failure-free: Failover can interrupt sessions and individual connections; Also plan maintenance window and test plan for HA
- No local emergency access: Remote Change may get stuck on VPN or WAN issue; Clarify out-of-band access or on-site option
- Ping tested only: Application, DNS, TLS or VPN problems remain undetected; Define technical tests per service
- Rollback decided too late: Downtime becomes longer than necessary; Determine the termination time and rollback criteria in advance
Checklist
- Target version and upgrade path checked.
- Sophos release notes, official release notes, known issues and supported upgrade path checked.
- SFOS 22 Upgrade check performed on relevant upgrades, including platform, interface names, storage space, STAS and legacy remote access IPsec.
- License and Enhanced Support checked.
- Backup downloaded and SSMK available.
- Change proof prepared with Backup, Config Studio, Audit Trail or Central Task Queue if several admins or Central are involved.
- Disk space and system status checked.
- HA status and roles documented.
- Maintenance window, test plan and rollback criteria defined.
- Firmware file or GUI download prepared.
- Local or alternative management access clarified.
- Checked version, services, VPNs, NAT, WAF, logs, central task queue and monitoring after the update.