Avanet

Sophos Firewall firmware update preparation and best practices

Firmware updates are central to keeping the Sophos Firewall secure, stable, and up to date. They provide new features, close known security vulnerabilities, and improve overall performance. To ensure the update runs smoothly, several points should be considered and thoroughly prepared in advance. This guide explains step by step how to prepare for Sophos Firewall firmware updates and avoid common mistakes.

Why Preparation is Important

A firmware update not only brings new features but also bug fixes and important security improvements. Without proper preparation, outages, rollbacks, or in the worst case, an unexpected factory reset can occur. This can significantly impact ongoing operations. The following best practices help minimize risks and ensure a structured approach.

Common problems with unprepared Sophos Firewall firmware updates include:

  • insufficient storage space for the update package,
  • faulty HA synchronization,
  • missing or outdated backups,
  • uncoordinated maintenance windows with parallel network work.

Before the Update: Preparation Steps

1. Check Release Notes

  • Review the Sophos Release Notes:
  • Important: Only choose supported upgrade paths; otherwise, the firewall will automatically reset to factory settings after the Sophos Firewall firmware update.
  • Additionally, check whether the release notes for the new version document known issues that could affect your operation.

2. Check Available Storage

  • Use the Advanced Shell to verify sufficient space:
df -kh
  • If a partition is more than 95% full, free up storage space.
  • Limited storage can cause update problems and may abort the upgrade.
  • It is recommended to delete old backups, log files, or unnecessary files.

3. Restart Before the Update

  • A restart clears the cache and ensures the firewall enters the update in a clean state.
  • Restart both devices in an HA cluster.
  • If issues occur, they can be detected and resolved before the update.
  • Especially for devices not restarted for a long time, this can prevent performance problems.

4. Coordinate Maintenance Window

  • Sophos Firewall firmware updates should only be performed during planned maintenance windows.
  • Ensure no parallel maintenance work is running in the infrastructure.
  • Inform responsible teams (e.g., network, applications, security) early.
  • A clearly communicated time frame minimizes surprises for end users and ensures smooth processes.

5. Verify Access and Permissions

Before starting, ensure all necessary information and credentials are available:

  • Admin passwords
  • Secure Storage Master Keys
  • Backup passwords
  • Access credentials for support systems
  • Access permissions from the respective network or, in the worst case, directly on the appliance (Device Access ACL Rules)

6. Create Backups

  • In addition to regular backups, create a fresh backup.
  • This backup should be readily available in case a rollback is required.
  • It is recommended to keep both a configuration backup and a backup of license information (Sophos Central access).

7. Download Firmware

  • Keep offline copies of both the current and new firmware version.
  • This allows quick rollback in an emergency.
  • It is recommended to download the firmware via the official Sophos Support account and store it securely.
  • Verify that the downloaded file is complete and not corrupted (e.g., compare hash values).
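
The storage check from step 2 and the hash comparison from step 7 can be scripted. The following is an added example, not code from Sophos or from this guide; it assumes awk and sha256sum are available where it runs and that you have a reference SHA-256 value for the firmware file. The df output and device names in it are constructed.

```shell
#!/bin/sh
# Added example (not Sophos or Avanet code): scripted checks for steps 2 and 7.

# Print "mountpoint use%" for each filesystem that is more than LIMIT percent full.
# $1 = LIMIT; stdin = output of `df -kP` (POSIX columns, capacity in field 5).
full_partitions() {
    awk -v limit="$1" 'NR > 1 {
        use = $5; sub(/%/, "", use)
        if (use + 0 > limit + 0) print $6, use "%"
    }'
}

# Compare a firmware file against a reference SHA-256 value.
# $1 = file; $2 = expected hash (assumption: obtained from the download source).
# Returns 0 on match, 1 on mismatch, 2 if the file is missing or empty.
verify_firmware() {
    [ -s "$1" ] || { echo "missing or empty: $1" >&2; return 2; }
    actual=$(sha256sum "$1" | awk '{print $1}')
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    if [ "$actual" = "$expected" ]; then
        echo "OK $1"
    else
        echo "MISMATCH $1 (computed $actual)" >&2
        return 1
    fi
}

# Constructed sample of `df -kP` output; device and mount names are illustrative.
sample_df() {
    cat <<'EOF'
Filesystem     1024-blocks    Used Available Capacity Mounted on
/dev/sda1           400000  120000    280000      30% /
/dev/sda2          8000000 7760000    240000      97% /var
/dev/sda3          2000000 1900000    100000      95% /data
EOF
}

sample_df | full_partitions 95   # with live data: df -kP | full_partitions 95
```

A partition at exactly 95% is not reported, matching the "more than 95% full" rule in step 2.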

Special Considerations for High Availability (HA)

Active-Passive Cluster

  • After a Sophos Firewall firmware update, check if the original primary node is active again.
  • If not, manually perform a failover in the menu: System → High Availability → Switch to passive device
  • In complex environments, it is advisable to keep a log of the HA role to track the original state later.

Identify Primary Node

  • Log in via SSH with admin → open Advanced Shell
  • Execute commands:
nvram get "#li.serial"
nvram get "#li.master"
  • Result YES = Primary node
  • Result NO = Auxiliary node
  • The serial number helps clearly distinguish the devices.

Check Sync

  • On the auxiliary node, check the sync log:
/log/msync.log
  • If many vrrp timeout errors occur, check and possibly replace the HA cable.
  • Restart both devices here as well to establish a clean state.
  • Additionally, check the synchronization status in the WebAdmin.
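
One way to keep the HA role log mentioned above and to quantify the vrrp timeout errors, as an added example that is not part of the original guide or of Sophos tooling. The function names and the state file are hypothetical; the only firewall-specific inputs are the two nvram values and the msync.log path shown above.

```shell
#!/bin/sh
# Added example (not Sophos or Avanet code): record the HA role before the
# update, compare it afterwards, and count vrrp timeout lines in the sync log.

# Map the output of `nvram get "#li.master"` to a role name.
ha_role() {
    case "$1" in
        YES) echo primary ;;
        NO)  echo auxiliary ;;
        *)   echo unknown; return 1 ;;
    esac
}

# Before the update: append "UTC-timestamp serial role" to a state file.
# $1 = state file (hypothetical path), $2 = serial, $3 = li.master value.
# On each node: record_ha_state FILE "$(nvram get "#li.serial")" "$(nvram get "#li.master")"
record_ha_state() {
    role=$(ha_role "$3") || return 1
    printf '%s %s %s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$2" "$role" >> "$1"
}

# After the update: succeed only if the node with this serial still has the
# role that was last recorded for it.
role_unchanged() {
    before=$(awk -v s="$2" '$2 == s { r = $3 } END { print r }' "$1")
    now=$(ha_role "$3") || return 2
    [ -n "$before" ] && [ "$before" = "$now" ]
}

# Count lines mentioning "vrrp timeout" (case-insensitive) in a sync log,
# e.g. count_vrrp_timeouts /log/msync.log on the auxiliary node.
count_vrrp_timeouts() {
    grep -ci 'vrrp timeout' "$1" || true
}
```

If role_unchanged fails for the original primary node after the update, that is the case in which the manual failover described under Active-Passive Cluster applies.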

Performing the Update

1. Follow the Plan

  • Strictly adhere to the prepared schedule.
  • Avoid improvised decisions as they often lead to problems.
  • It is recommended to create a detailed runbook in advance describing each step and possible rollback scenarios.

2. Perform Rollback Consistently

  • If the Sophos Firewall firmware update fails, immediately execute the planned rollback.
  • Quick workarounds can cause more harm than good.
  • A planned rollback saves valuable time and minimizes downtime in an emergency.

3. Actively Use Monitoring

  • Tools like SNMP, monitoring systems, or simple pings help.
  • Monitor closely for some time after the update to detect unexpected effects.

4. Document Test Results

  • Communicate results after each step to the affected teams and services.
  • This avoids misunderstandings.
  • All critical applications should be actively tested and documented after the update.

5. Prepare Troubleshooting

  • Collect as much information as possible in case of errors.
  • This data helps to submit a support ticket quickly and effectively.
  • This includes log files, screenshots, exact timestamps, and actions taken so far.

After the Update: Documentation

  • Log commands: Record terminal outputs or capture GUI update sessions.
  • Document dependent systems: Record changes to adjacent systems and inform the respective admins.
  • Note deviations from the plan: Document deviations from the original process to be better prepared next time.
  • Lessons Learned: Conduct a brief post-update review and record what worked well and where improvements are possible.

Conclusion

With good preparation, Sophos Firewall firmware updates can be performed in a structured, reliable manner without major interruptions. It is important to follow clear procedures, have backups ready, actively use monitoring, and document experiences afterward. This keeps the firewall secure, stable, and future-proof in the long term. At the same time, companies can reduce the effort for future updates.
