Skip to content
Avanet

Sophos Firewall SFOS 22 Upgrade Check: Find Blockers

Before upgrading to SFOS 22, confirm that the platform, upgrade path, and configuration support the target release. This check covers SFOS 22.0 MR2 Build 546 from July 14, 2026 and complements the general Sophos Firewall firmware update guide.

Hard upgrade and restore blockers

  • XG or SG hardware: SFOS 22 is not supported. Instead of upgrading, migrate to XGS or to a virtual, software, or cloud platform.
  • Legacy Remote Access IPsec: From SFOS 22.0 MR1, the configuration must be migrated or removed before the upgrade.
  • Legacy CLI VLAN Tagging on a bridge interface: From SFOS 22.0 MR2, system vlan-tag must be replaced with supported VLAN interfaces.
  • Backup with Legacy VLAN Tagging: To restore to SFOS 22.0 GA or later, clean up the source configuration and create a new backup.
  • Storage or upgrade path: If the firmware page reports insufficient storage or an invalid upgrade path, resolve the cause first.

If a blocker applies or any point remains unclear, do not start the upgrade.

Check before the maintenance window

Platform and legacy dependencies

  • Check the model, current firmware, and direct upgrade path against the SFOS 22 release notes.
  • Treat XG and SG hardware as a migration, not a normal upgrade.
  • Replace UTM9 SSL VPN tunnels and RED 15, RED 15w, and RED 50 before the upgrade.
  • Under Network > Interfaces, correct names that end in ten or more digits. Such names can hide interfaces in WebAdmin after the upgrade.

Storage, backup, and access

Partition usage can be checked roughly in the Advanced Shell:

df -kh

A warning on the firmware page takes precedence. For virtual and software firewalls, see the Sophos guidance in KBA-000010091 and KBA-000043681.

Before starting, also ensure the following are available:

  • a fresh backup stored externally and the matching Secure Storage Master Key
  • local administrator access or alternative access outside the normal VPN path
  • a defined fallback path with an owner and decision point
  • for HA, a healthy, synchronized cluster with stable HA links and Monitored Ports

Details on backup and recovery are available in Create or restore a Sophos Firewall backup.

Configurations with particular risk

Legacy Remote Access IPsec

From SFOS 22.0 MR1, an existing Legacy Remote Access IPsec configuration blocks the upgrade. Affected users, pools, and profiles must first be migrated to the current Remote Access IPsec configuration, SSL VPN, ZTNA, or another suitable design. The procedure is described in Migrate Legacy Remote Access IPsec before SFOS 22 MR1.

Policy-based IPsec and NAT

Production policy-based Site-to-Site tunnels should be checked before and after the upgrade with a specific test flow. This includes Source, Destination, Service, Traffic Selectors, the peer, and the expected firewall and NAT rule. For problems, see IPsec VPN troubleshooting and Understand NAT on Sophos Firewall.

Legacy VLAN Tagging on bridges

Legacy CLI VLAN Tagging on bridge interfaces has three consequences:

  • On GA and MR1, traffic from or to the firewall can fail while transit traffic continues.
  • From MR2, the upgrade is blocked.
  • An affected backup cannot be restored to SFOS 22.0 GA or later.

Before cleanup, document the bridge, VLAN IDs, IP addresses, zones, switch trunks, and dependent services. Then create supported VLAN interfaces with the bridge as Parent and generate a new backup. The special case is described in Check Sophos Firewall bridge VLANs before SFOS 22.

STAS

For an upgrade to MR1, set Restrict client traffic during identity probe to No under Authentication > STAS. MR2 fixes the MR1 issue and uses No as the default for new configurations; existing values and user-based rules should still be checked. See Configure STAS on Sophos Firewall for details.

Maintenance window and validation

  • Before: Rule out blockers, have the backup and SSMK available, check HA synchronization, and document VPN, test, and fallback paths.
  • During: Do not make parallel changes to routing, VPN, or switching; monitor status and HA failover.
  • After: Check firmware, interfaces, internet access, firewall rules, VPN, NAT, HA, STAS, DNS, DHCP, Central, and Log Viewer.

A green tunnel or a successful Policy Test does not prove that production traffic works. Test critical connections with real packets, Log Viewer, Packet Capture, and the Firewall and NAT Rule ID. When problems occur, do not change several areas at the same time.

The upgrade is complete when the defined tests succeed and the target version, HA status, test results, and outstanding follow-up work have been documented.

FAQ

Can every Sophos Firewall be upgraded to SFOS 22?

No. XG and SG hardware are not supported; on other platforms, the upgrade path must also be valid.

Does Legacy Remote Access IPsec block the upgrade?

Yes. From SFOS 22.0 MR1, the Legacy configuration must first be migrated or removed.

Is an automatic backup by email sufficient?

Only if it can be found, assigned to the correct device, and restored with the available Secure Storage Master Key.