Avanet

Performing a Sophos Firewall Firmware Update

This article explains how to practically perform a Sophos Firewall firmware update via WebAdmin: obtain firmware, upload image, start installation, and revert to the previous version if necessary.

For larger updates, the technical execution should not be confused with planning. The actual update preparation with release notes, upgrade path, backup, HA, storage space, test plan, and rollback criteria is detailed in Sophos Firewall Firmware Update: Preparation and Best Practices. This article is the appropriate step when it is clear which version should be installed.

⚠️ Important Note on Legacy Devices: SFOS 21.5 GA and later versions no longer support XG and SG hardware appliances. If you are still operating an XG, you should first check before each upgrade whether a migration to XGS is necessary. Helpful resources include What is the difference between an XG and XGS Firewall? and the Sophos Product Lifecycle Calendar.

Info: The guide assumes that a supported device with valid Enhanced Support is available or that the device is still within the free initial updates. A backup of the Sophos Firewall should be created before each update. The update is installed on the second partition, and a rollback is available for fallback. However, you should never update without a backup.

Before upgrading to SFOS 22 or newer, the SFOS 22 Upgrade Check should also be performed. This separately checks platform support, storage space, interface names, HA status, STAS, and legacy remote access IPsec as typical upgrade blockers.

Preparation or Execution?

For admins, two questions are important:

For productive firewalls, preparation should be completed first. After that, the installation itself is usually the shorter part of the maintenance window.

Final Check Before Upload & Boot

Just before starting, it should be checked again whether everything is really ready for the restart. This brief check does not replace update planning but prevents typical errors during the maintenance window.

  • Backup available and SSMK known: A rollback to the old partition does not replace a restorable backup.
  • Access clarified after restart: For remote locations, a fallback is needed if WAN, VPN or routing does not return immediately.
  • HA role and cluster status checked: An update in an already unstable cluster unnecessarily increases the risk.
  • Critical VPNs and WAN uplinks known: After the restart, it can be checked specifically whether the most important connections are back up.
  • Rollback criterion defined: In case of failure, it should be clear when to revert and when to continue analysis.

Especially at remote locations, you should not rely solely on the WebAdmin session. If possible, a second access path should be prepared: local contact, out-of-band access, management VPN, Sophos Central, or a clear escalation path. Otherwise, a normal firmware window quickly becomes a site problem.

Manually Download SFOS Firmware

Before the new firmware can be installed, it must be obtained via Sophos Central or the firmware download page:

  • SFOS Firmware Images for Software Appliances (Virtual Machines)
  • SFOS Firmware for Cloud Appliances

Note: Those with Enhanced Support can often download the latest firmware directly via the GUI. The manual method remains useful when an update needs to be specifically prepared, checked, or timed.

Offline is not automatically Air-Gap: This article describes the manual upload of an SFOS firmware image. In strictly isolated environments, license synchronization and pattern updates remain separate operational processes. For this, Operating Sophos Firewall Air-Gap Licensing and Pattern Updates is suitable.

Check image and upgrade path

Before upload, do not only check the file name. What matters is whether the image fits the appliance, the active version and the planned target path.

  • XGS hardware: Use the hardware image for the appropriate appliance series, and do not mistakenly plan the update for XG/SG hardware, which SFOS 21.5 and later no longer support.
  • Virtual or software appliance: Use the software or VM image and check hypervisor and resource requirements.
  • Cloud appliance: Check the cloud image and platform path, especially for BYOL and Marketplace deployments.
  • Air-Gap environment: Plan the firmware image, license synchronization and pattern updates as separate steps.
  • Major release: Check upgrade path, release notes and known issues before the maintenance window.

If a version change is not offered in WebAdmin or an incompatible path would be required, do not continue with a normal upload. First clarify whether an intermediate step, reimage or migration to supported hardware is required.
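As an added example (not code from the article or from Sophos), the following Python pre-flight check encodes the checks above before an upload: platform fit of the image, the XG/SG cut-off at SFOS 21.5, downgrade versus upgrade, the major-release and SFOS 22 triggers, and a checksum comparison of the downloaded file. It assumes image file names use an HW-/SW- prefix convention as shown in the comments and that a published SHA-256 is available to compare against; adjust the pattern if your download is named differently.

```python
import hashlib
import re

# Assumed SFOS image naming (not stated in the article): "HW-" prefix for
# hardware appliance images, "SW-" for software/VM images, e.g. "SW-22.0.0_GA-123.sig".
IMAGE_RE = re.compile(r"^(?P<kind>HW|SW)-(?P<ver>\d+(?:\.\d+)+)_(?P<stage>GA|MR-\d+)-(?P<build>\d+)\.sig$")
HARDWARE = {"XG", "SG", "XGS"}  # appliance families named in the article
LEGACY = {"XG", "SG"}           # not supported from SFOS 21.5 GA onward


def parse_version(text):
    """'21.5' -> (21, 5, 0); padded to three parts so tuples compare cleanly."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))[:3]


def preflight(appliance, active_version, image_name):
    """Findings ('BLOCK: ...' / 'WARN: ...') for uploading image_name on an appliance
    ('XG', 'SG', 'XGS' or 'VM') that currently runs active_version. Empty = nothing found."""
    m = IMAGE_RE.match(image_name)
    if not m:
        return ["BLOCK: file name does not look like an SFOS image; verify source and type"]
    findings = []
    kind, target, active = m.group("kind"), parse_version(m.group("ver")), parse_version(active_version)
    # Platform fit: hardware image for XG/SG/XGS, software image for virtual appliances.
    want = "HW" if appliance in HARDWARE else "SW"
    if kind != want:
        findings.append(f"BLOCK: {kind} image chosen for a {appliance} appliance; a {want} image is needed")
    # XG/SG hardware is not supported on SFOS 21.5 GA and later: migrate to XGS instead.
    if appliance in LEGACY and target >= (21, 5, 0):
        findings.append("BLOCK: SFOS 21.5+ does not support XG/SG hardware; plan an XGS migration")
    if target < active:
        findings.append("BLOCK: target is older than the active version; that is a downgrade, not a normal upload")
    elif target == active:
        findings.append("WARN: image is the version that is already active")
    # Major release: upgrade path, release notes and known issues must be checked first.
    if target[0] > active[0]:
        findings.append("WARN: major release change; check upgrade path, release notes and known issues")
    if active[0] < 22 <= target[0]:
        findings.append("WARN: run the SFOS 22 Upgrade Check (platform, storage, interfaces, HA, STAS, IPsec)")
    return findings


def sha256_matches(image_bytes, expected_hex):
    """True if the downloaded image matches the published SHA-256 (assumes one is published)."""
    return hashlib.sha256(image_bytes).hexdigest() == expected_hex.strip().lower()


if __name__ == "__main__":
    print(preflight("XG", "20.0.2", "HW-21.5.0_GA-107.sig"))  # constructed sample file name
```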

Manually Install SFOS Firmware

The downloaded firmware can now be installed on the Sophos Firewall.

  1. Log in to the Sophos Firewall.
  2. Open Backup & Firmware in the navigation.
  3. Under the Firmware section, select the desired version and click the upload icon.
  4. In the Firmware Upgrade/Downgrade window, select the firmware file from your computer and start Upload Firmware or Upload & Boot.

Sophos Firewall shows a maximum of two firmware versions in the Firmware section: the active version and one inactive version. The inactive version is either the previous version for rollback or a manually uploaded compatible image. Before uploading, therefore check which version is currently in the second slot and whether it is still needed as a fallback option.

The following screenshots show the upload dialog and the selection of the firmware image.

Sophos Firewall Upload Firmware Image Dialog
In the upload dialog, the local firmware image is selected and prepared for installation.
Select Sophos Firewall Firmware Image
Before uploading, it should be checked that the image matches the appliance series and the planned upgrade path.

Note: The choice between Upload Firmware and Upload & Boot should be made consciously. With Upload Firmware, the image is only uploaded. With Upload & Boot, the installation is started directly.

  • Upload Firmware: Useful when the image should be staged before the maintenance window. Risk: a later admin may start an image whose context is not documented.
  • Upload & Boot: Useful when the maintenance window is active and backup, access and tests are ready. Risk: the firewall restarts immediately and existing sessions are interrupted.
  • Boot firmware image: Useful when an already uploaded image should be started at a defined time. Risk: the version in the slot is booted, not automatically the newest available version.

HA cluster during firmware updates

If an HA cluster is configured, start the update on the primary device. The cluster then runs the process for both appliances. The auxiliary appliance shouldn’t be updated separately. Still plan a maintenance window. During the role change, individual sessions may drop, VPN tunnels may reconnect briefly, or some pings may be lost. After the update, deliberately check HA status, roles, VPNs, and central connections.

An HA device in standalone mode is a special case and shouldn’t be updated like a cleanly synchronised cluster. Before the update, HA status, synchronisation, and roles must be clear. For preparation, see Sophos Firewall HA cluster variants.

If only Upload Firmware was chosen, the installation time can be set later. Use the icon with the two arrows under the Firmware section when the time for installation is right.

Sophos Firewall Boot Firmware Image Action
With the boot action, an already uploaded firmware image is started at a later time.

Automatically Install SFOS Firmware

If a valid Enhanced Support license is available, the firmware can often be downloaded directly in the GUI.

Note: If a new firmware version does not appear quickly enough in the GUI, the manual variant can always be used.

  1. Log in to the Sophos Firewall.
  2. Open Backup & Firmware in the navigation.
  3. Under the Latest Available Firmware section, search for new versions.
  4. Select Download for the listed update.
  5. After the download is complete, start the installation with Install.

Download Sophos Firewall Firmware in WebAdmin
With valid authorization, the firewall can download available firmware directly in WebAdmin.
Install New Sophos Firewall Firmware Version
After the download, the new firmware version is offered for installation in the firmware section.

If the update is planned or triggered not locally in WebAdmin but via Sophos Central, the Sophos Central Firewall Management Task Queue should also be checked after the maintenance window. There you can see whether the Central task has been completed or if a failed task is blocking further changes.

Check After the Update

After the restart, you should not immediately switch to the next change. First, it must be clear whether the firewall is really stable on the new firmware and the most important operational functions are accessible.

Directly check:

  • Backup & Firmware > Firmware shows the expected active version.
  • Control center shows no new critical warnings.
  • Interfaces, WAN uplinks, SD-WAN routes, and default gateway are plausible.
  • HA status and roles are correct if a cluster is used.
  • Site-to-Site VPN, Remote Access VPN, and RED connections are established.
  • DNS, DHCP, NAT, WAF, and central firewall rules work with real tests.
  • Sophos Central synchronization and Central Firewall Management are up to date.
  • Monitoring, Syslog, or SIEM receive data again if used.

If rules, NAT, or VPN do not work as expected after the update, you should first narrow down with Log Viewer, Policy Test, Packet Capture, and relevant service logs. For structured troubleshooting, Test Firewall Rule with Log Viewer, Policy Test, and Packet Capture and Sophos Firewall Troubleshooting: Services and Logs are suitable.

Rollback to Previous Version

After an update, it may happen that individual functions do not work as expected. In this case, you can revert to the previous firmware partition. To do this, click on the marked rollback icon next to the current version. In an HA cluster, both appliances are started with the selected version.

A rollback is not the same as a restore. The firewall restarts with the previous firmware version, but a restorable backup, a known Secure Storage Master Key and a clear recovery plan are still necessary. Configuration changes made after the version change can be lost or behave differently when switching back to the older firmware. Therefore, do not make unnecessary side changes after the update before it is clear that the new version is stable.

Rollback and downgrade are also not the same:

  • Rollback: Switch to the previously installed compatible version in the second firmware slot.
  • Downgrade: Switch to an earlier compatible version that is not necessarily the direct previous version.
  • Reimage: Reinstall Sophos Firewall OS, usually with data loss on the device and subsequent restore.

Before a rollback, you should briefly note why you are reverting. Sensible criteria include: WAN connection does not stabilize, central VPNs remain down despite checking, HA does not synchronize cleanly, critical firewall rules do not apply, or a known bug affects the productive environment. If only a single service is noticeable, targeted troubleshooting may be more sensible than an immediate rollback.

  • WAN, HA or central VPNs fail during the maintenance window: Rollback is useful if the cause cannot be stabilised quickly. If a clear configuration error is visible, analyse that first.
  • Individual rule, NAT or WAF publication seems wrong: Consider rollback only with broad disruption or a known firmware issue. Otherwise, first check Log Viewer, Policy Test, Packet Capture and service logs.
  • WebAdmin seems slow, but traffic runs stably: Rollback is rarely the first measure. Better check load, services, browser, logs and known notes.
  • HA cluster is unsynchronised after the update: Rollback is possible if production operation is at risk. First, however, check HA roles, sync status, links and logs.

Before clicking, at least the active version, target version, time, symptom, affected services, HA status, and already tested points should be documented. In HA environments, it should also be clear which node is active and that when reverting, interruptions in sessions, VPNs, or management access are possible again.

After the rollback, the check starts again from scratch: check active firmware version, check Control center, validate WAN, VPN, HA, central rules, NAT, WAF, DNS, DHCP, Central synchronization, and logging with real tests. Then you should not just stay permanently on the old version. A better approach is a short follow-up plan: narrow down the cause, check support or release notes, secure backup and evidence, and only set the target update again when the trigger is understood.

Sophos Firewall Rollback to Previous Firmware Version
The rollback icon allows the previous firmware partition to be restarted.

FAQ

Is a firmware update in an HA cluster interruption-free?

Not guaranteed. The firewalls are updated one after the other, but during the role change, individual sessions may be interrupted, VPN tunnels may need to be re-established briefly, or some pings may be lost. Therefore, even with HA, a maintenance window should be planned, and after the update, HA status, roles, VPNs, and important connections should be checked.

Why are updates no longer free?

Without a support subscription, three firmware upgrades are permitted. After that, Enhanced Support or Enhanced Plus Support is required for further normal firmware changes. Pattern Updates, Hotfixes, reimage, Mandatory Firmware Upgrades and Assistant Firmware Upgrades must be considered separately. Background: Sophos Firewall Updates No Longer Free

What is an Enhanced Support license?

The Enhanced Support license provides access to updates and technical support. This license is either included in every license bundle or can be purchased separately. Without a valid Enhanced Support license, no further updates can be installed after the first three free updates, which can pose security risks.