Sophos Firewall SSD firmware upgrade 19 and 20

By Avatar of iiQ8 Jobs, News January 25, 2024
Technology 77 total views, 0 today

Sophos Firewall SSD firmware upgrade 19 and 20

Sophos Firewall SSD firmware upgrade for a subset of XGS firewall models Sophos Firewall SSD firmware upgrade 19 and 20 .

 

Overview

A firmware upgrade that improves the operational performance of the Solid-State Drive (SSD) used in some XGS Series appliances will be released via hotfix on January 24, 2024. This is a manufacturer-issued update and is recommended for all eligible appliances.

As the SSDs used in any appliance model may change during the product lifecycle, this firmware upgrade only applies to some SSD models that have been used in a subset of the following XGS Series firewall appliances:

  • XGS 116(w), 126(w), 136(w)
  • XGS 2100, 2300, 3100, 3300
  • XGS 4300, 4500

Customers with an eligible appliance will see a banner and an alert in the Control Center of their firewall.

How to get the new SSD firmware

As the process of installing the SSD firmware will involve a short downtime period, the download will be automated, but the installation will require manual intervention. This is to allow you to schedule this update at your earliest convenience. Both steps must be completed:

  1. Automatic firmware download: If you have not changed the default setting*, the new SSD firmware will download to appliances running SFOS 19.0, 19.5, and 20.0 (including the GA and all MR versions), but it will not be installed.
    • If hotfixes are turned off (not recommended), you will need to upgrade to the next SFOS maintenance release (19.5 MR4 or later).
    • SFOS 19.5 MR4 and later will also include the new SSD firmware, and the manual installation process remains the same.
  2. Manual installation: You will need to manually install the SSD firmware via the CLI using the command delivered with the hotfix or firmware upgrade. Please ensure that you complete the installation during a maintenance window to accommodate the short downtime period.

*Allow automatic installation of hotfixes is turned on by default

Note: You can easily verify if hotfixes are turned on. To check, enter the following command in the CLI: system hotfix show

When will the new SSD firmware be available?

On January 24, 2024, the new SSD firmware version will be pushed over the air via a hotfix to firewalls that require the upgrade and are running SFOS versions 19.0, 19.5, and 20.0, including GA versions and all MRs.

Future MRs of SFOS (19.5 MR4 and later) will also include this SSD firmware. For any future release, the manual installation process for the firmware is as described in the article.

How do I know if my firewall needs the SSD firmware upgrade?

Control Center banner, alert, and Email notification: If your firewall is eligible for the firmware update, a banner and an alert message will appear on the Control Center. The firewall will also send out an email notification.

These will only appear if the upgrade is required and hotfixes are turned on.

Banner

banner Sophos Firewall SSD firmware upgrade 19 and 20

Alert

SSD: A recommended SSD firmware update is available for this device that improves the performance of the SSD. Upgrade is via the CLI. For details, see xxKBarticlexx.

Expanded alert

expanded Sophos Firewall SSD firmware upgrade 19 and 20

If you have one of the above models, have hotfixes turned on, and do not see the banner, your firewall does not need the SSD firmware upgrade.

Additional verification: An easy way to check if your firewall requires the upgrade is to enter the following command on the CLI: system ssd show

The command is only available if hotfixes are turned on.

What is Bitlocker FAQ | iiQ8 info

6G Network in India, Bharat 6G | What is 6G? Comparison of 5G, 6G, and 7G  Action required to install the SSD firmware

After seeing the Control Center alert, you must manually enter the CLI command to install the SSD firmware.  Sophos Firewall SSD firmware upgrade 19 and 20

Planning Requirements

  • Schedule a maintenance window. Installing the SSD firmware involves a short downtime.
  • As a precautionary measure, ensure you have access to power cycle the appliance, should that be required.

Steps to upgrade the SSD firmware

Follow these steps to complete the installation:

  1. Sign in to the CLI console and enter 4 for Device console.
  2. To verify if the upgrade is available, enter the following command:
    system ssd show
    You will see the details if an upgrade is available.
  3. To upgrade the SSD firmware, enter the following command:
    system ssd update
    The command upgrades the SSD firmware and immediately restarts the firewall. This results in a short downtime period.

Caution: The installation process will automatically interrupt the power supply and restart the appliance. In isolated instances, if the appliance does not restart within a few minutes (maximum 10 minutes), you may need to manually power cycle the appliance.

How to perform a power cycle?

Switch off the power, wait for two minutes, then switch it on again.

If the appliance is connected to a secondary or redundant power supply, switch off both the primary and the secondary power supplies to ensure a full power cycle. A redundant power supply unit can interfere with the upgrade process by increasing the hold-up capacity of the box. Sophos Firewall SSD firmware upgrade 19 and 20

Other firewall deployments

High availability

In an HA cluster, you must upgrade the SSD firmware on each appliance individually as follows:

  1. Verify if both appliances in the cluster require the SSD upgrade (see information above). Appliances in an HA cluster will not always have the same SSD model.
  2. If both require the upgrade, upgrade one appliance first.
    After it restarts, upgrade the second appliance.

AirGap

The new SSD firmware and the CLI commands will be released in the following maintenance releases:

  • 20.0 MR1 and onwards
  • 19.5 MR4 and onwards

After you upgrade to one of these MR versions, the banner and alert message on the Control Center will appear if the upgrade applies to your appliance. If you see the banner/alert, follow the instructions above and use the CLI command to install the firmware manually.

Frequently asked questions

 

Google Chat New Features, iiQ8 info

 

 

  • Q: Why do I need to upgrade the SSD?
    A: The upgrade improves the overall SSD performance and is recommended for all eligible appliances.
  • Q: What if I don’t immediately update the SSD? Does it impact the firewall?
    A: The new SSD firmware versions improve the operational performance of the SSDs used in some Sophos Firewall appliances. Your Sophos appliance will not be immediately impacted if you continue operating with the older SSD firmware; however, we recommend updating the SSD firmware at your earliest convenience to ensure optimal SSD performance.
  • Q: Why do I only see an upgrade available for some XGS models?
    A: The manual SSD firmware upgrade only applies to a subset of the XGS appliance models listed above. This depends on which SSD model is used. Sophos Firewall SSD firmware upgrade 19 and 20For other firewall appliances and SSD models, the SSD firmware update doesn’t require any manual intervention or a restart. We’ve been working to make this process as seamless as possible. For example, we delivered an automated SSD firmware update in 19.5 MR3.
  • Q: Does the upgrade require the firewall’s power to be switched off and back on?
    A: Only in very isolated instances. In most cases, the system ssd update command will update the SSD firmware and restart the firewall after the process is complete.If your appliance does not restart within a few minutes (maximum 10 minutes), switch off the power, wait for two minutes, then switch the power on again.
  • Q: If the firewall doesn’t restart after the upgrade, and I can’t switch the power off and back on, how can I recover the firewall?
    A: If you do not have access to switch the power off and back on, we recommend that you wait to upgrade the SSD firmware. Schedule the upgrade when you have access to the power controls. This is a necessary precaution.

Sign up for the Sophos Support Notification Service to receive proactive SMS alerts for Sophos products and Sophos Central services.

Sophos Firewall SSD firmware upgrade 19 and 20

A new firmware SFOS 20.0.0 GA-Build222 is available. We strongly recommend that you upgrade the device.
Version
  • SFOS 20.0.0 GA-Build222
News

Feature Release

  • .
  • MDR Threat Feeds – Automatically blocks traffic for dynamic threats to shut-down active threats on the network.
  • Synchronized Security – Any Sophos managed endpoint attempting to communicate with IoC will be queried using Synchronized Security for granular threat insights in the network.
  • VPN – New and more secure VPN Portal for VPN-specific functionalities – RA client download, configuration downloads, clientless VPN bookmarks, and SCC auto provisioning.
  • VPN – IPsec connection stateful HA failover for RBVPN, PBVPN and Remote access VPN enables seamless failover without losing a session.
  • VPN – FQDN hosts and group support for SSL VPN Remote access and site-to-site.
  • VPN – IPsec VPN tunnel status monitoring using SNMP.
  • VPN – Multiple 0.0.0.0 (=*/ ANY) remote gateway support for RBVPN – eliminates a need for explicit DDNS in the distributed deployments.
  • VPN – Unique PSK support for same local/remote gateway for IKEv2 connections.
  • VPN – DH Group 27-30 / RFC6954 support in IPsec VPN.
  • SD-WAN – 3x more gateways and SD-WAN profiles support for improved scalability. Now supports up to 3072 gateways and 1024 profiles.
  • IPv6 – DHCP prefix delegation – seamlessly integrates with ISP-provided DHCP-PD for LAN networks. DHCPv6 server support on Delegated interface to assign additional properties to devices on its network such as DNS address.
  • Routing, IPv6 – Upgraded dynamic routing engine and now supports BGPv6 that enables improved IPv6 interoperability.
  • Interface – Interface Enable/Disable – Quickly and easily disable or enable interfaces on the firewall without losing configuration.
  • Object Reference Lookup – To quickly identify where network objects are used in rules and policies.
  • Backup restore – Auto roll back – Firewall automatically rollback to previous good state if firmware upgrade fails.

 

 

Veera Indian Made Internet browser

 

  • Backup restore – Backup from Wi-Fi device can be resorted to non-Wi-Fi device.
  • UI – UI now supports higher resolution screens and uses better real estate.
  • Updated email notification text – XG to Sophos Firewall.
  • Removed already EOL’ed SATC download option from UI.
  • The Jordan time zone DST changes have been updated, as they have canceled the Wintertime change and fixed it at +03.
  • Sophos Advanced Threat Protection has been rebranded as Sophos X-Ops.
  • Authentication – Azure AD Single Sign On for easy user authentication on the captive portal.
  • Authentication – Azure Group import options for mapping group policies and attributes.
  • Authentication – Automatic Azure RBAC automatically promotes the user whenever appropriate role is found in Azure token.
  • WAF – GEO IP policy enforcement – blocks users from accessing WAF protected resources from a specified country or IP.
  • WAF – Custom Cipher and TLS version configuration – configure more secure ciphers and excludes less secure ciphers.
  • WAF – HSTS to mandate client’s web browser to only use HTTPS; and X-Content-Type-Options header enforcement provides MIME-type sniffing protection.
  • ZTNA Gateway on Firewall – Includes support for Sophos ZTNA Gateway integration into Sophos Firewall that will make ZTNA deployments easier than ever. The early access has been planned in September. Please stay tuned for a separate announcement on this topic.

Resolved issues Sophos Firewall SSD firmware upgrade 19 and 20

  • NC-125331 [Authentication] Azure AD SSO captive portal authentication is stuck when the Web proxy listening port other than 3128
  • NC-112370 [Gateway Management] WAN Link Manager: Error while updating failover rules
  • NC-117669 [Firewall] Invalid Traffic “Invalid TCP state” logs are observed in HA appliances for traffic coming from AUX appliance
  • NC-125589 [DHCP] On-link and Autonomous flages are disabled in Auto created RA server for delegated interface.
  • NC-125595 [DHCP] Getting wrong Error message while creating down stream interface with invalid subnet ID.
  • NC-124414 [Email] SPX password exposure in plain text (CVE-2023-5552)
  • NC-125369 [Email] Exim: libspf2 vulnerability – CVE-2023-42118
  • NC-125221 [RED] RED : Fail to establish S2S tunnels when RED server enforces TLS 1.2
  • NC-119334 [Backup-Restore] The Backup download button Symbol/Icon is non-responsive/non-clickable
  • NC-118460 [Dynamic Routing (PIM)] When clicking on view PIM-SM information, shows error “Unable to read routing information”
  • NC-116220 [Email] Awarrensmtp was in failed status and inbound email were not delivered. However, no NDR was sent to senders on 13-feb-23.
  • NC-117638 [Email] Emails gets quarantined even if the sender address is added in exception
  • NC-124102 [Email] Unable to disable legacy TLS protocols
  • NC-107708 [Firewall] Firewall is auto rebooted – RIP: 0010:muser_match+0x747
  • NC-120016 [Firewall] Local ACL doesn’t work with Backslash ( \ ) || Name contain Backslash (SOPHOS\TEST)
  • NC-113034 [Hardware] Lost device access to XGS appliances and no logs available
  • NC-116002 [IPsec, SDWAN Routing] : BO users unable to receive an email or Mail Receive slow or IPsec traffic slow
  • NC-122180 [Licensing] Unable to access webadmin portal due license sync issue
  • NC-122699 [nSXLd] Adding a trailing period at the end of the domain bypassing the web policies
  • NC-122511 [RED] Vulnerability detected on Port 3400
  • NC-119192 [VFP-Firewall] Slow speed using Virtio NICs
  • NC-119052 [WAF] WAF protection policy UI issue
  • NC-120190 [SSLVPN] SSLVPN S2S connections fail to due the absence of serveruser.conf file
  • NC-121432 [WAF] /tmp is not removing files and going out of space, Causing AV scan failure
  • NC-121415 [Web] avd stops responding after pattern update because one thread does not release (even after NC-114930 fix)
  • NC-119829 [WWAN] Verizon Mifi 4G USB modem (U620L) not working after upgrade to 19.5.2 MR 2
  • NC-114104 [AppFilter Policy] App Filter Policy set to block All Applications – template pushed from Central loses Risk
  • NC-107481 [Authentication] Logviewer is not showing src IP field information for the successfully authenticated SSLVPN Users
  • NC-110927 [Authentication] Missing: MFA enable/disable event logs
  • NC-113532 [Authentication] Cannot remove authorizers from data anonymization setting
  • NC-114057 [Authentication] Match Known Users option in rule is dropping traffic as user identity is not being marked
  • NC-114950 [Authentication] Unable to View usage with username “do’reilly” and UI stops responding
  • NC-116602 [Authentication] Logviewer is not showing Src IP field information for the Failed authenticated SSLVPN Users
  • NC-116880 [Authentication] SSH keys disappear when Admin has 2-Factor authentication enabled and added after login using different administrator user other than default admin
  • NC-116881 [Authentication] Uploading file(certificate) to Webadmin logged in via Azure AD SSO results in logoff
  • NC-119049 [Authentication] access_server crash due to missing nsgencode multi thread support
  • NC-119183 [Authentication] Edirectory authentication server – Transaction failure
  • NC-119560 [Authentication] Mandatory firmware update via wizard causes the initial setup to start again and again
  • NC-94533 [Certificates] Attribute challenge password prevents issuing a certificate with No-IP
  • NC-119825 [Certificates] Unable to Download Default certificate from Web > General Settings/ Logs out when click on Download Icon
  • NC-102256 [Clientless Access] VNCFreeRDP crashing
  • NC-108378 [Clientless Access] Clientless Access doesn’t work in case of name contains an “umlaut”
  • NC-114627 [Clientless Access] Unable to connect to RDP over Clientless Access SSLVPN while using username with space.
  • NC-115982 [CM] RCA of getting an alert on Sophos central that “Firewall has not checked in with Sophos Central for the past 5 minutes”
  • NC-116312 [CM] Garner thread stuck in Central Management plugin
  • NC-118749 [CM] Specific API call doesn’t seem to be working
  • NC-119198 [CM] Unable to Change Admin User Accounts Password from Central Firewall Management
  • NC-120519 [CM] Disable Central Management doesn’t work as per Firewall Api document
  • NC-108562 [Core Utils] Public key authentication for admin can not be managed via Central
  • NC-117314 [Core Utils] SWAP memory usage full
  • NC-107388 [DDNS] DDNS logs appears every 5 minutes
  • NC-111790 [DHCP] Unable to configure or edit interfaces
  • NC-113102 [DHCP] Not able to add static mac entry for specific DHCP pool
  • NC-109623 [Dynamic Routing (BGP)] BGP – FRR doesn’t advertise the configured networks if not available in RIB
  • NC-115369 [Dynamic Routing (OSPF)] OSPF flaps repeatedly when running continuous scan with ICMP Echo
  • NC-112492 [Dynamic Routing (PIM)] PIMD Service DEAD
  • NC-107283 [Email] Awarrensmpt service dead
  • NC-108237 [Email] Spam emails are been let through with error “spam scanning failed, unable to connect local antispam”
  • NC-108450 [Email] Inbound forwarded email with attachment is getting failed to deliver due to malware scan failed
  • NC-109625 [Email] Inbound Email gets quarantine from specific domain due to DKIM verification Failed
  • NC-110897 [Email] Getting error logs when using AV as Sophos in WAF Policy
  • NC-111023 [Email] Legacy email mode is crashing very frequently
  • NC-112128 [Email] Release link settings can not be saved – Quarantine Digest
  • NC-113038 [Email] Mail communication stopped working after upgrading to v19.5 GA
  • NC-113458 [Email] MIME Type recognition issues when Zero Day Detection is enabled
  • NC-113547 [Email] Invalid IP address causes error for notification mails
  • NC-116845 [Email] Fix occasional UT error in mailpoller
  • NC-116899 [Email] Attachment going through even if it should be blocked per extension / MIME
  • NC-117881 [Email] Antispam service DEAD
  • NC-120138 [Email] EmailUtility::is_valid_messageid is too strict
  • NC-101846 [Firewall] Connections are failing due to a high number of www in FIN_WAIT
  • NC-108536 [Firewall] Firewall rules stopped working after backup restroe due to failure in xml api while creating fw-rule Sophos Firewall SSD firmware upgrade 19 and 20
  • NC-109201 [Firewall] Device goes into Failsafe Mode after upgrade (Unable to apply Firewall Framework)
  • NC-112136 [Firewall] RED Connection interruption when Firewall acceleration is enabled in XG310
  • NC-116527 [Firewall] Entities.xml shows additional firewall rule that is not visible on GUI
  • NC-116890 [Firewall] NAT rule is not getting marked after reboot of firewall
  • NC-116939 [Firewall] Pktcapd bpf filter causing device reboot (___bpf_prog_run)
  • NC-117063 [Firewall] Allowed child connection gets logged as dropped
  • NC-118204 [Firewall, SDWAN Routing] Static Multicast packet changes reply-dst when SDWAN policy is applied.
  • NC-85114 [Firmware Management] ‘kworker’ process is taking high CPU continuously on XG450
  • NC-109689 [FQDN] When adding new FQDN host object to firewall it causes resolver to restart/hang and cause DNS query resolution to fail during that time.
  • NC-111423 [FQDN] FQDN resolving with low TTL (2-5 seconds) are creating issue with Wildcard FQDN host
  • NC-111476 [FQDN] Subdomain learning is not working in case of non-sfos DNS server set for client
  • NC-117675 [Gateway Management] Wwan gw update flow, updates wrong moid when wwan-gwid not same as it’s monitorid
  • NC-109626 [HA] Standalone device rebooted-msync : Too many open files
  • NC-106738 [Hotspot] Sort functionality doesn’t work properly in the user portal for hotspot vouchers
  • NC-119525 [Hotspot] Valid untill time on Hotspot login takes time in UTC instead of Local system time.
  • NC-120118 [Hotspot] Missing information in the hotspot voucher that is getting created for users
  • NC-116314 [Interface Management] Unable to delete or make changes to the bridge interface
  • NC-98796 [IPS-DAQ] Coredump during daq shutdown due to incorrect order of thread stop
  • NC-107329 [IPS-DAQ] Snort showed high CPU usage – customer experiencing low bandwidth
  • NC-114872 [IPS-DAQ] Certificate based authentication failing to server with small RX win
  • NC-115019 [IPS-DAQ-NSE] Firewall locks up. Snort core generated
  • NC-119321 [IPS-DAQ-NSE] Slow download speed with SSL/TLS inspection enabled even if TLS not being decrypted in the presence of large initial rxwin
  • NC-107042 [IPsec] Fix IPsec VPN path MTU related connection issues with IPsec acceleration
  • NC-119047 [IPsec] SSL/TLS inspection not working for VPN users
  • NC-119898 [IPsec] XFRM tunnel remains disabled when both s2s and rbvpn are UP simulatenously on the same local remote gateway pair
  • NC-114411 [IPS Engine] CM: Group IPS Policy behaviour issue
  • NC-116448 [L2TP] : A checkbox is not visible on the top line on L2TP members.
  • NC-112138 [Licensing] Licenses not getting sync
  • NC-107504 [Logging Framework] Unable to update the pattern file​ at AirGap sites.
  • NC-107975 [Logging Framework] Logging stopped on device with error showing database disk image is malformed Sophos Firewall SSD firmware upgrade 19 and 20
  • NC-110678 [Logging Framework] Logs stopped: Improvement to retry when DB corruption is detected
  • NC-113004 [Logging Framework] Garner crashed observed at init_cache_tree during sync cache
  • NC-114652 [Logging Framework (Central Reporting)] After 7200 files, Sending files to Central stops with Error on gzclose
  • NC-108003 [NFP-Firewall] Memory utilization increases until firewall hangs
  • NC-100418 [nSXLd] Internet down with error “nSXLd: Connection timeout while connecting to SXL server”

 

How to Activate New ATM Card, Gulf Bank Kuwait Bank Card Activation

 

  • NC-115360 [nSXLd] Deleted policy from Sophos central but the policy still showing in the firewall
  • NC-117753 [PPPoE] Internet via PPPOE Not Working Upon HA Failover
  • NC-112058 [RED] Some of the reports for RED tunnel on XG Firewall is not loading
  • NC-112117 [RED] Editing the details of a RED in XG firewall caused the firewall to become unresponsive.
  • NC-112621 [RED] Unable to edit some RED Interfaces
  • NC-113005 [RED] RED : Handle SigPipe in RED Service
  • NC-117243 [RED] Disable DHE ciphers support for RED
  • NC-117786 [Reporting] Security Audit Report score data differs between hat is seen on the Firewall versus what is received via email
  • NC-111110 [SDWAN Routing] Import/Export does not reflect changes in SD-WAN PBR Profiles
  • NC-112722 [SDWAN Routing] garner.log is flooded with the continuous logs for cache failures
  • NC-114075 [SDWAN Routing] Issue with connectivity when using IPsec RBVPN with SD-WAN Routes/Profiles
  • NC-107178 [SecurityHeartbeat] Improve license enforcement message for synchronized security
  • NC-116531 [SecurityHeartbeat] Cannot access resources for sometime when heartbeat is configured
  • NC-117680 [SecurityHeartbeat] Ipset hb_green entry removed without cause
  • NC-111441 [SSLVPN] SSLVPN RA not working after upgrade
  • NC-112065 [SSLVPN] When azure AD is used as the “authentication type” , the authentication=>services tab goes in buffering stage Sophos Firewall SSD firmware upgrade 19 and 20
  • NC-112211 [SSLVPN] /conf/certificate/openvpn directory is missing
  • NC-114163 [SSLVPN] Connections from LAN to static SSLVPN IP are routed through WAN on XGS
Spread iiQ8

January 25, 2024 8:07 AM

77 total views, 0 today