How to Backup, Upgrade and Recover Sophos UTM Offline

Upgrading to the latest version of Sophos UTM is always a worthwhile exercise, however you may want to first perform this upgrade in a sandboxed lab environment. There is the Up2Date feature, where updates can be downloaded and installed automatically, but this requires an active Internet connection. What if your Sophos UTM is offline?

If your test environment is virtualized (recommended), there is a relatively simple process to upgrade your Sophos UTM offline. The same process can also be used to recover a device should you lose the Sophos UTM's configuration for whatever reason.

In this article I will upgrade a virtualized Sophos UTM running on Hyper-V, but you can apply the same concepts for VMWare. See my article on deploying Sophos UTM on Hyper-V for a detailed guide on getting started on Hyper-V.

Step 1.  Download the latest Sophos UTM ISO

The Sophos UTM ISO images are often updated. At the time of writing this, the latest available version was asg-9.205-12.1.iso  The newest version of the UTM is always available from https://download.astaro.com/UTM/v9/software_appliance/iso/

Step 2. Backup the Sophos UTM configuration

You can check to see what the currently installed firmware version is from the dashboard.

It is a good idea to have your management interface configuration documented before you proceed.  Take note of the adapter hardware and the IP configuration. To do this:

1. Go to Interfaces and Routing and select Interfaces
2. Click the Edit button on the Internal Interface
3. Take note of the configuration

Next, you will create the configuration backup file, and shut down the Sophos UTM ready for upgrade.

1. Select Management | Backup/Restore
2. In the create backup section, enter a comment
3. Click Create Backup Now. Sophos UTM will create a backup that you can use to restore the UTM's configuration.
4. Click the blue download icon on the backup to download and save your configuration file.
5. Shut down the UTM by going to Management | Shutdown/Restart and click the Shutdown button

Note:  This backup process does not back up any of your log data. If you rebuild the VM at this point, it will not retain the logs. If however you are using Sophos Reporter, you already have your logs exported to a powerful reporting tool, because of this the need to retain logs on the device during an upgrade is mitigated.

Step 3. Upgrade the Sophos UTM with the new firmware

The upgrade process is as simple as building the newer version of the UTM and restoring the backup to it.

Since we are using a virtual machine, we have the advantage of simply creating a new virtual hard drive while keeping the old one. This makes it easy for us to roll-back if needed, and it allows us to keep the hardware configuration, especially the NICs, unaltered.

First, from the Hyper-V Management Console go to the properties of your UTM virtual machine, and create a new blank virtual disk:

1. Expand IDE controller and select the hard drive
2. Click the New button
3. Accept the defaults (except the file name) to create a new virtual disk

Next, attach the ISO:

1. Select the DVD drive
2. Select the Image File as the media type
3. Browse to the Sophos UTM iso file you downloaded earlier
4. Apply the changes and start the virtual machine

You can now connect to the VM through the Hyper-V Console and start the build process. For detailed information on this, please refer to my previous post: How to deploy Sophos UTM on Hyper-V in 7 simple steps.

During the build process, you will need to specify the management interface and IP.  This should be the same as when you did the backup as noted in step 1 above.

Let the build process complete, reboot and then log into the management interface.

Step 4. Restore the Sophos UTM Configuration

Now the initial build process has completed, you will need to complete the basic system setup, then restore from your backup:

1. Accept the license agreement and click the Perform basic system setup button
2. Log in as admin
3. On the first screen select Restore a backup and click Next at the bottom of the screen
4. Upload the backup file you saved in the step 1 above.
5. Click Finish

Once this is done you will be logged out. Give the process a minute to apply all the setting from the backup and then log back in again.

If you look at the dashboard now you should see updated Firmware version and the UTM should be configured with all of your previous settings.

I hope this helps anyone looking to upgrade or restore their Sophos UTM virtual appliance. If you have any questions, let me know in the comments!