Understanding user feedback on Sophos Firewall v22

I upgraded lab kit and a spare appliance to Sophos Firewall v22 and kept notes on what worked and what did not. I will call out the practical bits first. Health Check and the Sophos XDR Linux Sensor are the two features everyone mentions. Read the release notes, back up your configuration, check available disk space, and slot the upgrade into a maintenance window. These are the essentials behind the Sophos Firewall v22 user experiences I saw and read about.

Community feedback I saw focused on a few repeating points. Several admins reported the Health Check surfaced configuration and disk issues straight away. The XDR Linux Sensor added remote integrity monitoring, so it alerted on unexpected configuration exports and file tampering in some setups. People also flagged that SFOS 22 needs extra disk space compared with older releases, so low-capacity appliances saw warnings. Practical configuration tips from early adopters included testing the XDR sensor in a non-production box first, keeping an eye on log growth after the upgrade, and confirming support entitlements if you want the free upgrade path that Sophos documents for Enhanced and Enhanced Plus customers. My own setup showed Health Check highlighting older log archives; clearing or moving those files fixed the immediate space warning.

Here are the configuration tips and security practices I use and recommend. Lock management interfaces to a few management IPs and put the admin UI on a management VLAN. Turn on two-factor authentication for admin accounts. Install the XDR sensor and tune its rules so you only get meaningful alerts. Clean up the rule base: remove rules unused for 90 days, rename vague policies so their purpose is clear, and split broad allow rules into tighter source/destination pairs. Turn on logging for denied traffic; forward logs to a central collector or SIEM for longer retention and easier searching. Use scheduled exports of the configuration and store them off-box. If you use NAT and stepping policies, keep NAT rules ordered logically so traffic hits intended rules, and avoid Any-to-Any rules unless absolutely necessary. Those are simple steps that improve security posture and make troubleshooting faster.
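The rule-base clean-up above can be run as a repeatable check. This is an added example, not part of the original post or any Sophos tooling; the CSV columns, the `accept`/`drop` action values, the vague-name word list and the sample rows are all assumptions built for illustration, so map them to whatever rule inventory you actually keep.

```python
import csv
import io
from datetime import date, timedelta

# Constructed sample: a rule inventory you maintain or derive from your own
# export. Column names and values are assumptions, not a Sophos export format.
SAMPLE_RULES = """\
name,action,source,destination,service,last_hit,log_traffic
Rule 1,accept,Any,Any,Any,2025-11-30,no
LAN-to-DNS-resolvers,accept,LAN_clients,DNS_servers,DNS,2025-12-01,yes
test,accept,10.0.5.0/24,Any,HTTPS,2025-06-14,yes
Old-vendor-VPN,accept,Vendor_net,ERP_server,TCP/1433,,yes
Block-guest-to-LAN,drop,Guest,LAN_clients,Any,2025-12-02,no
"""

VAGUE_NAMES = {"test", "temp", "new", "allow", "rule"}  # assumed word list
STALE_AFTER = timedelta(days=90)  # the 90-day threshold from the text


def audit_rules(csv_text, today):
    """Return {rule name: [findings]} for rules that need review."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        allow = row["action"].strip().lower() == "accept"
        src_any = row["source"].strip().lower() == "any"
        dst_any = row["destination"].strip().lower() == "any"
        # No recorded hit, or none within 90 days: candidate for removal.
        hit = row["last_hit"].strip()
        if not hit or today - date.fromisoformat(hit) > STALE_AFTER:
            issues.append("unused-90d")
        # Any-to-Any allow is the worst case; a one-sided Any should be split.
        if allow and src_any and dst_any:
            issues.append("any-to-any-allow")
        elif allow and (src_any or dst_any):
            issues.append("broad-allow")
        # A placeholder word plus optional digits says nothing about purpose.
        stem = row["name"].strip().lower().rstrip("0123456789 -_")
        if stem in VAGUE_NAMES:
            issues.append("vague-name")
        # Denied traffic should be logged so blocks show up in the SIEM.
        if not allow and row["log_traffic"].strip().lower() != "yes":
            issues.append("deny-not-logged")
        if issues:
            findings[row["name"]] = issues
    return findings

if __name__ == "__main__":
    print(audit_rules(SAMPLE_RULES, date(2025, 12, 3)))
```

Rules with an empty `last_hit` are treated as stale on purpose: a rule that has never matched is the first one to question.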

Troubleshooting and upgrade order deserve a short, practical list. Read the upgrade notes for HA advice, and test the process in a lab if you can. Back up configs and verify the backup can be restored. Check available disk space before you start; free up archives if needed. If XDR does not auto-install, download the sensor package and install it manually, then check the sensor status in the system dashboard. If Health Check shows failing items after upgrade, record the messages, address the highest-severity items first, and re-run the health scan. Keep an eye on CPU and memory in the week after upgrade; extra monitoring and log forwarding often uncover config items that need tuning. For verification, check that firewall rules behave as expected, that VPN tunnels come up, and that user authentication still works. If something breaks, restore the config to the pre-upgrade backup and test again in a controlled window.

Concrete takeaways from my time with v22 and the community chatter. Treat the upgrade as operational work, not a routine patch. Back up and test restores. Check disk space and log retention. Test XDR in a lab and tune alerts before you trust them. Keep the rule base tidy and give rules clear names. Use Health Check as an early warning system, not the final word; investigate each flag. Those steps reduce surprises and make the security and monitoring improvements in v22 actually useful rather than noisy.
