I keep this short and practical. You have an XGS126 on 19.5.x and you want to move to 21.5. The SSD firmware has already been updated on that device. I’ll walk through the prep I do, the upgrade process I follow, common pitfalls I watch for and the tests I run afterwards. No waffle, just steps that save time.
Start by confirming the exact firmware on the box from the admin console. Export a full configuration backup and store it off-box. I always take two copies, one on a USB stick and one on an internal file server. Check the release notes for the 21.5 series and for any specified upgrade path. If the vendor calls for an intermediate install, follow it rather than skipping. Sophos publish release notes that show required upgrade steps and compatibility; read them before clicking update. Make sure the XGS126 has the SSD firmware level that later SFOS releases expect. Sophos advise a specific SSD firmware update for some 19.5/20.x upgrade scenarios, so check that guidance first. If the SSD firmware is missing, the firewall can fail to boot after the OS upgrade [https://docs.sophos.com/releasenotes/output/en-us/nsg/sf_215_rn.html] [https://support.sophos.com/support/s/article/KBA-000009132]. Plan a maintenance window. For a single-site XGS126 allow 30 to 60 minutes. Allow extra time for post-upgrade tests. Make sure you have direct console access or a local keyboard/monitor path. Remote GUI alone is a risk if something goes wrong.
On the day, confirm the backup still restores and that the configuration file size looks normal. If you need an intermediate firmware, upload that first and let the appliance settle. I upload the firmware file to the device, start the installer from the admin UI and watch the bootstrap messages on the console. Do not interrupt power. Watch the serial or local console for errors that the web UI will miss. The upgrade process will reboot the appliance once or twice. After the device comes back, give it a few minutes to restart services. Check that the management interface is reachable. Verify HA peers if in HA. For a Sophos XGS126 check that your VLANs, firewall configuration and VPNs come back intact. Test a few real flows: ping the gateway from a workstation, perform a web browse that uses the firewall policy you rely on, and test any site-to-site VPNs or authentication proxies. If you use SFP+ ports, verify link speed and throughput on a known-good link. Note exact pass/fail results and timestamps.
Common firmware pitfalls I see are: skipped intermediate upgrades that cause service mismatches, missing SSD firmware that prevents boot, and changed defaults in the new firmware that affect packet flow. If something breaks, capture the serial log, export the system logs and keep the configuration backup handy. Restore the backup only after confirming the firmware settled, and avoid restoring a config from a much older major version without checking compatibility. If the device will not boot, use the Sophos recovery instructions and the installer images from Sophos support. When in doubt, include the serial number, model, exact original firmware and target firmware in any support request.
Document every step as you go. Note filenames, checksums, timestamps and the result of each smoke test. That record is the thing that speeds up recovery if the upgrade goes wrong. The simplest takeaways: read the release notes, verify SSD firmware first, back up twice, have console access and test real traffic after the upgrade. That approach keeps the Sophos XGS126 firmware upgrade predictable and quick.
