
Sophos Firewall v22 MR1: Upgrade Now or Wait?
With Sophos Firewall v22 MR1, the first maintenance release for the v22 line finally arrived on April 20, 2026. And honestly, many admins have been waiting for exactly this release.
From the start, v22 looked technically ambitious. Secure by Design, Health Check, a stronger control-plane foundation, a hardened kernel, and more audit depth. On paper, that looked good. In practice, the launch was rough. I already covered that phase in my earlier post about Sophos Firewall bugs from v21.5 to v22.
That is why MR1 is not just “the next release”. It is the point where many teams start asking a practical question: is this finally the moment when v22 becomes a serious production upgrade candidate?
My short answer is: for some environments, yes. Blindly and untested, still no.
The Most Important Points
- v22 MR1 is Build 490 and fixes many of the real-world issues that were still present in v22 GA and the re-release Build 411.
- The most relevant areas are policy-based IPsec, bridge routing after upgrades, HA stability, PPPoE edge cases, WAF, SSL VPN, and several authentication issues.
- At the same time, MR1 still comes with clear upgrade caveats: legacy remote access IPsec is gone, disk-space checks still matter, and XG/SG hardware remains unsupported.
- If you are already on v22 and dealing with concrete problems, MR1 deserves serious attention.
- If you are stable on 21.5, I would still test properly instead of clicking upgrade on day one.
Why MR1 Matters So Much
When a vendor publishes a major release, then a re-release, and shortly after that the first maintenance release, that usually tells you something. With Sophos, that is exactly what happened.
The original v22 GA Build 365 was replaced in January 2026 by the GA re-release Build 411. Sophos already fixed a number of painful problems there, including bridge web admin access, DNAT issues with specific outbound interfaces, CLI log spam with “Invalid rule id or family for update”, broken SNMP configuration, and problems in the policy test tool. That helped, but it still did not feel calm.
MR1 feels more like the release many admins probably expected from v22 in the first place: less slideware, more operational cleanup.
What Actually Gets Better In v22 MR1
The value of MR1 is not one flashy new feature. The value is that Sophos removes friction in several important areas at once.
Policy-Based IPsec Finally Gets Attention
Anyone who used policy-based IPsec on v22 GA had a fair chance of hitting trouble. In the official release notes, Sophos lists multiple fixes exactly in this area. Examples include tunnels showing as up while traffic did not flow, wrong interfaces shown in diagnostics route lookups, wrong SNAT IPs over MPLS, and web admin access to branch firewalls breaking after upgrades over policy-based IPsec.
That block is the most important part of MR1 for me. VPN problems are never “just a detail”. Once site-to-site connectivity, branch access, or SD-WAN paths depend on them, a firmware bug quickly becomes a real operations problem.
Bridge, Routing, and Firewall Issues Were Tightened Up
MR1 also addresses several issues that hurt immediately in real networks. Sophos explicitly mentions:
- unreachable subnet communication over bridge interfaces after upgrading to v22 GA
- ping problems over backup WAN in diagnostics
- unexpected HA state changes followed by restarts
- PPPoE-related issues in policy testing
- export problems for firewall rules
On paper, that sounds like a collection of small bugs. In practice, it is exactly the kind of bug cluster that makes change windows more expensive than they should be.
WAF, SSL VPN, and Authentication Also Benefit
MR1 includes fixes in areas that almost nobody running real services can treat as optional. Sophos lists issues such as:
- CAPTCHA deactivation for the VPN zone not working properly for SSL VPN users in v22 GA
- Azure AD SSO for the user portal redirecting to a 404 page
- OAuth certificate and API/MFA issues
- periodic SSL VPN service restarts in certain scenarios
- problems downloading mobile IPsec configurations because of wrong certificate permissions
If you have external users, VPN clients, or WAF-published applications on the firewall, MR1 removes several operational stumbling blocks here as well.
HA and Storage Still Matter
I also think it matters that Sophos keeps working on overall stability in the MR1 cycle. There are fixes around HA recovery after power loss, HA registration in Sophos Central, system traffic over dedicated links, upgrade failures on passive devices, and high system load caused by logging and disk issues.
This is not exciting release marketing. That is exactly why it is relevant.
What MR1 Does Not Solve
I would still avoid telling the romantic story that MR1 suddenly makes everything green. It does not. This release still has points you should check deliberately before upgrading.
Legacy Remote Access IPsec Is Now a Hard Blocker
This is probably the most important upgrade warning in the current release notes. Sophos explicitly states that the legacy variant of remote access IPsec is no longer supported in SFOS 22.0 MR1. Even more important: firewalls that still contain this legacy configuration cannot be upgraded to MR1.
If you still carry historical remote-access IPsec setups with third-party clients, do not just skim over this. Check it actively. Otherwise, “we will quickly do the MR tonight” becomes an unnecessarily long maintenance window.
Disk Space and Root Resize Still Matter
The second known v22 topic also remains: extra disk space. Sophos still points out that SFOS 22.0 and later need more space and that some appliances or virtual/software deployments may require manual preparation before upgrading.
Even if enough space is available, upgrades can take longer because the root partition is resized. Sophos says this can add two to ten minutes. For a small home office that is a footnote. For HA pairs in production or tight maintenance windows, it is a planning detail.
XG and SG Stay Out
This is not new, but it still needs to be said in practice: SFOS 22.0 GA and later, including MR1, does not support XG and SG hardware anymore. If you still have older appliances in labs or remote sites, you do not want to discover that during an actual upgrade window.
Policy-Based IPsec Still Deserves Caution
Precisely because MR1 fixes several policy-based IPsec issues, I also see that as a reason for caution. If you run production-specific routes, MPLS, branch routing, third-party peers, or admin access through these tunnels, then test MR1 there on purpose.
A green tunnel is not enough. What matters is whether real traffic, return path, SNAT behavior, diagnostics, GUI access, and failover all behave as expected.
My Practical View
If I reduce it to the question many teams are asking right now, it is this:
Is v22 MR1 the first reasonable upgrade candidate for teams that intentionally skipped v22 because of GA and Build 411?
I would say yes, in many cases.
Not because Sophos suddenly became flawless. But because MR1 now visibly cleans up the parts of v22 that hurt in day-to-day operations: bridge behavior, IPsec, HA, auth, WAF, SSL VPN, logging, and several UI and routing corners. That is different from a purely cosmetic maintenance release.
Still, I would separate two groups clearly.
Who Should Look at Upgrading
- teams already on v22 Build 411 and stuck with concrete bugs
- environments waiting for selected v22 features but held back by early instability
- admins who need better behavior in policy-based IPsec or certain auth and portal scenarios
Who Should Stay In the Lab First
- stable 21.5 installations with no immediate feature pressure
- environments still using legacy remote access IPsec
- setups with sensitive WAF, MFA, or SSO chains
- HA clusters that already behaved badly in earlier firmware phases
What I Would Check Before Upgrading
Before rolling out MR1 in production, I would check these points:
- verify whether legacy remote access IPsec still exists in the configuration
- export backups and think through the restore path seriously
- confirm free disk space and any resize-related warnings
- in HA setups, test failover instead of trusting status icons
- for policy-based IPsec, verify real traffic and not only tunnel status
- for WAF, portals, and SSL VPN, test login, MFA, redirects, and certificates with real users
- for PPPoE or specific WAN scenarios, validate both policy tests and real flows
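One way to make "verify real traffic and not only tunnel status" repeatable is to record which services answer before the upgrade and compare afterwards. The following is an added example, not Sophos tooling and not code from this post; the target names, addresses, and ports in CHECKS are constructed placeholders you would replace with services behind your own tunnels, WAF, and WAN paths.

```python
import json
import socket
import sys

# Constructed targets: services that are only reachable through the path named
# in "via". Names and addresses are placeholders (RFC 5737 documentation range).
CHECKS = [
    {"name": "branch1-fw-webadmin", "via": "ipsec-branch1", "host": "192.0.2.1", "port": 4444},
    {"name": "branch1-fileserver", "via": "ipsec-branch1", "host": "192.0.2.10", "port": 445},
    {"name": "waf-published-app", "via": "waf", "host": "198.51.100.20", "port": 443},
]


def tcp_probe(host, port, timeout=3.0):
    """True only if the TCP handshake completes, which needs forward and return path."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def run_checks(checks, probe=tcp_probe):
    """Probe every target and return {check name: reachable}."""
    return {c["name"]: probe(c["host"], c["port"]) for c in checks}


def compare(baseline, current):
    """Sort each check into ok / regressed / fixed / still_failing."""
    report = {"ok": [], "regressed": [], "fixed": [], "still_failing": []}
    for name, before in sorted(baseline.items()):
        after = current.get(name, False)
        if before:
            report["ok" if after else "regressed"].append(name)
        else:
            report["fixed" if after else "still_failing"].append(name)
    return report


if __name__ == "__main__":
    # Usage: script.py baseline|verify [state file]
    mode = sys.argv[1] if len(sys.argv) > 1 else "verify"
    state = sys.argv[2] if len(sys.argv) > 2 else "pre_upgrade.json"
    results = run_checks(CHECKS)
    if mode == "baseline":          # run before the maintenance window
        with open(state, "w") as fh:
            json.dump(results, fh, indent=2)
    else:                            # run after the upgrade
        with open(state) as fh:
            report = compare(json.load(fh), results)
        print(json.dumps(report, indent=2))
        sys.exit(1 if report["regressed"] else 0)
```

A completed handshake shows that forward and return path work for that service; SNAT addresses, logins, MFA, redirects, and HA failover still need the manual tests listed above.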
And one more thing: if you mostly looked at v22 through the new Health Check, do not confuse the technical and the operational layer. The Health Check in v22 is useful, and I covered it in detail here: Sophos Firewall v22 Health Check - Complete Overview. But a green Health Check does not replace a serious upgrade test.
Conclusion
From my perspective, Sophos Firewall v22 MR1 is the first release in the v22 line where an administrator starts thinking “this is worth a serious look” instead of “please wait a bit longer”.
That is a good sign. But it is not magic.
If you are already struggling with v22 issues, MR1 deserves close attention. If you are stable on 21.5, do not let the name “maintenance release” create false confidence. This upgrade still deserves preparation, testing, and a real fallback plan.
That is exactly how I would treat it: not as an emergency, not as a no-brainer, but as what it is. The first genuinely interesting upgrade candidate since the rough start of v22.
Until next time,
Joe


