Firmware Auto Update Feature in SonicWall
Description
Keeping your SonicWall firewall firmware up to date is one of the most critical steps you can take to protect your network. Outdated firmware can expose your organization to known security vulnerabilities that attackers actively exploit.
SonicOS Gen 7 (version 7.1.1 and later) and GEN8 (8.0.0 and later) include an Automatic Firmware Upgrade feature that handles the entire update lifecycle for you:
Note: Starting with SonicOS 7.3.0, automatic firmware updates are enabled by default for greenfield deployments (new out‑of‑box setups). For brownfield deployments, users are prompted on first login to choose whether to enable automatic updates when upgrading from version 7.2.1 or earlier.
This behavior mirrors the GEN8 experience, where automatic updates were enabled by default starting with version 8.0.0, and SonicWall provided a pop‑up during the first login, allowing users to modify this setting.
Summary
|
Generation |
Firmware version |
Behavior |
|
GEN6 |
6.X |
This feature is not supported on GEN 6/6.5 and older Generation firewall models. |
|
GEN 7 |
7.0.1 & below |
The Auto-update feature is not available. |
|
GEN7 |
7.1.X 7.2.X |
The Auto-update feature was introduced with the check for available updates enabled. |
|
GEN7 |
7.3.X & above |
The auto-update feature has been enabled by default for critical-channel on new installs. In existing configurations, users are prompted to configure. |
|
GEN8 |
8.x |
The auto-update feature has been enabled by default for critical-channel on new installs. Existing configurations, users are prompted to configure. |
Note: NSM 3.5 & above supports automatic updates for NSM-managed firewalls running SonicOS 7.3.0 and later images.
How It Works
Your SonicWall firewall communicates with the SonicWall Update Server to check whether a newer firmware version is available. The check is tailored to your specific appliance based on its serial number, current firmware version, and configured update channel.
Updates flow through four automatic stages:
|
Stage |
Name |
What Happens |
|
1 |
Check |
The firewall queries the Update Server on a scheduled basis for firmware relevant to your appliance. |
|
2 |
Notify |
If a newer version is found, a notification badge appears in the top-right corner of the SonicOS management interface. |
|
3 |
Download |
The firmware image is downloaded directly to the appliance — automatically (if enabled) or manually by an administrator. |
|
4 |
Install |
The downloaded image is installed either automatically during a scheduled maintenance window, or manually at the administrator’s discretion. |
Tip: Your firewall must have outbound internet access (or a routed path to the SonicWall Update Server) for this feature to work. The appliance also must be registered on MySonicWall — unregistered firewalls cannot download updates.
Understanding Update Channels
The Update Channel controls which firmware stream your appliance subscribes to. Choosing the right channel ensures you receive the updates that are appropriate for your environment.
|
Channel |
Description |
|
Stable/Default |
Standard, fully validated firmware releases. Recommended for most production environments. This is the default channel. |
|
Critical |
Urgent security and reliability patches only. Ideal for environments where minimizing update frequency is a priority, but critical vulnerabilities must still be addressed quickly. |
Note: Customers are recommended to use the Stable/Default channel to stay current with all improvements, or the Critical channel if they prefer a more conservative update cadence.
Default Settings
The table below shows how the auto-update feature is configured on a new SonicOS 7.3.0 or later deployment. For appliances upgraded from an earlier version, some settings may differ until you configure them.
|
Setting |
Default Value |
|
Check for available updates |
Enabled |
|
Automatically download updates |
Enabled |
|
Critical updates only |
Enabled (starting 7.3.0 & above) |
|
Automatic installation |
Enabled |
|
Installation schedule (Local firewall time) |
Saturday, 1:00 AM – 2:00 AM |
Resolution
Configuring Auto-Update in the GUI
All auto-update settings are available in a single location in the SonicOS management interface.
Open the Firmware Auto-Update Settings
- Log in to the SonicOS management interface.
- Navigate to Device | Firmware & Settings.
- Click the Settings tab, then select the Firmware Auto-Update sub-tab.
Configure Update Checking and Download
|
Option |
Recommended Setting |
What It Does |
|
Enable firmware auto-update check |
On |
Allows the firewall to periodically poll the Update Server for newer firmware. |
|
Enable automatic download |
On |
Downloads the firmware image to the appliance automatically when an update is available. |
|
Critical updates only |
On |
Limits automatic activity to critical security updates. Stable updates can still be installed manually. |
Configure Automatic Installation (Recommended)
- On the Firmware Auto-Update tab, enable Automatic Firmware Installation.
- Review the Firmware Install Hours schedule. The default is Saturday from 1:00 AM to 2:00 AM.
- To change the maintenance window, go to Object | Match Objects | Schedules and edit the Firmware Install Hours schedule object.
Caution: Reboot Required: Firmware installation requires the firewall to reboot. Plan your maintenance window for low-traffic hours to minimize impact on users and connected devices.
Using the Firmware Update Notification
The SonicOS management interface displays a firmware update notification icon in the top-right corner. The icon state changes to alert you when action is available. Clicking the notification icon opens a status panel with a context-aware action button:
|
Notification State |
Action Button |
|
No update has been checked yet |
Check for Available Updates — triggers an immediate check. |
|
An update is available but not yet downloaded |
Download the Update — starts the download to the appliance. |
|
An update has been downloaded and is ready |
Update Now — takes you to Firmware & Settings to review and install. |
High Availability (HA) Deployments
If your SonicWall is deployed in an HA pair, the auto-update feature is designed to work seamlessly without any additional configuration:
- The active firewall handles all firmware checks, downloads, and installations.
- Auto-update configuration is automatically synchronized from the active unit to the standby unit through the standard HA sync mechanism.
- The standby unit does not independently check for or download updates, preventing duplicate operations.
Note: HA behavior is fully automatic. Simply configure auto-update on the active firewall and both units will stay in sync.
Frequently Asked Questions
- Will the firewall reboot during an automatic installation?
Yes — installing new firmware requires a full reboot of the appliance. The default maintenance window (Saturday, 1:00 AM – 2:00 AM) is chosen to minimize disruption.
Note: This time window follows the firewall’s configured system time zone. You can change this schedule at any time under Object | Match Objects | Schedules. - Can I still install firmware manually?
Yes. Once a firmware image is downloaded (automatically or manually), it appears on the Device > Firmware & Settings page and can be installed at any time, just as you would install a firmware image obtained from MySonicWall. - What happens if the firewall loses connectivity during a download?
The download will be interrupted. The appliance will automatically attempt the download again on the next scheduled check cycle. No manual intervention is needed. - Does auto-update work if I manage my firewall through Network Security Manager (NSM)?
The firewall’s built-in auto-update feature and NSM-managed firmware updates operate independently. If you use NSM to push firmware updates, we recommend reviewing the NSM documentation and aligning your update strategy to avoid conflicts. - Do I need an active support license for auto-update to work?
Your firewall must be registered on MySonicWall to download firmware from the Update Server. If your support contract has lapsed, you may see a notification in the interface indicating that the feature is limited. Contact SonicWall Support or your reseller to renew your service agreement. - What is the difference between a greenfield and brownfield deployment?
Greenfield deployment: A brand-new firewall running SonicOS 7.3.0 or later straight from the factory. Auto-update is enabled by default.
Brownfield deployment: An existing firewall that has been upgraded to SonicOS 7.3.0 from an earlier version (e.g., 7.2.1). On first login after the upgrade, a prompt will appear asking if you want to enable auto-updates. We recommend enabling it.
