Astaro ASG Sophos UTM went to version 9 a few months ago. With it came loads of features, but I want to focus on the “reserve node” feature in a High Availability configuration.

Sophos releases new features and bug fixes on a regular basis, so I recommend you review what’s in the new versions under the Up2date section.
The “keep node(s) reserved during up2date” feature appeared in version 9 and upgrades ONLY the master node, so you can switch back in case of an emergency. You can find the feature under Management > HA > configuration:


After updating the system from v9.003 to v9.004 this will give me:


If I shut down the master, I will be running v9.003 again:


Some considerations though:

  • Even though a failover/switchover will be very quick, this will interrupt your connections for a brief moment.
  • Rebooting Node2 will switch the master momentarily to Node1 during the reboot, but it will switch back to Node2 after Node2 comes back online. So if you want to run the older version, be sure to shut down the node with the newest version.

Update: I saw that this post didn’t say whether the master or the slave will be updated first. Here’s the answer:


  1. […] The details; – The system is hosted in VM's. – the upgrade was performed according to UTMv9 Reserve node feature in HA | – The upgrade was from 9.004-33 to 9.106-17. – The update of the slave node was performed 2 days […]

  2. Shahin

    Hi, thank you for this nice article.

    We have 2 sg330 and both are set up in Active/passive mode, and now in the webadmin console I see 2 updates are available.
    We want first to update the master and some days later update the slave.
    If I understood you correctly we can enable the option keep the node……
    Then schedule the update to be installed.
    After that, say a week later, we can go to HA management and use upgrade Node (slave node), then both devices are on the same version, and if we don’t like the new version just reboot the node with the higher version (in this case the master) and then both nodes are again running the older version. Is this correct?


    1. Dennis Pennings

      Hi Shahin, I already responded to your earlier question; if you need more info let me know.

  3. Shahin


    I don’t know if my question was removed or something else is wrong; anyhow, I ask one more time.

    My SG230 are in HA active/passive mode. I see 2 updates available and I want to install the update first on one and next week on the second one.
    Can we just enable the above option, install the updates, and next week if everything works then we should just run the upgrade node, right?

    Why in your last screenshot node slave shows up2date instead of active or ready?


    1. Dennis Pennings

      I’m sorry if you had to repost twice, we get quite an amount of spam in the comments and I guess your post didn’t make it or was accidentally marked as spam.

      Yes, if you have the checkbox “reserve node” enabled, you can update just one node and do the other node next week. If something breaks, you can enable the node; you do this by turning the node with the newer firmware off. Keep in mind though that you can’t roll back by pressing a button. Although adding a slave node takes only 5m, you do have to do a reinstall if you want that node to have a lower firmware version if there is a newer version installed.

      I don’t understand your last question though, could you clarify a bit?

      1. Dennis Pennings

        I think I understand your question now; the last screenshot is meant to show that the slave node will be the first to be updated by up2date. After a successful update on the slave node, the node reboots and takes over and will be the master.
