Avanet

Open a Sophos support ticket: preparation and portal

A Sophos support ticket leads to useful results more quickly when the most important information is prepared cleanly before it is opened. For Sophos Firewall this mainly means serial number, model, firmware version, license status, time of the error, affected function, logs, screenshots and the checks already performed.

This guide explains when a Sophos Support Case makes sense, which details should be prepared, and how to open the ticket in the Sophos Support Portal in a traceable way. For classifying the different Sophos access points, see also Sophos portals: SophosID, Central, support and firewall access.

When a Sophos support ticket makes sense

A Sophos support ticket makes sense when a problem can no longer be clarified locally through configuration, logs or known operational processes alone.

Typical cases:

  • hardware defect, RMA or suspected defective appliance
  • license or account problem with a specific serial number
  • firmware, hotfix or upgrade problem
  • recurring service crash or unclear system state
  • VPN, WAF, HA, RED or routing problem that persists after initial local troubleshooting
  • error that still looks like a product issue after the logs were reviewed and the error was reproduced
  • support request where Sophos needs access to internal analysis data

Before opening a ticket, the obvious local checks should be performed. For Sophos Firewall this does not mean everything must already be solved. But the more precisely the initial situation, time window and affected function are described, the fewer follow-up questions are needed.

What Sophos Support does not replace

Enhanced Support is not a free configuration service. A Sophos support ticket should be opened when a firewall function no longer works properly or when a specific product, license, hardware or software error is suspected.

A Sophos support ticket is not useful when only the required knowledge for a desired configuration is missing. Typical examples are:

  • planning a new VPN topology
  • structuring firewall rules cleanly
  • setting up NAT or WAF for a new service
  • reviewing an HA design
  • assessing a routing concept or VLAN architecture
  • rebuilding an existing configuration according to best practices

In such cases, Avanet Support is the better contact. The firewall can then be checked, planned or configured as requested under Avanet support conditions. Sophos Support primarily helps with technical product cases where a feature does not work despite correct configuration, or where an appliance, license or cloud assignment has a problem.

Enhanced Support, Incident Levels and target times

Enhanced Support improves the support entitlement and response targets, but it does not replace a clean problem description. The target times are response targets, not guaranteed resolution times. A complex VPN, HA or routing problem can still take longer despite a quick first response if logs, reproduction or remote access are missing.

The following values are guidance for Enhanced Support:

| Incident Level | Typical classification | Target response time |
| --- | --- | --- |
| P1 | total production outage or major security incident without a practical workaround | 30 minutes |
| P2 | strong production impact, multiple users or critical services affected | 2 hours |
| P3 | technical problem with limited impact or existing workaround | 4 hours |
| P4 | low impact, general technical question or non-time-critical problem | 24 hours |

Sophos also uses Severity levels in the support process. Depending on region, support entitlement and case type, these names and target values may be shown differently in the portal:

| Severity | Typical meaning | Target according to Sophos Support Guide |
| --- | --- | --- |
| Critical | severe production outage, no workaround, immediate handling required | 4 hours, with 24/7 handling where available |
| High | significant impairment of production systems | 8 business hours |
| Medium | limited function, workaround possible or limited impact | 24 business hours |
| Low | low impact, general question or planning topic | 24 business hours |

Severity should be selected honestly according to the real impact. An overly high classification without a matching impact rarely helps, because Sophos will ask in the ticket about impact, reproducibility and affected services. If the case is business-critical, the description should clearly prove it: affected sites, number of users, missing workaround, timing, redundancy status and checks already performed.

Requirements

For a technical support ticket, the following are usually needed:

  • SophosID for the Support Portal
  • valid license or active support entitlement
  • affected serial number or account assignment
  • for partner cases: customer assignment and relevant license or serial number
  • product and model, for example Sophos Firewall XGS or virtual firewall
  • firmware version and build
  • short error description with impact
  • time window of the problem with time zone
  • available logs, screenshots or error messages

Sophos checks the license and serial number assignment in support cases. Without a matching license or serial number, a case can go to Customer Care for validation. This delays technical processing. If a partner opens the case for a customer, the customer assignment and affected license or serial number must also be stated clearly. If Avanet is to manage support cases on behalf of a customer, the customer must allow Avanet the corresponding partner access.

The firewall serial number can be found directly in the SFOS dashboard. The process is described in Find the Sophos Firewall serial number.

If the request concerns a hardware defect, the article What should I do if my Sophos hardware has a technical defect? should also be checked.

Classify support channels

Sophos offers several ways to contact support. Not every channel is equally suitable for the same purpose.

| Support channel | Suitable for |
| --- | --- |
| Sophos Support Portal | traceable technical Support Cases, attachments, RMA, longer analysis |
| Phone | urgent follow-up with an existing ticket number or contact when access problems exist |
| Digital Chat | quick orientation, portal or general support questions |
| Sophos Community | non-confidential questions, known symptoms, exchange with other admins |
| Sophos TechVids and Docs | how-to topics, configuration and known procedures |

For technical firewall cases, the Support Portal is usually the best starting point because the ticket number, history and attachments remain traceable there. Phone or chat are especially useful when an existing ticket must be prioritized urgently or a portal problem must be clarified.

The current contact options and phone numbers are on the official Sophos Support contact page. The general support overview remains available under Sophos Support.

Prepare account and partner access

A SophosID is required for the Support Portal. The account should match the company, license or Sophos Central tenant so that the affected products are visible. If the firewall is managed through a partner, it should be clarified before the actual support case whether the partner is allowed to manage cases.

If Avanet is to accompany a case on behalf of a customer or communicate with Sophos, access to the customer assignment must be allowed in the Sophos Support Portal. Sophos describes this step under Allow a Sophos Partner to manage your account.

In practice this means:

  1. Check SophosID.
  2. Have the affected license or serial number ready.
  3. If Avanet is to assist, prepare partner access in the Sophos portal.
  4. If Sophos needs remote access, prepare Support Access on the firewall.

Prepare before opening the ticket

A Support Case should be written so that support can classify the problem without guessing.

Technical key data

For Sophos Firewall, these details should be available:

  • serial number
  • model or platform
  • firmware version and build
  • license status or support plan, if relevant
  • HA status, if the firewall is part of a cluster
  • affected function, for example IPsec, SSL VPN, WAF, RED, Web Protection or Reporting
  • exact time of the error with time zone
  • affected users, networks, sites or services
  • last changes before the problem

For HA clusters, both nodes should be documented clearly. For classifying roles, serial numbers and HA operation, see Sophos Firewall HA cluster variants and operation.

Reproduction and impact

The description should not only say that something does not work. A short, verifiable description is better:

  • What was expected?
  • What happens instead?
  • Since when has the problem occurred?
  • Is the problem permanent or sporadic?
  • How can it be reproduced?
  • Which users or services are affected?
  • Is there a workaround?
  • How critical is the impact on operations?

If a ticket consists only of a screenshot and one sentence, support almost inevitably has to ask follow-up questions. That costs time, especially for VPN, routing or HA problems.

Logs and attachments

For firewall problems, logs are often more important than long assumptions. If the problem is reproducible, the error time window should be recorded as precisely as possible and the matching logs should then be saved.

Depending on the problem, the following are helpful:

  • screenshot of the error message
  • Log Viewer screenshot with filter
  • relevant service logs
  • Packet Capture or tcpdump if packet flow is unclear
  • firmware or license screenshot
  • short network diagram or affected IP addresses if routing is involved
  • description of the rules, NAT objects or VPN parameters already checked

For complete log archives, Save Sophos Firewall logs for support and analysis is the matching procedure. Which log file belongs to which module is summarized in Assign Sophos Firewall service logs correctly.

Not every attachment answers the same question:

| Question in the ticket | Suitable evidence |
| --- | --- |
| Which rule or module made the decision? | Log Viewer export, Rule ID, NAT ID, affected time period |
| Which service reports errors? | relevant service logs or complete /log archive |
| Does traffic arrive and continue? | Packet Capture in WebAdmin |
| Does support need a PCAP file? | narrow tcpdump capture, separate from the log archive |
| Did a change trigger the problem? | audit trail, change time, affected objects |

A broad log archive without an error time is often less helpful than a smaller data package with an exact time, clear reproduction and a matching capture. For packet-flow problems, the PCAP file should be handled separately from the log archive so it remains clear in the ticket which file contains service logs and which file contains network packets.

⚠️ Logs, screenshots and Packet Captures can contain internal IP addresses, public IPs, user names, host names, certificate details or other confidential information. Before uploading, it should be clear who receives the data and whether it must be sanitized first.
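
One way to sanitize a log excerpt before upload, as an added example that is not part of the original guide or of any Sophos tooling: internal addresses, public addresses and user names are replaced with consistent keyed tokens so that flows remain correlatable in the ticket. The key=value layout, the field names (user_name, src_ip, dst_ip) and the sample lines are assumptions constructed for illustration.

```python
import hashlib
import hmac
import ipaddress
import re

# Constructed sample lines. The key=value layout and the field names
# (user_name, src_ip, dst_ip) are assumptions for this example.
SAMPLE_LOG = (
    'date=2025-01-14 time=09:12:03 timezone="CET" fw_rule_id=12 '
    'user_name="j.doe" src_ip=10.20.30.41 dst_ip=203.0.113.10 dst_port=443\n'
    'date=2025-01-14 time=09:12:04 timezone="CET" fw_rule_id=12 '
    'user_name="j.doe" src_ip=10.20.30.41 dst_ip=198.51.100.7 dst_port=500\n'
    'date=2025-01-14 time=09:12:09 timezone="CET" fw_rule_id=0 '
    'user_name="" src_ip=192.168.5.9 dst_ip=10.20.30.41 dst_port=22\n'
)

# Explicit RFC 1918 list: Python's is_private also flags documentation ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Dotted quad that is not part of a longer dotted number such as 1.2.3.4.5.
IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?!\.?\d)")
USER_RE = re.compile(r'(user_name=")([^"]+)(")')


def sanitize(text, secret):
    """Return (sanitized_text, mapping). The mapping stays with the admin."""
    mapping = {}

    def token(kind, value):
        # Keyed HMAC instead of a plain hash: the IPv4 space is small enough
        # that unkeyed hashes can be reversed by hashing every address.
        mac = hmac.new(secret, f"{kind}:{value}".encode(), hashlib.sha256)
        mapping[value] = f"{kind}-{mac.hexdigest()[:8]}"
        return mapping[value]

    def replace_ip(match):
        try:
            addr = ipaddress.ip_address(match.group(0))
        except ValueError:
            return match.group(0)  # not a valid address, e.g. 1.2.3.999
        internal = any(addr in net for net in RFC1918)
        return token("INT" if internal else "EXT", str(addr))

    def replace_user(match):
        # Empty user_name="" does not match USER_RE and is left as it is.
        return match.group(1) + token("USER", match.group(2)) + match.group(3)

    # User names first, then addresses anywhere in the line.
    return IPV4_RE.sub(replace_ip, USER_RE.sub(replace_user, text)), mapping


if __name__ == "__main__":
    cleaned, local_map = sanitize(SAMPLE_LOG, b"constructed-demo-secret")
    print(cleaned)
    print(local_map)
```

The secret and the returned mapping are kept locally and not uploaded, so tokens that appear in the support reply can be translated back to the real hosts and users.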

Consolidated Troubleshooting Report

For device or system problems, Sophos may request a Consolidated Troubleshooting Report. In the firewall this can be found under Diagnostics > Tools. The report collects diagnostic information and relevant log data in a compressed archive.

Such a report is especially useful for:

  • service crashes
  • unclear system states
  • recurring errors after updates
  • problems Sophos cannot assess from a screenshot alone
  • support cases where several modules may be affected

The report does not replace a good error description. Time, time zone, affected function and reproduction steps must still be included in the ticket.

Support Access and Remote Assistance ID

For firewall cases, Sophos may ask for a Remote Assistance ID or for enabled Support Access. This allows Sophos to access the firewall for a limited time if this is necessary for analysis.

Support Access should only be enabled when it is needed for the specific case. After the support case is closed, access should be disabled again or at least checked. For the practical process, see Release Sophos Firewall Support Access for Avanet. The official Sophos documentation describes the general process under Support access.

The ticket should state:

  • whether Support Access is already active
  • Remote Assistance ID, if available
  • how long access has been enabled for
  • whether MFA or ACL rules affect access
  • whether there is a maintenance window for tests

Open a ticket in the Sophos Support Portal

The Sophos Support Portal is available at:

Sophos Support Portal

Sign in with the SophosID. Depending on the portal version, the interface may look slightly different, but the basic idea remains the same: create a new Technical Support Case, select the product, describe the problem and upload attachments.

A new technical Support Case is opened in the Support Portal. The exact interface can change with portal updates.

The process is usually:

  1. Sign in to the Support Portal.
  2. Open Support Cases.
  3. Create a new Technical Support Case.
  4. Select account, contact, Severity, subject and product category.
  5. Describe the problem and impact.
  6. Answer product-specific follow-up questions.
  7. Enter serial number or license number.
  8. Attach logs, screenshots, CTR or PCAP files.
  9. Submit the case and document the ticket number internally.

The problem should be described briefly but completely in the form. A meaningful subject is important. A subject such as "IPsec VPN fails after SFOS 22.0 MR1 upgrade on XGS 2100" is much better than "VPN problem".

In the first step, account, contact person, Severity, subject, description and product category are recorded.

Depending on the product category, Sophos asks for further details such as reproduction, impact, changes, logs, error messages and Remote Assistance ID.

If a field cannot be answered, "Not Applicable" is often better than an empty field. Empty mandatory fields otherwise quickly lead to follow-up questions or delay assignment.

What belongs in the description

A good description is short enough to read and specific enough to work with.

Practical template:

Product:
Serial number:
License number:
Model:
Firmware version:
Support plan:
Impact:
Start time and time zone:
Affected users/sites/services:
Recent changes:
Expected behavior:
Actual behavior:
Steps to reproduce:
Checks already performed:
Remote Assistance ID:
Attachments:

For firewall rule, NAT or VPN problems, the following should also be stated:

  • source and destination networks
  • affected service or port
  • expected firewall rule
  • NAT rule, if involved
  • VPN tunnel or remote access profile
  • Log Viewer result
  • Packet Capture or tcpdump PCAP if packet flow is relevant
  • Support Access ID if Sophos needs remote access

For rule analysis, Test firewall rule with Log Viewer, Policy Test and Packet Capture can help before the Support Case is opened.

RMA and hardware defect

For hardware defects, Sophos needs additional information for RMA processing. This includes not only the error description and serial number, but also model, revision, firmware, license, HA status and shipping information.

Prepare:

  • defective product and model
  • serial number of the affected device
  • firmware version
  • license number or license assignment
  • error description and points already checked
  • Dead on arrival if the device is affected immediately after delivery
  • HA cluster: yes or no
  • shipping address and contact person
  • phone number and email address
  • special shipping instructions

For firewalls, it should also be checked whether a current backup exists and how the replacement firewall will be restored. For backup and restore, see Backup and restore on Sophos Firewall.

For RMA cases, follow the current Sophos Support Portal and the response in the ticket. Community posts or older process descriptions may seem helpful, but they are not authoritative if Sophos asks for other details in the specific case.

Following up and escalating

After opening the ticket, a confirmation with ticket number should arrive by email. This ticket number belongs in every later communication.

If a critical case does not move forward quickly enough, a second ticket should not be opened. Duplicate tickets create more coordination work and can slow down processing.

Better:

  1. have the existing ticket number ready
  2. describe impact and urgency specifically
  3. provide missing logs or answers
  4. follow up by phone or Digital Chat with the ticket number
  5. escalate in the existing case if a target value was not met
  6. document internally who gave which feedback

An escalation should be justified. Useful reasons include:

  • target response time was exceeded
  • production outage is still ongoing
  • no response despite additional information
  • wrong assignment or unsuitable product category
  • case blocks a planned recovery or maintenance process

The escalation should always describe the current business impact. A sentence such as "We need an update" is weaker than a concrete statement such as "The main site-to-site VPN between headquarters and production is still down, 80 users cannot access ERP, no workaround is available."

For serious security or outage cases, it should also be checked whether other support or incident response processes apply. A normal technical ticket is not automatically a complete incident response process.

Checklist

  • SophosID works.
  • License and support entitlement are clarified.
  • Serial number, model and firmware version are documented.
  • Error time with time zone is known.
  • Impact on users, services or site is described.
  • Last changes were noted.
  • Reproduction or error pattern is traceable.
  • Relevant logs and screenshots are prepared.
  • Packet Capture or tcpdump PCAP is prepared only for packet-flow problems.
  • Confidential data in attachments was checked.
  • For RMA: shipping information and HA status are prepared.
  • Ticket number is documented internally.

FAQ

Is Enhanced Support a configuration service?

No. Enhanced Support improves the support entitlement and response targets, but it does not replace firewall configuration by Sophos. If knowledge for a desired configuration is missing, Avanet is the right contact. Sophos Support is intended for technical product cases where a function does not work as expected despite correct configuration.

Should Sophos be contacted by phone or through the portal?

For technical cases, the Support Portal is usually better because history and attachments remain traceable. Phone or Digital Chat are useful when an existing ticket must be followed up urgently or a portal problem must be solved.

What happens if no serial number or license number is provided?

The case can go to Customer Care for validation. This delays technical processing. Therefore, the affected serial number or license number should always be provided directly when opening the case.

Are target response times the same as resolution times?

No. Target response times describe how quickly a first qualified response can be expected. The actual resolution depends on the error pattern, reproducibility, logs, remote access, product behavior and necessary tests.

Does a Sophos support ticket have to be written in English?

In practice, English is the safest choice because technical cases can be handled internationally. Subject, error messages, time windows and logs should therefore be phrased as clearly as possible in English.

When should Support Access be enabled?

Support Access should be enabled when Sophos needs remote access to the firewall for analysis. Access should be time-limited and checked or disabled again after the case is closed.

Which information does Sophos need for firewall problems?

At minimum serial number, model, firmware version, error time, affected function, impact, recent changes and relevant logs. For VPN, NAT or routing, source, destination, service, rule, route and tunnel should also be named.

How large can attachments be?

The Support Portal can enforce size and file type limits. If a log archive is too large, it should be compressed or a suitable upload method should be requested in the ticket. Old blanket size statements should not be treated as guaranteed.

What is important in an RMA case?

For RMA cases, Sophos needs the error description as well as clear device identification, license and shipping information and HA status. For firewalls, it should first be checked whether a current backup exists and how a replacement firewall will be restored.