Avanet

Reinstall Sophos Firewall OS

This article explains how to perform an SFOS reimage on a Sophos Firewall and reinstall Sophos Firewall OS.

Requirements

  • Sophos Firewall Appliance
  • USB flash drive 4 GB or larger
  • Windows, macOS, or Linux computer to prepare the USB flash drive

1. Download the SFOS ISO image

First, download the “Sophos Firewall OS” ISO image that will later be installed on the Sophos Firewall.

  1. On the Sophos website, you can download the Sophos Firewall installers. Alternatively, you can use the direct download.
  2. Under Hardware Installers, you will find the latest version of Firewall OS.
  3. Accept the terms and conditions and click Submit. The ISO image will then be downloaded.

Direct download: firmware file name explained

Example: HW-22.0.1_MR-1-490.iso

The parts of the file name mean:

  • Platform or appliance type

    • HW: ISO image for Sophos hardware appliances. This is usually the variant required to reimage an XGS appliance.
    • SW: ISO image for Sophos Firewall as a software appliance.
    • VI: Image package for Sophos Firewall as a virtual appliance.
  • Virtualization platform for VI files

    • HYV: Microsoft Hyper-V.
    • KVM: KVM.
    • VMW: VMware Hypervisor.
    • XEN: Xen.
  • Release type

    • GA: General Availability, a major release.
    • MR: Maintenance Release.
  • File extension

    • .iso: ISO image that can be written to a USB flash drive or used for software appliances.
    • .zip: Archive with image files for virtual appliances.
    • .sig: Signed image for specific appliance models.

For the example HW-22.0.1_MR-1-490.iso, this means:

  • HW: Hardware appliance
  • 22.0.1: SFOS version
  • MR-1: Maintenance Release 1
  • 490: Build number
  • .iso: ISO image

[Image: Sophos Firewall Installer: download the hardware ISO for an XGS appliance reimage]
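
The naming scheme above, turned into a check to run before flashing (an added example, not code from Avanet or Sophos): it parses a firmware file name and reports why a file is not the hardware ISO needed for a USB reimage. The function names are hypothetical, and the number-less GA form and the position of the hypervisor code in VI names are assumptions the page does not show.

```python
import re
from typing import List, NamedTuple, Optional

# Layout follows the page's example HW-22.0.1_MR-1-490.iso.
# Assumptions, not shown on the page: a GA name has no release number, and a
# VI name carries its hypervisor code as ".<CODE>" just before the build number.
NAME_RE = re.compile(
    r"^(?P<platform>HW|SW|VI)-(?P<version>\d+\.\d+\.\d+)"
    r"_(?P<release>GA|MR)(?:-(?P<release_no>\d+))?"
    r"(?:\.(?P<hypervisor>HYV|KVM|VMW|XEN))?"
    r"-(?P<build>\d+)\.(?P<ext>iso|zip|sig)$"
)

class Firmware(NamedTuple):
    platform: str              # HW, SW or VI
    version: str               # SFOS version, e.g. 22.0.1
    release: str               # GA or MR
    release_no: Optional[int]  # 1 for MR-1, None when absent
    hypervisor: Optional[str]  # HYV, KVM, VMW or XEN (VI files only)
    build: int
    ext: str                   # iso, zip or sig

def parse_firmware_name(name: str) -> Firmware:
    """Split an SFOS firmware file name into its parts or raise ValueError."""
    m = NAME_RE.match(name)
    if m is None:
        raise ValueError(f"unrecognised SFOS firmware file name: {name!r}")
    g = m.groupdict()
    if g["hypervisor"] and g["platform"] != "VI":
        raise ValueError("hypervisor code on a non-VI file name")
    number = int(g["release_no"]) if g["release_no"] else None
    return Firmware(g["platform"], g["version"], g["release"], number,
                    g["hypervisor"], int(g["build"]), g["ext"])

def usb_reimage_problems(name: str) -> List[str]:
    """Reasons not to write this file to the USB drive; empty list means OK."""
    try:
        fw = parse_firmware_name(name)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if fw.platform != "HW":
        problems.append(f"{fw.platform} image is not the hardware-appliance variant")
    if fw.ext != "iso":
        problems.append(f".{fw.ext} is not an ISO image for a USB flash drive")
    return problems

if __name__ == "__main__":
    print(usb_reimage_problems("HW-22.0.1_MR-1-490.iso"))
```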

2. Create a bootable USB flash drive

Info: We use balenaEtcher to create the bootable USB flash drive. The tool is easy to use and works on Windows, macOS, and Linux.

In the second step, copy the downloaded ISO image to a USB flash drive. A dedicated tool is required so the XGS appliance can later boot from this USB flash drive.

  1. Insert a USB flash drive with at least 4 GB of storage into your computer. Make sure there is no important data left on it because it will be completely erased.
  2. Go to https://etcher.balena.io/ and download the latest version of balenaEtcher.
  3. Click Flash from file and select the ISO image you downloaded earlier.
  4. Under Select target, choose the USB flash drive.
  5. Finally, click Flash! to format the USB flash drive and write the SFOS image to it.

[Image: balenaEtcher writes the SFOS ISO image to the USB flash drive]

3. Install SFOS on the firewall appliance

The preparation is complete. You now have a bootable USB flash drive with SFOS, and the installation on the appliance can begin.

⚠️ Important: Installing SFOS on your firewall completely overwrites the disk and fully resets the device. No configuration is retained!

  1. Power off the firewall completely.

  2. Insert the prepared USB flash drive into the firewall.

  3. Power on the firewall again. The Sophos Firmware Installer normally starts the reimage automatically from the USB flash drive.

  4. Monitor the installation status depending on the appliance model:

    • XGS desktop appliances: The status is shown through the LED on the front panel.

      LED status        | Meaning
      🔴 Blinking red   | Reimage in progress
      🟢 Stable green   | Reimage was successful
      🔴 Stable red     | Reimage failed

    • XGS rack appliances: The status is shown on the display, for example Installation in progress, Installation successful, Installation failed, or Failsafe mode.

    • Appliances with monitor ports: If a VGA, SVGA, or HDMI port is available, you can optionally connect a monitor. For current XGS appliances, don’t rely on this because many models no longer have a monitor port.

  5. Optionally, you can use a console cable and connect with PuTTY, Windows Terminal, or a terminal on macOS/Linux. This lets you see the reimage status and possible error messages directly on the console.

    Serial settings: 38400 baud, 8 data bits, no parity, 1 stop bit.

  6. When the installation is complete, remove the USB flash drive and restart the firewall. The firewall then starts with the default configuration.

You can find the official Sophos steps for reimaging with a USB flash drive in the Sophos documentation: Reimage the firewall using a USB flash drive.

4. Reach the firewall after installation

After installation, the appliance is reachable on Port 1. Connect your computer to Port 1 and open the web interface at https://172.16.16.16:4444.