Reinstall Sophos Firewall OS: USB reimage
A reimage fully reinstalls Sophos Firewall OS. This procedure is intended for recovery situations, lab systems, model changes or a clean reinstall. For normal version changes, a firmware update through WebAdmin is usually the better option.
⚠️ Important: A reimage overwrites the firewall completely. Configuration, local logs, certificates, reports and stored account data are no longer present on the device afterwards. Before starting, a current backup and the matching Secure Storage Master Key (SSMK) are required if encrypted configuration data must be restored later.
Reimage, firmware update or factory reset?
| Method | Purpose | Typical use |
|---|---|---|
| Firmware update | Update SFOS to another version | Normal maintenance through Backup & Firmware > Firmware |
| Rollback | Return to a previously installed firmware version | Problems after an update, as long as the previous firmware is still available |
| Factory Reset | Reset the configuration | Device remains on the installed SFOS version, configuration is lost |
| Reimage | Reinstall SFOS from a USB stick | Defective system, clean reinstall, incompatible version change or recovery |
For a normal update, first see the article Sophos Firewall: perform an SFOS firmware update. For XGS appliances with damaged firmware, Sophos uses the reimage procedure because SFLoader is not available for XGS.
When not to start a reimage
A reimage is the hard recovery option. If normal administrative access is still possible, first check whether a less invasive approach is enough.
| Situation | Better check first |
|---|---|
| WebAdmin is hanging but traffic continues | Restart WebAdmin GUI deliberately |
| A single service does not respond | Restart Sophos Firewall services safely |
| A firmware update is planned | Firmware update and rollback plan instead of reimage |
| The configuration should be deleted | Factory Reset may be sufficient if SFOS itself is healthy |
| Storage space or reports are the problem | Check storage space, reports and logs |
| A support case is still running | Save logs, support archives and current errors first |
Reimage makes sense if the operating system is damaged, a clean rebuild is required, or Sophos Support or the recovery plan specifies this path. For normal maintenance, individual GUI problems or unclear performance issues, it is usually too early.
Back up before the reimage
Before a production reimage, prepare these points:
- Download a current configuration backup and store it safely.
- Document the Secure Storage Master Key if the backup contains encrypted account data.
- Check licence status, serial number and Sophos Central assignment.
- Document model, current SFOS version, target version and backup version.
- Note WAN data, VLANs, static routes, VPN parameters and special HA information separately.
- Plan a maintenance window because the firewall does not protect or process traffic during the reimage.
- Ensure local access to the appliance, power supply, USB port and management port.
- Check the restore process in advance, especially for HA clusters and critical VPN locations.
- Save logs or support archives if the root cause must be analysed later.
The relevant basics are covered in Sophos Firewall: create and restore backups, Sophos Firewall: SFOS 22 upgrade check and Sophos Firewall HA cluster: Active-Passive, Active-Active and Auxiliary Appliance.
Clarify restore compatibility in advance
The most important part of a reimage is not writing the USB stick, but the successful restore afterwards. A backup should not be evaluated for the first time after the reinstall.
Clarify beforehand:
| Item | Why it matters |
|---|---|
| Backup version | A backup cannot be restored to an arbitrary older or newer SFOS version. |
| Target model | Port count, interface names and model class affect restore and port mapping. |
| Secure Storage Master Key | Without the matching SSMK, protected account data is missing after the restore. |
| Licence and account | After a reimage or model change, the firewall must be licensed and assigned correctly again. |
| HA role | In clusters, it must be clear whether the Initial Primary or Auxiliary is being rebuilt. |
| Legacy configuration | Old remote access IPsec settings or upgrade blockers should be known before the restore. |
For hardware replacement, XG-to-XGS migration or restore to another model, also check whether the Backup-Restore Assistant is available and whether the port mapping is correct before the final restore. The process is described in Sophos Firewall backup and restore.
Requirements
- Sophos Firewall appliance or suitable software or virtual appliance.
- USB stick with at least 4 GB storage.
- Windows, macOS or Linux computer to create the bootable USB stick.
- Tool for writing the ISO image, for example balenaEtcher.
- Local access to the appliance.
- Optional: USB-to-Micro-USB cable or RJ45-COM adapter for status messages and troubleshooting through the serial console.
Enhanced Support entitlement is not required for the reimage itself. Regular firmware upgrades are still subject to the relevant licence and support conditions.
1. Download the correct SFOS installer image
Download the installer image from the official Sophos download page:
- Open Sophos Firewall Installers. Alternatively, use the direct download.
- Under Hardware Installers, select the required SFOS version for Sophos hardware appliances.
- Accept the licence terms and download the ISO image.
Hardware appliances usually use an image with the HW prefix. Software and virtual appliances use different image types.
Installer image filename
Example: HW-22.0.1_MR-1-490.iso
| Component | Meaning |
|---|---|
| HW | Installer for Sophos hardware appliances |
| 22.0.1 | SFOS version |
| MR-1 | Maintenance Release 1 |
| 490 | Build number |
| .iso | ISO image for USB stick or software installation |
The most important filename components:
Platform or appliance type
- HW: ISO image for Sophos hardware appliances. This is usually required for reimaging an XGS appliance.
- SW: ISO image for Sophos Firewall as a software appliance.
- VI: Image package for Sophos Firewall as a virtual appliance.
- AMI: Image for Amazon AWS.
- AZU: Image for Microsoft Azure.
Virtualisation platform for VI files
- HYV: Microsoft Hyper-V.
- KVM: KVM.
- VMW: VMware Hypervisor.
- XEN: Xen.
Release type
- GA: General Availability. This is a generally available major or interim version, often with new features.
- MR: Maintenance Release. An MR mainly contains fixes, stability improvements and security adjustments within an existing version.
File extension
- .iso: ISO image that can be written to a USB stick or used for software appliances.
- .zip: Archive with image files for virtual appliances.
- .sig: Signed image for specific appliance models or update scenarios.
For production systems, the current MR of a supported version is usually the better choice than a freshly released GA version. If a reimage is part of a recovery or support case, the target version must always match the available backup, licence status and planned restore.
For an XGS reimage, a file such as HW-22.0.1_MR-1-490.iso is normally relevant. SW, VI, AMI or AZU are intended for other platforms and should not be used for a hardware appliance.
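The naming scheme above can be checked mechanically before an image is written to the stick. The following is an added example, not Sophos code and not part of the original procedure. The regular expression is inferred from the single filename shown on this page; the `_GA` form and the position of the hypervisor token in VI names are assumptions, and the function names are hypothetical.

```python
import re

# Layout inferred from the page's example HW-22.0.1_MR-1-490.iso.
# Assumption: GA images use "_GA" in place of "_MR-n", and VI packages carry
# the hypervisor token as ".KVM" etc. directly before the build number.
NAME_RE = re.compile(
    r"^(?P<platform>HW|SW|VI|AMI|AZU)-"
    r"(?P<version>\d+\.\d+\.\d+)_"
    r"(?P<release>GA|MR-\d+)"
    r"(?:\.(?P<hypervisor>HYV|KVM|VMW|XEN))?-"
    r"(?P<build>\d+)\.(?P<ext>iso|zip|sig)$"
)


def parse_installer_name(filename):
    """Split an SFOS image filename into its components, or return None."""
    m = NAME_RE.match(filename.strip())
    return m.groupdict() if m else None


def check_hw_reimage(filename, expected_version=None):
    """Return the reasons a file is unsuitable for a USB reimage of a
    hardware appliance. An empty list means the name looks right."""
    parts = parse_installer_name(filename)
    if parts is None:
        return ["filename does not match the SFOS installer naming scheme"]
    problems = []
    if parts["platform"] != "HW":
        problems.append(f"platform {parts['platform']} is not a hardware installer")
    if parts["ext"] != "iso":
        problems.append(f".{parts['ext']} file is not an ISO image for a USB stick")
    if parts["hypervisor"]:
        problems.append("hypervisor token present: this is a virtual appliance image")
    if expected_version and parts["version"] != expected_version:
        problems.append(
            f"version {parts['version']} differs from planned target {expected_version}"
        )
    return problems


if __name__ == "__main__":
    # Constructed sample names; only the first one appears on this page.
    for name in ("HW-22.0.1_MR-1-490.iso", "SW-22.0.1_MR-1-490.iso",
                 "VI-22.0.1_MR-1.KVM-490.zip", "HW-22.0.1_MR-1-490.iso.part"):
        print(name, "->", check_hw_reimage(name, "22.0.1") or "OK")
```

The last sample shows why the check is anchored at both ends: an incomplete browser download with a trailing `.part` suffix is rejected instead of being flashed.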

2. Create a bootable USB stick
The USB stick is formatted when the ISO image is written. All existing data on the USB stick is lost.
- Insert a USB stick with at least 4 GB storage into the computer.
- Download and start balenaEtcher.
- Use `Flash from file` to select the downloaded SFOS ISO image.
- Under `Select target`, select the correct USB stick.
- Use `Flash!` to write the ISO image to the USB stick.
After writing, eject the USB stick cleanly. If macOS or Windows reports the stick as unreadable afterwards, this is not necessarily an error because the image was written for the appliance boot process.

3. Reinstall SFOS on the firewall
The reimage process runs directly on the appliance. The device must not be switched off during this process.
- Shut down the firewall completely.
- Insert the prepared USB stick into the firewall.
- Switch on the firewall.
- Wait until the Sophos Firmware Installer starts from the USB stick.
- Monitor the installation status according to the appliance model.
- After successful installation, remove the USB stick and restart the firewall.
Status on XGS desktop appliances
Many XGS desktop models do not have a VGA, SVGA or HDMI connector for a monitor. The reimage status is therefore shown through the status LED on the front. If more detail is required, use the serial console through the COM port.
| Model family | Display connector | Reimage status |
|---|---|---|
| XGS 87 / 87w / 107 / 107w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 116 / 116w / 126 / 126w / 136 / 136w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 88 / 88w / 108 / 108w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 118 / 118w / 128 / 128w / 138 | No VGA, SVGA or HDMI | Status LED and optional serial console |
| LED status | Meaning |
|---|---|
| 🔴 Blinking red | Reimage is running |
| 🟢 Solid green | Reimage was successful |
| 🔴 Solid red | Reimage failed |
The reimage is only complete when the LED is solid green. While the LED is blinking red, the process is still running.
Status on XGS rack appliances
Rack appliances show the status on the integrated display. Typical messages are Installation in progress, Installation successful, Installation failed or Failsafe mode.
Status through the serial console
For additional diagnostics, a console can be connected. On current XGS desktop appliances, the connection is usually no longer made through a classic RS-232 port on the notebook, but through a USB-to-Micro-USB cable connected to the firewall's COM Micro USB port. The appliance still provides a serial console through it. On the admin computer, it appears as a COM port on Windows or as a tty device on macOS and Linux.
This is especially useful when no display connector is available, the LED remains solid red, USB boot is unclear or installer and error messages need to be viewed directly. Many XGS models also have an RJ45-COM port. This RJ45-COM port is a console port, not a normal network port. If Micro-USB and RJ45-COM are connected at the same time, Micro-USB has priority.
Typical tools:
- Windows: PuTTY, Windows Terminal or another serial terminal client.
- macOS: Terminal with `screen`, for example `screen /dev/tty.usbserial-XXXX 38400`.
- Linux: `screen`, `minicom` or `picocom`.
Serial settings:
| Setting | Value |
|---|---|
| Baud rate | 38400 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |
4. Reach the firewall after the reimage
After the reimage, the firewall starts with the default configuration. The first access is typically through Port 1:
- Management IP: `https://172.16.16.16:4444`
- Connection: connect the computer directly to Port 1 of the firewall
- Computer IP: set a suitable static IP in the `172.16.16.0/24` network if access is not possible
Then follow the initial setup or restore an existing backup. During restore, the matching Secure Storage Master Key must be provided if the backup contains protected account data.
After the restore, at least these points should be checked:
- Interfaces, zones and VLANs.
- Default gateway, static routes and SD-WAN routes.
- Firewall rules, NAT rules and web server protection.
- VPN connections and certificates.
- Licence status and synchronisation with Sophos Central.
- HA status if the firewall is part of a cluster.
- Logging, syslog targets and reporting.
For centrally managed firewalls, the article Connect Sophos Firewall to Sophos Central is helpful. For model changes or older devices, the article Sophos XG or XGS Firewall: choose the right appliance is relevant.
Acceptance test after reimage and restore
After a successful login, a quick look at the dashboard is not enough. The firewall must serve the most important production paths correctly again.
Useful order:
- Check licence status, serial number, model and firmware version.
- Check interfaces, link status, VLANs and zones.
- Check WAN gateway, DNS, NTP and Sophos Central connection.
- Validate firewall rules, NAT rules and Log Viewer with a test client.
- Test site-to-site VPNs and remote access with real test targets.
- Check HA status and roles if a cluster is involved.
- Check syslog, Central Reporting, backups and scheduled reports.
- Remove old temporary access, local admin accounts or recovery exceptions.
If a restore was successful but traffic does not flow, do not immediately reimage again. Interface mapping, routing, NAT, Device Access, licence status or the return path of the peer are often involved. For analysis, see the articles Test firewall rules with Log Viewer, Policy Test and Packet Capture; Understand NAT on Sophos Firewall; and Sophos Firewall IPsec VPN troubleshooting.
Common problems
| Problem | Possible cause | Check |
|---|---|---|
| Firewall does not boot from the USB stick | USB stick not written correctly, wrong USB port or boot problem | Write ISO again, test another USB stick, check serial status |
| LED remains solid red | Reimage failed | Start reimage again, use another image or another USB stick |
| Backup restore fails | Wrong target version, damaged backup or missing SSMK | Check backup version, verify SSMK, try restore with a compatible SFOS version |
| WebAdmin is not reachable | Wrong port, wrong client IP or browser blocks certificate | Use Port 1, set client IP in 172.16.16.0/24, open https://172.16.16.16:4444 |
| HA does not start cleanly | Cluster member was reinstalled without HA planning | Check HA role, Auxiliary Appliance, firmware versions and restore order |
| Traffic does not flow after restore | Interface mapping, zones, routing, NAT or firewall rules do not match | Check link status, Rule ID, NAT ID, Route Lookup and Packet Capture |
| Licence or Central connection is missing | Account assignment, serial number or internet access is wrong | Check licence status, DNS, gateway and Central registration |
Checklist
- Backup downloaded.
- Secure Storage Master Key available.
- Backup and target SFOS version documented.
- Serial number, licence status and Central assignment checked.
- Correct SFOS installer image selected.
- USB stick written successfully.
- Maintenance window and local access clarified.
- Appliance not switched off during the reimage.
- WebAdmin reached through Port 1 after restart.
- Backup restored and SSMK entered.
- Network, VPN, licence, Central and HA checked.
- Rule, NAT, routing and VPN tests performed with real clients.
- Temporary recovery access and notes cleaned up.