Avanet

Reinstall Sophos Firewall OS: USB reimage

A reimage fully reinstalls Sophos Firewall OS. This procedure is intended for recovery situations, lab systems, model changes or a clean reinstall. For normal version changes, a firmware update through WebAdmin is usually the better option.

⚠️ Important: A reimage overwrites the firewall completely. Configuration, local logs, certificates, reports and stored account data are no longer present on the device afterwards. Before starting, a current backup and the matching Secure Storage Master Key (SSMK) are required if encrypted configuration data must be restored later.

Reimage, firmware update or factory reset?

| Method | Purpose | Typical use |
|---|---|---|
| Firmware update | Update SFOS to another version | Normal maintenance through Backup & Firmware > Firmware |
| Rollback | Return to a previously installed firmware version | Problems after an update, as long as the previous firmware is still available |
| Factory Reset | Reset the configuration | Device remains on the installed SFOS version, configuration is lost |
| Reimage | Reinstall SFOS from a USB stick | Defective system, clean reinstall, incompatible version change or recovery |

For a normal update, see "Sophos Firewall: perform an SFOS firmware update" first. For XGS appliances with damaged firmware, Sophos uses the reimage procedure because SFLoader is not available for XGS.

When not to start a reimage

A reimage is the hard recovery option. If normal administrative access is still possible, first check whether a less invasive approach is enough.

| Situation | Better check first |
|---|---|
| WebAdmin is hanging but traffic continues | Restart WebAdmin GUI deliberately |
| A single service does not respond | Restart Sophos Firewall services safely |
| A firmware update is planned | Firmware update and rollback plan instead of reimage |
| The configuration should be deleted | Factory Reset may be sufficient if SFOS itself is healthy |
| Storage space or reports are the problem | Check storage space, reports and logs |
| A support case is still running | Save logs, support archives and current errors first |

Reimage makes sense if the operating system is damaged, a clean rebuild is required, or Sophos Support or the recovery plan specifies this path. For normal maintenance, individual GUI problems or unclear performance issues, it is usually too early.

Back up before the reimage

Before a production reimage, prepare these points:

  • Download a current configuration backup and store it safely.
  • Document the Secure Storage Master Key if the backup contains encrypted account data.
  • Check licence status, serial number and Sophos Central assignment.
  • Document model, current SFOS version, target version and backup version.
  • Note WAN data, VLANs, static routes, VPN parameters and special HA information separately.
  • Plan a maintenance window because the firewall does not protect or process traffic during the reimage.
  • Ensure local access to the appliance, power supply, USB port and management port.
  • Check the restore process in advance, especially for HA clusters and critical VPN locations.
  • Save logs or support archives if the root cause must be analysed later.

The relevant basics are covered in "Sophos Firewall: create and restore backups", "Sophos Firewall: SFOS 22 upgrade check" and "Sophos Firewall HA cluster: Active-Passive, Active-Active and Auxiliary Appliance".

Clarify restore compatibility in advance

The most important part of a reimage is not writing the USB stick, but the successful restore afterwards. A backup should not be evaluated for the first time after the reinstall.

Clarify beforehand:

| Item | Why it matters |
|---|---|
| Backup version | A backup cannot be restored to any older or newer SFOS version without limits. |
| Target model | Port count, interface names and model class affect restore and port mapping. |
| Secure Storage Master Key | Without the matching SSMK, protected account data is missing after the restore. |
| Licence and account | After a reimage or model change, the firewall must be licensed and assigned correctly again. |
| HA role | In clusters, it must be clear whether the Initial Primary or Auxiliary is being rebuilt. |
| Legacy configuration | Old remote access IPsec settings or upgrade blockers should be known before the restore. |

For hardware replacement, XG-to-XGS migration or restore to another model, also check whether the Backup-Restore Assistant is available and whether the port mapping is correct before the final restore. The process is described in "Sophos Firewall backup and restore".

Requirements

  • Sophos Firewall appliance or suitable software or virtual appliance.
  • USB stick with at least 4 GB storage.
  • Windows, macOS or Linux computer to create the bootable USB stick.
  • Tool for writing the ISO image, for example balenaEtcher.
  • Local access to the appliance.
  • Optional: USB-to-Micro-USB cable or RJ45-COM adapter for status messages and troubleshooting through the serial console.

Enhanced Support entitlement is not required for the reimage itself. Regular firmware upgrades are still subject to the relevant licence and support conditions.

1. Download the correct SFOS installer image

Download the installer image from the official Sophos download page:

  1. Open Sophos Firewall Installers. Alternatively, use the direct download.
  2. Under Hardware Installers, select the required SFOS version for Sophos hardware appliances.
  3. Accept the licence terms and download the ISO image.

Hardware appliances usually use an image with the HW prefix. Software and virtual appliances use different image types.

Installer image filename

Example: HW-22.0.1_MR-1-490.iso

| Component | Meaning |
|---|---|
| HW | Installer for Sophos hardware appliances |
| 22.0.1 | SFOS version |
| MR-1 | Maintenance Release 1 |
| 490 | Build number |
| .iso | ISO image for USB stick or software installation |

The most important filename components:

  • Platform or appliance type

    • HW: ISO image for Sophos hardware appliances. This is usually required for reimaging an XGS appliance.
    • SW: ISO image for Sophos Firewall as a software appliance.
    • VI: Image package for Sophos Firewall as a virtual appliance.
    • AMI: Image for Amazon AWS.
    • AZU: Image for Microsoft Azure.
  • Virtualisation platform for VI files

    • HYV: Microsoft Hyper-V.
    • KVM: KVM.
    • VMW: VMware Hypervisor.
    • XEN: Xen.
  • Release type

    • GA: General Availability. This is a generally available major or interim version, often with new features.
    • MR: Maintenance Release. An MR mainly contains fixes, stability improvements and security adjustments within an existing version.
  • File extension

    • .iso: ISO image that can be written to a USB stick or used for software appliances.
    • .zip: Archive with image files for virtual appliances.
    • .sig: Signed image for specific appliance models or update scenarios.

For production systems, the current MR of a supported version is usually the better choice than a freshly released GA version. If a reimage is part of a recovery or support case, the target version must always match the available backup, licence status and planned restore.

For an XGS reimage, a file such as HW-22.0.1_MR-1-490.iso is normally relevant. SW, VI, AMI or AZU are intended for other platforms and should not be used for a hardware appliance.
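
The naming scheme above can be checked mechanically before an image is written to the USB stick. The following is an added example, not code from Sophos or from the original article: it parses names that follow the layout of the page's example HW-22.0.1_MR-1-490.iso and reports why a file is unsuitable for a hardware reimage. The function names, the assumption that GA images use the same layout without a release number, and all sample names other than the page's example are constructed for illustration.

```python
import re
from typing import List, NamedTuple, Optional

# Layout taken from the page's example HW-22.0.1_MR-1-490.iso.
# Assumption: GA images follow the same layout without a release number.
IMAGE_RE = re.compile(
    r"(?P<platform>[A-Z]+)-(?P<version>\d+\.\d+\.\d+)_"
    r"(?P<release>GA|MR)(?:-(?P<release_no>\d+))?-(?P<build>\d+)"
    r"\.(?P<ext>iso|zip|sig)"
)
PLATFORMS = {"HW", "SW", "VI", "AMI", "AZU"}  # prefixes listed on the page


class InstallerImage(NamedTuple):
    platform: str
    version: str
    release: str
    build: int
    ext: str


def parse_image_name(filename: str) -> Optional[InstallerImage]:
    """Split an installer filename into its components, or return None."""
    m = IMAGE_RE.fullmatch(filename)
    if m is None or m["platform"] not in PLATFORMS:
        return None
    release = m["release"] + (f"-{m['release_no']}" if m["release_no"] else "")
    return InstallerImage(m["platform"], m["version"], release,
                          int(m["build"]), m["ext"])


def reimage_problems(filename: str, target_version: Optional[str] = None) -> List[str]:
    """List reasons not to write this file to the USB stick for an XGS reimage."""
    img = parse_image_name(filename)
    if img is None:
        return ["filename does not match the HW-<version>_<release>-<build> layout"]
    problems = []
    if img.platform != "HW":
        problems.append(f"{img.platform} image is not for a hardware appliance")
    if img.ext != "iso":
        problems.append(f".{img.ext} file is not an ISO image for a USB stick")
    if target_version is not None and img.version != target_version:
        problems.append(f"image is {img.version}, documented target is {target_version}")
    return problems


if __name__ == "__main__":
    # First name is the page's example; the others are constructed samples.
    for name in ("HW-22.0.1_MR-1-490.iso", "SW-22.0.1_MR-1-490.iso",
                 "HW-22.0.1_MR-1-490.sig", "sfos-latest.iso"):
        print(name, "->", reimage_problems(name, "22.0.1") or "ok")
```

Passing the target version documented during backup preparation as the second argument catches a downloaded image that does not match the planned restore.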

[Figure: Sophos Firewall Installer: download the hardware ISO for reimaging an XGS appliance]

2. Create a bootable USB stick

The USB stick is formatted when the ISO image is written. All existing data on the USB stick is lost.

  1. Insert a USB stick with at least 4 GB storage into the computer.
  2. Download and start balenaEtcher.
  3. Use Flash from file to select the downloaded SFOS ISO image.
  4. Under Select target, select the correct USB stick.
  5. Use Flash! to write the ISO image to the USB stick.

After writing, eject the USB stick cleanly. If macOS or Windows reports the stick as unreadable afterwards, this is not necessarily an error because the image was written for the appliance boot process.

[Figure: balenaEtcher writes the SFOS ISO image to the USB stick]

3. Reinstall SFOS on the firewall

The reimage process runs directly on the appliance. The device must not be switched off during this process.

  1. Shut down the firewall completely.
  2. Insert the prepared USB stick into the firewall.
  3. Switch on the firewall.
  4. Wait until the Sophos Firmware Installer starts from the USB stick.
  5. Monitor the installation status according to the appliance model.
  6. After successful installation, remove the USB stick and restart the firewall.

Status on XGS desktop appliances

Many XGS desktop models do not have a VGA, SVGA or HDMI connector for a monitor. The reimage status is therefore shown through the status LED on the front. If more detail is required, use the serial console through the COM port.

| Model family | Display connector | Reimage status |
|---|---|---|
| XGS 87 / 87w / 107 / 107w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 116 / 116w / 126 / 126w / 136 / 136w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 88 / 88w / 108 / 108w | No VGA, SVGA or HDMI | Status LED and optional serial console |
| XGS 118 / 118w / 128 / 128w / 138 | No VGA, SVGA or HDMI | Status LED and optional serial console |

| LED status | Meaning |
|---|---|
| 🔴 Blinking red | Reimage is running |
| 🟢 Solid green | Reimage was successful |
| 🔴 Solid red | Reimage failed |

The reimage is only complete when the LED is solid green. While the LED is blinking red, the process is still running.

Status on XGS rack appliances

Rack appliances show the status on the integrated display. Typical messages are Installation in progress, Installation successful, Installation failed or Failsafe mode.

Status through the serial console

For additional diagnostics, a console can be connected. On current XGS desktop appliances, the connection usually no longer runs through a classic RS-232 port on the notebook, but through a USB-to-Micro-USB cable connected to the firewall's COM Micro USB port. The appliance still provides a serial console through it. On the admin computer, it appears as a COM port on Windows or as a tty device on macOS and Linux.

This is especially useful when no display connector is available, the LED remains solid red, USB boot is unclear or installer and error messages need to be viewed directly. Many XGS models also have an RJ45-COM port. This RJ45-COM port is a console port, not a normal network port. If Micro-USB and RJ45-COM are connected at the same time, Micro-USB has priority.

Typical tools:

  • Windows: PuTTY, Windows Terminal or another serial terminal client.
  • macOS: Terminal with screen, for example screen /dev/tty.usbserial-XXXX 38400.
  • Linux: screen, minicom or picocom.

Serial settings:

| Setting | Value |
|---|---|
| Baud rate | 38400 |
| Data bits | 8 |
| Parity | None |
| Stop bits | 1 |

4. Reach the firewall after the reimage

After the reimage, the firewall starts with the default configuration. The first access is typically through Port 1:

  • Management IP: https://172.16.16.16:4444
  • Connection: connect the computer directly to Port 1 of the firewall
  • Computer IP: set a suitable static IP in the 172.16.16.0/24 network if access is not possible

Then follow the initial setup or restore an existing backup. During restore, the matching Secure Storage Master Key must be provided if the backup contains protected account data.

After the restore, at least these points should be checked:

  • Interfaces, zones and VLANs.
  • Default gateway, static routes and SD-WAN routes.
  • Firewall rules, NAT rules and web server protection.
  • VPN connections and certificates.
  • Licence status and synchronisation with Sophos Central.
  • HA status if the firewall is part of a cluster.
  • Logging, syslog targets and reporting.

For centrally managed firewalls, "connect Sophos Firewall to Sophos Central" is helpful. For model changes or older devices, "Sophos XG or XGS Firewall: choose the right appliance" is relevant.

Acceptance test after reimage and restore

After a successful login, a quick look at the dashboard is not enough. The firewall must serve the most important production paths correctly again.

Useful order:

  1. Check licence status, serial number, model and firmware version.
  2. Check interfaces, link status, VLANs and zones.
  3. Check WAN gateway, DNS, NTP and Sophos Central connection.
  4. Validate firewall rules, NAT rules and Log Viewer with a test client.
  5. Test site-to-site VPNs and remote access with real test targets.
  6. Check HA status and roles if a cluster is involved.
  7. Check syslog, Central Reporting, backups and scheduled reports.
  8. Remove old temporary access, local admin accounts or recovery exceptions.

If a restore was successful but traffic does not flow, do not immediately reimage again. Interface mapping, routing, NAT, Device Access, licence status or the return path of the peer are often involved. For analysis, see "test firewall rules with Log Viewer, Policy Test and Packet Capture", "understand NAT on Sophos Firewall" and "Sophos Firewall IPsec VPN troubleshooting".

Common problems

| Problem | Possible cause | Check |
|---|---|---|
| Firewall does not boot from the USB stick | USB stick not written correctly, wrong USB port or boot problem | Write ISO again, test another USB stick, check serial status |
| LED remains solid red | Reimage failed | Start reimage again, use another image or another USB stick |
| Backup restore fails | Wrong target version, damaged backup or missing SSMK | Check backup version, verify SSMK, try restore with a compatible SFOS version |
| WebAdmin is not reachable | Wrong port, wrong client IP or browser blocks certificate | Use Port 1, set client IP in 172.16.16.0/24, open https://172.16.16.16:4444 |
| HA does not start cleanly | Cluster member was reinstalled without HA planning | Check HA role, Auxiliary Appliance, firmware versions and restore order |
| Traffic does not flow after restore | Interface mapping, zones, routing, NAT or firewall rules do not match | Check link status, Rule ID, NAT ID, Route Lookup and Packet Capture |
| Licence or Central connection is missing | Account assignment, serial number or internet access is wrong | Check licence status, DNS, gateway and Central registration |

Checklist

  • Backup downloaded.
  • Secure Storage Master Key available.
  • Backup and target SFOS version documented.
  • Serial number, licence status and Central assignment checked.
  • Correct SFOS installer image selected.
  • USB stick written successfully.
  • Maintenance window and local access clarified.
  • Appliance not switched off during the reimage.
  • WebAdmin reached through Port 1 after restart.
  • Backup restored and SSMK entered.
  • Network, VPN, licence, Central and HA checked.
  • Rule, NAT, routing and VPN tests performed with real clients.
  • Temporary recovery access and notes cleaned up.

FAQ

Does a reimage delete the complete configuration?

Yes. A reimage reinstalls Sophos Firewall OS and overwrites the existing data on the device. Without a backup, the firewall must be rebuilt afterwards.

Is Enhanced Support required for a reimage?

Enhanced Support entitlement is not required for reimaging a hardware, software or virtual appliance. Regular firmware upgrades after the free upgrades have different support conditions.

What is the difference between reimage and Factory Reset?

A Factory Reset resets the configuration but does not reinstall SFOS. A reimage writes the operating system to the device again from the installer image.

Why is the Secure Storage Master Key important?

The Secure Storage Master Key protects sensitive account data in backups. After a reimage or Factory Reset, it is required to restore protected data from a backup.

Can any backup be restored after a reimage?

No. Backup version, target SFOS version, model, platform and port mapping must fit together. Before a production reimage, check which version will be installed and which backup will be restored afterwards.

Can an XGS appliance be repaired with SFLoader?

For XGS appliances with damaged firmware, the reimage procedure is used. SFLoader is not available for XGS appliances.