Skip to content
Avanet

Check Sophos Firewall SSD Health via SMART

The internal SSD of a Sophos Firewall stores logs, reports, quarantine data, temporary files, and system data, among other things. In environments with extensive logging, on-box reporting, mail protection, or high system load, it may be advisable to occasionally check the SSD’s condition.

This check does not replace official hardware monitoring or support diagnostics. However, it helps to identify a noticeable wear value early and prepare for backup, support cases, or hardware replacement in a timely manner.

⚠️ Important: The Advanced Shell provides direct system access. The commands shown here only read information. Do not delete files, change partitions, start SMART self-tests, or replace drives unless the impact on support, warranty, and operation is clear.

When to Check the SSD

Checking the SSD is particularly advisable if any of the following apply:

  • The firewall generates a large number of local logs or reports.
  • There have been warnings about high memory usage.
  • On-box reports, mail queue, quarantine, or local logs are growing significantly.
  • The appliance has been in operation for several years.
  • The system state should be documented before a major firmware upgrade.
  • An HA cluster should be better monitored in terms of hardware.

For storage space issues, Check Sophos Firewall Storage and Manage Reports is also relevant. For central log retention, Enable Central Firewall Reporting is suitable, so that not every analysis depends on local on-box data.

What This Check Provides

The SMART check is a technical spot check directly on the appliance. It does not answer every hardware question, but it helps classify SSD wear and noticeable drive values.

  • SSD endurance value is unusual or rises quickly: Document the SMART value and check the trend.
  • /var is full or reports stop: Check storage and reports.
  • Temperature, fan, or power supply alarms are visible: Check SNMP Hardware Monitoring and WebAdmin/monitoring.
  • Configuration risks or Health Check findings are open: Evaluate Sophos Firewall Health Check.
  • Hardware replacement or RMA is likely: Prepare serial number, support status, backup, and RMA data.

The Sophos Firewall Health Check evaluates configuration risks. It does not replace drive checks or hardware monitoring. Conversely, an unremarkable SMART value does not prove that reporting, logs, quarantine, or databases are working cleanly.

Prerequisites

For the check, you need:

  • Access to the admin user.
  • SSH access or access to the Advanced Shell.
  • Tightly restricted SSH access from a trusted admin network.
  • A planned maintenance or diagnostic window if the firewall is heavily loaded.
  • For HA: access to both appliances.

How to prepare access is described in Connect to Sophos Firewall via SSH. After logging in, open the Advanced Shell via 5 Device Management > 3 Advanced Shell. After the check, reduce access again to the necessary minimum.

Reading SSD Endurance

On many Sophos Firewall hardware appliances, the internal SSD is visible as /dev/sda. The following command reads the SMART information and filters the output for the endurance value:

smartctl -x /dev/sda | grep Endurance
Sophos Firewall Advanced Shell with smartctl output showing SSD endurance value
Check SSD endurance with smartctl in the Advanced Shell on Sophos Firewall

The command is a read-only diagnostic from the Advanced Shell, not a normal SFOS status indicator in WebAdmin. Depending on the appliance, disk, and firmware, the output can look different or the expected attribute name may be missing. Do not guess; document the full output and the accompanying symptoms.

In the output, the value before Percentage Used Endurance Indicator is particularly interesting. A low value is generally good. In the screenshot, the value is 1, which is uncritical.

Interpreting the Value Correctly

SMART values are diagnostic values of the drive. Such values are useful but not standardized identically for every SSD and manufacturer. Therefore, the value should not be considered in isolation.

  • Very low value: usually unremarkable.
  • Value increases significantly over time: monitor development and plan maintenance.
  • Value is clearly higher than earlier measurements: prepare support case and check replacement options.
  • Additional I/O errors or system problems: do not only check SSD endurance; include logs and support diagnostics.

The trend is important. A single value is less meaningful than repeated checks over several maintenance windows. If the value rises quickly or storage, database, or report problems occur simultaneously, a Sophos support case should be prepared.

A high value alone is not yet a clean diagnosis. The finding becomes more meaningful when several indicators occur together:

  • Endurance value rises faster than expected.
  • /var or report data behaves noticeably.
  • Logs show I/O, database, or file system errors.
  • WebAdmin, reports, or services become unstable without a clear configuration change.
  • One appliance in an HA cluster shows clearly different values from its partner.

Documenting Measurements

To make a rising endurance value traceable later, each check should be briefly documented. This is particularly helpful before firmware upgrades, in HA clusters, and for appliances that have been in productive use for several years.

A simple documentation is usually sufficient:

  • Date and time: 2026-06-20 10:30
  • Firewall or location: XGS 2100 - HQ
  • Node: Primary or Auxiliary
  • Firmware version: SFOS 22.0.1 MR1
  • SSD endurance value: 1
  • Accompanying symptoms: none, storage warning, I/O errors, report problems
  • Next action: monitor, prepare support case, plan replacement

In a support case, this history is more helpful than a single screenshot. It shows whether the value ages slowly, jumps suddenly, or occurs together with storage and database problems.

In addition, keep the measurement point stable. If possible, always document the same command, the same device path, and the same node. In HA clusters, the output should not only be saved as a screenshot but linked to serial number or node role. Otherwise, it may later be unclear whether values came from Primary, Auxiliary, or an already replaced appliance.

If No Endurance Output Appears

If the filtered command produces no output, you can first display the SMART output without a filter:

smartctl -x /dev/sda

Then search for terms like Endurance, Percentage Used, Wear, or manufacturer-specific SMART attributes. If the output is not clear, it should not be guessed but checked with Sophos Support or Avanet.

The device path may vary depending on the platform. Therefore, you should not blindly test or write to other drive paths. For virtual firewalls, drive health is primarily a task for the virtualization platform and the storage system.

If smartctl does not provide usable values, that is not proof of a healthy or defective drive. Document the finding as “not clearly readable” and combine it with other indicators: storage space, system logs, hypervisor monitoring, SNMP hardware values, support diagnostics, and observed symptoms. Write tests, SMART self-tests, or repair attempts should only be performed if Sophos Support or a clear maintenance plan explicitly requires them.

Translate the finding into an action

After the measurement, don’t discuss the value in isolation. Translate it into a concrete operational decision.

  • Low value, no symptoms: document the measurement and check again during the next maintenance window.
  • Value rises quickly or jumps noticeably: secure backup, SSMK, serial number, firmware version, and history. Then prepare a support case.
  • Additional storage warnings or report problems: first check disk space, reports, logs, and quarantine. High storage usage is not automatically an SSD failure.
  • I/O, database, or file-system errors in logs: save SMART output, relevant logs, and timeline together, and don’t experiment with manual delete actions.
  • HA nodes differ significantly: document both serial numbers, roles, firmware versions, and measurements separately. For RMA or replacement it must be clear which node is affected.
  • Virtual firewall: don’t interpret the result like hardware. Hypervisor, storage, datastore, I/O latency, and platform monitoring are decisive.

This classification prevents two typical mistakes: dramatising a single SMART value or dismissing real symptoms as “just a storage problem”. What matters is the combination of trend, symptoms, logs, platform, and support status.

Check HA Cluster Separately

In a Sophos Firewall HA cluster, each appliance has its own SSD. The condition of the drives is not synchronized by HA.

Therefore, you should check:

  • Primary Appliance.
  • Auxiliary Appliance.
  • Serial number or hostname of the respective node.
  • Date, firmware version, and measured endurance value.
  • Whether additional storage or I/O anomalies are visible on a node.

For HA operation and roles, see Sophos Firewall HA Cluster: Active-Passive, Active-Active, and Auxiliary Appliance.

For a possible replacement, the HA role is important. Before an RMA, it should be clear which appliance is being replaced, which firmware version and build run on the healthy appliance, and whether a maintenance window is required. Sophos describes RMA processes for HA scenarios separately by role; in practice, the affected node should therefore not first be clarified when the replacement device arrives.

Do Not Replace Without Support

An SSD should not be replaced independently just because a SMART value appears unusual. A hardware intervention can affect support, warranty, RMA processing, and operational security.

Before a replacement, these points should be prepared:

  • Current configuration backup.
  • Secure Storage Master Key.
  • Serial number and appliance model.
  • Firmware version and build.
  • HA role, if a cluster is used.
  • Screenshot or text excerpt of the SMART output.
  • Description of symptoms and timeline.
  • Storage and report status, if these are also noticeable.
  • License and support status.

The warranty and support basics are described in the article How Long Do I Get Warranty on Sophos Hardware?. If an appliance needs to be reinstalled, Reinstall Sophos Firewall OS: Reimage with USB Stick is the appropriate recovery article.

Checklist

  • SSH access allowed only from trusted admin networks.
  • Advanced Shell opened.
  • smartctl -x /dev/sda | grep Endurance executed.
  • Value, date, firmware version, and serial number documented.
  • Both nodes checked separately in HA.
  • Storage space and local reports additionally checked for anomalies.
  • SNMP or monitoring alarms checked where hardware is suspected.
  • Firmware version, build, model, and support status noted for a support case.
  • Support case prepared for high or rapidly increasing values.
  • No hardware replacement carried out without clarification of support and warranty.

FAQ

Is a low endurance value good?

Yes. A low value indicates that the SSD has used little of its expected write lifespan.

At what value should action be taken?

There is no universal threshold that works equally cleanly for every SSD and every model. Action should be taken for clearly rising values, noticeable jumps, or additional symptoms such as I/O errors, database problems, report issues, or unusual storage usage.

Is an unremarkable SMART value enough as an all-clear?

No. An unremarkable SMART value is a good signal, but it does not replace checking storage space, logs, reports, HA status, SNMP hardware values, and observed symptoms.

How often should SSD health be checked?

For normal environments, checking is usually sufficient during maintenance, firmware preparation, or hardware inventory. More frequent checks should be made for memory warnings, many local reports, noticeable logs, or older appliances.

Does the command also apply to virtual Sophos Firewalls?

Not in the same sense. For virtual firewalls, drive health depends on the hypervisor and the underlying storage. Monitoring tools of the virtualization platform should be used there.

Does the Sophos Firewall Health Check check the SSD?

No. The Health Check assesses configuration risks. Hardware condition, SSD wear, or drive errors must be monitored separately.