Sophos SG/XG/XGS Hardware Brochure

Attached here are the hardware brochures for the Sophos SG R1, R2, R3, XG, and XGS firewall appliances.

  • Click here for Sophos SG R1 series hardware appliances
  • Click here for Sophos SG R2/R3 series hardware appliances
  • Click here for Sophos XG series hardware appliances
  • Click here for Sophos XGS series hardware appliances

Copyrights apply to the original copyright holders, simply mirrored here for educational / historical / archival purposes.

Hacking a Sophos SG Appliance to accept a UTM Home License

Foreword:

This document assumes that you have purchased (either new or second hand) a Sophos SG (or XG) hardware appliance and are looking to use the Sophos SG UTM 9, with the LCD front panel remaining functional, all on the free Home license (for home use of course).

Requirements:

You will need:

  • USB DVD Drive (burner if your PC/Mac doesn’t also have a DVD burner installed)
  • Blank DVD disk
  • USB keyboard
  • VGA / HDMI screen (VGA / HDMI depending on the Sophos appliance you have – SG2xx has VGA, SG3xx has HDMI for example)
  • Home license of UTM9 – sign up for an account at myutm.sophos.com
  • ISO file for Sophos hardware appliance – obtain from here (official), or here (unofficial mirror – Australia only)

We’re going to freshly reinstall the UTM OS so you obtain a free 30-day trial license which will allow you to get the appliance up & running…

Burn the ISO to the blank DVD

Connect the USB DVD drive to the Sophos USB port and insert the disk

Power on and boot from the DVD

If your appliance has, or will have, more than 3.5GB RAM, always install the 64-bit kernel when prompted.

When prompted to install all capabilities or only Open Source software, always choose to install all capabilities.

Go through and follow the steps to complete the installation. Once done, it will reboot and you want to make sure it boots from the internal disk – not the DVD.

Post Installation Configuration:

Get to the point where the Sophos has booted from the internal drive with the freshly installed SG UTM OS

Connect your computer to the LAN interface and give it a static IP address in the same range as the address displayed on the Sophos console screen (but not the same address as the Sophos itself).

Open a browser and point it to HTTPS port 4444 of the Sophos IP; so if the IP address of the Sophos is 192.168.2.100, browse to: https://192.168.2.100:4444/

Hint: the IP address was also set during the OS installation, as seen here:

Set a hostname, organisation name, city, country, admin password and admin email address.

The organisation name, city, country, etc., are used to generate a self-signed certificate and nothing really beyond this.

Hint: a DNS-resolvable fully qualified host name makes life easier.

Once you’ve done this, the Sophos will log you out, generate a new self-signed SSL certificate, and reload the admin page.

Your browser will kick up a small fuss about the SSL certificate not being valid; proceed anyway.

Log in using admin as the user name and the password you just specified.

You have the choice to Continue as a new setup or restore from backup.

Choose to set up as a new appliance (select Continue), as there are a couple of caveats when restoring from backup.

The next screen is important: it’s where you would normally upload your license to install it – BUT DON’T – instead, just click Next to use a 30-day trial license.

If you try to upload your home license, it will detect that you’re using a hardware appliance and will not let you use it. The reason we freshly installed the OS is to obtain a new 30-day trial license, which otherwise would not have been made available to us.

At the next screen, you can confirm or change the LAN IP of the appliance, and also enable & configure a DHCP server on this interface.

Next it will want you to configure the WAN interface.

Then it will ask about the services to enable & configure – leave these at the defaults and click Next.

Once you get through the basic setup screens, click Finish and you’ll be at the management home screen.

Enable SSH and set the loginuser and root passwords:

  • From the left menu, click Management > System Settings
  • From the top, select the Shell Access tab
  • Click the switch to ON to enable shell access
  • Set a password for both the loginuser and root accounts, then click Set Specified Passwords
  • Next, under Allowed Networks, add in the LAN (Network) and click Apply
  • Next, under Authentication, tick Allow password authentication and click Apply
  • Finally, if the firewall is online or you intend to retain SSH access, change the SSH port to something else (like 2222 or 2201) and click Apply, as the default SSH port is constantly being scanned.

Edit System Configuration Files:

Using either the connected console (keyboard & display) or SSH (from PuTTY or Terminal), log in to the Sophos with the account: loginuser

If you changed the port number above, then use that when connecting in via SSH.

Once logged in, you’re about to do something often frowned upon:

sudo sh

Enter the root password

Now enter the following commands (the first moves the original file aside so you can read it and keep it as a reference; the second opens the moved copy):

mv /etc/asg /etc/asx
vi /etc/asx

Take note of the contents of this file – you’re looking to note down these three lines:

ASG_VERSION=
LCD4LINUX_HW=
ASG_SUBTYPE=

Exit VI.

Now create a new file: /etc/asg

vi /etc/asg

Add in the following, using the appliance model and revision values you noted down from the original file; in my case:

ASG_VERSION="310"
LCD4LINUX_HW="LCD-SERIAL380"
ASG_SUBTYPE="r2"

Save, exit, and reboot the appliance.

Update Appliance License from 30-day Trial to Home Edition:

Now that the above has all been completed, the LCD should still be reflecting current stats (confirm this by watching the CPU & RAM usage change on the LCD and comparing it to the management screen in the web UI). We can now go ahead and swap the 30-day trial license for the free Home edition license.

Why Sophos locked down the hardware appliances from home license use is a little bizarre and annoying, but the fact that these R1 and R2 appliances are making their way onto the second-hand market in giant waves means that people will snap them up for home use, hit the license restriction, and decide to wipe them & install alternative firewall OSes on them, like pfSense / OPNsense, etc. Really, this is a setback in two ways: 1) Sophos are encouraging eWaste by not permitting home user licenses to re-use old enterprise hardware, and 2) they cause would-be home users or enthusiasts to shy away from the Sophos SG/UTM firewall product as they can’t use it on the actual hardware appliance, so they opt for alternatives. /rant

Download your home license file from your myutm.sophos.com account, and upload it into the Sophos under Management > Licensing > Installation.

The Home license will activate many useful features for basic and advanced home labs, and will need to be renewed every (I believe) 2-3 years.

Something to note: the Sophos SG UTM Home License edition has a user device limit of 50 issued IP addresses that are allowed to traverse the firewall. For many home environments with small families, this is probably ample. There’s also a 10% tolerance on this 50 IP limit, so realistically, 55 devices.

However, in larger families, where each family member has at least 2-3 internet-connected devices (say phone, tablet, and laptop), plus a few TVs, game consoles, WiFi access points, etc., you’ll run out of IP addresses very quickly. My home is in this larger category: there are currently seven of us living here, multiple “cloud-managed” switches, access points and security cameras, two Xbox consoles, three Apple TVs, every person has at least three devices, and we are well over our limit. On top of this, I have a home IT lab with over 20 virtual machines, two physical servers, and additional workstations & laptops (all for lab / test use). I have NEVER had this pose an issue – every device is still able to connect to the internet, despite having well over 100 IPs assigned. I’m not sure why this is the case for me – maybe because there are VLANs in place?

At the end of the day, what Sophos offer out of the box for a free three-year home license is a very generous offering. It would be nice if there was a home-premium style license, where you retained all the same features, but the IP limit was lifted to either 500 or unlimited, and you paid something like US$100 every three years.

What some users out there with Sophos UTM have done to overcome this is to have a second basic router behind the main Sophos – all WiFi devices and family devices would sit behind this second router – leaving only essential systems behind the Sophos. I also initially had my network setup like this, but found it was unnecessary (in my case).

Final note: the free home license also provides high availability (HA) so if you have more than one hardware firewall running UTM9, you can set them up in HA which is really handy for installing firmware updates with zero downtime! Again, something I have working in my home environment.

Sophos SG UTM – Enable & Configure Let’s Encrypt for SSL Certificate services

This post briefly describes the process to enable & configure the Let’s Encrypt SSL Certificate certbot functionality built into the Sophos SG / UTM firewall.


Country Blocking:

If you have Country Blocking enabled & configured in the firewall, you will need to add some exclusions to let Let’s Encrypt traffic pass through.

There will need to be three exclusions added for Let’s Encrypt services:

First exclusion will be setup with:

  • No countries selected
  • For all requests going to (any WAN interfaces that will be used for Let’s Encrypt and / or will have SSL protected services behind them)
  • Using services: HTTP


The next exclusion:

  • No countries selected
  • For all requests coming from:
    • Create a new Network Group and add in the following DNS Hosts:
      • acme-staging-v02.api.letsencrypt.org
      • acme-staging.api.letsencrypt.org
      • acme-v01.api.letsencrypt.org
      • acme-v02.api.letsencrypt.org
      • outbound1.letsencrypt.org
      • outbound2.letsencrypt.org
  • Using these services: Any


The final country blocking exception:

  • No countries selected
  • For all requests coming from: use the same Network Group you created in the previous rule
  • Using these services: Any


Finally, ensure all three new rules are switched on.


Certbot:

Now we need to configure & enable the Let’s Encrypt certbot built into Sophos UTM.

Head to Webserver Protection > Certificate Management

Click on the Advanced tab

Ensure the four fields in the Regenerate Signing CA box are filled in and click Apply.

Click to place a check in the Allow Let’s Encrypt certificates checkbox and click Apply

This process will take a minute or two as the account is setup with Let’s Encrypt…

Click the Advanced tab a couple of times until the status changes from:

to:


Generate New Certificates:

Now, for each certificate you want to create with Let’s Encrypt, you will need to ensure that the FQDN is pointing to the public IP address of the Sophos WAN connection, as this is how the certificates are validated & authorised by Let’s Encrypt’s servers and the Sophos certbot.

Once this is done, click on the Certificates tab

Click on the New Certificate button

Change the method from Generate to Let’s Encrypt

  • Set the Name to match the FQDN (this makes it easier to identify later on)
  • Set the Interface to the WAN interface that the required FQDN resolves to
  • Add the FQDN to the domains list
  • Click save

This process can take 2-5 mins. Click the Certificates tab to refresh to get the status of the certificate.

Once the certificate is green and has a valid expiry date, that certificate can now be used for services as required (such as WebAdmin, User Portal, or services in the Webserver Protection).


Troubleshooting:

If you get an error along the lines of “Let’s Encrypt failed to retrieve the current terms of service link”, then there are a couple of possibilities:

Ensure you’re running the latest or very recent build of the UTM – update if not

Check the Certificate Authorities tab for anything expired, invalid, etc. and remove them.

Delete the ISRG Root X1 CA (so that only the current R3 certificate is present).

Temporarily turn off country blocking

Ensure DNS resolution on the Sophos is working

Ensure that port 80 isn’t blocked by something else – especially in a double NAT scenario

Enable the SSH access, and execute:

/var/mdw/scripts/httpproxy restart
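The checklist above (FQDN resolving to the WAN address, DNS resolution working, TCP/80 not blocked) can be run as a pre-flight test before clicking New Certificate. The following is an added example, not code from the original post or from Sophos; the ACME host names come from the country-blocking section above, and the resolver and port probe are injectable so the logic can be exercised with constructed values. Run from a host outside your network for the most meaningful port-80 result, since probing your own WAN address from inside may not reflect what Let’s Encrypt sees.

```python
import socket
from typing import Callable, Dict

# ACME endpoints from the country-blocking exclusion list above.
LE_HOSTS = [
    "acme-v02.api.letsencrypt.org",
    "acme-staging-v02.api.letsencrypt.org",
]

Resolver = Callable[[str], str]          # hostname -> IPv4 string; raises OSError on failure
PortProbe = Callable[[str, int], bool]   # (ip, port) -> True if a TCP connection succeeds


def default_resolve(host: str) -> str:
    # socket.gaierror is a subclass of OSError, so callers can catch OSError.
    return socket.gethostbyname(host)


def default_probe(ip: str, port: int, timeout: float = 3.0) -> bool:
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(fqdn: str, wan_ip: str,
              resolve: Resolver = default_resolve,
              probe: PortProbe = default_probe) -> Dict[str, str]:
    """Return a dict of check name -> 'ok' or a short failure reason."""
    results: Dict[str, str] = {}
    # 1. The UTM must be able to resolve the ACME endpoints (outbound path, DNS working).
    for host in LE_HOSTS:
        try:
            resolve(host)
            results[f"dns:{host}"] = "ok"
        except OSError as exc:
            results[f"dns:{host}"] = f"unresolvable ({exc})"
    # 2. The certificate FQDN must resolve to the WAN address Let's Encrypt will validate against.
    try:
        got = resolve(fqdn)
        results["fqdn->wan"] = "ok" if got == wan_ip else f"{fqdn} resolves to {got}, not {wan_ip}"
    except OSError as exc:
        results["fqdn->wan"] = f"unresolvable ({exc})"
    # 3. HTTP-01 validation arrives on TCP/80; an upstream router in a double-NAT setup often blocks it.
    results["port80"] = "ok" if probe(wan_ip, 80) else "TCP/80 on WAN not reachable"
    return results


def all_ok(results: Dict[str, str]) -> bool:
    return all(v == "ok" for v in results.values())
```

A failing entry names the specific item from the troubleshooting list to fix first, rather than leaving you to guess from the generic terms-of-service error.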