Sophos XG Home on a Sophos appliance
Sophos offers the Sophos XG Home firewall free of charge for general home use or home labs. Sophos XG Home can either be run as a VM on a common hypervisor or installed on an Intel-based appliance. Basically, Sophos XG Home supports all Intel-based computers and appliances with at least 4GB RAM and 2 dedicated network interfaces. The RAM is limited to 6GB and the CPU cores to 4. However, the limits are defined in the software. The actual hardware used may therefore be “stronger”.
The hardware appliances that are widely used in the home sector are mostly fanless NoName micro PCs, which were developed for free firewall solutions like PFsense or OPNsense. In principle, such appliances are sufficient for home use, but are similarly expensive (price range: CHF 300 – 500) as a low-priced appliance from Sophos without services (e.g. Sophos XG 86, which is already available for less than CHF 400.) On various online platforms, you can also find used and discarded Sophos XG and SG firewalls, sometimes at really affordable conditions.
Many technicians, who know the Sophos XG Firewall from their daily work, would therefore like to install Sophos XG Home on a Sophos SG or Sophos XG appliance. The question now is: Will this work?
General: Installing Sophos XG Home
Installing SFOS
The process for installing Sophos XG Home is relatively simple. You put the installation ISO on a USB stick. My tool of choice for this task is Rufus. It is important that you switch from ISO image mode to DD image mode when you are burning the ISO onto your USB-Stick. Otherwise the USB sticks does not seem to work.
To install the Sophos XG Home operating system (SFOS), a monitor and a USB keyboard are connected to the appliance. (Alternatively, this should also work via the console port. However, I have never tested this).
After booting from the USB medium you have just created, the very simple SFOS installer appears. If you confirm the message with y, the found internal storeage is partitioned and completely used for the Sophos XG appliance.
After the installation is complete, Mozart’s Little Night Music is played over the appliance’s internal speaker (if present). After removing the USB stick, you can restart the appliance by entering “y”.
After restarting the appliance, the next steps are taking place in WebGUI. Basically, you can now disconnect the screen and keyboard from the appliance.
Installation completion and licensing
It is best to connect a notebook via Ethernet to port 1 of the firewall. On port 2, the firewall expects a WAN uplink with DHCP by default. I usually attach my test network (with DHCP) to port 2 temporarily, so that the firewall has at least a functioning Internet connection.
The WebGUI of the firewall can be accessed via https://172.16.16.16:4444 by default.
Basically, you now follow the installation wizard. First you create an admin password, then you select the time zone and then set the licensing. The appliance is assigned the serial number that we have already received from Sophos by mail. The free evaluation licenses are already stored in MySophos and will be synchronized by the portal in the next step. To do this, you need to log in with a Sophos ID. If no such account exists, it must now be created. It is important to know that after setting the serial number, the firewall may restarts.
After confirming the licenses, we can look which licenses are provided by Sophos as perpetual evaluation:
After synchronizing the licenses, the rest of the setup is relatively individual, but still straight forward. Personally, I always use the default settings for Sophos XG and then finetune the settings after the wizard has finished.
Restrictions, limitations & workarounds
Installing on a Sophos appliance / bypassing hardware limitation
The installation of the universal image on a Sophos appliance does not work “out of the box”. This is due to a protection mechanism in the installer that prevents the “wrong” version of SFOS from being installed. The following error message appears:
Detected Sophos Physical Device.
Please get proper installation source.
The approach to delete all partitions via a partitioning tool (such as GParted) (as suggested here) didn’t change anything in my case. Even without partitions on the SSD the installation was blocked. At first I suspected some firmware trickery. The BIOS firmware does contain the firewall serial number in the field provided. However, the installer does not seem to read this.
After some tests I found the reason: The version of the appliance and the serial number are written to the MBR. The MBR is not altered by GParted even when deleting all partitions. Even recreating the partition table in GParted does not touch the MBR.
The easiest workaround for this problem is to install a Linux distro (I used Debian) or another OS like FreeDOS which completely repartitiones the SSD of the appliance and overwrites the MBR with the installation of the bootloader (e.g. GRUB).
After these steps, the installation with the SFOS image of Sophos XG Home also works without problems on Sophos appliances. (Tested on a Sophos SG 210 Rev. 2, which had already been upgraded to the XG firmware). For Sophos SG appliances with the UTM 9.x firmware, this intermediate step is not necessary.
Sophos XG Home firmware limits
Basically, the Sophos XG Home firmware locks down the appliance at the software level to the following hardware limits:
- 4 CPU Cores
- 6 GB RAM
Furthermore, special hardware is not supported:
- Displays of larger Sophos SG or Sophos XG appliances
- Packet flow processing architecture on Sophos XGS appliances
- β¦
Licensing restrictions
Important Legal Notice: The Home Use edition is free for personal home use only. You are strictly prohibited from using the Home Edition for anything other than personal home use.
Legal Notice in licensing E-Mail
Sophos XG Home is intended for home use only. Commercial use (even for testing purposes) is strictly prohibited. Time-limited trial versions are recommended for testing purposes. Resellers can obtain NFR versions from Sophos or their distributors to populate commercial labs.
Usefull Links
- Find Sophos SG Appliances on Ebay
- Find Sophos XT Appliances on Ebay
- Find Sophos Appliances on ricardo.ch