This article provides the general steps that can be taken on the Sophos XG Firewall in the event of an emergency. The following sections are covered:
Applies to the following Sophos products and versions: Sophos Firewall
There are a number of things that can be done in the event of a total system failure, failure to boot (reboot cycle), or general lockout. Some depend on environment configuration, but many of the steps below will apply in most emergency situations.
If a production XG Firewall won't boot, it's important to determine whether the issue is caused by hardware (physically defective, dead power supply/motherboard, etc.), by software (such as a kernel problem or missing system files), or by configuration (issues with a license, etc.).
It is always good practice to ensure that the XG Firewall is updated to the latest version. If possible, please update before engaging in any of the troubleshooting steps listed in this article.
In all emergency situations, you should contact Sophos Support immediately so that one of our engineers can assist you:
If you are completely locked out of the XG Firewall (missing WebAdmin/SSH passwords), please see the following KB for instructions on password recovery:
Sophos XG Firewall: How to reset the admin password
With only one XG Firewall available, options for implementing a quick workaround are limited. If another gateway is available, a good first step would be to bypass the XG Firewall so that the entire network isn't down. If that option isn't available, there is no other choice but to troubleshoot the issue on the XG Firewall itself.
With multiple XG Firewalls, more options are available in terms of workarounds, especially because often only one node will experience an issue. The purpose of HA is to automatically bypass failed XG Firewalls, so normally if the primary node fails, another node will take over and you can attempt to recover the failed node via the following steps:
system ha disable
If the issue continues to occur:
Sometimes the only remaining option is to replace a unit under warranty. Please browse to the link below for instructions on contacting support to submit a request for RMA: