Sophos Firewall: How to submit an RMA case and set up the replacement firewall

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.


Overview

This Recommended Read describes how to identify and submit RMA (Return Merchandise Authorization) and DOA (Dead on Arrival) support cases, whom to contact for the shipping/RMA case status after the RMA is approved, and how to bring up the RMA replacement appliance.

Applies to the following Sophos products:

  • Sophos Firewall XG/XGS

Sophos RMA Overview (Video)

Submit a support case for RMA/DOA

The following are common reasons for device failure, which can be troubleshot by gathering the information mentioned in the section applicable to your device and then submitting an RMA case to Sophos support. 

A) Complete power failure/Dead on Arrival  – Device fails to power ON. The device isn't turning on when pressing the Power Button.

Please create a Sophos Support case (support.sophos.com) and attach the RMA form after filling it with all the information (The RMA form is provided at the end of the article) and provide answers to the following questions. Once the RMA is approved, please see the "Shipping/RMA case status" section to get shipping-related updates and follow the "Post RMA Process" section to finish setting up the new/replaced device.

1. What is the (approximate) purchase date of the device?

2. What is the status of the power LED and HDD LED while powering on the device?

3. Do you hear a single beep when powering on the device? (This observation does not apply to XGS).

4. Have you tried powering on with a different power cable and a different power outlet socket?

5. If your device has dual power supplies, please try powering on with the other power supply input.

6. If your device supports a hot-swappable power supply, kindly try powering on with a different power supply.

7. It is recommended to submit a video/picture showcasing the described issue for quicker RMA approval.

B) Device is being powered on but not booting further/ Device GUI/CLI/Console not accessible – When powering on the device, an error is observed on the console or the HDMI/VGA output (if applicable), and the GUI isn't accessible. 

Please create a Sophos Support case (support.sophos.com) and attach the RMA form after filling it with all the information (The RMA form is provided at the end of the article) and provide answers to the following questions. Once the RMA is approved, please see the "Shipping/RMA case status" section to get shipping-related updates and follow the "Post RMA Process" section to finish setting up the new/replaced device.

1. Is the device accessible via HTTPS/SSH from LAN and WAN?

2. Were any changes made from the GUI/CLI or any other activity after Sophos Firewall lost the device access? Please describe the changes made before the incident.

3. Is there a beep sound while we're rebooting the firewall? (This observation does not apply to XGS).

4. Is the device responding over the serial console? If No, then are you connecting it directly via the provided serial cable (DB-9 serial port), USB converter cable (serial to USB converter), or via the micro-USB serial console cable (the latest XG/XGS model may have this console port)? Do you see it under the device manager of that system without any errors related to the driver, etc., for that connection? 

Note: Please ensure that the baud rate is set to 38400 and the device status over the console has been verified multiple times at different time intervals.

5. (Optional) If the device is not responding over the serial console, please try connecting with any other system via serial connection to confirm the console connectivity status of the device.

6. If you observe any errors in the console connection, please take a snapshot to share it with Sophos Support when logging an RMA case.

C) Sophos Firewall Interface or Port not working  – This happens when the interface's status is disconnected when physically connected to the network.

Please create a Sophos Support case (support.sophos.com) and attach the RMA form after filling it with all the information (The RMA form is provided at the end of the article) and provide answers to the following questions. Once the RMA is approved, please see the "Shipping/RMA case status" section to get shipping-related updates and follow the "Post RMA Process" section to finish setting up the new/replaced device.

1. What is the Port LED status when the cable is connected? Including a snapshot of the LED status of the port in question is recommended.

2. Please check the interface status via the CLI command provided below:

console> show network interfaces

OR

#ifconfig -a

3. Please access the device via SSH and select 5. Device Management > 3. Advanced Shell and run the following command:

#tail -f /log/syslog.log

Plug in the cable in the problematic port. If you observe any errors/log lines, please include them in the support case. 

4. With the cable plugged into the problematic port, please ensure that the Port test is performed and share the results in the support case. 

Note: Port test doesn't apply to XGS models

a. Access the device via the SSH and select 5. Device Management > 3. Advanced Shell and run the following command:

#ethtool -t PortX 
(Replace X with the problematic port number)

Optionally, you can also run the Sophos Firewall Ethernet card test (requires downtime). Note: Port test is not applicable to XGS models.

b. Connect the problematic port with another functional port on the same firewall and run the following command again in Advanced Shell:

#ethtool -t PortX (Replace X with the problematic port number)

c. Lastly, connect the problematic port to a PC or a Laptop and confirm the interface status on the firewall.

Please share the outputs from steps a, b, and c in the support case.

7. Please try changing the cable used to connect the problematic port and confirm the port connection status.

8. Try changing the Interface duplex/speed with other available options to validate the status of the Port/Interface connection by going through the following steps:

Please access the device via the SSH and select 4. Device Console and execute the following command:

console> set network interface-speed Port<port name or number> <1000fd | 1000hd | 100fd | 100hd | 10fd | 10hd | auto>

 

9. Optional: Insert an unmanaged switch between the Sophos appliance and a computer and confirm the port/interface status. If it shows disconnected, follow steps 7 and 8 after adding the switch and validating port/interface status.

Lastly, access the device via SSH and select 5. Device Management > 3. Advanced Shell and run the following command to view Syslog: 

#tail -f /log/syslog.log

Please share the observations in the support case.

Note: Our support team will review and validate the information provided and may reach out to perform further diagnosis if necessary.
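The self-test outputs from steps 4a and 4b are easier for support to triage when each one is labelled with its overall result and any failing subtest. The script below is an added example, not Sophos tooling: it assumes the output of `ethtool -t PortX` was saved to a file on the administrator's workstation and follows the standard ethtool layout. The function names and the sample outputs are constructed for illustration.

```shell
#!/bin/sh
# Added example (not Sophos code): summarise saved `ethtool -t PortX` output
# before attaching it to the support case. Function names are hypothetical.

# Reads ethtool self-test output on stdin and prints one line:
#   PASS | FAIL[: failing subtests] | UNKNOWN: ...
ethtool_selftest_summary() {
    awk '
        /^The test result is /  { result = $5 }
        /^The test extra info:/ { in_info = 1; next }
        # Subtest lines look like "<name><TAB> <value>"; drivers
        # conventionally report 0 for a subtest that passed.
        in_info && NF >= 2 && $NF ~ /^[0-9]+$/ && $NF + 0 != 0 {
            name = $0
            sub(/[ \t]+[0-9]+[ \t]*$/, "", name)   # drop the trailing value
            gsub(/[ \t]+/, " ", name)              # collapse column padding
            failed = failed (failed ? "; " : "") name
        }
        END {
            if (result == "")      print "UNKNOWN: no test result line found"
            else if (failed != "") print result ": " failed
            else                   print result
        }
    '
}

# Constructed sample for step a: port cabled to the network, link subtest fails.
sample_step_a() {
    printf 'The test result is FAIL\nThe test extra info:\n'
    printf 'Register test  (offline)\t 0\nEeprom test    (offline)\t 0\n'
    printf 'Interrupt test (offline)\t 0\nLoopback test  (offline)\t 0\n'
    printf 'Link test   (on/offline)\t 1\n'
}

# Constructed sample for step b: port looped to a working port, all subtests pass.
sample_step_b() {
    printf 'The test result is PASS\nThe test extra info:\n'
    printf 'Register test  (offline)\t 0\nEeprom test    (offline)\t 0\n'
    printf 'Interrupt test (offline)\t 0\nLoopback test  (offline)\t 0\n'
    printf 'Link test   (on/offline)\t 0\n'
}

# Usage: ./summary.sh saved_output.txt   (no argument: run the samples)
if [ "$#" -gt 0 ]; then
    ethtool_selftest_summary < "$1"
else
    sample_step_a | ethtool_selftest_summary
    sample_step_b | ethtool_selftest_summary
fi
```

Subtest names vary by network driver, so the summary reports whatever names appear in the saved output rather than a fixed list.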

Shipping/RMA case status:

The Customer Care Team will provide an RMA case number once the RMA is approved. To comply with export compliance regulations worldwide, the RMA team will review the regulatory requirements, and once the RMA has cleared these regulatory requirements, a replacement will be dispatched from the regional RMA center as soon as possible.

Note: There might be delays in the RMA unit delivery for a few regions due to export compliance checks.

As soon as the package is sent out, you'll receive a notification in the RMA case with the shipment's tracking number, along with our regional RMA Team's email address. Getting in touch with your regional RMA Team for shipment-related queries is recommended.

Service Region                                     RMA Team Email
UK, Ireland & Non-EU member countries of Europe    EMEA_RMA@sophos.com
European Union (EU Member countries)               NL_RMA@sophos.com
Africa                                             africarma@sophos.com
APAC                                               apacrma@sophos.com
Japan                                              JPRMA@sophos.com
USA, Canada, LATAM                                 AMERICAS.RMA@sophos.com
India                                              INDIARMA@sophos.com

Post RMA Process:

Once the RMA replacement appliance has been received, one can go through the steps below to bring it up.

1. Sophos Firewall: License transfer after RMA
2. Backup and restore
3. Backup-restore compatibility check

Note: RMA replacements will be sent with the latest firmware that the RMA team has available.

RMA form:

Please complete the form below (Please fill in all the parameters):

=====================================
Technical Issue
======================================
Description/RMA Reason: [ ]
Fault Code:
Sub Fault Code:
======================================
Defective Product Details/License Details
======================================
Model/Product:
Revision:
Firmware version:
Serial # of faulty device:
License #: (was used in the faulty device)
Dead on arrival: Y/N
Is this part of a HA Cluster: Y/N
======================================
Shipping Info (All fields required):
======================================
Company:
TAX ID #: (EU countries, Brazil, and India)
Name:
Address:
City:
Zip/Postal code:
Country:
Phone:
Email:
Special Instructions:
======================================

Note: TAX ID is required for tax reporting purposes. Without this number, Sophos won’t be able to ship a replacement unit to the end-user directly. 



[edited by: emmosophos at 5:19 PM (GMT -8) on 23 Jan 2024]