Home-Use License on Sophos SG series appliances

I was recently given a used Sophos SG 230 by a generous fellow I work with. I was eager to integrate this into my home network but ran into the licensing issue very quickly. This is how I got it working.

I discovered the home-use license on the Sophos MyUTM page and quickly signed up, created and downloaded it.

All the subscription goodness you could want for a home network.

I then switched on the SG 230 and used the front control panel to reset to factory defaults.

The SG 210/230/310/330/430/450 series all have useful front-panel LCDs and controls.

Once reset, I set the IP address of the eth0 port (the first on the left) to my desired IP using the front panel controls, connected it to my network switch, and went to my PC.

The initial setup process was very straightforward – like the Sophos XG/XGS series that succeed the SG, the web admin port is on https://<IP address>:4444, so I went there. I set the initial admin password, email, hostname, location and ‘company name’.

The initial setup screen (taken from the Quick Start Guide)

Then, came the licensing screen. The factory license had expired on this unit, so a new one must be installed to proceed. I downloaded the home-use license from MyUTM and uploaded it to the SG. Unfortunately, I got the following error message.

“Cannot use ASG software license on SG230 device.”

Well crap… How irritating. After doing quite a bit of research on the UTM OS and the ASG/SG appliances, I found a way to bypass this limitation.

The storage layout of the onboard 128GB SSD in the SG 230 is as follows:

sda      8:0    0 111.8G  0
├─sda1   8:1    0   350M  0 /boot
├─sda2   8:2    0     4G  0 [SWAP]
├─sda3   8:3    0     1G  0
├─sda4   8:4    0     1K  0
├─sda5   8:5    0  42.2G  0 /var/storage
├─sda6   8:6    0   5.4G  0 /
├─sda7   8:7    0  55.4G  0 /var/log
└─sda8   8:8    0   2.5G  0 /tmp

The root mount point for the OS is on the sda6 partition.

I downloaded the latest Debian Live ISO from their website (Debian is my preferred distribution for this kind of work) and used the Rufus tool to image a USB stick with the live OS.

I shut down the SG 230 and inserted the newly-created USB stick into a front USB port on the SG. I connected a VGA monitor and USB keyboard and powered it back on. As soon as it came back, I was greeted with the familiar AMI BIOS screen, which in this case uses the F2 key to select an alternate boot device.

AMI BIOS screen (simplified) from the Sophos SG appliance.

Once pressed, I selected my USB stick (listed as ‘SanDisk’) and hit Enter. It was able to boot into Debian Live from the USB stick successfully. I immediately did the following:

$ sudo su
# cd /
# mkdir sg-mount
# mount /dev/sda6 sg-mount
# mv sg-mount/etc/asg sg-mount/etc/asg.bak
# umount sg-mount
# reboot

From this, we’ve mounted the Sophos SG UTM root file system, renamed the asg file to asg.bak, and then un-mounted sda6 and rebooted. At this point, I removed the USB stick once it had restarted.

Once the SG came back online, I was able to upload the license file and proceed with the setup process unhindered. Hooray!

So, I configured the SG, used Up2Date to get it to UTM 9.7 (from 9.5), enabled SSH login, set the loginuser and root passwords and rebooted. I noticed that the LCD and buttons on the front panel no longer worked and were stuck on “Restarting now…” – which appeared when I rebooted into Debian.

I logged in via SSH and inspected the original contents of the asg.bak file:


After fiddling and rebooting a few times, I had found that recreating the original /etc/asg file with the following contents restores the LCD and controls:


After another reboot, the screen works again and the license didn’t break. Updates still work and all is well.

I’m confident that this above method would work on the following models:

  • SG 210
  • SG 230
  • SG 310
  • SG 330
  • SG 430
  • SG 450

My Sophos SG 230 is now working well as my default gateway/firewall for my home network – it’s been a great addition.

Leave a comment

Your email address will not be published. Required fields are marked *