I was recently given a used Sophos SG 230 by a generous fellow I work with. I was eager to integrate this into my home network but ran into the licensing issue very quickly. This is how I got it working.
I discovered the home-use license on the Sophos MyUTM page and quickly signed up, created and downloaded it.
I then switched on the SG 230 and used the front control panel to reset to factory defaults.
Once reset, I set the IP address of the eth0 port (the first on the left) to my desired IP using the front panel controls, connected it to my network switch, and went to my PC.
The initial setup process was very straightforward – like the Sophos XG/XGS series that succeed the SG, the web admin port is on https://<IP address>:4444, so I went there. I set the initial admin password, email, hostname, location and ‘company name’.
Then, came the licensing screen. The factory license had expired on this unit, so a new one must be installed to proceed. I downloaded the home-use license from MyUTM and uploaded it to the SG. Unfortunately, I got the following error message.
Well crap… How irritating. After doing quite a bit of research on the UTM OS and the ASG/SG appliances, I found a way to bypass this limitation.
The storage layout of the onboard 128GB SSD in the SG 230 is as follows:
NAME MAJ:MIN RM SIZE RO MOUNTPOINT sda 8:0 0 111.8G 0 ├─sda1 8:1 0 350M 0 /boot ├─sda2 8:2 0 4G 0 [SWAP] ├─sda3 8:3 0 1G 0 ├─sda4 8:4 0 1K 0 ├─sda5 8:5 0 42.2G 0 /var/storage ├─sda6 8:6 0 5.4G 0 / ├─sda7 8:7 0 55.4G 0 /var/log └─sda8 8:8 0 2.5G 0 /tmp
The root mount point for the OS is on the sda6
partition.
I downloaded the latest Debian Live ISO from their website (Debian is my preferred distribution for this kind of work) and used the Rufus tool to image a USB stick with the live OS.
I shut down the SG 230 and inserted the newly-created USB stick into a front USB port on the SG. I connected a VGA monitor and USB keyboard and powered it back on. As soon as it came back, I was greeted with the familiar AMI BIOS screen, which in this case uses the F2 key to select an alternate boot device.
Once pressed, I selected my USB stick (listed as ‘SanDisk’) and hit Enter. It was able to boot into Debian Live from the USB stick successfully. I immediately did the following:
$ sudo su # cd / # mkdir sg-mount # mount /dev/sda6 sg-mount # mv sg-mount/etc/asg sg-mount/etc/asg.bak # umount sg-mount # reboot
From this, we’ve mounted the Sophos SG UTM root file system, renamed the asg
file to asg.bak
, and then un-mounted sda6
and rebooted. At this point, I removed the USB stick once it had restarted.
Once the SG came back online, I was able to upload the license file and proceed with the setup process unhindered. Hooray!
So, I configured the SG, used Up2Date to get it to UTM 9.7 (from 9.5), enabled SSH login, set the loginuser
and root
passwords and rebooted. I noticed that the LCD and buttons on the front panel no longer worked and were stuck on “Restarting now…” – which appeared when I rebooted into Debian.
I logged in via SSH and inspected the original contents of the asg.bak
file:
ASG_VERSION="230" LCD4LINUX_HW="LCD-SERIAL300" ASG_SERIAL="S2100XXXXXXXXX0" ASG_SUBTYPE="r1" ASG_ID="$98sd334efg90bn90z339264abbe"
After fiddling and rebooting a few times, I had found that recreating the original /etc/asg
file with the following contents restores the LCD and controls:
ASG_VERSION="230" LCD4LINUX_HW="LCD-SERIAL300" ASG_SUBTYPE="r1"
After another reboot, the screen works again and the license didn’t break. Updates still work and all is well.
I’m confident that this above method would work on the following models:
- SG 210
- SG 230
- SG 310
- SG 330
- SG 430
- SG 450
My Sophos SG 230 is now working well as my default gateway/firewall for my home network – it’s been a great addition.