r/sophos

▲ 1 r/sophos

Sophos heartbeat blocks devices during OOBE

Scenario: Sophos XGS and Sophos MDR endpoint. The minimum heartbeat level is set to yellow. The box for "block endpoints with missing heartbeats" is NOT checked.

Windows device has a failed SSD and needs to be re-imaged. During Windows 11 OOBE, you can't go through the process because the network access to the device is cut off. The only way to get around this is to disable the minimum heartbeat level in Sophos Central.

Is this expected behavior? This makes the "minimum heartbeat" setting pretty useless for us. I can't go around disabling this every time I have to image a workstation.

reddit.com
u/4zc0b42 — 7 days ago
▲ 1 r/sophos

Sophos XG115W Firewall - Need some help reimaging

I started a really great helpdesk job about a year ago and the project success manager was asking me where I want to go with my career and what kinds of projects I want to shadow.

At the time, I was struggling with a ticket about a firewall, so I told him that I wanted to learn more about firewalls. The next day, he left an old Sophos XG115W firewall on my desk and told me that I could have it to play around with.

I brought it home and started the process of reimaging it. I bought a VGA to HDMI cord so I could monitor the process.

I plugged it into power only, plugged in the VGA to HDMI to my monitor, and used RUFUS to put the image on a USB that I had.

I followed this KB - Reimage the firewall using a USB flash drive - Sophos Firewall

I used this image -

https://preview.redd.it/mxvjn5p6kt9h1.png?width=1250&format=png&auto=webp&s=f7d0f3d6512f520451773c7ed68b9f70da07400d

I plugged the USB in and turned on the firewall. It turns on, but nothing comes up on the screen, the top light stays green, the bottom light occasionally flashes a little orange. I read that it's supposed to turn red when it's going through the reimaging process.

So far, I've tried reformatting the USB - it's formatted to Fat32, I've tried using belenaetcher rather than RUFUS like the tutorial says, I've tried an older version of the image -

https://preview.redd.it/f3i75v66kt9h1.png?width=1362&format=png&auto=webp&s=8f3e6189652ba3aef1f3ecbe3844d6e9ccd31552

Not sure what I'm doing wrong. Any tips would be appreciated.

I'm thinking that the VGA to HDMI isn't going to work, is there another way that I can view what's happening on the device? I read a little bit about serial/COM ports, but I would need assistance picking out the right one.

reddit.com
u/No_Onion_3665 — 9 days ago
▲ 1 r/sophos

UTM Migration - SFOS v22 keeps rebooting

I'm trying to migrate my Home Use UTM to SFOS. I just installed SW v22.0.0.411 on a Dell XE4 SFF but once installation finished, it just goes into a boot loop.

Any ideas as to why or how to troubleshoot? I've disabled Secure boot, Intel SpeedStep and C-States Control in the BIOS.

reddit.com
u/jeffshead — 10 days ago
▲ 1 r/sophos

SG to XGS (DNS Forwarder)

Hi,

I am doing Firewall Migration from UTM to XGS.

In the SG was DNS Forwarder the ip address of the WAN router.

How to configure that in XGS?

reddit.com
u/Objective-Anxiety410 — 9 days ago
▲ 1 r/sophos

Sophos UTM EOL and REDs and VPNs

Good morning fellow admins,

I have a question regarding the Sophos UTM end of life and Sophos RED devices. Will the REDs still work after June 30th? The UTM license is still valid for another 2 weeks. I received my XGS very late and only have 2 days to familiarize with the system and prepare the configuration. So if the REDs and software VPNs will still work after June 30th, I would have more time to prepare the migration.

Best regards
Thomas

reddit.com
u/Alrik4 — 11 days ago
▲ 7 r/sophos

FortiBleed and Sophos

After hearing of the FortiBleed incident, I read that Sophos had been caught up in the mix and may have been impacted. Sophos says they haven't, there was no offensive use of any unknown vulnerability. But Sophos ran an investigation and published an advisory - thank you for the transparency here - and have only just updated the response to include more concrete findings.

Some Sophos devices were opportunistically attacked. Just because they were on the open internet.

The update is short and succinct... these devices, and many more, are _STILL_ operating on the internet, reachable by anyone and exposing VPN portals and SSH interfaces without additional and NECESSARY controls.

No MFA on the VPN portal.

No Public Key Auth on the SSH service.

https://www.sophos.com/en-us/security-advisories/fortinet-fortibleed-credential-exposure-and-sophos-vpn-bruteforcing-campaign

Please, anyone else who is exposing these services, PROTECT THEM. Properly.

Although there's no direct impact to Sophos, attackers will continue to opportunistically look for ways into an environment for fun and profit.

Personally, I don't like exposing SSH directly to the world, it should be heavily filtered/firewalled to only allow defined origins. Better yet, put it behind a VPN!

As for the VPN, I'm looking at the ZTNA functionality on the Sophos device to have a better user experience and enforcing MFA!

reddit.com
u/awwwww_man — 12 days ago
▲ 12 r/sophos

Live AMA with Sophos CTO John Peterson: AI, the agentic SOC, and the technology decisions behind building (and defending against) frontier AI - June 23, 2026

Hi r/sophos 👋  
 
We're live. I'm John Peterson, CTO at r/sophos , here to take your questions on AI, the agentic SOC, and the engineering decisions behind how we're building (and defending against) frontier AI.

Drop them below - we'll be responding in real time. 

Live Response Window

  • Tuesday, June 23 
  • 13:00–15:00 BST | 08:00–10:00 EDT | 12:00–14:00 UTC
  • I'll circle back to additional questions over the following 24 hours

 

💬 What to ask

  • What an agentic SOC actually looks like once it's running real workflows 
  • Securing the AI footprint enterprises are rapidly building (copilots, agents, model APIs, MCP servers), and where the biggest risks are showing up 
  • Human-in-the-loop, human-on-the-loop, and where those models actually hold up in production
  • The engineering trade-offs of building AI-driven security, including what didn't work

📌 A few housekeeping notes

  • Keep questions focused on cybersecurity and AI
  • Don’t share sensitive configuration or environment details
  • This is a discussion, not a support session, but i aim to be as helpful as possible and if it’s related to my world, i'm happy to help with any issues you may be having. If not i can triage you to our support function or the correct team
  • Be respectful, even when you disagree

 

Let's get into it.

https://preview.redd.it/baw4bkaqu09h1.jpg?width=1200&format=pjpg&auto=webp&s=55798967e996c5c785713465f72f793d0579998c

reddit.com
u/jpeterson7755 — 13 days ago
▲ 4 r/sophos

New Sophos Academy Interface

Hi guys, just logged into the new sophos academy interface and im pretty overrun.
I just cant seem to find my way around in it. Looking back i enjoyed the simple style of the old interface, but there surely is no way of going back. With time maybe I'll find my way around.

To the question, where can i now see my own completed certifications and courses and their respective expiration date ? In the FAQ the explanation to finding my certs doesnt lead me anywhere, but surely there is still an overview somewhere.

reddit.com
u/Virtual_Fondant7424 — 10 days ago
▲ 2 r/sophos

Question About Intelix Analysis Discrepancy

Thanks again to the Sophos team for resolving the false positive on my domain after my previous post. VirusTotal is now clean.

I noticed that in the Intelix portal,
Cloud Lookup reports low risk and
Page Content Analysis shows Likely Clean, but
Hosting Context Analysis still classifies the domain as malicious/spyware with a medium risk score.

(Please see the screenshot)

Is this simply a synchronization delay between different data sources, and will it resolve automatically over time?
Hoping to get some clarification again. Thanks!

u/FillNo4074 — 12 days ago