Firewall in failsafe mode

David,

are you using Sophos appliances or intel x86 hw?

The best way is to remove the HA, format the secondary unit and join it again inside the cluster.

Regards,

Hi Luk,

I'm using sophos appliances... How can I remove the HA format???

I have reset the device to the default configuration and the device initialize in failsafe mode too. Have I to do something more???

Thanks in advance!!

Regards,

David.

Hi David,

Select option 2. Reset to factory defaults >3. Reset configuration, report and signatures. This will reset the appliance to factory default settings.

Refer the below link to disable HA.

https://www.sophos.com/en-us/medialibrary/PDFs/documentation/SophosFirewall/Pocket%20Guides/DisableHighAvailabilityHA.pdf?la=en

Thanks

Hi Saching,

I can't follow this guide beacuse the device doesn't show me the menu... It only shows me the failsafe mode menu:

Sophos Firmware Version SFOS 16.01.2

Failsafe Mode

1. Device Console
2. Reset to Factory Defaults
3. Flush Device Reports
4. Remove Firewall Rules
5. Advanced Shell
6. Shutdown/Reboot Device
0. Exit

Select Menu Number [0-6]:

Can I do something from this menu??? The device doesn't let me access it via admin console neither....

Thanks in advance!!

Regards,

David.

Hi David,

Go to Device console and type : system ha disable.

This will disable HA and the appliance in Auxiliary mode shall restart to factory default. Restart the primary device to boot up in normal mode.

Thanks

Hi Saching,

as I said to you, this menu is not the normal menu, is the failsafe mode menu... If I select the option 1, the console doesn't let me run this command. I only can run this:

Sophos Firmware Version SFOS 16.01.2

failsafe> system
system System Configuration
Press <TAB> for see more options
failsafe> system
diagnostics Diagnose the Appliance
failsafe> system

If I run the system command and I press TAB, it only let me do this:

failsafe> system diagnostics
utilities Utilities to Diagnose the Appliance
failsafe> system diagnostics utilities
ping Send ICMP ECHO_REQUEST packets to network hosts
ping6 Send ICMPv6 ECHO_REQUEST packets to network hosts
ip IP utility from iproute2 package.
traceroute Print the route packets take to network host
dnslookup Query internet domain name servers for hostname resolving
bandwidth-monitor Monitors Bandwidth
traceroute6 Print the route packets take to network host
dnslookup6 Query internet domain name servers for hostname resolving
ip6 IPv6 utility from iproute2 package.
failsafe> system diagnostics utilities

Any idea more???

Thanks in advance.

Regards,

David.

Hi Saching,

as I said to you, this menu is not the normal menu, is the failsafe mode menu... If I select the option 1, the console doesn't let me run this command. I only can run this:

Sophos Firmware Version SFOS 16.01.2

failsafe> system
system System Configuration
Press <TAB> for see more options
failsafe> system
diagnostics Diagnose the Appliance
failsafe> system

If I run the system command and I press TAB, it only let me do this:

failsafe> system diagnostics
utilities Utilities to Diagnose the Appliance
failsafe> system diagnostics utilities
ping Send ICMP ECHO_REQUEST packets to network hosts
ping6 Send ICMPv6 ECHO_REQUEST packets to network hosts
ip IP utility from iproute2 package.
traceroute Print the route packets take to network host
dnslookup Query internet domain name servers for hostname resolving
bandwidth-monitor Monitors Bandwidth
traceroute6 Print the route packets take to network host
dnslookup6 Query internet domain name servers for hostname resolving
ip6 IPv6 utility from iproute2 package.
failsafe> system diagnostics utilities

Any idea more???

Thanks in advance.

Regards,

David.

HI David, 

As per my observation, you device went in Failsafe mode. 

You would need to reset the device to default and configure the address on your interface which different from your primary appliance. Once the Address is pingable from both end you may enable HA on your Primary appliance . At this stage, your Secondary would reboot and would be configured. 

To check the system is in HA , you may check  on your primary appliance by the command provided by Sachin . 

To reset the Device you would need to Select Option 2. 

Note If the device again went to failsafe mode then you may need to contact support to check the device .

Hi Aditya,

I have reset the appliance more than one times but the appliance boots ,every time, in failsafe mode... I can't configure any port. I'm able to see that the port 0 is configured with the IP address 172.16.16.16, but I can't ping it....

I'm going to contact to the support team but is very strange....

Thanks to all for your help and Merry Christmas to all!!

Kind Regards,

David.

Hi All,

I've the same issue, very unstable, the only way to solve is reimage the unit.

I've had open  a case, and the only way is reimage the unit.

Any other idea related to the issue.

Regards,

Wisnu

Hi Wisnu,

 There are various reasons for failing into Failsafe mode, This would include database corruption, fail to load configuration etc and would suggest  to keep a backup file to re-image and load the backup . 

how do you reimage one of the hardware appliances?

i have one unit that's in failsafe and reset to default is not fixing it

Hello,

You can connect your appliance through console cable and restart device and press enter to go to the boot menu and select boot loader and follow the steps to update new firmware from scratch.

For detail steps refer below link.

Good luck!!!

Regards, Ronak.

i found that KB, but where do i get the .img files from?, the ones i have are all .gpg (for example: HW-SFOS_17.0.1_MR-1.SF110-98.gpg ) and when i try to use it it says that "this image is not for this device"

Hi,

you must download it from Sophos... In "My Sophos" page, you will be able to download the image...

https://www.sophos.com/en-us/mysophos/my-account/network-protection/download-installers.aspx

From this page, you will be able to download the image in .iso format...

Regards

David