We are pleased to welcome you as a new customer of our Sophos SG appliances.
To install and configure the hardware appliance you can use the following
documents:
Ì Hardware Quick Start Guide: Connection to the
system peripherals in a few steps
Ì Operating Instructions: Notes on the security and
commissioning of the hardware appliance
Ì Administration Guide: Installing and configuring the software appliance
The Hardware Quick Start Guide and the Safety Instructions are also delivered
in printed form together with the hardware appliance. The instructions must be
read carefully prior to using the hardware and should be kept in a safe place.
You may download all user manuals and additional documentation from the
support webpage at: sophos.com/support
Security Symbols
The following symbol and its meaning appears in the Hardware Quick Start
Guide, Safety Instructions and in these Operating Instructions.
Caution and Important Note. If these notes are not correctly observed:
Ì This is dangerous to life and the environment
Ì The appliance may be damaged
Ì The functions of the appliance will be no longer guaranteed
Ì Sophos shall not be liable for damages arising from a
failure to comply with the Safety Instructions
Designed Use
The hardware appliances are developed for use in networks. The SG 550/650
models may be operated as a standalone appliance. The hardware appliance can
be used in commercial, industrial and residential environments.
The SG 550/650 models belong to the appliance group A.
The hardware appliance must be installed pursuant to the current installation
notes. Otherwise failure-free and safe operation cannot be guaranteed. The EU
declaration of conformity is available at the following address:
The SG 550/650 appliances comply with FCC Class A, CE, C-Tick, VCCI and UL.
Important Note: For computer systems to remain CE and FCC compliant, only CE
and FCC compliant parts may be used. Maintaining CE and FCC compliance also
requires proper cable and cabling techniques.
Operating Elements and Connections
SG 550 Rev. 2
2 x hot-swap
SSD (RAID-1)
2 x management port
2 x USB 2.0
Navigation
for LCD
1 x COM (RJ45)
Multi-function LCD display
SG 650 Rev. 2
2 x hot-swap
SSD (RAID-1)
Navigation
for LCD
2 x management port
2 x USB 2.0
1 x COM (RJ45)
Multi-function LCD display
SG 550/650 Rev. 2
1 x USB 3.0 1 x VGA portPower switch
4 x swappable fan
4 expansion bays for Flexi Port
modules. 1 x 8 port GbE copper module
supplied as default (removable)
6 expansion bays for Flexi Port
modules. 1 x 8 port GbE copper module
supplied as default (removable)
2 x hot swappable
power supply
2SG 550/650 Rev. 2
Page 4
Operating Instructions
LED Status
Power (LED Display)
Power SupplyRed
PowerGreen
SSD ACTYellow
SSD ActiveRed
LEDs on each RJ45 Ethernet connector
ACT/LNK
(Left LED)
Green Constantly1. The Ethernet port is receiving power.
FlashingThe adapter is sending or receiving network data. The
Off 1. The adapter and switch are not receiving power.
2. Good connection between the Ethernet port and hub.
frequency of the flashes varies with the amount of traffic.
2. No connection between both ends of network.
3. Network drivers have not been loaded
or do not function correctly.
SOPHOS
Protection
UTM 9.xxx
10 days 01:43:17
CPU xx%
xx% yy% zz%
RAM x% y GB
SWAP x% y GB
all in x kbits/sec
out y kbits/sec
Speed
(Right LED)
Back side
Power Supply Green ConstantlyPower
Amber On The Ethernet port is operating at 1,000 Mbps.
Green On The Ethernet port is operating at 100 Mbps.
OffThe Ethernet port is operating at 10 Mbps.
OffNo power
LCD and Control Keys
The Sophos SG 430/450 units have an LCD and an operating unit with four
membrane keys. In the LCD, 16 characters per line can be displayed. The display
contains in four cycling views information on the hardware and specific system
states.
After the security appliance has booted this message is displayed.
Sophos UTM version and Appliance Uptime
CPU load information and Average Load in the last 1, 5 and 15 minutes
Memory usage
Traffic on interface
3SG 550/650 Rev. 2
Page 5
Operating Instructions
Executable Actions
Ì Change IP Address: This option enables the user to change the interface’s IP
address and netmask. All available and enabled IP addresses can be changed.
Ì Reboot machine: The security appliance is rebooted. The reboot
action will shut down the system completely and reboot.
Ì Shut down: The security appliance is shut down. The shut down action allows
you to turn off the system, and allows you to cleanly stop all running services.
Ì Factory reset: All settings are reset to the factory settings. The factory
reset function sets all of the configuration settings and options to their
original state. All data entered after the initial installation will be deleted,
including the HTTP proxy cache, the entire email queue, accounting
and reporting data, passwords, and uninstalled Up2Date packages.
The version of the software will not change. That is, all firmware
and pattern updates that have been installed will be retained.
Ì Disable OTP (One Time Password) authentication: The OTP
authentication will be disabled for the selected options. This feature
only handles webadmin and shell access options if they are enabled.
Control Key Functions
The current menu is left. When the key is pressed a couple of times, the
modifications are discarded and the initial state will be displayed.
These keys are used to switch between the different menus and/or characters.
Pressing executes the configured action.
Change IP Address
S.NO. Action Item/press What you see on the LCDWhat it means
1.
2.
3.
4.
5.
6.
or
7.
8.
9.Saves changed IP address
Config menu
1. Change IP addr
Interface eth0
192.168.0.1/24
IP address (Eth0)
192.168.0.1
IP address (Eth0)
192.168.0.1
eth0 Netmask
24
Selects interface
Edit IP address
Changes digit at cursor position
Moves cursor to the
next right position
Exits edit mode without saving
Displays netmask value after
the last IP address digit
Change netmask value
and netmask
4SG 550/650 Rev. 2
Page 6
Operating Instructions
Reboot Machine
S.NO. Action Item/press What you see on the LCDWhat it means
1.
Config menu
1. Change IP addr
2.
x1
3.
4.
5.
Config menu
2. Reboot Machine
Shutting down
Are you sure? n
Toggles between “y“ and “n“
Selects choice
Shut Down
S.NO. Action Item/press What you see on the LCDWhat it means
1.
2.
x2
3.
4.
5.
Config menu
1. Change IP addr
Config menu
3. Shutdown
Rebooting
Are you sure? n
Toggles between “y“ and “n“
Selects choice
Shut Down
S.NO. Action Item/press What you see on the LCDWhat it means
1.
Config menu
1. Change IP addr
2.
x3
3.
4.
5.
Config menu
4. Factory Reset
All Data erased!
Are you sure? n
Toggles between “y“ and “n“
Selects choice
5SG 550/650 Rev. 2
Page 7
Operating Instructions
Disabling OTP (One Time Password) Authentication
S.NO. Action Item/press What you see on the LCDWhat it means
1.
Config menu
1. Change IP addr
2.
x4
3.
or
4.Selects feature to
5.
6.
7.
Config menu
5. OTP Recovery
Disable OTP
Not available
Disable OTP
xxxxxx
Disable xxxxxx
Are you sure? n
Displayed if no option to
disable is available
disable (if enabled)
Toggles between “y“ and “n“
Selects choice
Putting into Operation
Caution: Risk of explosion if battery is replaced by an incorrect type. Dispose of
used batteries according to the instructions.
Scope of Supply
The supplied parts are indicated in the Hardware Quick Start Guide.
Mounting Instructions
The SG 550/650 appliances are designed for use in racks. Please consider the
following security tips:
Important Note: Functional reliability outside of a rack cannot be guaranteed.
Warnings and Precautions
The appliance can be operated safely if you observe the following notes and the
notes on the appliance itself.
6SG 550/650 Rev. 2
Page 8
Operating Instructions
Rack Precautions
Ì Ensure that the leveling jacks on the bottom of the rack are fully
extended to the floor with the full weight of the rack resting on them.
Ì In single rack installation, stabilizers should be attached to the rack.
Ì In multiple rack installations, the racks should be coupled together.
Ì Always make sure the rack is stable before
extending a component from the rack.
Ì You should extend only one component at a time—extending two or
more simultaneously may cause the rack to become unstable.
General Server Precautions
Ì Review the electrical and general safety precautions that came
with the components you are adding to your appliance.
Ì Determine the placement of each component in
the rack before you install the rails.
Ì Install the heaviest server components on the
bottom of the rack first, and then work up.
Ì Allow the hot plug hard drives and power supply
modules to cool before touching them.
Ì Always keep the rack‘s front door, all panels and server components
closed when not servicing to maintain proper cooling.
Rack Mounting Considerations
Ì Ambient operating temperature: If installed in a closed or multi-unit rack
assembly, the ambient operating temperature of the rack environment
may be greater than the ambient temperature of the room. Therefore,
you should install the equipment in an environment compatible
with the manufacturer’s maximum rated ambient temperature.
Ì Reduced airflow: Equipment should be mounted into
a rack with sufficient airflow to allow cooling.
Ì Mechanical loading: Equipment should be mounted into a rack so that a
hazardous condition does not arise due to uneven mechanical loading.
Ì Circuit overloading: Consideration should be given to the connection
of the equipment to the power supply circuitry and the effect that any
possible overloading of circuits might have on overcurrent protection
and power supply wiring. Appropriate consideration of equipment
nameplate ratings should be used when addressing this concern.
Ì Reliable ground: Reliable grounding must be maintained at all times.
To ensure this, the rack itself should be grounded. Particular attention
should be given to power supply connections other than the direct
connections to the branch circuit (i.e., the use of power strips, etc.).
7SG 550/650 Rev. 2
Page 9
Operating Instructions
Rack Mounting Instructions
To mount the appliance to the rack you need the delivered rack-mount kits.
There are a variety of rack units on the market, which may mean the assembly
procedure will differ slightly. You should also refer to the installation instructions
that came with the rack unit you are using.
Because of their dimension and weight the SG 550/650 models are delivered
with a special rail kit.
Important Note: Make sure you use the screws supplied with the rack-mount
kits. Using the wrong screws could damage the hardware appliance and would
invalidate your warranty. Please observe the mounting instructions for your rack.
1. Attach the rack-mount kits to the appliance.
Place the appliance on a hard, flat surface with the front panel facing you.
Attach the rack–mount kits to the left and right side of the appliance with
the supplied screws.
Make sure the kits are properly attached to the appliance.
Important note: The rails for SG 550/650 will fit a rack of
600 mm/23.6” deep.
2. Choose the rack location.
Leave enough clearance in front of the rack so that you can open the front
door completely (~60 cm/25 inches).
Leave approximately 80 cm/30 inches of clearance in the back of the rack
to allow for sufficient airflow and ease in servicing.
This product is for installation only in a restricted access location (dedicated
equipment rooms, service closets and the like).
3. Slide the appliance into the rack.
Please refer to the dedicated sliding rails mounting instructions from the
scop of supply.
Connection and Configuration
How to connect the appliance is described in the Hardware Quick Start Guide. For
configuration you can follow the initial setup wizard described in the WebAdmin
Quick Start Guide or cancel it and perform a manual setup (see the Sophos SG
Firewall Administrator Guide).
8SG 550/650 Rev. 2
Page 10
Operating Instructions
RAID (SSD) System
The SG 550/650 model are equipped with a RAID system with two Solid State
Drive. A RAID system (redundant array of independent disks) connects several
physical Solid State Drive to one particularly performing logical drive. This
type of Solid State Drive system enhances the transfer rate and data security.
Additionally, a RAID system increases the availability of the security appliance
since a defective Solid State Drive can easily and quickly be exchanged—it is not
necessary to shut down the system.
Important note: If you need to change a Solid State Drive because of a defect,
remember to remove the defective Solid State Drive from the RAID system,
otherwise the complete security appliance will fail. Please note that the safe
operation of the hardware appliance is only ensured in the long term if both
Solid State Drive are working. Immediately exchange damaged Solid State Drive.
Only use Solid State Drive which you purchased directly from Sophos or from
a Sophos distribution partner. Please remember that any warranty claims are
voided for the appliance if a defect has been caused by the use of Solid State
Drive which are not suited for the system.
Exchanging the hard disk
1. Identify the defective Solid State Drive.
In the event of a hardware defect the FAIL LED of the respective Solid State
Drive will turn on e.g., SSD 1 (upper Solid State Drive).
2. Open the Solid State Drive latch.
3. Unlock the Solid State Drive by pushing the latch to
the left and pulling the lever in your direction.
4. Remove the Solid State Drive from the chassis.
5. Now, insert the new Solid State Drive into the chassis.
6. Lock the Solid State Drive by pushing the lever in the direction
of the chassis. Lock the latch at the Solid State Drive.
Important note: Except for short periods of time (e.g., swapping Solid State
Drives), do not operate the server with an empty Solid State Drive.
As soon as the security appliance detects the new Solid State Drive, the existing
hard disk is mirrored to the new Solid State Drive. This process may take 30
minutes or more.
Redundant Power Supply
The SG 550/650 models are equipped with a redundant power supply. The power
supply system consists of two separate power supply units. This power supply
system increases the availability of the security appliance, since a defective
power supply unit can be exchanged easily and quickly during operation.
When the system is running error-free, LED on the back of the appliance shows
green. In the event of a hardware defect in one of the power supply units these
LEDs will turn red and you will hear a continuous beeping sound. The warning
sound can be reset by pressing the red buzzer reset switch on the system
chassis. This buzzer reset switch is on the back of the appliance right beside the
power supply system.
9SG 550/650 Rev. 2
Page 11
Operating Instructions
Important note: If you need to change a power unit because of a defect,
remember to remove the defective power unit from the power supply system,
otherwise the whole security appliance will fail.
Protect yourself from potential burns by wearing protective gloves when
exchanging a power supply unit.
Only use power units which you purchased directly from Sophos or from a
Sophos distribution partner. Please remember that any warranty claims are
voided for the security appliance if a defect has been caused by the use of power
units which are not suited for the system.
Exchanging a power supply unit
1. Identify the defective power supply unit.
Locate the defective power supply unit by examining the individual LEDs of
each unit—no LED light indicates a failure of the unit.
2. On the right side, open the interlock of the power supply unit.
3. Use the special bracket to pull the power supply unit out of the chassis.
4. Now, insert the new power supply unit into the chassis.
5. Lock the new power supply unit.
Plug the power cable back into the connector of the new power supply unit
and check the following LED displays:
LED of the new power supply unit lights green. As soon as the new power
supply unit is detected and functional, the beeping sound will disappear.
SFP GBIC Ports
The SG 550/650 models provide the option to add Sophos FleXi Port network
modules with SFP (1 GbE) or SFP+ (1/10GbE) GBIC Ports. The abbreviation SFP
GBIC stands for small form-factore plugable GigaBit interface converter, a flexible
interface which changes electronic signals into optical signals. The converters
used with the appliance are often also called Mini-GBIC or New GBIC.
To use SFP GBIC ports, you will need the appropriate SFP GBIC modules. These
modules are not delivered with the appliance but available through your Sophos
partner. There are different module types. The required type is determined by the
existing network. The following SFP GBIC module types may be used:
SFP:
1000 Base-T
IEEE 802.3 - 1 Gbit/s via Ethernet cable. An Ethernet cable category 5 covers a
maximum distance about 100 meters.
1000 Base-SX
IEEE 802.3 - 1 Gbit/s via fiberglass. Multi-mode fiberglass cables (MMF) cover a
distance of 200 m to 550 m.
1000 Base-LX
IEEE 802.3 - 1 Gbit/s via fiberglass. Here, exclusively singlemode-fiber glass is
used. This transmission option covers approximately 10 km.
10SG 550/650 Rev. 2
Page 12
Operating Instructions
SFP+:
10GBase-SR
IEEE 802.3 - 10 Gbit/s via fiberglass. Multi-mode fiberglas cables cover a
distance of up to 400 m.
10GBase-LR
IEEE 802.3 - 10 Gbit/s via fiberglass. Single-mode fiberglas cover a distance of
approximately 10 km
Note: The SFP+ ports of the Sophos FleXi Port modules are dual-rate capable
supporting both 1GbE and 10GbE speeds when using appropriate GBICs also
supporting both rates.
Caution: The SFP GBIC and SFP+ ports use lasers to transmit signals over
fiber optic cable. The lasers are compliant with the requirements of a Class 1
Laser equipment and are inherently eye-safe in normal operation. However, you
should never look directly at a transmit port when it is powered on. Always install
appropriate and UL approved Laser Class I Transceivers, rated 3.3Vdc, max. 1W,
in the fiber ports before using the fiber ports.
Installing a SFP GBIC module:
Please read the operation manual to the SFP GBIC module. Carefully insert the
SFP GBIC module into the port until it engages. The interface is immediately
ready for use.
Removing a SFP GBIC module:
1. Remove the fiberglass cable from the module which you wish to remove.
2. Remove the module carefully from the port.
Depending on when you purchased your SFP GBIC module, it may have any
of three different release mechanisms: a plastic tab on the bottom of the
mini-GBIC, a wire bail, or a plastic collar around the mini-GBIC.
Please read the operation manual to the SFP GBIC module.
Serial Console
You can connect a serial console to the COM port of the Sophos SG Firewall
hardware appliances. You can use, for instance, the Hyperterminal terminal
program which is included with most versions of Microsoft Windows to log on to
the appliance console. Use the provided RJ45 to DB9 adapter cable to connect
the console to your hardware appliance.
The required connection settings are:
Ì Bits per second: 38,400
Ì Data bits: 8
Ì Parity: N (none)
Ì Stop bits: 1
Access via the serial console is activated by default on ttyS1. The connections of
the appliances and the respective functionality are listed in chapter “Operating
Elements and Connections.”
11SG 550/650 Rev. 2
Page 13
Operating Instructions
United Kingdom and Worldwide Sales
Tel: +44 (0)8447 671131
Email: sales@sophos.com