Sophos XG: Installing on a Qotom Q355G4

This guide covers installing the Sophos XG Home (V17-MR3) firewall on a Qotom Q355G4.

1. Download the “Firewall OS Software ISO for Intel Hardware” under “Software Installers” from the official Sophos website (www.sophos.com).

Note: You will have to create an account/register to receive the download link and a home use serial number, which is required if you want to use Sophos XG beyond the 30-day trial.

2. Burn the ISO to a USB drive using a program like Etcher (www.etcher.io).

3. Start up the Qotom Q355G4 and press the ‘DEL’ key during the boot up process to access the BIOS.

4. In the BIOS, select the ‘Advanced’ tab and open the ‘USB Configuration’ page. From there, set ‘XHCI Mode’ to ‘Disabled’, exit the BIOS and restart the device with the USB drive plugged in. Depending on your setup, this step may not be required. Disabling XHCI Mode will make your on-board USB 3.0 ports function like USB 2.0 ports. A reader reports in the comments below that their USB keyboard and mouse stopped working after disabling it.

Note: I recommend setting the ‘Restore From AC Power Loss’ option so that the device turns on automatically after a power loss event.

5. With the USB drive plugged in, press ‘F10’ during boot up and select the USB drive as your boot device.

Note: If ‘F10’ is not working, you can also go back into the BIOS and select ‘UEFI: <your USB drive name>’ under ‘Save & Exit’ -> ‘Boot Override’. This will force a boot to your USB drive.

6. Follow the installation instructions. Once the initial part of the installation is complete, you will be asked to remove the install media and reboot the device. After the reboot, the setup process continues and eventually leads to a prompt asking for a password. At this point, Sophos XG is up and running, and you only need to log in if you need to shut down the device or wish to configure Sophos XG from the console. The default password is ‘admin’.

7. Connect a computer to Port 1 on the Q355G4 (this is ‘eth0’ within Sophos XG). Sophos XG will automatically assign an IP address as it has a DHCP server running by default. Connect the internet modem to Port 4 on the Q355G4 (this is actually ‘eth1’ within Sophos XG).

Note: The Qotom Q355G4 network ports aren’t in the order listed on the physical device. The ports labeled 1-2-3-4 on the physical device are actually ports 1-3-4-2 within Sophos XG (which is technically eth0-eth2-eth3-eth1). Additionally, connecting your internet modem to Port 4 isn’t required unless you want to activate Sophos XG during the initial setup. You can choose to skip the activation process and do it at a later time.

8. From your web browser, access the web GUI by browsing to https://172.16.16.16:4444

9. Your browser will show a security/error message about the website’s security certificate, which you can ignore and continue browsing to the website. This occurs because your web browser does not have the Sophos XG SSL certificate and so cannot verify it.

10. Follow the Sophos XG Configuration Wizard.
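
For step 9, rather than clicking through the certificate warning blind on every visit, you can record the certificate fingerprint on first contact and compare it on later connections (trust on first use). This is an added example, not part of the original guide or of Sophos tooling; the pin file name xg_pins.json and the function names are assumptions.

```python
import hashlib
import hmac
import json
import socket
import ssl
from pathlib import Path

PIN_FILE = Path("xg_pins.json")  # hypothetical local pin store (assumption)


def fingerprint(der: bytes) -> str:
    """SHA-256 of the DER certificate as colon-separated upper-case hex."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalise(fp: str) -> str:
    """Accept 'AA:BB', 'aa bb' or 'aabb' style fingerprints."""
    return "".join(c for c in fp if c not in ": \t").upper()


def fetch_der(host: str, port: int, timeout: float = 5.0) -> bytes:
    """Fetch the leaf certificate without validating it (not trusted yet)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def check_pin(endpoint: str, der: bytes, store: dict) -> str:
    """Trust on first use: returns 'pinned', 'match' or 'MISMATCH'."""
    seen = fingerprint(der)
    known = store.get(endpoint)
    if known is None:
        store[endpoint] = seen        # first contact: remember this certificate
        return "pinned"
    same = hmac.compare_digest(normalise(known), normalise(seen))
    return "match" if same else "MISMATCH"


if __name__ == "__main__":
    endpoint = "172.16.16.16:4444"    # web GUI address from step 8
    store = json.loads(PIN_FILE.read_text()) if PIN_FILE.exists() else {}
    host, port = endpoint.rsplit(":", 1)
    der = fetch_der(host, int(port))
    print(endpoint, fingerprint(der), check_pin(endpoint, der, store))
    PIN_FILE.write_text(json.dumps(store, indent=2))
```

Run it once from the computer on Port 1 right after installation, then compare the printed fingerprint with the one your browser shows in its certificate details; a later MISMATCH means the certificate presented at that address has changed.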

Note: Many users of the Qotom devices have reported lower CPU temperatures by reapplying the thermal paste between the CPU and heat sink. I used this Arctic Silver kit which includes cleaning solution and non-conductive thermal paste.

12 thoughts on “Sophos XG: Installing on a Qotom Q355G4”

  1. Interestingly I have a pretty extensive HA setup, and noticed this thread after finding your site while looking around for Home Assistant stuff.

    I was / am looking to do something similar to the above and I bought a QOTOM Core i5 Mini PC with 8GB RAM 128GB SSD from Amazon. It came with pfSense pre-installed and that worked. However, I also wanted to see how it ran Ubuntu, so I booted it to a USB live image and began re-partitioning the drive. After a reboot, neither the BIOS nor (now) any installation source sees the drive anymore.

    I’ve re-seated the drive, tried an old laptop SATA etc, I was hoping as someone with a working system you could give me insight into the correct BIOS settings for an internal msata SSD, as no attached SSDs seem to show up anymore.

    I’ve not really messed with msata SSDs much. Is it possible that the entire unit has failed? It only boots to the AMI BIOS setup, and it was surprisingly hot.

    Any suggestions would be great, TIA
    Chris

    1. Unfortunately I don’t have my Qotom hooked up to a display and it’s not in a location anywhere near a TV currently. Have you tried resetting everything in the BIOS back to factory defaults? I suppose it is possible the SSD has failed but that would be strange considering it appeared to be working fine just prior to re-partitioning. The only thing I can think of is resetting all of the BIOS settings to the factory default but if it’s still not detecting the drive at all in the BIOS, I’d suspect the SSD has gone bad.

    1. No specific reason. I’ve never used UTM but Sophos XG does everything I need and my understanding is that it’s their “newer” firewall, so I figured I’d go with what will most likely be supported long term. From what I’ve read, there are still things XG can’t do compared to UTM so if there are specific features you need, I’d probably make sure XG supports it if you decide to go that route.

    2. There is so much confusion regarding the Sophos firewalls names/models/etc. Basically, there are two firewall platforms… UTM9 and SFOS (Sophos Firewall OS). UTM (and ASG, before the Astaros were re-branded) was the hardware platform that exclusively ran UTM9 (and UTM8 previously). Then came the SG hardware. These were pre-installed with UTM9. Once the “next generation” firewall OS was ready (SFOS), it was released on a new hardware platform…the XG. At this point, the SG and XG hardware was exactly the same…except for which OS was pre-installed. You could “downgrade” an XG to UTM9 and “upgrade” an SG to SFOS.

      Unfortunately, due to marketing and so forth… SG is now synonymous with UTM9 and XG is synonymous with SFOS. (even though SG and XG hardware can run both UTM9 and SFOS)

      That being said…SFOS IS the future for Sophos. But there are also compelling reasons to run SFOS at home over UTM9. First off, the UTM9 home license limits you to 50 internal IPs (may be 100 now). The SFOS license only limits you to 4 CPU cores and 6GB of RAM (VERY GENEROUS!).

      Ok, I’m done.

  2. I tried these steps. I disabled xhci and now my keyboard and mouse don’t work and I have no way to go into the BIOS to enable it. Do you know how to reset the bios?

    1. Unfortunately, I don’t know how to reset the BIOS. I’m sure you already tried but did you swap to different USB ports? Emailing Qotom support might be the best bet.

    1. This was simply to get the screenshots for the tutorial. I just installed it like any other OS in virtualbox and selected Ubuntu 64-bit as the OS (since there isn’t an option for Sophos XG). In my home network, I’m running Sophos XG directly on my Qotom Q335G4 (bare metal).

  3. I got the installer to run, then it says to reboot, then it says it can’t find a boot device. Any ideas? Doesn’t make sense at all to me.

    1. That’s very strange. The only thing I could think of is maybe messing with the boot order of the HDD (although it shouldn’t really matter) in the BIOS or maybe trying a different Sophos XG build? I haven’t messed with the installer since I wrote this article.
