
Troubleshooting

This page explains how to fix common issues with the Sophos appliance.

My appliance doesn't boot when I first start it up.

During its first boot, the virtual machine (VM) checks for an internet connection by pinging sophos.com and waiting five seconds for a reply. This check is repeated up to six times. If no internet connection is detected, you must power off the VM and resolve the issue.

Follow the instructions for "No internet connection", then restart the VM.

No internet connection.

The VM needs to send and receive HTTP, HTTPS, DNS, and NTP. It also needs DHCP if the management network is configured for it.

Check the following:

  • If your firewall is using website filtering, can the virtual machine access these domains?

    • sophos.com: used for Sophos Central communication.
    • archive.ubuntu.com: used for base OS updates.
    • ntp.ubuntu.com: used for NTP time sync.
    • baltocdn.com: used for Helm package updates.
    • sophossecops.jfrog.io: used for our repository servers.
    • docker.io: used for ClickHouse and RedisDB containers.
    • amazon.com, amazonaws.com: used to upload data to S3 buckets.
  • Is a web proxy blocking internet access?
  • Is the Sophos appliance able to read network packets tagged with a VLAN ID on the management and syslog network interfaces?
  • If a manual IP was set up in Sophos Central, are the settings correct for the network that was assigned to MGMT during VM setup?
  • If you're using DHCP, does anything in your customer network environment prevent the VM from getting an IP address from the DHCP server? For example: firewalls, VLANs, proxies.
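
The domain checklist above can be run as a pre-flight test from a host on the management network. This is an added example, not Sophos code: it resolves each listed domain and then probes one port on it, and the port chosen per domain, the status labels and the function names are assumptions of the example.

```python
import socket

# Domains from the checklist above. The port probed for each one is an
# assumption of this example; the page only names the protocols in general.
TARGETS = [
    ("sophos.com", "tcp", 443),
    ("archive.ubuntu.com", "tcp", 80),
    ("ntp.ubuntu.com", "ntp", 123),
    ("baltocdn.com", "tcp", 443),
    ("sophossecops.jfrog.io", "tcp", 443),
    ("docker.io", "tcp", 443),
    ("amazonaws.com", "tcp", 443),
]

def resolve(host):
    """Return one IPv4 address for host; raises OSError if DNS fails."""
    return socket.getaddrinfo(host, None, socket.AF_INET)[0][4][0]

def probe(ip, kind, port, timeout=5.0):
    """Return True if ip answers: a TCP connect, or a reply to an NTP query."""
    if kind == "tcp":
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # 48-byte SNTP client request: LI=0, version=3, mode=3 (client).
        s.sendto(b"\x1b" + 47 * b"\0", (ip, port))
        reply, _ = s.recvfrom(512)
        # A server reply carries mode 4 in the low three bits of byte 0.
        return len(reply) >= 48 and reply[0] & 0x07 == 4

def check(targets=TARGETS, resolve=resolve, probe=probe):
    """Return {host: "ok" | "dns-failed" | "unreachable"} for every target."""
    results = {}
    for host, kind, port in targets:
        try:
            ip = resolve(host)
        except OSError:  # covers socket.gaierror
            results[host] = "dns-failed"
            continue
        try:
            results[host] = "ok" if probe(ip, kind, port) else "unreachable"
        except OSError:  # timeout, refused, no route
            results[host] = "unreachable"
    return results

if __name__ == "__main__":
    for host, status in check().items():
        print(f"{status:<12}{host}")
```

Run it from a machine behind the same firewall, proxy and VLAN as the MGMT interface. A `dns-failed` result points at DNS filtering or resolver settings, while `unreachable` points at a firewall, proxy or routing rule for that protocol.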

SPAN isn't working.

If you suspect SPAN isn't working, go to the NDR tab.

If SPAN 1 Unicast or SPAN 2 Unicast shows less than 100%, SPAN isn't working properly.

Sophos Central isn't receiving integration data.

Check the NDR or Integrations pages to see if data is being uploaded from the appliance.

If data is being sent, but not received in Sophos Central, you can contact the MDR engineering team. An engineer will access integration log files and resolve the issue.

Sophos Central isn't receiving integration data and the appliance (data collector) is Connected.

If the appliance status in Sophos Central is Connected, but data isn't reaching the Data Lake, check the status of the Dragonfly service in the dashboard's Advanced tab.

If the Dragonfly service is in the Pending state, and your VM is in an Enhanced vMotion Compatibility (EVC) cluster, check that the EVC mode is Skylake or later.

The Sophos appliance doesn't support running in EVC clusters in Sandy Bridge mode.