Getting a Cyberoam device to be upgraded to Sophos XG home

sophos-cyberoam-xg-home.md

These are really rough notes of my process. They maybe helpful to someone else, or may just be a useful reminder to me later.

Sophos XG in their netx gen product and it does more than the UTM product: https://news.sophos.com/en-us/2015/11/10/sophos-xg-firewall-a-network-security-ecosystem-with-many-innovations/

How can I build one using their free XG home software?

There are a bunch of bare bones devices that can run XG Home Edition at around $250 to $300.

I was looking for a cheap way to build this and looking on ebay I saw a bunch of pfsense upgradable devices.

There was also one seller that had a cyberoam device for sale in the same $150 price range, but it was in Netherlands: https://www.ebay.com/itm/Cyberoam-CR25wiNG-SFOS-17-Sophos-XG-firmware-WIFI/222806880153?hash=item33e0532f99:g:5~kAAOSwicpaZkc3

That device got me to see that sophos XG would run... so why not XG Home

CyberRoam devices can be upgraded to Sophos XG Enterprise - http://docs.sophos.com/nsg/sophos-firewall/v16012/PDF/Cyberoam%20to%20Sophos%20Firewall%20Migration%20Guide.pdf

So I found the cheapest device I could at $100 + shipping - Cyberoam CR35i NG Security Appliance - 2.3 Gbps Firewall Throughput 6x GbE Ports https://www.ebay.com/itm/Cyberoam-CR35i-NG-Security-Appliance-2-3-Gbps-Firewall-Throughput-6x-GbE-Ports/183045852584?hash=item2a9e620da8:g:A4AAAOSwdTJaZ9GY&autorefresh=true

Details from Cyberoam about the CR35iNG: https://www.cyberoam.com/downloads/datasheet/CR35iNG.html

The model number of the device is SCB-6905 and that matches up with an AEWIN OEM box that looks really similar: http://www.aewin.com.tw/en/products/p/197/SCB-6905 http://www.aewin.com.tw/uploads/editor/images/scb-6905(1).jpg http://www.aewin.com.tw/uploads/editor/images/scb-6905(1).jpg

It was cheap because the license was expired, and because it has very loud failing cooling fans. Both are fixable problems.

The fan on top of the CPU was failing and was shedding black plastic dust into the case. Removing it made the fans bearable. I'd still not want it anywhere but in an equipment area away from living quarters, becuase they are cheap relatively noisy fans.

For the expired license, we get an XG Home license here: https://www.sophos.com/en-us/products/free-tools/sophos-xg-firewall-home-edition.aspx

Now to actually see what the device is doing using a console cable.

For MacOS SerialTools is a good free option for serial console access: https://itunes.apple.com/us/app/serialtools/id611021963?mt=8

the screen command worked unreliably with my usb serial adapter when changing rates.

I am not sure I'll use it enough to justify buying the very slick Serial Mac app, but their trial is a really great thing for troublshooting: https://www.decisivetactics.com/products/serial/

The cyberoam CR35 has an american megatrends bios that can be accessed through the serial console. Default settings are 9600 8N1. You can get into the bios hitting ESC as the system comes up.

The boot order seems to prevent the USB device from booting if the compact flash card is bootable. So you can go to the last screen in the bios and override the boot order.

The Sophos default for serial console is 38400 8N1, so when the USB installer boots it throws garbage to the screen until you change the settings.

There are settings for console redirection in the BIOS and it looks like changing the rate is possble.

The installer for SW-SFOS_17.0.5_MR-5-162 is what I used. The ISO can be written to a USB directly with the DD command under linux or macos.

The official reimage support page is: https://community.sophos.com/kb/en-us/126906

Cyberoam CR25 can be upgraded to XG Home with a modified version of the process suggested for the CR25iNG: https://community.sophos.com/products/xg-firewall/f/cyberoam-to-xg-migration/89158/cyberoam-to-sophos-xg-firewall-home-edition

My_Reflash_Process

1. Download the current version of XG Firewall Home Edition in .iso format, write it to a USB drive using dd liek the following: dd if=SW-SFOS_17.0.5_MR-5-162.iso of=/dev/disk2

2. Connect the console cable and USB pendrive to CR35iNG. Use the serial settings 9600 8N1.

3. Power up the device and hit ESC several times to get into the BIOS.

4. Go to the last screen and override the default boot device so that the system boots from your USB drive.

5. Change the serial settings to 38400 8N1 and watch the firmware from USB start up. The installer detected my system as Appliance Model: SF01V_SO01

6. You will have to hit "y" to confirm the install and wipe the system. This will format the flash drive and HDD and install SFOS on flash. It takes about 15 minutes.

7. It will prompt you to remove the USB drive and reboot. First boot seems to take another 10 minutes. However you will be able to get the serial console. The web interface will come up at https://172.16.16.16:4444

8. The first ethernet port labeled LAN A is vending DHCP in the 172.16.16 range, and the port labeled WAN does get DHCP from upstream. The config process does want internet access and is relatively simple.

After validating the license with the servers and doing the sync, I got the followng license for most features for just less than 1000 years:

Feature	Status	Expiry
Base Firewall	Evaluating	Tue 31 Dec 2999
Network Protection	Evaluating	Tue 31 Dec 2999
Web Protection	Evaluating	Tue 31 Dec 2999
Email Protection	Evaluating	Tue 31 Dec 2999
Webserver Protection	Evaluating	Tue 31 Dec 2999
Sandstorm	Unsubscribed	-
Enhanced Support	Evaluating	Tue 31 Dec 2999
Enhanced Plus Support	Unsubscribed	-

One of the other writeups for the CR25 said that the port numbers were reversed in version SFOS 16. This has either been corrected in version 17 or this CR35 doesn't have that issue. Port 1 in the web interface was port LAN A on my device.

Now I just need some sophos home stickers to replace the cyberoam branding on the device...

Hi logich,

I tried several times now to get my CR25wiNG-6P with this to XG.
As you described I canged to 38400 8N1 but still only waste on the screen.
Do you have any suggestion or a little help for me to achieve my goal :-)

Greetings from near Munich / Bavaria

Hello,
I manage to get my hands to one of CR25iNG and run an openwrt and it works fine for a week now. I gives me a lot of problem with opnsense, pfsense and even untangle is very hard to install. I settled down with openwrt since thats the only OS works for me and its lightweight better for the old single core cpu. The biggest problem I have was the fan noise. rated 50dB on my living room ): I hope I can find a cheap and reliable solution without breaking a bank. If anybody here manage to fix the fan noise without damaging the device please let me know.

Hi logich!

I managed to install the XG firmware on my CR25iNG with exactly the same steps you mentioned, The hardest part was to actually get the firmware lol. Their support is honestly useless, except their Twitter support page which is weirdly enough more helpful than their phone lines. Anyways, I flashed the file (SW-17.5.9_MR-9-577.iso) to my USB and then changed the BIOS console settings as you said and the installer loaded, You don't know how much this is helpful to me, Thank you.

Hi logich!

I managed to install the XG firmware on my CR25iNG with exactly the same steps you mentioned, The hardest part was to actually get the firmware lol. Their support is honestly useless, except their Twitter support page which is weirdly enough more helpful than their phone lines. Anyways, I flashed the file (SW-17.5.9_MR-9-577.iso) to my USB and then changed the BIOS console settings as you said and the installer loaded, You don't know how much this is helpful to me, Thank you.

Hi,
can anyone tell me if I can do a soft boot using a file like it was mentioned in
https://techvids.sophos.com/watch/tsW5WYiwaofGaBN89YfyvY