FW1020 20.0v1 Deploying Sophos Firewall Using The Initial Setup Wizard
Deploying Sophos Firewall Using the Initial Setup Wizard
Sophos Firewall
Version: 20.0v1
[Additional Information]
Sophos Firewall
FW1020: Deploying Sophos Firewall Using the Initial Setup Wizard
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 10 minutes
In this chapter you will learn how to use the initial setup wizard to configure Sophos Firewall.
• 2/WAN: The default WAN port. A different port can be selected in the initial setup wizard.
• 1/LAN: The default LAN port to connect to for initial configuration.
To set up a Sophos Firewall, start by connecting it to power and then connecting the LAN and WAN
ports.
On hardware XGS Series firewalls the default LAN and WAN ports will be marked. On software and
virtual Sophos Firewalls these will be the first and second network cards.
You will have the option to modify these ports either during the initial setup or once the setup is
complete.
SSH Console
Default credentials:
• Username: admin
• Password: admin
Although Sophos Firewall is managed through a web interface, it also has a command line interface
(CLI) that is accessible through SSH, a console connection, or you could use a monitor and keyboard to
physically connect to the terminal.
You may want to use the CLI to change the IP address of the management port to be in your LAN IP
range, so that you can connect to the web admin console to complete the initial setup wizard. To log
in to the CLI, use the password of the built-in ‘admin’ user. The default admin password is ‘admin’; you
change this as part of the initial setup wizard.
In the slide notes you can find the parameters for a console connection.
[Additional Information]
Console connection parameters:
• Baud rate or speed: 38,400
• Data bits: 8
• Stop Bits: 1
• Parity and Flow Control: None or 0
https://training.sophos.com/fw/simulation/CliConf/1/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
Sophos Firewall is configured and managed through a web interface. By default, the device’s IP
address will be 172.16.16.16 and the web admin console on a Sophos Firewall runs on port 4444. So,
to connect to the web admin console you would need to connect to https://172.16.16.16:4444 on a
brand-new device.
You will receive a certificate error when connecting to the Sophos Firewall because it is using an
untrusted self-signed certificate.
Optionally:
▪ Restore a backup configuration
▪ Connect as high-availability spare
On the first page you set a new admin password and accept the terms and conditions. If you are
configuring the firewall on behalf of someone else, they must accept the terms and conditions.
By default, the Sophos Firewall will download and install the latest firmware as part of the initial setup;
however, you can deselect this to postpone it until later.
You also have the option to restore a configuration backup, or connect the Sophos Firewall as an
auxiliary device to a high-availability pair. Both of these options will provide a different initial setup to
the full one we are going to show here.
You need to create a secure storage master key. The secure storage master key is used to provide
additional protection for account and password details stored in the device and in configuration
backups.
Once you have set the master key you cannot recover it, which is why the configuration asks you to
confirm that you have stored it in a password manager, or another safe place.
If you do lose the secure storage master key, you will not be able to restore backups or configurations
created with that key.
The Sophos Firewall requires an Internet connection for registration and, if selected, to download the
latest firmware.
You can choose which port to configure the WAN connection on, then you need to specify the IP
address, subnet, DNS server and gateway. When you save these settings the Sophos Firewall will test
the connectivity then allow you to continue with the initial setup.
If the WAN port is connected to a network that provides DHCP, this step will be skipped.
✓ Enter a hostname
You can enter a fully qualified hostname for your Sophos Firewall. This can be either the internal or
external hostname for the firewall; however, in most scenarios we would recommend using the
internal hostname.
Optionally:
▪ Start a trial
▪ Migrate a UTM license
▪ Defer registration
The next step is to claim the Sophos Firewall in a Sophos Central account.
If you have a serial number, you can enter it to claim your firewall. On hardware XGS Series devices
this will be prefilled.
You also have the option to migrate an existing UTM license, start a trial, or defer the registration for
30 days. Deferring the registration can be useful if you are preparing a Sophos Firewall prior to taking it
onsite. It is worth noting that when registration is deferred there are several features that you are
unable to use.
To complete the registration, you need to log in with your Sophos ID; the Sophos Firewall will then
synchronize the license.
You have the option to configure the local network configuration, which is different depending on
whether you are deploying a hardware, virtual, or software Sophos Firewall. We will start by looking at
hardware devices.
Here you can select which ports to use for the LAN. All ports selected will be used to create a single
bridged LAN interface.
You can select the gateway for the LAN network to be either the Sophos Firewall, or an existing
gateway, in which case the LAN will be bridged to the WAN.
You can configure the IP address for the Sophos Firewall, and optionally enable DHCP.
Please note that DHCP cannot be enabled if the Sophos Firewall is bridging the LAN and WAN.
For virtual and software devices the configuration is very similar, except instead of selecting ports to
create a LAN bridge interface you select a single LAN port.
Options:
▪ Protect users from network threats
▪ Protect users from suspicious and malicious websites
▪ Scan files that were downloaded from the web for malware
▪ Send suspicious files to Sophos Sandstorm
As part of the initial setup wizard the Sophos Firewall will create a default firewall rule for outbound
traffic. Here you have the option of enabling various security options for that firewall rule.
Optionally:
▪ Specify an internal mail server for notifications
▪ Enable automatic backups and enter an encryption password
Here you configure recipient and sender email addresses for notifications. You can optionally choose
to configure an internal email server to use to send these.
You can also enable automatic backups; to use them, you need to set an encryption password for
the backup files.
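A pre-flight check for the choices the wizard asks for, as an added example that is not Sophos code. The `plan` dictionary layout, its key names and the two sample plans are assumptions constructed for illustration.

```python
import ipaddress

DEFAULT_ADMIN_PASSWORD = "admin"  # factory default stated on this page

def check_plan(plan):
    """Return the problems found in a planned wizard configuration (hypothetical layout)."""
    problems = []
    if plan.get("admin_password") in (None, "", DEFAULT_ADMIN_PASSWORD):
        problems.append("admin password is missing or still the factory default")
    if not plan.get("master_key_recorded"):
        problems.append("secure storage master key is not recorded and cannot be recovered")

    wan = plan.get("wan", {})
    if not wan.get("dhcp"):  # the wizard skips this step when the WAN gets DHCP
        missing = [k for k in ("address", "dns", "gateway") if not wan.get(k)]
        if missing:
            problems.append("static WAN is missing: " + ", ".join(missing))
        elif ipaddress.ip_address(wan["gateway"]) not in ipaddress.ip_interface(wan["address"]).network:
            problems.append("WAN gateway is outside the WAN subnet")

    lan = plan.get("lan", {})
    if lan.get("bridge_to_wan") and lan.get("dhcp"):
        problems.append("DHCP cannot be enabled when the LAN is bridged to the WAN")
    if lan.get("address") and wan.get("address") and not lan.get("bridge_to_wan"):
        lan_net = ipaddress.ip_interface(lan["address"]).network
        if lan_net.overlaps(ipaddress.ip_interface(wan["address"]).network):
            problems.append("LAN and WAN subnets overlap")

    backups = plan.get("backups", {})
    if backups.get("automatic") and not backups.get("encryption_password"):
        problems.append("automatic backups need an encryption password")
    return problems

# Constructed sample plans; addresses are in CIDR form (IP address plus subnet).
BAD_PLAN = {
    "admin_password": "admin", "master_key_recorded": False,
    "wan": {"dhcp": False, "address": "203.0.113.10/29", "dns": "203.0.113.9", "gateway": "203.0.113.1"},
    "lan": {"address": "172.16.16.16/24", "bridge_to_wan": True, "dhcp": True},
    "backups": {"automatic": True},
}
GOOD_PLAN = {
    "admin_password": "constructed-Passphrase-For-Example", "master_key_recorded": True,
    "wan": {"dhcp": False, "address": "203.0.113.10/29", "dns": "203.0.113.9", "gateway": "203.0.113.9"},
    "lan": {"address": "192.168.10.1/24", "bridge_to_wan": False, "dhcp": True},
    "backups": {"automatic": True, "encryption_password": "constructed-backup-passphrase"},
}

if __name__ == "__main__":
    for name, plan in (("BAD_PLAN", BAD_PLAN), ("GOOD_PLAN", GOOD_PLAN)):
        print(name, check_plan(plan) or "ok")
```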
https://training.sophos.com/fw/simulation/InitialSetup/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
During the initial setup you will have set a secure storage master key, which cannot be recovered if
lost. While the secure storage master key cannot be recovered, it can be reset. This is done via the
command line using the default super administrator account.
Log in to the console of the Sophos Firewall as ‘admin’ and select option 2 for System Configuration,
then option 5 to Reset the secure storage master key.
[Additional Information]
https://doc.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/CommandLineHelp/SystemSettings/ResetSSMK/index.html
Chapter Review
Here are the three main things you learned in this chapter.
The CLI can be used to change the IP address of the management port so that you can connect to the
web admin console to complete the initial setup wizard.
The Initial Setup Wizard provides a web interface to configure and register the firewall.
The secure storage master key is used to provide additional protection for account and password
details stored in the device and in configuration backups.