
Copyright © 2024 Sophos Ltd

Deploying Sophos Firewall Using the Initial Setup Wizard

Sophos Firewall
Version: 20.0v1

[Additional Information]

Sophos Firewall
FW1020: Deploying Sophos Firewall Using the Initial Setup Wizard

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Deploying Sophos Firewall Using the Initial Setup Wizard - 1



Deploying Sophos Firewall Using the Initial Setup Wizard


In this chapter you will learn how to use the initial setup wizard to configure Sophos Firewall.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How Sophos Firewall acts as a zone-based firewall
✓ The multiple layers of protection provided to detect and block attacks

DURATION 10 minutes


Connecting Sophos Firewall to the Network

1/LAN: The default LAN port to connect to for initial configuration
2/WAN: The default WAN port. A different port can be selected in the initial setup wizard

To set up a Sophos Firewall, start by connecting it to power and then connecting the LAN and WAN ports.

On hardware XGS Series firewalls the default LAN and WAN ports will be marked. On software and
virtual Sophos Firewalls these will be the first and second network cards.

You will have the option to modify these ports either during the initial setup or once the setup is
complete.

Command Line Interface (CLI)

SSH Console

Default credentials:
• Username: admin
• Password: admin

These credentials are changed as part of the initial setup wizard

Although Sophos Firewall is managed through a web interface, it also has a command line interface (CLI) that is accessible through SSH, a console connection, or a monitor and keyboard physically connected to the terminal.

You may want to use the CLI to change the IP address of the management port to be in your LAN IP range, so that you can connect to the web admin console to complete the initial setup wizard. To log in to the CLI, use the password of the built-in ‘admin’ user. The default admin password is ‘admin’; you change this as part of the initial setup wizard.

In the slide notes you can find the parameters for a console connection.

[Additional Information]
Console connection parameters:
• Baud rate or speed: 38,400
• Data bits: 8
• Stop Bits: 1
• Parity and Flow Control: None or 0


Simulation: Network Configuration Using the CLI

In this simulation you will use the CLI to change the IP address of the management port to be in your LAN IP range.


https://training.sophos.com/fw/simulation/CliConf/1/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.


Web Admin Console


https://172.16.16.16:4444/webpages/initialsetup/Index.html?wizard_run=yes&?v1c2faa6567a06971c412133edf637e9&csrf=6t06j7v4aut3vu48jgu6qr808f

Default IP address: 172.16.16.16 (/24)
Port: 4444
Web admin console URL: https://DeviceIP:4444

Sophos Firewall is configured and managed through a web interface. By default, the device’s IP address is 172.16.16.16 and the web admin console runs on port 4444. So, to connect to the web admin console on a brand-new device, you browse to https://172.16.16.16:4444.

You will receive a certificate error when connecting to the Sophos Firewall because it is using an
untrusted self-signed certificate.
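
One way to handle that certificate error without simply clicking through it, shown here as an added example that is not part of the Sophos course material: record the certificate's SHA-256 fingerprint on the first connection and compare it on every later one. The script's command-line arguments, and the idea of taking the first reading over a direct cable to the LAN port, are assumptions of this example.

```python
import hashlib
import hmac
import ssl
import sys

ADMIN_PORT = 4444  # web admin console port given on the page


def fingerprint(pem: str) -> str:
    """SHA-256 of the certificate's DER bytes as colon-separated hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _canonical(fp: str) -> str:
    # Accept "AA:BB", "aa bb" or "aabb" so a pasted value still compares.
    return "".join(ch for ch in fp.lower() if ch in "0123456789abcdef")


def matches_pin(pem: str, pinned: str) -> bool:
    """True only if the presented certificate is the one recorded earlier."""
    return hmac.compare_digest(_canonical(fingerprint(pem)), _canonical(pinned))


def fetch_pem(host: str, port: int = ADMIN_PORT) -> str:
    # No CA validation here: the certificate is self-signed, so the
    # recorded fingerprint is what establishes trust, not the chain.
    return ssl.get_server_certificate((host, port))


if __name__ == "__main__":
    # Usage (assumed): python script.py HOST [RECORDED_FINGERPRINT]
    if len(sys.argv) < 2:
        sys.exit("usage: script.py HOST [RECORDED_FINGERPRINT]")
    pem = fetch_pem(sys.argv[1])
    if len(sys.argv) < 3:
        print("Record this fingerprint:", fingerprint(pem))
    elif matches_pin(pem, sys.argv[2]):
        print("Certificate matches the recorded fingerprint")
    else:
        sys.exit("MISMATCH, presented: " + fingerprint(pem))
```

A mismatch on a later connection means the device is presenting a different certificate than the one recorded, which should be explained before any credentials are entered.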


Initial Setup Wizard

✓ Set a new admin password

✓ Update the firmware

✓ Agree to the licence

Optionally:
▪ Restore a backup configuration
▪ Connect as high-availability spare

We will now walk through the initial setup of a Sophos Firewall.

On the first page you set a new admin password and accept the terms and conditions. If you are
configuring the firewall on behalf of someone else, they must accept the terms and conditions.

By default, the Sophos Firewall will download and install the latest firmware as part of the initial setup; however, you can deselect this to postpone it until later.

You also have the option to restore a configuration backup, or connect the Sophos Firewall as an
auxiliary device to a high-availability pair. Both of these options will provide a different initial setup to
the full one we are going to show here.


Initial Setup Wizard

✓ Set a secure storage master key

✓ Confirm that you have stored it in a password manager or other safe place

You need to create a secure storage master key. The secure storage master key is used to provide
additional protection for account and password details stored in the device and in configuration
backups.

Once you have set the master key you cannot recover it, which is why the configuration asks you to
confirm that you have stored it in a password manager, or another safe place.

If you do lose the secure storage master key, you will not be able to restore backups or configurations
created with that key.


Initial Setup Wizard

✓ Configure the Internet connection

This step is skipped if the WAN port is configured by DHCP.

The Sophos Firewall requires an Internet connection for registration and, if selected, to download the
latest firmware.

You can choose which port to configure the WAN connection on, then you need to specify the IP
address, subnet, DNS server and gateway. When you save these settings the Sophos Firewall will test
the connectivity then allow you to continue with the initial setup.

If the WAN port is connected to a network that provides DHCP, this step will be skipped.


Initial Setup Wizard

✓ Enter a hostname

✓ Set the time zone

You can enter a fully qualified hostname for your Sophos Firewall. This can be either the internal or external hostname for the firewall; however, in most scenarios we would recommend using the internal hostname.

Optionally, you can modify the automatically selected time zone.


Initial Setup Wizard

✓ Claim the Sophos Firewall in a Sophos Central account

✓ Enter the serial number, this is pre-filled on hardware devices

Optionally:
▪ Start a trial
▪ Migrate a UTM license
▪ Defer registration

The next step is to claim the Sophos Firewall in a Sophos Central account.

If you have a serial number, you can enter it to claim your firewall. On hardware XGS Series devices
this will be prefilled.

You also have the option to migrate an existing UTM license, start a trial, or defer the registration for
30 days. Deferring the registration can be useful if you are preparing a Sophos Firewall prior to taking it
onsite. It is worth noting that when registration is deferred there are several features that you are
unable to use.

To complete the registration, you need to log in with your Sophos ID; the Sophos Firewall will then synchronize the license.


Initial Setup Wizard – Hardware Devices

✓ Configure the LAN network

✓ Select which ports to bridge together to create the LAN

✓ Select the gateway

✓ Configure the IP address

✓ Optionally enable DHCP

You have the option to configure the local network configuration, which is different depending on
whether you are deploying a hardware, virtual, or software Sophos Firewall. We will start by looking at
hardware devices.

Here you can select which ports to use for the LAN. All ports selected will be used to create a single
bridged LAN interface.

You can select the gateway for the LAN network to be either the Sophos Firewall, or an existing
gateway, in which case the LAN will be bridged to the WAN.

You can configure the IP address for the Sophos Firewall, and optionally enable DHCP.

Please note that DHCP cannot be enabled if the Sophos Firewall is bridging the LAN and WAN.


Initial Setup Wizard – Virtual and Software Devices

✓ Configure the LAN network

✓ Select the LAN port

✓ Select the gateway mode

✓ Configure the IP address

✓ Optionally enable DHCP

For virtual and software devices the configuration is very similar, except instead of selecting ports to
create a LAN bridge interface you select a single LAN port.


Initial Setup Wizard

✓ Enable protection in the default outbound firewall rule

Options:
▪ Protect users from network threats
▪ Protect users from the suspicious and malicious websites
▪ Scan files that were downloaded from the web for malware
▪ Send suspicious files to Sophos Sandstorm

As part of the initial setup wizard the Sophos Firewall will create a default firewall rule for outbound
traffic. Here you have the option of enabling various security options for that firewall rule.

The options are:

• Protect users from network threats, which will enable an IPS policy.
• Protect users from the suspicious and malicious websites, which will enable a web policy.
• Scan files that were downloaded from the web for malware, which will enable malware scanning.
• And Send suspicious files to Sophos Sandstorm, which will enable Sandstorm scanning. This requires ‘Protect users from the suspicious and malicious websites’ to be enabled.


Initial Setup Wizard

✓ Enter an email address and sender for notifications

Optionally:
▪ Specify an internal mail server for notifications
▪ Enable automatic backups and enter an encryption password

The last piece of configuration is for notifications and backups.

Here you configure recipient and sender email addresses for notifications. You can optionally choose
to configure an internal email server to use to send these.

You can also enable automatic backups, and to use this you need to set an encryption password for
the backup files.


Simulation: Sophos Firewall Initial Setup Wizard

In this simulation you will configure Sophos Firewall using the initial setup wizard.


https://training.sophos.com/fw/simulation/InitialSetup/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

Resetting the Secure Storage Master Key

During the initial setup you will have set a secure storage master key, which cannot be recovered if
lost. While the secure storage master key cannot be recovered, it can be reset. This is done via the
command line using the default super administrator account.

Log in to the console of the Sophos Firewall as ‘admin’ and select option 2 for System Configuration, then option 5 to Reset the secure storage master key.

[Additional Information]
https://doc.sophos.com/nsg/sophos-firewall/20.0/help/en-us/webhelp/onlinehelp/CommandLineHelp/SystemSettings/ResetSSMK/index.html


Chapter Review

The CLI can be used to change the IP address of the management port so that you can connect to the web
admin console to complete the initial setup wizard.

The Initial Setup Wizard provides a web interface to configure and claim the firewall.

The secure storage master key is used to provide additional protection for account and password details
stored in the device and in configuration backups.

Here are the three main things you learned in this chapter.

The CLI can be used to change the IP address of the management port so that you can connect to the
web admin console to complete the initial setup wizard.

The Initial Setup Wizard provides a web interface to configure and register the firewall.

The secure storage master key is used to provide additional protection for account and password
details stored in the device and in configuration backups.
