
Copyright © 2024 Sophos Ltd

Managing Sophos Firewall in Sophos Central

Sophos Firewall
Version: 20.0v1

[Additional Information]

Sophos Firewall
FW8505: Managing Sophos Firewall in Sophos Central

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Managing Sophos Firewall in Sophos Central - 1



Managing Sophos Firewall in Sophos Central


In this chapter you will learn how to manage Sophos Firewalls in Sophos Central, including creating and managing groups, VPN orchestration, and managing backups and firmware updates.

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to access, navigate, and manage Sophos Firewall using the web admin console
✓ How to use Sophos Central as a cloud management solution

DURATION 10 minutes

In this chapter you will learn how to manage Sophos Firewalls in Sophos Central, including creating
and managing groups, VPN orchestration, and managing backups and firmware.


Central Firewall Management Overview

Manage firewall licenses

Remotely access the web admin console of managed Sophos Firewalls

Manage configuration of groups of Sophos Firewalls

Manage backups and firmware updates

No additional license required for basic management

Sophos Firewall licenses are managed in Sophos Central. You can additionally enable management
services for Sophos Firewall, which allows you to:
• Remotely access the web admin console of managed firewalls directly within Sophos Central. This is
a secure way to provide remote access to the web admin console without exposing it to external
networks.
• Manage configuration of groups of Sophos Firewalls.
• And manage backups and firmware updates of your firewalls.

This powerful functionality is included with your Sophos Firewall, so no additional Sophos Central
license will be required.


Manage Firewall Licenses

To manage Sophos Firewall licenses in Sophos Central, open the admin menu in the top-right and
select Licensing.

On the licensing page, select the Firewall licenses tab.


Manage Firewall Licenses

At the top of the page are buttons to Claim firewall and Transfer firewalls.

You can use the Claim firewall button to add a Sophos Firewall to your Sophos Central account.

The Transfer firewalls button allows you to transfer a firewall license from one Sophos Central account
to another.

If you expand a firewall, you will see two further options:


• Apply subscriptions, which you can use to add additional subscriptions to a firewall using the
subscription key from your license schedule.
• And Transfer subscriptions, which you use to transfer the subscriptions to a different firewall.

On the right you can access firmware downloads for the selected firewall.


Enabling Central Management on Sophos Firewall


SYSTEM > Sophos Central

To start managing a Sophos Firewall in Sophos Central, the Sophos Firewall needs to be registered with
Sophos Central and the option Manage from Sophos Central must be enabled in Sophos Central
services. This can be found in SYSTEM > Sophos Central.


Accepting Management in Central


Firewall Management > Manage > Firewalls

Once you have enabled Central management on Sophos Firewall, you need to log in to Sophos Central
and accept the management services in Firewall Management > MANAGE > Firewalls.


Managing a Firewall

You can now add a label to the Sophos Firewall to help you identify it and manage your firewall.


Managing a Firewall

You can also add the location of the firewall using latitude and longitude. This is used to visually plot
SD-WAN connections configured through Sophos Central.


Remotely Managing a Firewall

Real-time access to the web admin console of managed Sophos Firewalls

By selecting Manage Firewall, you are logged in to the web admin console of the Sophos Firewall as the
admin user. This provides real-time access to the web admin console from anywhere without having to
enable access on the WAN zone. The only indications that it is not the local web admin console are
the URL and the option to go back to firewall management in Sophos Central.


Firewall Groups

Firewalls can also be grouped to simplify management. Here you can see a firewall that has not been
added to a group yet in the ‘Ungrouped’ section, and a firewall in the ‘UK Firewalls’ group.


Creating Groups

Sophos Firewalls are not assigned a group by default, so you can either edit an existing group to add
them or create a new group.

When you create a new firewall group in Sophos Central, you can choose to import an existing
configuration from a managed firewall or use the Sophos default configuration for that group.


Central Managed Sophos Firewall

Once a Sophos Firewall has been added to a group and synchronized, a banner message will be
displayed warning you that local changes to configuration may result in a conflict.


Managing Group Policies

To manage the configuration select Manage Policy from the menu for the group. You can create and
configure a group before you start adding the Sophos Firewalls to it.


Managing Group Policies

Local rules on Sophos Firewall are only overwritten when a rule with the same name is created in Sophos Central

Here you can see that the configuration for groups in Sophos Central uses the same layout and options
as the web admin console of Sophos Firewall.

When creating new firewall rules, note that local rules on the Sophos Firewall are only overwritten
when a rule with the same name is created in Sophos Central. Rules created locally on the Sophos
Firewall do not appear here and are not managed or removed.


Dynamic Objects

You can create dynamic objects in Central Firewall Management so that a single configuration
works across devices that vary in how they are set up. You can
create dynamic objects for zones and interfaces.

In the example here, we are creating a dynamic zone called Intranet. By default, this maps to a zone
called Intranet, but this is overridden for New York Gateway, where it will map to a zone called LAN.
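The following added example (not Sophos code and not part of the original course material) models the two behaviours described above so you can audit a firewall before adding it to a group: which local rules share a name with a group rule and would be overwritten, which local rules stay unmanaged, and how a dynamic zone resolves for that firewall. The data model, function names and sample rules are constructed for illustration; exact-match name comparison and the check that a resolved zone exists on the device are assumptions of this model.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str


def resolve(zone, firewall, dynamic_zones):
    """Map a dynamic zone to a device zone: per-firewall override, else default."""
    obj = dynamic_zones.get(zone)
    if obj is None:
        return zone  # ordinary zone name, used as-is
    return obj["overrides"].get(firewall, obj["default"])


def audit_join(firewall, local_rules, local_zones, group_rules, dynamic_zones):
    """Model the effect of a group policy on one firewall's rule set."""
    group_names = {r.name for r in group_rules}
    report = {
        # Same name as a group rule: the local rule is overwritten.
        "overwritten": sorted(r.name for r in local_rules if r.name in group_names),
        # Local-only rules stay on the device, invisible to the group policy.
        "unmanaged": sorted(r.name for r in local_rules if r.name not in group_names),
        "resolved": {},
        "missing_zones": [],
    }
    for r in group_rules:
        zones = (resolve(r.src_zone, firewall, dynamic_zones),
                 resolve(r.dst_zone, firewall, dynamic_zones))
        report["resolved"][r.name] = zones
        for z in zones:
            # Assumed check: flag zones the device does not define.
            if z not in local_zones and z not in report["missing_zones"]:
                report["missing_zones"].append(z)
    return report


# Constructed sample data mirroring the Intranet / New York Gateway example.
DYNAMIC_ZONES = {"Intranet": {"default": "Intranet",
                              "overrides": {"New York Gateway": "LAN"}}}
GROUP_RULES = [Rule("Allow Intranet Web", "Intranet", "WAN"),
               Rule("Block Guest", "Guest", "Intranet")]
NY_LOCAL = [Rule("Allow Intranet Web", "LAN", "WAN"),
            Rule("Temp Vendor Access", "WAN", "LAN")]
NY_ZONES = {"LAN", "WAN", "DMZ"}

REPORT = audit_join("New York Gateway", NY_LOCAL, NY_ZONES, GROUP_RULES, DYNAMIC_ZONES)
```

The "unmanaged" list is the part to review: those rules remain active on the firewall but never appear in the group policy, so they need their own local review.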


Dynamic Objects

Here is an example where the dynamic zone object is being used in a firewall rule in Central Firewall
Management.


Dynamic Objects

By clicking the Usage References, you can see which groups are using the dynamic object, and where
in the policy configuration.


VPN Orchestration

[Diagram labels: Sophos Central, Configuration (to each firewall), Sophos Firewall (two), VPN Connection]

▪ Firewalls require a license with Central Orchestration


▪ You need at least two firewalls
▪ Firewalls that are in an SD-WAN connection group can’t be used in other connection groups

You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection
groups. Before you create your connection groups, you need to know the following:
• You must choose firewalls with a Central Orchestration license.
• To create a connection group, you need to choose at least two firewalls.
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups.


1/4
SD-WAN Connection Groups: Select Firewalls

SD-WAN connection groups are configured in broadly three steps:


• Select the firewalls.
• Define the resources that should be accessible over the VPNs.
• Select the local networks that will take part in the VPN orchestration.

To get started creating a new connection group, enter a name for the group and select the firewalls
you want to use. You need to select at least two firewalls.


2/4
SD-WAN Connection Groups: Share Resources

Next, you add your resources. You can add multiple resources and you can also edit any resources that
you added earlier.

For each resource you want to add:


• Select the firewall with the resource that you want to share across the group.
• Enter the IP address or network range of the resource you want to share.
• And choose the service type and ports. Resources can be TCP, UDP, IP, or ICMP.


2/4
SD-WAN Connection Groups: Share Resources

You can optionally turn on ‘Automatically create firewall rules’. When you do this, additional
options allow you to limit access to authenticated users and to enable and configure
Synchronized Security.


3/4
SD-WAN Connection Groups: Configure Networks

For each of the firewalls in the group, you need to select the local networks that will be allowed to
access the shared resources in the groups.

If there are any conflicts, they will be highlighted on this page and will need to be resolved before you
can proceed.


3/4
SD-WAN Connection Groups: Configure Networks

In the settings, any identified conflicts will be shown.

Here you can:


• Enable and disable networks.
• Add custom networks.
• Select primary and secondary WAN links and optionally override the gateway address.
• And choose between SD-WAN profile and primary and backup gateways to select a backup gateway.


4/4
SD-WAN Connection Groups

Once the SD-WAN connection is configured on the firewalls you will see it represented on the map.


4/4
SD-WAN Connection Groups
FIREWALL VIEW

CONNECTION VIEW

Below the map you can see the SD-WAN connection group details in either firewall view or connection
view.


4/4
SD-WAN Connection Groups

If you log in to one of the firewalls, you can see the VPN connection that has been created.


Task Queue

When you make a change to the configuration a new task is created, and you can see which Sophos
Firewalls it is being applied to and track the progress.


Task Queue

By clicking on the status link for a gateway you can see the JSON for the configuration changes that are
being made on the firewall.


Schedule Firmware Updates

Firmware updates can be applied to groups of firewalls. All firewalls in the group that need a firmware
update will be displayed in the list and you can select the ones to be updated. Updates can either be
applied immediately or based on a schedule.


Manage Backups

You can schedule firewalls to save backups to Sophos Central daily, weekly, or monthly. Note that
backups take place at 8am.

You also need to add which firewalls you want the backup schedule to apply to.


Manage Backups

Pinned backup

Sophos Central will store the five most recent backups for each device. If you want to keep one backup
permanently you can pin it. You can only have one pinned backup per device, and if there is already a
pinned backup it will be replaced.

You can also choose to manually start a backup for the selected firewall immediately by clicking
Generate Backup.


Simulation: Manage Sophos Firewall in Sophos Central

In this simulation you will add a Sophos Firewall to Sophos Central, assign it to a group, and push
configuration changes to the firewall, including using VPN orchestration.


https://training.sophos.com/fw/simulation/CentralManagement/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.



Zero-Touch Deployment
• Create Configuration: Use the setup wizard in Sophos Central
• Send Configuration: Optionally, email the configuration to another location
• Create USB: Copy the configuration to a USB drive
• Boot Sophos with USB: Plug the USB drive into the Sophos Firewall and start it up

Zero-touch configuration files can only be created for unregistered hardware serial numbers

Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected into Sophos Central. An administrator can add the new firewall in
Central and step through the initial setup wizard before the Sophos device is installed. They can then
download the configuration or email it to another location, so it can be copied to a USB stick.

The stick is then plugged into the Sophos Firewall device when it is first fired up, setting its initial
configuration, after which it can be fully managed from Sophos Central. For power users, the config
file can be edited and customized further.

Zero-touch configuration files can only be created for unregistered hardware serial numbers.


Chapter Review

All licenses include Central Management for Sophos Firewall, including: real-time remote access to the
web admin console, scheduling of firmware updates and backups, and firewall configuration management
using groups.

You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection
groups. This requires Central Orchestration as part of the license.

Zero-touch deployment enables even a non-technical person to connect and configure a remote Sophos
Firewall and get it connected into Sophos Central. Zero-touch configuration files can only be created for
unregistered hardware serial numbers.

Here are the three main things you learned in this chapter.

All licenses include Central Management for Sophos Firewall, including: real-time remote access to the
web admin, scheduling of firmware updates and backups, and firewall configuration management using
groups.

You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection
groups. This requires Central Orchestration as part of the license.

Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected into Sophos Central. Zero-touch configuration files can only be
created for unregistered hardware serial numbers.
