FW8505 20.0v1 Managing Sophos Firewall in Sophos Central
Sophos Firewall
Version: 20.0v1
January 2024
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 10 minutes
In this chapter you will learn how to manage Sophos Firewalls in Sophos Central, including creating
and managing groups, VPN orchestration, and managing backups and firmware.
Sophos Firewall licenses are managed in Sophos Central. You can additionally enable management
services for Sophos Firewall, which allows you to:
• Remotely access the web admin console of managed firewalls directly within Sophos Central. This is
a secure way to provide remote access to the web admin console without exposing it to external
networks.
• Manage the configuration of groups of Sophos Firewalls.
• Manage backups and firmware updates of your firewalls.
This powerful functionality is included with your Sophos Firewall, so no additional Sophos Central
license will be required.
To manage Sophos Firewall licenses in Sophos Central, open the admin menu in the top-right and
select Licensing.
At the top of the page are buttons to Claim firewall and Transfer firewalls.
You can use the Claim firewall button to add a Sophos Firewall to your Sophos Central account.
The Transfer firewalls button allows you to transfer a firewall license from one Sophos Central account
to another.
On the right you can access firmware downloads for the selected firewall.
To start managing a Sophos Firewall in Sophos Central, the Sophos Firewall needs to be registered with
Sophos Central and the option Manage from Sophos Central must be enabled in Sophos Central
services. This can be found in SYSTEM > Sophos Central.
Once you have enabled Central management on Sophos Firewall, you need to log in to Sophos Central
and accept the management services in Firewall Management > MANAGE > Firewalls.
Managing a Firewall
You can now add a label to the Sophos Firewall to help you identify it and manage your firewall.
You can also add the location of the firewall using latitude and longitude. This is used to visually plot
SD-WAN connections configured through Sophos Central.
By selecting Manage Firewall, you are logged in to the web admin console of the Sophos Firewall as the
admin user. This provides real-time access to the web admin console from anywhere without having to
enable access on the WAN zone. The only way you can tell it is not the local web admin console is
the URL and the option to go back to firewall management in Sophos Central.
Firewall Groups
Firewalls can also be grouped to simplify management. Here you can see a firewall that has not been
added to a group yet in the ‘Ungrouped’ section, and a firewall in the ‘UK Firewalls’ group.
Creating Groups
Sophos Firewalls are not assigned a group by default, so you can either edit an existing group to add
them or create a new group.
When you create a new firewall group in Sophos Central, you can choose to import an existing
configuration from a managed firewall or use the Sophos default configuration for that group.
Once a Sophos Firewall has been added to a group and synchronized, a banner message will be
displayed warning you that local changes to configuration may result in a conflict.
To manage the configuration select Manage Policy from the menu for the group. You can create and
configure a group before you start adding the Sophos Firewalls to it.
Here you can see that the configuration for groups in Sophos Central uses the same layout and options
as the web admin console of Sophos Firewall.
When creating new firewall rules, note that local rules on the Sophos Firewall are only overwritten
when a rule with the same name is created in Sophos Central. Rules created locally on the Sophos
Firewall do not appear here and are not managed or removed.
Dynamic Objects
You can create dynamic objects in Central Firewall Management so that one group configuration works
across devices that are set up differently. You can create dynamic objects for zones and interfaces.
In the example here, we are creating a dynamic zone called Intranet. By default, this maps to a zone
called Intranet, but this is overridden for New York Gateway, where it will map to a zone called LAN.
Here is an example where the dynamic zone object is being used in a firewall rule in Central Firewall
Management.
By clicking the Usage References, you can see which groups are using the dynamic object, and where
in the policy configuration.
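To make two of the behaviours described in this chapter concrete, the dynamic zone resolution from the Dynamic Objects section and the name-match overwrite rule from the Firewall Groups section, here is an added illustrative model in Python. It is not Sophos code and does not use the Sophos Central API; the device names, rule names, zones and the `dyn:` prefix convention are constructed for the example. The `overwritten_by_sync` function is the kind of pre-sync review an administrator would want before adding a firewall that already has local rules to a group, because a local rule whose name collides with a Central rule has its behaviour replaced.

```python
"""Illustrative model of how a Sophos Central group policy reaches a managed
firewall. Written for this chapter; it is not Sophos code and not the Sophos
Central API. It models two behaviours the text describes:

  * a dynamic zone object resolves to its default zone name unless the
    firewall has an override (the chapter's "Intranet" -> "LAN" on the
    New York Gateway);
  * a Central rule overwrites a local rule only when the names match; local
    rules with other names are kept and stay unmanaged.

Device names, rule names and zones below are constructed sample data.
"""
from dataclasses import dataclass, field


@dataclass
class DynamicZone:
    name: str
    default: str
    overrides: dict[str, str] = field(default_factory=dict)  # firewall -> zone

    def resolve(self, firewall: str) -> str:
        return self.overrides.get(firewall, self.default)


@dataclass
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    action: str
    managed: bool = False  # True once the rule is owned by the Central group policy


def render_rule(rule: Rule, firewall: str, zones: dict[str, DynamicZone]) -> Rule:
    """Resolve 'dyn:<object>' zone references to the concrete zone for one firewall."""
    def concrete(zone: str) -> str:
        if zone.startswith("dyn:"):
            return zones[zone[len("dyn:"):]].resolve(firewall)
        return zone
    return Rule(rule.name, concrete(rule.src_zone), concrete(rule.dst_zone),
                rule.action, managed=True)


def overwritten_by_sync(local: list[Rule], central: list[Rule]) -> list[str]:
    """Pre-sync check: local rule names that a Central rule of the same name will replace."""
    central_names = {r.name for r in central}
    return [r.name for r in local if r.name in central_names]


def sync(local: list[Rule], central: list[Rule], firewall: str,
         zones: dict[str, DynamicZone]) -> list[Rule]:
    """Apply the group policy: same-name local rules are replaced in place,
    other local rules are kept untouched, remaining Central rules are appended."""
    rendered = {r.name: render_rule(r, firewall, zones) for r in central}
    result = [rendered.pop(r.name, r) for r in local]
    result.extend(rendered.values())
    return result


def unmanaged_rules(rules: list[Rule]) -> list[str]:
    """Rules that exist only on the firewall and are not visible to Central."""
    return [r.name for r in rules if not r.managed]


# --- constructed sample data -------------------------------------------------
ZONES = {"Intranet": DynamicZone("Intranet", "Intranet",
                                 overrides={"New York Gateway": "LAN"})}

CENTRAL_POLICY = [
    Rule("Intranet_to_WAN", "dyn:Intranet", "WAN", "accept"),
    Rule("Block_Telnet", "dyn:Intranet", "WAN", "drop"),
]

LOCAL_RULES = {
    "New York Gateway": [
        Rule("Block_Telnet", "LAN", "WAN", "accept"),   # same name, different action
        Rule("Allow_Printers", "LAN", "DMZ", "accept"),
    ],
    "London Gateway": [Rule("Allow_Printers", "Intranet", "DMZ", "accept")],
}


def policy_for(firewall: str) -> list[Rule]:
    return sync(LOCAL_RULES[firewall], CENTRAL_POLICY, firewall, ZONES)


if __name__ == "__main__":
    for fw in LOCAL_RULES:
        print(fw, "will overwrite:", overwritten_by_sync(LOCAL_RULES[fw], CENTRAL_POLICY))
        for r in policy_for(fw):
            print("  ", r)
```

Running it shows the New York Gateway's local `Block_Telnet` (accept) replaced by the Central rule of the same name (drop, with the dynamic zone resolved to LAN), while `Allow_Printers` stays local and unmanaged; on the London Gateway the same Central policy resolves the zone to its default, Intranet.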
VPN Orchestration
[Diagram: Sophos Central sends configuration to two Sophos Firewalls, which establish a VPN connection between them.]
You can configure a VPN orchestrated SD-WAN network in Sophos Central using SD-WAN connection
groups. Before you create your connection groups, you need to know the following:
• You must choose firewalls with a Central Orchestration license.
• To create a connection group, you need to choose at least two firewalls.
• Firewalls that are in an SD-WAN connection group can't be used in other connection groups.
SD-WAN Connection Groups (1/4): Select Firewalls
To get started creating a new connection group, enter a name for the group and select the firewalls
you want to use. You need to select at least two firewalls.
SD-WAN Connection Groups (2/4): Share Resources
Next, you add your resources. You can add multiple resources and you can also edit any resources that
you added earlier.
You can optionally turn on ‘Automatically create firewall rules’. When you do, additional options
allow you to limit access to authenticated users and to enable and configure Synchronized Security.
SD-WAN Connection Groups (3/4): Configure Networks
For each of the firewalls in the group, you need to select the local networks that will be allowed to
access the shared resources in the group.
If there are any conflicts, they will be highlighted on this page and will need to be resolved before you
can proceed.
SD-WAN Connection Groups (4/4)
Once the SD-WAN connection is configured on the firewalls you will see it represented on the map.
Below the map you can see the SD-WAN connection group details in either firewall view or connection
view.
If you log in to one of the firewalls you can see the VPN connection that has been created.
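The constraints listed before the four connection group steps (a Central Orchestration license, at least two firewalls, no firewall in two groups) and the conflict check on the Configure Networks step can be verified before you build a group in the UI. The following Python is an added illustrative validator, not Sophos code and not how Sophos Central performs its own checks. It assumes that a "conflict" means local networks of different firewalls that overlap, which cannot be routed unambiguously across the VPN; the firewall names, prefixes and existing group are constructed sample data.

```python
"""Illustrative pre-flight check for an SD-WAN connection group, written for
this chapter. It is not Sophos code and not how Sophos Central validates
groups; it only encodes the constraints the text lists (Central Orchestration
license, at least two firewalls, no firewall in two groups) plus one assumed
meaning of "conflict": local networks of different firewalls that overlap.
Names and prefixes are constructed sample data.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Firewall:
    name: str
    orchestration_license: bool
    local_networks: list[str]  # CIDR prefixes shared into the group


def network_conflicts(members: list[Firewall]) -> list[str]:
    """Report overlapping local networks between *different* firewalls."""
    nets = [(fw.name, ipaddress.ip_network(n, strict=False))
            for fw in members for n in fw.local_networks]
    conflicts = []
    for i, (a_name, a) in enumerate(nets):
        for b_name, b in nets[i + 1:]:
            if a_name != b_name and a.overlaps(b):
                conflicts.append(f"{a_name} {a} overlaps {b_name} {b}")
    return conflicts


def validate_connection_group(members: list[Firewall],
                              existing_groups: dict[str, set[str]]) -> list[str]:
    """Return every reason the group cannot be created; an empty list means OK."""
    problems = []
    if len(members) < 2:
        problems.append("a connection group needs at least two firewalls")
    for fw in members:
        if not fw.orchestration_license:
            problems.append(f"{fw.name} has no Central Orchestration license")
        for group, names in existing_groups.items():
            if fw.name in names:
                problems.append(f"{fw.name} is already in connection group '{group}'")
    problems.extend(network_conflicts(members))
    return problems


# --- constructed sample data -------------------------------------------------
NEW_YORK = Firewall("New York Gateway", True, ["10.1.0.0/16", "192.168.50.0/24"])
LONDON = Firewall("London Gateway", True, ["10.1.5.0/24"])      # inside New York's /16
PARIS = Firewall("Paris Gateway", True, ["10.2.0.0/16"])
BERLIN = Firewall("Berlin Gateway", False, ["10.3.0.0/16"])     # no orchestration license
EXISTING = {"EMEA": {"Paris Gateway"}}                          # an existing connection group

if __name__ == "__main__":
    for problem in validate_connection_group([NEW_YORK, LONDON, BERLIN, PARIS], EXISTING):
        print("-", problem)
```

With the sample data, New York plus Paris validates cleanly, while adding London reports the 10.1.5.0/24 overlap, Berlin fails on the license, and Paris is rejected because it already belongs to the EMEA group.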
Task Queue
When you make a change to the configuration a new task is created, and you can see which Sophos
Firewalls it is being applied to and track the progress.
By clicking on the status link for a gateway you can see the JSON for the configuration changes that are
being made on the firewall.
Firmware updates can be applied to groups of firewalls. All firewalls in the group that need a firmware
update will be displayed in the list and you can select the ones to be updated. Updates can either be
applied immediately or based on a schedule.
Manage Backups
You can schedule firewalls to save backups to Sophos Central daily, weekly, or monthly. Note that
backups take place at 8am.
You also need to add which firewalls you want the backup schedule to apply to.
Pinned backup
Sophos Central will store the five most recent backups for each device. If you want to keep one backup
permanently you can pin it. You can only have one pinned backup per device, and if there is already a
pinned backup it will be replaced.
You can also choose to manually start a backup for the selected firewall immediately by clicking
Generate Backup.
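The retention rules described above (five most recent backups per device, one pinned backup that is replaced when you pin another) have an edge case worth seeing: a pinned backup survives past the five-backup window, and as soon as the pin moves to another backup the previously pinned one becomes subject to normal retention again. The following Python is an added illustrative model written for this chapter, not Sophos code and not how Sophos Central stores backups. It assumes the pinned backup is kept in addition to the five most recent rather than counted as one of them; the device name and timestamps are constructed sample data following the 8am daily schedule.

```python
"""Illustrative model of the backup retention the chapter describes, written
for this chapter; it is not Sophos code and not how Sophos Central stores
backups. Modelled rules: the five most recent backups are kept per device,
one backup can be pinned, and pinning a second backup replaces the first pin.
Assumption: the pinned backup is kept in addition to the five most recent
rather than counted as one of them. Timestamps are constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

KEEP_RECENT = 5   # Sophos Central keeps the five most recent backups per device
BACKUP_HOUR = 8   # scheduled backups run at 8am


@dataclass(frozen=True)
class Backup:
    device: str
    taken_at: datetime


class DeviceBackups:
    """Backups stored in Central for one firewall, with retention applied."""

    def __init__(self, device: str):
        self.device = device
        self.backups = []            # list[Backup], kept sorted oldest first
        self.pinned = None           # Optional[Backup]

    def generate(self, taken_at: datetime) -> Backup:
        """Scheduled or 'Generate Backup' run; retention is applied immediately."""
        backup = Backup(self.device, taken_at)
        self.backups.append(backup)
        self._prune()
        return backup

    def pin(self, backup: Backup) -> Optional[Backup]:
        """Pin one backup; returns the previous pin, which is now ordinary again."""
        if backup not in self.backups:
            raise ValueError("only a backup still stored in Central can be pinned")
        previous, self.pinned = self.pinned, backup
        self._prune()  # the old pin may now fall outside the five most recent
        return previous

    def _prune(self) -> None:
        self.backups.sort(key=lambda b: b.taken_at)
        unpinned = [b for b in self.backups if b != self.pinned]
        keep = set(unpinned[-KEEP_RECENT:])
        self.backups = [b for b in self.backups if b in keep or b == self.pinned]

    def stored_dates(self) -> list[str]:
        return [b.taken_at.strftime("%Y-%m-%d") for b in self.backups]


def daily_run(device: DeviceBackups, start: datetime, days: int) -> list[Backup]:
    """Simulate `days` consecutive daily backups at 08:00 from `start`'s date."""
    first = start.replace(hour=BACKUP_HOUR, minute=0, second=0, microsecond=0)
    return [device.generate(first + timedelta(days=i)) for i in range(days)]


def simulate() -> dict[str, list[str]]:
    """Eight daily backups with 2 Jan pinned, then re-pin 6 Jan and run one more."""
    dev = DeviceBackups("Oxford Gateway")
    jan = daily_run(dev, datetime(2024, 1, 1), 3)        # 1, 2, 3 Jan
    dev.pin(jan[1])                                      # keep 2 Jan permanently
    daily_run(dev, datetime(2024, 1, 4), 5)              # 4..8 Jan
    after_pin = dev.stored_dates()
    jan6 = next(b for b in dev.backups if b.taken_at.day == 6)
    dev.pin(jan6)                                        # replaces the 2 Jan pin
    dev.generate(datetime(2024, 1, 9, BACKUP_HOUR))      # one more scheduled run
    return {"after_pin": after_pin, "after_repin": dev.stored_dates()}


if __name__ == "__main__":
    for stage, dates in simulate().items():
        print(stage, dates)
```

After eight daily runs the device holds 4 to 8 January plus the pinned 2 January; once the pin moves to 6 January and one more backup runs, 2 January is pruned like any other old backup.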
Simulation: https://training.sophos.com/fw/simulation/CentralManagement/2/start.html
Zero-Touch Deployment
• Create Configuration: use the setup wizard in Sophos Central.
• Send Configuration: optionally, email the configuration to another location.
• Create USB: copy the configuration to a USB drive.
• Boot Sophos with USB: plug the USB drive into the Sophos Firewall and start it up.
Zero-touch deployment enables even a non-technical person to connect and configure a remote
Sophos Firewall and get it connected to Sophos Central. An administrator can add the new firewall in
Central and step through the initial setup wizard before the Sophos device is installed. They can then
download the configuration or email it to another location, so it can be copied to a USB stick.
The stick is then plugged into the Sophos Firewall device when it is first powered on, setting its initial
configuration, after which it can be fully managed from Sophos Central. For power users, the config
file can be edited and customized further.
Zero-touch configuration files can only be created for unregistered hardware serial numbers.
Chapter Review
Here are the three main things you learned in this chapter.
All licenses include Central Management for Sophos Firewall, including real-time remote access to the
web admin console, scheduling of firmware updates and backups, and firewall configuration management
using groups.
You can configure VPN-orchestrated SD-WAN networks in Sophos Central using SD-WAN connection
groups. This requires Central Orchestration as part of the license.
Zero-touch deployment enables even a non-technical person to connect and configure a remote Sophos
Firewall and get it connected to Sophos Central. Zero-touch configuration files can only be created for
unregistered hardware serial numbers.