Copyright © 2024 Sophos Ltd

Firewall Reporting in
Sophos Central

Sophos Firewall
Version: 20.0v1

[Additional Information]

Sophos Firewall
FW8510: Firewall Reporting in Sophos Central

January 2024
Version: 20.0v1

© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.

Firewall Reporting in Sophos Firewall - 1

Copyright
Copyright ©
© 2024
2023 Sophos
Sophos Ltd
Ltd

Firewall Reporting in Sophos Central

In this chapter you will learn how
to enable Sophos Firewall
reporting in Sophos Central, and
how to run reports.
RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ How to navigate and manage Sophos Firewall
using the web admin console
✓ How to use Sophos Central as a cloud
management solution.

DURATION 6 minutes

In this chapter you will learn how to enable Sophos Firewall reporting in Sophos Central, and how to
run reports.

Firewall Reporting in Sophos Firewall - 2

Copyright © 2024 Sophos Ltd

Central Firewall Reporting Overview

Dashboards and reports available in Central

View and filter logs from the Sophos Firewall

Last 7 days of data available in Central

Central Firewall Reporting Advanced license

Central Firewall Reporting provides access to dashboards and reports in Sophos Central for each of
your Sophos Firewalls. You can also view and filter logs. The last 7 days of data is available in Sophos
Central updated on a first in, first out (FIFO) basis. This means that the oldest data is always replaced
with the most current data.

You can increase the amount of reporting data that can be stored, and for how long, using Central
Firewall Reporting Advanced licenses. These licenses also unlock additional reporting features.

We will start by looking at the free firewall reporting.

Firewall Reporting in Sophos Firewall - 3

Copyright © 2024 Sophos Ltd

Enabling Central Firewall Reporting

SYSTEM > Sophos Central

To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos
Central and the option Send logs and reports to Sophos Central must be enabled in Sophos Central
services. This can be found in SYSTEM > Sophos Central.

Once enabled, data should start appearing in Sophos Central within around 10 – 15 minutes.

Firewall Reporting in Sophos Firewall - 4

Copyright © 2024 Sophos Ltd

Managing Central Firewall Reporting

Syslog server created for

Central Firewall Reporting

Manage the data uploaded too

Central

Enabling Central reporting creates a syslog server for uploading the data to Central in CONFIGURE >
System services > Log settings.

Here you can also customize the data that is uploaded to Central in the Log settings section.

Firewall Reporting in Sophos Firewall - 5

Copyright © 2024 Sophos Ltd

Report Hub Click the summary buttons to

see more details below

Select the firewall by label or

serial number

In the Report Hub, you first need to select the firewall, either by label or by serial number if you have
not added a label. These are organized into groups.

You can click on the summary buttons in each section and the information below will be updated to
show more detail. Where available, a View Report link will also be displayed to take you directly to the
full report.

Firewall Reporting in Sophos Firewall - 6

Copyright © 2024 Sophos Ltd

Report Generator

Select report

In the Report Generator you can access and customize the prebuilt reports.

Firewall Reporting in Sophos Firewall - 7

Copyright © 2024 Sophos Ltd

Report Generator

Click data to apply filters

Click links to apply filters

By clicking on the data in the chart or the links in the table below you can apply filters to the report.

Firewall Reporting in Sophos Firewall - 8

Copyright © 2024 Sophos Ltd

Report Generator

Manually enter filters

You can also manually enter filters. When you click in the ‘Query’ field you will see the fields that you
can select to filter on.

Firewall Reporting in Sophos Firewall - 9

Copyright © 2024 Sophos Ltd

Report Generator

Customize chart type

• Bar chart
• Horizontal bar chart
• Pie chart
• Line chart
• Stack-area chart

Customize the fields for

the chart

You can customize the graphs in each report by selecting the type of chart and the fields that you want
displayed.

Firewall Reporting in Sophos Firewall - 10

Copyright © 2024 Sophos Ltd

Report Generator

Customize the columns in

the table

You can also select which columns you want to appear in the table.

Firewall Reporting in Sophos Firewall - 11

Copyright © 2024 Sophos Ltd

Logs
Select columns

Click links to apply filters

Manually enter filters

In the ‘Log Viewer & Search’ report you will see the logs from the Sophos Firewall. Just like for the
reports you can click on the links to add filters, or you can add them manually. In the top-right you can
select which columns are shown and switch between the column view and log view.

Firewall Reporting in Sophos Firewall - 12

Copyright © 2024 Sophos Ltd
Additional information in
the notes
Central Firewall Reporting (CFR) Advanced
Central Firewall Reporting Advanced Enhancements

To unlock more features in Central Firewall Reporting, you can add a CFR Advanced license to your
Central account. Once applied it will appear on the licensing page, that can be opened from the admin
menu in the top-right. To get started with the new features, you first need to assign the licenses to the
firewalls; click Manage next to the Central Firewall Reporting license.

[Additional Information]
https://community.sophos.com/sophos-xg-firewall/b/blog/posts/new-enhancements-to-central-
firewall-reporting

Firewall Reporting in Sophos Firewall - 13

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

Licenses provide 100 GB of storage each. Use the plus and minus buttons next to each device to apply
the licenses then click Save.

Once you have applied licenses to a device, you have additional options to manage the license,
including associating it with a replacement, reclaiming the license, and deleting the data.

Firewall Reporting in Sophos Firewall - 14

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

With CFR Advanced licenses you can start reporting on multiple firewalls in a single report. You can do
this from the group’s menu.

Firewall Reporting in Sophos Firewall - 15

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

You can also select multiple firewalls that have CFR Advanced licenses directly on the Report Hub and
Report Generator pages.

Firewalls that do not have CFR licenses can only be selected for reporting on their own.

Firewall Reporting in Sophos Firewall - 16

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

CFR Advanced licenses unlock the ability to create report templates, and optionally configure
automatic scheduled exports as PDF, CSV or HTML.

The exports can be sent via email notification and can either be included as a link or an attachment.

Firewall Reporting in Sophos Firewall - 17

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

In the Report Generator you will notice that the Saved Templates, Scheduled Exports and Queue tabs
are unlocked.

From the Saved Templates tab, you can edit the settings of your template and launch it.

Firewall Reporting in Sophos Firewall - 18

Copyright © 2024 Sophos Ltd

Central Firewall Reporting (CFR) Advanced

The Scheduled Exports tab stores your exported reports and makes them available for download for
90 days.

The Queue tab is for reports that take a long time to generate.

Firewall Reporting in Sophos Firewall - 19

Copyright © 2024 Sophos Ltd

Simulation: Central Firewall Reporting

In this simulation you will run reports for Sophos Firewall

in Sophos Central.

LAUNCH SIMULATION CONTINUE

https://training.sophos.com/fw/simulation/CentralReporting/2/start.html

Please complete this simulation.

Click Launch Simulation to start. Once you have finished, click Continue.

[Additional Information]
https://training.sophos.com/fw/simulation/CentralReporting/2/start.html

Firewall Reporting in Sophos Firewall - 20

Copyright © 2024 Sophos Ltd

Alerts Configurator

The alerts configurator allows you to configure the frequency of alerts for a specific time period,
thereby suppressing repeat alerts, and configure their severity rating.

There are three alert categories that can be configured: Default, Verbose, and Silent.

In the Default alert category, you will typically receive an alert, and if the issue isn’t resolved, you
receive another alert 8 hours later. There are some alerts that are set to ‘Never’, which you will not
receive.

In the Verbose alert category, alerts are sent every hour until it is resolved.

In the Silent alert category, alerts are sent every 24 hours until it is resolved.

Firewall Reporting in Sophos Firewall - 21

Copyright © 2024 Sophos Ltd

Alerts Configurator

Firewalls are automatically assigned to the Default alert category unless you select to assign them to
either the Verbose or Silent alert categories.

Firewall Reporting in Sophos Firewall - 22

Copyright © 2024 Sophos Ltd

Alerts Configurator

To modify the settings for an alert category, you can customize:

• The severity, which can be either low, medium, or high.
• And how many occurrences of the alert can be sent in the selected time period.

Firewall Reporting in Sophos Firewall - 23

Copyright © 2024 Sophos Ltd

Chapter Review

Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos Central. You can
filter logs and reports from Sophos Firewall and create customized reports.

To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos Central
and the option ‘send logs and reports to Sophos Central’ must be enabled. You can customize the data
that is uploaded in the log settings.

Each CFR advanced license includes 100GB of data storage, and enables reporting on multiple firewalls,
saving templates, and scheduling reports.

Here are the main things you learned in this chapter.

Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos Central. You
can filter logs and reports from Sophos Firewall and create customized reports.

To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos
Central and the option ‘Send logs and reports to Sophos Central’ must be enabled. You can customize
the data that is uploaded in the log settings.

Each CFR Advanced license includes 100GB of data storage, and enables reporting on multiple
firewalls, saving templates, and scheduling reports.

Firewall Reporting in Sophos Firewall - 29

Copyright © 2024 Sophos Ltd

Firewall Reporting in Sophos Firewall - 30