Professional Documents
Culture Documents
FW8510 20.0v1 Firewall Reporting in Sophos Firewall
FW8510 20.0v1 Firewall Reporting in Sophos Firewall
Firewall Reporting in
Sophos Central
Sophos Firewall
Version: 20.0v1
[Additional Information]
Sophos Firewall
FW8510: Firewall Reporting in Sophos Central
January 2024
Version: 20.0v1
© 2024 Sophos Limited. All rights reserved. No part of this document may be used or reproduced in any form or by any means without the prior written
consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and marks mentioned in this document may be the
trademarks or registered trademarks of Sophos Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no warranties, conditions or representations (whether express
or implied) as to its completeness or accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at The Pentagon, Abingdon Science Park, Abingdon,
Oxfordshire, OX14 3YP.
DURATION 6 minutes
In this chapter you will learn how to enable Sophos Firewall reporting in Sophos Central, and how to
run reports.
Central Firewall Reporting provides access to dashboards and reports in Sophos Central for each of
your Sophos Firewalls. You can also view and filter logs. The last 7 days of data is available in Sophos
Central updated on a first in, first out (FIFO) basis. This means that the oldest data is always replaced
with the most current data.
You can increase the amount of reporting data that can be stored, and for how long, using Central
Firewall Reporting Advanced licenses. These licenses also unlock additional reporting features.
To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos
Central and the option Send logs and reports to Sophos Central must be enabled in Sophos Central
services. This can be found in SYSTEM > Sophos Central.
Once enabled, data should start appearing in Sophos Central within around 10 – 15 minutes.
Enabling Central reporting creates a syslog server for uploading the data to Central in CONFIGURE >
System services > Log settings.
Here you can also customize the data that is uploaded to Central in the Log settings section.
In the Report Hub, you first need to select the firewall, either by label or by serial number if you have
not added a label. These are organized into groups.
You can click on the summary buttons in each section and the information below will be updated to
show more detail. Where available, a View Report link will also be displayed to take you directly to the
full report.
Report Generator
Select report
In the Report Generator you can access and customize the prebuilt reports.
Report Generator
By clicking on the data in the chart or the links in the table below you can apply filters to the report.
Report Generator
You can also manually enter filters. When you click in the ‘Query’ field you will see the fields that you
can select to filter on.
Report Generator
You can customize the graphs in each report by selecting the type of chart and the fields that you want
displayed.
Report Generator
You can also select which columns you want to appear in the table.
Logs
Select columns
In the ‘Log Viewer & Search’ report you will see the logs from the Sophos Firewall. Just like for the
reports you can click on the links to add filters, or you can add them manually. In the top-right you can
select which columns are shown and switch between the column view and log view.
To unlock more features in Central Firewall Reporting, you can add a CFR Advanced license to your
Central account. Once applied it will appear on the licensing page, that can be opened from the admin
menu in the top-right. To get started with the new features, you first need to assign the licenses to the
firewalls; click Manage next to the Central Firewall Reporting license.
[Additional Information]
https://community.sophos.com/sophos-xg-firewall/b/blog/posts/new-enhancements-to-central-
firewall-reporting
Licenses provide 100 GB of storage each. Use the plus and minus buttons next to each device to apply
the licenses then click Save.
Once you have applied licenses to a device, you have additional options to manage the license,
including associating it with a replacement, reclaiming the license, and deleting the data.
With CFR Advanced licenses you can start reporting on multiple firewalls in a single report. You can do
this from the group’s menu.
You can also select multiple firewalls that have CFR Advanced licenses directly on the Report Hub and
Report Generator pages.
Firewalls that do not have CFR licenses can only be selected for reporting on their own.
CFR Advanced licenses unlock the ability to create report templates, and optionally configure
automatic scheduled exports as PDF, CSV or HTML.
The exports can be sent via email notification and can either be included as a link or an attachment.
In the Report Generator you will notice that the Saved Templates, Scheduled Exports and Queue tabs
are unlocked.
From the Saved Templates tab, you can edit the settings of your template and launch it.
The Scheduled Exports tab stores your exported reports and makes them available for download for
90 days.
The Queue tab is for reports that take a long time to generate.
https://training.sophos.com/fw/simulation/CentralReporting/2/start.html
Click Launch Simulation to start. Once you have finished, click Continue.
[Additional Information]
https://training.sophos.com/fw/simulation/CentralReporting/2/start.html
Alerts Configurator
The alerts configurator allows you to configure the frequency of alerts for a specific time period,
thereby suppressing repeat alerts, and configure their severity rating.
There are three alert categories that can be configured: Default, Verbose, and Silent.
In the Default alert category, you will typically receive an alert, and if the issue isn’t resolved, you
receive another alert 8 hours later. There are some alerts that are set to ‘Never’, which you will not
receive.
In the Verbose alert category, alerts are sent every hour until it is resolved.
In the Silent alert category, alerts are sent every 24 hours until it is resolved.
Alerts Configurator
Firewalls are automatically assigned to the Default alert category unless you select to assign them to
either the Verbose or Silent alert categories.
Alerts Configurator
Chapter Review
Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos Central. You can
filter logs and reports from Sophos Firewall and create customized reports.
To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos Central
and the option ‘send logs and reports to Sophos Central’ must be enabled. You can customize the data
that is uploaded in the log settings.
Each CFR advanced license includes 100GB of data storage, and enables reporting on multiple firewalls,
saving templates, and scheduling reports.
Standard Central Firewall Reporting provides storage for the last 7 days of data in Sophos Central. You
can filter logs and reports from Sophos Firewall and create customized reports.
To start using Central Firewall Reporting, the Sophos Firewall needs to be registered with Sophos
Central and the option ‘Send logs and reports to Sophos Central’ must be enabled. You can customize
the data that is uploaded in the log settings.
Each CFR Advanced license includes 100GB of data storage, and enables reporting on multiple
firewalls, saving templates, and scheduling reports.