Add a firewall with Zero Touch

With Zero Touch, you specify your firewall configuration settings in Sophos Central. Your firewall administrator then connects the firewall to the internet and turns it on. The firewall connects to Sophos Central, downloads and applies the configuration, and then registers with Sophos Central.

Requirements

If your firewalls are on version 20.0 MR1 or later, you can deploy them using Zero Touch configuration.

Zero Touch configuration is available for XGS firewall devices whose serial number prefix ends in two digits that are the same as or higher than those shown for the model in the table below.

Model           Minimum prefix
XGS 87 r1       X01123
XGS 87w r1      X01223
XGS 107 r1      X10123
XGS 107w r1     X10223
XGS 116 r2      X11303
XGS 116w r2     X11403
XGS 126 r2      X12303
XGS 126w r2     X12403
XGS 136 r2      X13303
XGS 136w r2     X13403
XGS 2100 r1     X21016
XGS 2300 r1     X23017
XGS 3100 r1     X31018
XGS 3300 r1     X33017
XGS 4300 r2     X43014
XGS 4500 r2     X45014
XGS 5500 r2     X55013
XGS 6500 r2     X65013
XGS 7500 r1     X75006
XGS 8500 r1     X85105
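
A pre-deployment check for the firmware-version and serial-prefix requirements above, as an added example (not Sophos code). It assumes the prefix is the first six characters of the serial number, that its first four characters identify the model and revision, and that versions are written as on this page ("20.0 GA", "20.0 MR1"); the inventory serial numbers are constructed.

```python
import re

# Minimum serial-number prefixes, copied from the table above.
TABLE = """\
XGS 87 r1 X01123; XGS 87w r1 X01223; XGS 107 r1 X10123; XGS 107w r1 X10223
XGS 116 r2 X11303; XGS 116w r2 X11403; XGS 126 r2 X12303; XGS 126w r2 X12403
XGS 136 r2 X13303; XGS 136w r2 X13403; XGS 2100 r1 X21016; XGS 2300 r1 X23017
XGS 3100 r1 X31018; XGS 3300 r1 X33017; XGS 4300 r2 X43014; XGS 4500 r2 X45014
XGS 5500 r2 X55013; XGS 6500 r2 X65013; XGS 7500 r1 X75006; XGS 8500 r1 X85105"""
MIN_PREFIX = dict(e.rsplit(" ", 1) for e in re.split(r";\s*|\n", TABLE))
MIN_VERSION = (20, 0, 1)  # 20.0 MR1


def parse_version(text):
    """Parse '20.0 GA' or '20.0 MR1' (assumed notation); None if unrecognized."""
    m = re.fullmatch(r"(\d+)\.(\d+) (?:GA|MR(\d+))", text.strip())
    return (int(m[1]), int(m[2]), int(m[3] or 0)) if m else None


def zero_touch_eligible(model, serial, version):
    """Return (eligible, reason); anything unrecognized counts as not eligible."""
    minimum = MIN_PREFIX.get(model)
    if minimum is None:
        return False, "model not in table"
    prefix = serial.strip().upper()[:6]
    if len(prefix) < 6 or not prefix[4:].isdigit():
        return False, "malformed serial"
    if prefix[:4] != minimum[:4]:  # assumption: first four chars identify the model
        return False, "prefix does not match model"
    if int(prefix[4:]) < int(minimum[4:]):
        return False, "prefix below minimum"
    parsed = parse_version(version)
    if parsed is None:
        return False, "unrecognized version"
    if parsed < MIN_VERSION:
        return False, "firmware older than 20.0 MR1"
    return True, "ok"


# Constructed inventory; the serial numbers are made up for illustration.
INVENTORY = [
    ("XGS 87 r1", "X01123EXAMPLE0001", "20.0 MR1"),
    ("XGS 116 r2", "X11302EXAMPLE0002", "21.0 GA"),
    ("XGS 2100 r1", "X21020EXAMPLE0003", "20.0 GA"),
    ("XGS 107w r1", "X10123EXAMPLE0004", "20.0 MR2"),
]

if __name__ == "__main__":
    for model, serial, version in INVENTORY:
        ok, reason = zero_touch_eligible(model, serial, version)
        print(f"{serial:18} {model:12} {version:9} {'OK' if ok else 'NO'}  {reason}")
```
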

The firewall must have DHCP enabled on the WAN port your firewall administrator uses to connect to the internet. New Sophos firewalls have DHCP enabled on WAN Port2 by default.

If you add multiple firewalls, a cache issue may arise, and the process may not work. To prevent this, use a separate private browsing tab to connect each firewall.

What to do in Sophos Central

To add a firewall with Zero Touch, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. Click Add Firewall.

  3. Under Add firewalls to Sophos Central, click Start Setup.

  4. Under Add Firewall, enter the serial number of your Sophos Firewall, and click Next.

    Claim firewall appears. You see your firewall's serial number and model.

  5. Click Next.

  6. Accept the license agreement and click Continue.

  7. Select the name and time zone of the firewall and click Continue.
  8. Check the licensed features, opt into the customer experience improvement program if you want to, and click Continue.
  9. Configure your LAN settings and enable DHCP if you want to. If you enable DHCP, you must enter a DHCP lease range.
  10. Optional: Click Edit Internet Connection to configure your WAN settings, and click Apply. You can cancel or reset these settings if needed.
  11. Click Continue.
  12. Select your Network protection settings, then click Continue.

  13. Check your Configuration summary, then click Finish.

    You see the Zero Touch configuration options.

  14. Under Zero Touch configuration, select Firewall downloads configuration from Sophos Central.

  15. Optional: Under Central Management auto-approval, select Auto approve for Central management, and click Continue.

    If you don't select this option, you can accept your firewall later in Sophos Central.

  16. You see information about the firewall deployment steps. Click Finish.

    You see your firewall under Firewall Management - Firewalls. Its status will be Waiting for deployment.

What to do on Sophos Firewall

Your firewall administrator must do as follows:

  1. Connect the firewall to the internet on a DHCP-enabled port at the site where you want to deploy the firewall, then turn the firewall on.

    The firewall connects to Sophos Central, downloads and applies the configuration, and registers with Sophos Central.

  2. Optional: Type the web admin console address into your browser, followed by port 4444, to see the setup progress in the Sophos Firewall wizard. Example: 172.16.16.16:4444. The Zero Touch setup window will show.

    Note

    If the firewall can't connect to Sophos Central, the firewall administrator can troubleshoot the issue. See Zero Touch FAQ.

    When the Zero Touch setup is complete, the firewall administrator will see the firewall's web admin console sign-in page.

    You can now add the firewall to a group and manage it through Sophos Central.

Accept the firewall if you didn't select auto approve

Note

If you selected Auto approve for Central management, you can skip this section.

  1. In Sophos Central, go to My Products > Firewall Management > Firewalls.
  2. Search for your firewall's serial number.
  3. Click Accept services.

    Once you accept the firewall, the remaining settings are applied. You can now add the firewall to a group and manage it through Sophos Central.

Set your admin password

Note

If you don't set an admin password, administrators may have trouble accessing the firewall if it loses its internet connection or is disconnected from Sophos Central.

  1. In Sophos Central, go to My Products > Firewall Management > Firewalls.

    You see your firewall is now connected.

  2. Click your firewall's name.

    You're connected to your firewall's web admin console.

    Set firewall admin password appears.

  3. Click Set password.

  4. You're redirected to Administration. Scroll down to Default admin's password settings.
  5. Enter and confirm your password, click Apply, then click OK to confirm.
  6. At the top left of the screen, click Back to FW Management.

    You're redirected back to Sophos Central firewall management.

Sign in to your firewall

Your firewall administrator must do as follows:

  1. Type the web admin console address into your browser, followed by port 4444. Example: 172.16.16.16:4444.
  2. Sign in to the web admin console using the password you set.
  3. Under the System section, go to Sophos Central.

    Under Sophos Central registration, the Device status is Registered.

    Under Sophos Central services, the status is Managed.

Skip Zero Touch

You can prevent a firewall from joining a Sophos Central account with the Zero Touch process.

To do this, do as follows:

  1. Create a file named skip_tzt on your computer, and copy the file to a USB stick.
  2. Plug the USB stick into the firewall, connect the firewall to the internet, and turn the firewall on.

    The firewall will skip the Zero Touch process, and you can set the firewall up through the web console with the firewall's setup assistant.