Firewall reporting FAQs
Find answers to common questions about Central Firewall Reporting (CFR).
What is CFR, and how do I get it?
CFR is Sophos' cloud-based reporting service for SFOS firewalls. Using CFR, you can create customized historical reports to gain insight into the applications, risks, and trends that impact your network.
CFR is integrated into Sophos Firewall and is available on any SFOS firewall that is running a current firmware version.
Is CFR supported on hardware, software, virtual, and cloud firewall instances?
Yes. CFR is available on all SFOS firewall platforms that are running current firmware versions.
What are the flexible customization options in CFR?
CFR allows you to configure flexible reports that you can customize. Each report table contains many column choices, which allow you to add or remove columns of data to make a report more granular, compressed, or more detailed, as needed. This flexibility allows you to define the data fields you need in your reports and to see correlated data.
What are the different chart options available?
You can choose between a bar, pie, stacked area, or line chart for any report and Sankey diagrams for specific reports. In addition, you can configure the X and Y dimensions in the chart, providing a high degree of choice when deciding what to represent in a report.
How flexible are the pre-defined report modules?
Reports are structured around specific modules such as Application Usage and Web Usage. You can further customize the reports by changing data fields in the table and charts and applying filters to the hundreds of data fields. The flexible report table and charts allow you to customize each report and create a library of hundreds of variations from any report. Each report provides multiple charting options, enabling you to visualize data and trends for your specific use case. For example, the Application Bandwidth report uses a stacked area chart showing bandwidth consumption over a defined period.
Can I utilize third-party reporting applications using the stored data?
CFR doesn't function as a log forwarder. If you need to store your log data in a third-party security information and event management system (SIEM) or log collector in addition to Sophos Central, you can configure your firewall to send data to multiple locations simultaneously, for example, to a local SIEM and to Sophos Central.
What is the Report Dashboard?
The Report Dashboard is an at-a-glance view from the firewall for network operational health, policy control events, and all security-driven events. You can see the previous 24 hours of events without having to look at a more detailed report. The Report Dashboard shows the top network, security, and policy-driven events. From the dashboard, you can generate a full report for a more detailed analysis.
Is the report data "real-time," or is there a lag for visualizing and reporting on the data?
Firewalls send log data in batches every few minutes or once enough log data has been collected. Logs are then processed and ingested into the Sophos Central data lake, where they become available for CFR reports, XDR and MDR queries, and case alerts. This process may take several minutes from the time an event is logged until it's available for reports.
Is there an "executive summary" type of report that I can send to my manager?
The Security Posture Assessment report is a special-purpose report that includes a customizable list of reports that can be included within it. The included reports may be limited to the top 10 to 100 events each, allowing for a brief overview suitable for executive reporting. It additionally includes an inventory report showing the status and CFR license usage details on all managed firewalls in your account.
What happens if the storage capacity for the firewall is exceeded?
Data is retained using a first in, first out (FIFO) approach. When a firewall consumes all its allocated storage, data is rotated according to FIFO. The expiry date is decided by the rate at which the firewall sends data to Sophos Central. CFR Advanced customers may purchase more storage capacity, up to the firewall's limit and a maximum of one year of storage.
Are different versions of CFR available?
There are three license levels for CFR per firewall: Free tier, Xstream Bundle, and CFR Advanced. Each license provides different storage amounts, retention periods, and Sophos Central features. The Sophos Central Firewall Data Storage Estimation Tool can assist in estimating which option is best for you.
What is included in the CFR Free tier license?
All firewalls with an active subscription are eligible for a maximum of seven days of data retention.
The storage amount provided is based on the specific firewall appliance model. This storage is large enough to provide most firewalls with a full seven days of data retention.
However, firewalls that produce exceptionally high log volumes may experience a shorter data retention period, as the storage may fill up faster.
Free-tier firewalls aren't included in scheduled reports or group reports.
What is included in CFR for firewalls with an Xstream Bundle license?
Firewalls with an active Xstream subscription bundle are eligible for a maximum of 30 days of data retention.
The storage amount provided is based on the specific firewall appliance model. This storage is large enough to provide most firewalls with a full 30 days of data retention.
However, firewalls that produce exceptionally high log volumes may experience a shorter data retention period, as the storage may fill up faster.
Firewalls with the Xstream Bundle can be included in both scheduled reports and group reports.
What is included in the CFR Advanced license?
All firewalls with an active subscription and at least one CFR Advanced license user are eligible for a maximum of 365 days of data retention.
The storage volume assigned to these firewalls is based on the number of CFR Advanced license users.
Each CFR Advanced license user increases the data volume by 100 GB. The more CFR Advanced license users a firewall has, the more storage volume it will be assigned. Firewalls that produce exceptionally high log volumes may need more than one CFR Advanced license user to provide the maximum 365 days of data retention.
You can use the Sophos Central Firewall Data Storage Estimation Tool to determine the appropriate number of CFR Advanced licenses needed based on your firewall's log volume.
Firewalls that have CFR Advanced licenses can be included in both scheduled reports and group reports.
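The following added example (not Sophos code and not the Storage Estimation Tool) models the FIFO rotation and 100 GB license stacking described above, to show why a burst in log volume, rather than the average, determines how many days of logs survive. It assumes rotation at whole-day granularity and ignores any compression or indexing overhead; the function names and the sample volumes are constructed for illustration.

```python
import math

LICENSE_GB = 100   # storage added per CFR Advanced license (from this page)
MAX_DAYS = 365     # CFR Advanced retention ceiling (from this page)


def retained_days(daily_gb, capacity_gb, max_days=MAX_DAYS):
    """Whole days of logs still held after FIFO rotation (simplified model).

    daily_gb is ordered oldest-first. Walk back from the newest day and keep
    days until the next one would exceed capacity or the retention ceiling.
    """
    used = 0.0
    kept = 0
    for gb in reversed(daily_gb):
        if kept == max_days or used + gb > capacity_gb:
            break
        used += gb
        kept += 1
    return kept


def licenses_for(daily_gb, target_days, license_gb=LICENSE_GB):
    """Fewest licenses so that every run of target_days fits in storage.

    Sizes on the busiest window instead of the average, because FIFO evicts
    old data soonest when the firewall is logging fastest.
    """
    target_days = min(target_days, MAX_DAYS, len(daily_gb))
    window = sum(daily_gb[:target_days])
    peak = window
    for i in range(target_days, len(daily_gb)):
        # Slide the window forward one day at a time.
        window += daily_gb[i] - daily_gb[i - target_days]
        peak = max(peak, window)
    return max(1, math.ceil(peak / license_gb))


# Constructed sample: 60 quiet days at 2 GB/day, then a 30-day burst at 9 GB/day.
SAMPLE = [2.0] * 60 + [9.0] * 30

if __name__ == "__main__":
    for n in (1, 2, 3):
        print(n, "license(s):", retained_days(SAMPLE, n * LICENSE_GB), "days kept")
    print("licenses for 30 days:", licenses_for(SAMPLE, 30))
```

With the sample data, sizing on the 90-day average would suggest two licenses for 30 days of retention, but the burst pushes the requirement to three.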
What features does CFR Advanced offer?
CFR Advanced enables you to increase the cloud storage capacity of your syslog data in your Sophos Central account by purchasing additional capacity. Doing so allows more log data to be stored for reporting purposes and will also extend the reporting period up to 365 days.
How do I get CFR? Is there a license key?
For the free version, you activate CFR by selecting a check box in the firewall UI. No license key is required. For the Advanced version, you must purchase and activate a subscription license. Licensing is on a per-firewall basis, so you can't share licenses between firewalls.
What happens when I upgrade from the free version of CFR to Advanced?
Upgrading from the free version to CFR Advanced enables more log data to be stored for reporting purposes and extends the reporting period up to 365 days. In addition, CFR Advanced licensed firewalls, or firewalls with an Xstream subscription bundle, may be included in group reports that aggregate data from multiple firewalls into one report.
How does data storage capacity work?
Syslog data is stored in your Sophos Central account in the cloud, within the Sophos Central account's data region, where it can be retrieved as needed through the firewall to create a new report. Each firewall has a specified amount of associated storage, which varies by model, with high-end 2U firewalls having the most. You can choose to send or not send certain log data types for cloud storage. Data is deleted using a first in, first out (FIFO) approach.
How far back does the historical reporting go?
The free version enables reporting for up to seven days based on the amount of log data generated and the firewall's storage capacity. The Advanced version extends the reporting period to up to one year. With CFR Advanced, you can increase or reduce the amount of storage allocated to a given device at any time. Doing so will either expand or reduce the duration for which the old log data is available.
If I stop using either version, what happens to the log data at any point in time?
Syslog data is stored in the cloud in your Sophos Central account. Data is added and removed on a first-in, first-out (FIFO) basis. Once the storage capacity maximum is reached, the oldest data will be replaced by the newest.
How do I license more storage capacity?
CFR Advanced provides the option to add more storage capacity as needed through stackable 100 GB licenses. You must purchase a minimum of a single 100 GB license for one firewall to receive all CFR Advanced features.
There are three price bands based on quantity, as follows:
- 100 GB to 1 TB (1 to 10 licenses)
- 1.1 TB to 5 TB (11 to 50 licenses)
- 5.1 TB or more (51 licenses or more)
Storage is bought per Sophos Central account and you can assign storage to your firewalls.
Contact your Sophos partner for pricing.