Zero Touch FAQ

Find answers to common questions about Zero Touch deployment.

How do I troubleshoot if Zero Touch deployment fails due to a connectivity issue?

  1. Access Sophos Firewall locally with a console cable. See Sophos Firewall: Set up a serial connection with a console cable.
  2. When you're signed in to the command line interface (CLI), press 5 to access Device Management.
  3. Press 3 to access Advanced Shell. For more information about the advanced shell, see Sophos Firewall: Device Management.
  4. Change to the log directory using the command cd /log. For more details about logs, see Sophos Firewall: Log file details.
  5. Go to zt.log to see the Zero Touch logs.

What do I do if Zero Touch deployment fails, and the following error appears in the firewall's Zero Touch setup assistant: Zero Touch Setup Error?

You can click one of the following options: Restart Zero Touch process or Manage firewall locally.

  • If you click Restart Zero Touch process, you must remove the firewall from Sophos Central, re-add it using Zero Touch, then from the firewall's Zero Touch setup assistant, click Reset firewall, then OK to restart it.

The firewall will factory reset, then restart the Zero Touch process.

  • If you click Manage firewall locally, you must restart the firewall from the firewall's Zero Touch setup assistant with its factory configuration.

The firewall will factory reset and then you can reconfigure it through the web console with the firewall's setup assistant.

How does a Sophos Central administrator or Sophos Central Partner administrator skip Zero Touch configuration for a specific customer's firewall?

The Sophos Central Partner admin or the Sophos Central admin must do as follows:

  • Create a file named tzt_skip on their computer, and copy the file to a USB stick.
  • Plug the USB stick into the firewall, connect the firewall to the internet, and turn the firewall on.

The firewall will skip the TZT process, and the admin can set the firewall up through the web console with the firewall's setup assistant.

When I configure a DHCP lease range in Sophos Central, which ranges can I use?

You can use any DHCP lease range apart from 172.16.16.x.

By default, the firewall creates a DHCP server with the name Default_DHCP_Server and an IP range of 172.16.16.x. When the Zero Touch configuration is applied, another DHCP entry is created, named Default_DHCP_Server_CM. When this setting is applied, the API parser doesn't allow the creation of another entry for the DHCP server with the same range on the same interface.
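
A pre-flight check for planned lease ranges before they are entered in Sophos Central, as an added example that is not Sophos code. It assumes 172.16.16.x means every address in 172.16.16.0/24; `check_lease_range`, `review`, and the sample plans are hypothetical names and constructed data.

```python
import ipaddress

# Assumption: "172.16.16.x" on the page means 172.16.16.0 through 172.16.16.255.
RESERVED = ipaddress.ip_network("172.16.16.0/24")


def check_lease_range(start: str, end: str) -> str:
    """Return "ok" or a short reason the planned range should be changed."""
    try:
        first = ipaddress.IPv4Address(start)
        last = ipaddress.IPv4Address(end)
    except ipaddress.AddressValueError as exc:
        return f"invalid address: {exc}"
    if first > last:
        return "start address is after end address"
    # Two closed intervals overlap when each starts before the other ends.
    # Comparing endpoints also catches a range that spans across 172.16.16.x.
    if first <= RESERVED.broadcast_address and last >= RESERVED.network_address:
        return f"overlaps {RESERVED} used by Default_DHCP_Server"
    return "ok"


# Constructed sample plans, not taken from any real deployment.
PLANNED = {
    "branch-a": ("192.168.10.100", "192.168.10.200"),
    "branch-b": ("172.16.16.50", "172.16.16.99"),
    "branch-c": ("172.16.15.200", "172.16.17.10"),
    "branch-d": ("10.0.0.200", "10.0.0.100"),
}


def review(plans):
    """Check every planned range and return {name: verdict}."""
    return {name: check_lease_range(*rng) for name, rng in plans.items()}


if __name__ == "__main__":
    for name, verdict in review(PLANNED).items():
        print(f"{name}: {verdict}")
```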