Firewall groups

You can create and manage firewall groups in Sophos Central.

Create group

You can add your firewalls to a group and configure them all simultaneously using a group policy.

You must be an Admin or Super Admin in Sophos Central to create a group.

  1. Go to My Products > Firewall Management > Firewalls.
  2. Click Create New Group.
  3. Select an initial configuration option for your group. Select Use Sophos default to create a new configuration or select Import existing configuration to import the configuration from an existing firewall.

    You can customize your configuration later.

  4. Enter a name for the group.

  5. Assign firewalls to the group.

    You don't have to assign firewalls when you create a group. You can create an empty group, edit its policy, and then assign firewalls to it. The group policy is applied to firewalls whenever you assign them to the group. From then on, the firewall configuration is in sync with the group policy.

  6. Click Save.

Create and edit group policies

You can create and edit policies that will apply to all firewalls in a group.

You must be an Admin or Super Admin in Sophos Central to access your firewalls through Sophos Central.

To create and edit policies, do as follows:

  1. Click the ellipsis button (…) on the right-hand side of the group for which you want to create or edit the policy.
  2. Select Manage Policy.

    This takes you to your firewall group web admin console, to Rules and Policies.

  3. You can now create and edit your policies.

    If a policy refers to firewall zones or interfaces, you may need to create dynamic zones or interfaces.

    Note

    If you remove the firewall from the group, the policies you created remain on the firewall.

  4. To return to Sophos Central, click Dashboard or Back to Overview (on the left-hand menu).

In Sophos Central, go to My Products > Firewall Management > Tasks Queue to check whether the policy has been applied to the firewalls.

Warning

When you add firewall or NAT rules, the Top and Bottom settings apply only to the ordering of rules within Sophos Central, not rules that may have been created locally on the firewall. All rules pushed from Sophos Central are inserted at the top of the rules list on the firewall. To avoid unexpected firewall behavior, when a firewall is managed from Sophos Central, we recommend that all rules are created and pushed from Sophos Central.

Create subgroup

You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup.

For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.

To create a subgroup, do as follows:

  1. Click the ellipsis button (…) on the right-hand side of the group in which you want to create a subgroup.
  2. Select Add a Subgroup.
  3. Enter a name for the subgroup.
  4. Assign firewalls to the subgroup.

    You don't have to assign firewalls when you create a subgroup. You can create an empty subgroup, edit its policy, and then assign firewalls to it. The subgroup policy is applied to firewalls whenever you assign them to the subgroup. From then on, the firewall configuration is in sync with the subgroup policy.

  5. Click Save.

Inheritance of objects and settings by subgroup policies

Objects are pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts.

A subgroup policy can't change objects you create for a parent group. For example, you create a custom FQDN Host object for the Acme Corporation policy. The Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in those policies. However, a subgroup policy can use the parent object as a template to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.

If you try to remove an object from a parent group policy, it's automatically removed from subgroup policies if it's not used by any of them. However, if it's used, removal is prevented, and you're informed of the subgroup and rule where the object is used.

Settings are pages in the group policy editor that typically have an Apply button. You can't delete a setting; you can only configure it and turn it on or off. Examples of settings are Advanced Threat settings.

You can only configure settings in the topmost parent group policy. You can't configure settings in any of the subgroup policies. When you apply a setting to the top parent group policy, it's applied automatically to all the subgroup policies.

Assign a firewall to a group and skip full sync

You can add firewalls to a group and skip synchronization with Sophos Central. You can do this for standalone firewalls and firewalls belonging to a high availability (HA) pair.

To do this, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. Find your firewall group in the list, click the three dots in the rightmost column, and click Edit Group.
  3. Under Available Firewalls, click the firewall you want to add to the group, then click the arrow to move it to Assigned Firewalls.
  4. Select Skip full sync.

    Note

    Skipping full sync may cause a configuration mismatch between Sophos Central and the firewall. The firewall won't synchronize with the other firewalls in the group, which means Sophos Central won't push existing configurations to the firewall.

  5. Click Save.

  6. In the firewall list, click the arrow next to the group name to see your firewall. Your firewall shows as Connected.

You can configure and apply settings for the firewall group immediately. The new settings will be applied to all firewalls in the group.

To force a full sync, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. In the firewall list, click the arrow next to the group name to see your firewall.

    Under Sync & Management, you'll see your firewall status.

  3. Click your firewall's status (in this case, Connected).

  4. Click Force sync.

    Note

    The Force sync link doesn't appear for passive firewalls in an HA pair. To update an HA pair, you must force a full sync on the active firewall.

Your firewall will synchronize with Sophos Central, which means that it will inherit all of the group configurations.