You can see, add, and manage Zero Trust Network Access (ZTNA) gateways to control the apps and services your users can access.

You can set up an on-premise gateway or a Sophos Cloud gateway on an ESXi server or on Microsoft Hyper-V. You can also set up a Sophos Cloud gateway on your centrally managed SFOS devices.

Go to ZTNA > Gateways to see a list of gateways.

You can add a gateway or click an existing gateway to manage its settings and resources.

DNS settings

You need to set up public (external) and private DNS servers.

To find out more, see DNS Management in the Requirements section of the startup guide.


Changing IP addresses on your network, or using DHCP for network addressing, can stop your ZTNA from working.

One-arm or two-arm deployment

You can use one-arm or two-arm deployment on an ESXi server or on Microsoft Hyper-V.

One-arm deployment uses the WAN port for both incoming and outgoing traffic and is easier to set up.

Two-arm deployment uses both physical ports (WAN and LAN) of the device. You must have two network interfaces for two-arm deployment.

For more information on deploying an ESXi gateway within your network, see Network Configuration.

Add gateway

If you want to use an ESXi server, you must click Download gateway VM to get the gateway image (OVA file) and deploy it in ESXi before you click Add gateway.

If you want to use Microsoft Hyper-V, you must click Download Gateway VM image for Hyper-V to get the gateway image (VHDX file) and deploy it on Microsoft Hyper-V before you click Add gateway.

You can set up a gateway cluster to ensure availability. In Add gateway, click Gateway clustering and set up additional instances of the gateway.

For step-by-step instructions, see Set up a gateway.

Gateway details

Click an existing gateway to see more details.

In Gateway Details you can see the status and software version of the gateway, or the nodes in a gateway cluster.

You can Edit the gateway settings or Delete a gateway. You can also add and edit gateway instances in Edit gateway.

Click Resource to see the resources assigned to the gateway.

Click Certificate to see the certificates assigned to the gateway. You can upload certificates and private keys.

You can turn on Sophos support access to a gateway for troubleshooting. After you've turned it on, click Token to see a unique token to give to Sophos support staff. You can set the time when tokens expire in Settings.

Troubleshooting logs

You can generate and download logs of gateway activity. You can use them yourself or send them to Sophos support.

To generate logs, do as follows.

  1. Go to Gateway Details for the gateway you want to investigate.
  2. Click Troubleshooting logs.

    Troubleshooting logs appears.

  3. Click Generate logs.

    Generating logs might take a few minutes. When they are generated, an entry appears in the Troubleshooting log column for the gateway you are investigating.

  4. Click the entry in the Troubleshooting log column to download your logs.

Troubleshooting logs expire after an hour.

If you've reviewed the logs and not resolved your issue, you can give Sophos access to your gateway for troubleshooting. See Gateway details.

Gateway updates

You can update the virtual machine for a gateway.

When a new version is available, a green check mark shows in the Version column, next to the version number for your gateway.

To update your gateway, do as follows.

  1. Click the version number for the gateway you want to update.

    Software update appears.

  2. Choose which version to apply.

    You're warned if a restart is required.

  3. Schedule the update or select Now to update your gateway immediately.

    If a restart is required, we recommend you schedule the restart for a maintenance window.

  4. Click Save.