Firewalls

You can view and configure any Sophos XG Firewall that can connect to Sophos Central.

Go to Firewall management > Firewalls.

You can manage firewalls individually or as a group. Firewalls that are managed individually are placed in a group called Ungrouped.

The information displayed for each firewall includes the following:

  • Alerts: Alerts in the last 24 hours.

    CPU usage alert: click the icon to see a graph of CPU usage in the last two hours.

    Management and reporting alert: click the icon for more information.

  • Sync & Management

    Synchronized: The firewall is online and sending regular heartbeats, and its configuration matches the group policy.

    Connected: If the firewall is ungrouped, the firewall is online and sending regular heartbeats. If the firewall is in a group and this status persists for more than about a minute, the firewall is online and sending regular heartbeats but has not started to synchronize with the group policy. Either the synchronization tasks have not been created, or they have been created but the firewall is not pulling them. In this case, inspect the tasks queue to find out which transactions are pending.

    Error needs attention: The firewall's configuration does not match the group policy. Inspect the tasks queue to find out which policy cannot be applied.

    Synchronizing: The firewall has just been added to the group, and Sophos Central is applying the group policy to it.

    Last seen x hours ago (Sophos XG Firewall 18 or later) or Disconnected: The firewall is offline.

    Approval Pending: A local admin has registered the firewall with Sophos Central from the firewall's web admin console, and it is waiting for approval by a Sophos Central admin. Once approved, the firewall can be managed individually or as part of a group.

    Management Disabled: The firewall is registered with Sophos Central, but management from Sophos Central has not been turned on in the firewall's web admin console.

    If you click a status, more information is displayed:

    Missing since x hours: The firewall sends a heartbeat message every minute. If five heartbeat messages are missed, Sophos Central considers the firewall to be offline.

    Failed to apply a policy x days ago: A policy could not be applied to the firewall. The tasks queue may have more details about the reason for the failure.

    Firewall is suspended: The firewall has been offline or out of sync with the group policy for more than 30 days, so Sophos Central cannot determine its current status. To resolve this, remove the firewall from the group and add it again.

    Central Reporting is Disabled: Firewall reporting can be turned on from the firewall's web admin console.

  • Synchronized Security

    Apps icon: The number of apps discovered by the firewall.

    Gray graph icon: Reporting is turned off.

    Blue graph icon: Reporting is turned on.

  • Version: The firewall OS version.

Click a firewall to open the firewall’s web admin console. This lets you configure the firewall.

Note You must be an Admin or Super Admin in Sophos Central to open the web admin console. This gives you the same permissions as the firewall's local "admin" account. It also lets you change the password for an "admin" account, which is necessary when you deploy firewalls via Zero Touch.
Note For information on using Zero Touch configuration, see Add a firewall with Zero Touch.

Add firewalls

You add firewalls so that you can monitor them in Sophos Central and also manage them from the web admin console.

The steps depend on whether you want to add a new firewall or add a firewall that has already been deployed.

To add a new firewall:

  1. Click Add Firewall and select the option to add a new firewall.
  2. Register your serial number.

    You're guided through registration and deployment.

To add a firewall that is already deployed:

  1. Log in to your firewall.
  2. On the Central Synchronization page, turn on Manage from Sophos Central.
  3. In Sophos Central, on the Firewalls page, expand the Ungrouped group, find the firewall, and click Accept services.

Watch a video of these steps here: XG Firewall Management from Sophos Central.

If you have problems accessing the video, you can also find it in our XG Firewall How-To Library.

Create group

If your firewalls are on firmware version 18.0 or later, you can add them to a group and configure them all simultaneously using a group policy.

Note You must be an Admin or Super Admin in Sophos Central to create a group.
  1. Click Create New Group.
  2. Enter a name for the group.
  3. Assign firewalls to the group.

    You don’t have to assign firewalls when you create a group. You can create an empty group, edit its policy, and then assign firewalls to it. The group policy is applied to the firewalls as they are assigned, even if they are assigned after the group policy has been edited. From then on, the firewall configuration is in sync with the group policy.

  4. Click Save.

Edit group policy

You can edit the policy that will apply to all firewalls in a group.

  1. Click the ellipsis button (…) on the right of the group for which you want to edit the policy.
  2. Select Manage Policy to open the group policy editor.

    In the main menu, under Manage Firewalls > Firewalls, the name of the group is displayed.

  3. Change the policy as required, in any of the sections in the main menu. For an explanation, see the Sophos XG Firewall help.

    If your policy refers to firewall zones or interfaces, you may need to create dynamic zones or interfaces. See Dynamic objects.

You can view the tasks queue to see the status of the application of the policy to the firewalls.

Caution When you add firewall or NAT rules, the Top and Bottom settings apply only to the ordering of rules within Sophos Central, not rules that may have been created locally on the firewall. Furthermore, all rules pushed from Sophos Central are inserted at the top of the rules list on the firewall. To avoid unexpected firewall behavior, when a firewall is managed from Sophos Central, we recommend that all rules are created and pushed from Sophos Central.
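
The following simulation is an added illustration, not Sophos code. It models the behaviour the Caution describes: the block of rules pushed from Sophos Central is inserted above every locally created rule, and Top/Bottom only order rules within that block. It assumes (the page does not state this) that the firewall evaluates rules top-down with first match winning, and uses constructed rule and zone names. It shows how a local "block SSH into the DMZ" rule is silently shadowed by a broader allow rule pushed from Central, even one placed at the Bottom in Central.

```python
"""Why rules pushed from Sophos Central can shadow locally created rules.

Added illustration, not Sophos code. Assumed: top-down, first-match rule
evaluation. Zone, service and rule names below are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    service: str   # "any" or a single service name such as "ssh"
    action: str    # "accept" or "drop"
    origin: str    # "central" or "local"


def add_central_rule(central_block, rule, placement="top"):
    """Top/Bottom in Sophos Central orders rules within the Central block only."""
    if placement == "top":
        return [rule, *central_block]
    if placement == "bottom":
        return [*central_block, rule]
    raise ValueError(f"unknown placement {placement!r}")


def effective_rule_list(local_rules, central_block):
    """Order the firewall ends up with: the whole Central block above all
    locally created rules, which keep their own relative order."""
    return [*central_block, *local_rules]


def first_match(rules, src_zone, dst_zone, service):
    """Top-down, first match wins (assumed model). Returns the matching
    Rule, or None when nothing matches."""
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.service in ("any", service)):
            return rule
    return None


def shadowed_local_rules(rules):
    """Local rules that can never fire because an earlier Central rule
    already matches all the traffic they would match."""
    shadowed = []
    for idx, rule in enumerate(rules):
        if rule.origin != "local":
            continue
        for earlier in rules[:idx]:
            if (earlier.origin == "central"
                    and earlier.src_zone == rule.src_zone
                    and earlier.dst_zone == rule.dst_zone
                    and earlier.service in ("any", rule.service)):
                shadowed.append(rule)
                break
    return shadowed


# Constructed sample: a local admin blocked SSH into the DMZ before allowing
# everything else. Central later pushes a blanket LAN-to-DMZ allow rule that
# was placed at the "Bottom" in Central.
LOCAL_RULES = [
    Rule("Block-SSH-to-DMZ", "LAN", "DMZ", "ssh", "drop", "local"),
    Rule("LAN-to-DMZ", "LAN", "DMZ", "any", "accept", "local"),
]
CENTRAL_BLOCK = add_central_rule(
    [], Rule("Central-LAN-to-DMZ", "LAN", "DMZ", "any", "accept", "central"),
    placement="bottom")


def ssh_verdicts():
    """(before push, after push) action for LAN -> DMZ SSH."""
    before = first_match(LOCAL_RULES, "LAN", "DMZ", "ssh").action
    merged = effective_rule_list(LOCAL_RULES, CENTRAL_BLOCK)
    after = first_match(merged, "LAN", "DMZ", "ssh").action
    return before, after


if __name__ == "__main__":
    merged = effective_rule_list(LOCAL_RULES, CENTRAL_BLOCK)
    print("order on firewall:", [r.name for r in merged])
    print("LAN->DMZ ssh before/after push:", ssh_verdicts())
    print("shadowed local rules:", [r.name for r in shadowed_local_rules(merged)])
```

Running it shows the SSH verdict flipping from "drop" to "accept" after the push, with both local rules reported as shadowed. This is the concrete reason for the recommendation above: once a firewall is Central-managed, any rule that must sit above the Central block has to live in the Central policy itself.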

Create subgroup

You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup. For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.

  1. Click the ellipsis button (…) on the right of the group in which you want to create a subgroup.
  2. Select Add a Subgroup.
  3. Enter a name for the subgroup.
  4. Assign firewalls to the subgroup.

    You don’t have to assign firewalls when you create a subgroup. You can create an empty subgroup, edit its policy, and then assign firewalls to it. The subgroup policy is applied to the firewalls as they are assigned, even if they are assigned after the subgroup policy has been edited. From then on, the firewall configuration is in sync with the subgroup policy.

  5. Click Save.

Inheritance of objects and settings by subgroup policies

“Objects” are those pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts. Objects you create for a parent group policy cannot be modified by a subgroup policy. For example, if you create a custom FQDN Host object for the Acme Corporation policy, the Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in the Boston, London, and Hyderabad policies. However, a subgroup policy can use an object created by its parent group policy to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.

If you try to remove an object from a parent group policy, it is automatically removed from the subgroup policies if none of them use it. If a subgroup policy does use it, removal is prevented, and you are told the subgroup and rule where the object is used.

“Settings” are those pages in the group policy editor that typically have an Apply button. You cannot delete a setting, only configure it and turn it on or off. Examples of settings are Advanced Threat settings. Settings can only be configured in the topmost parent group policy. They cannot be configured in any of the subgroup policies. When a setting is applied to the topmost parent group policy, it is applied automatically to all the subgroup policies.
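
The following model is an added illustration, not Sophos code. It encodes the inheritance rules for objects and settings described in this section (read-only inherited objects, subgroup-private objects, refused removal while a subgroup rule uses the object, settings configurable only on the topmost group) on a constructed Acme Corporation / Boston / London tree. Two points the page leaves unstated are assumed and marked: object names are unique along the chain of ancestors, and removal is also refused when the owning group's own rules still use the object.

```python
"""Object and setting inheritance between a group policy and its subgroups.

Added illustration, not Sophos code. Assumed (not on the page): an object
name is unique along the ancestor chain, and removal is refused when the
owning group's own rules still reference the object, not only a subgroup's.
"""
from dataclasses import dataclass, field


@dataclass
class PolicyGroup:
    name: str
    parent: "PolicyGroup | None" = None
    objects: dict = field(default_factory=dict)   # object name -> definition
    rules: dict = field(default_factory=dict)     # rule name -> set of objects used
    settings: dict = field(default_factory=dict)  # meaningful on the topmost group only
    children: list = field(default_factory=list)

    def __post_init__(self):
        if self.parent is not None:
            self.parent.children.append(self)

    def ancestors(self):
        node = self.parent
        while node is not None:
            yield node
            node = node.parent

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()


def visible_objects(group):
    """What the policy editor shows for this group: its own objects
    (editable) plus read-only copies inherited from every ancestor."""
    visible = {name: "editable" for name in group.objects}
    for ancestor in group.ancestors():
        for name in ancestor.objects:
            visible[name] = "read-only"
    return visible


def add_object(group, name, definition):
    if name in visible_objects(group):
        raise ValueError(f"{group.name}: object {name!r} already exists here or in a parent")
    group.objects[name] = definition


def add_rule(group, rule_name, uses):
    """A rule may use the group's own objects or inherited ones, nothing else."""
    unknown = sorted(set(uses) - set(visible_objects(group)))
    if unknown:
        raise ValueError(f"{group.name}: rule {rule_name!r} uses unknown objects {unknown}")
    group.rules[rule_name] = set(uses)


def object_uses(group, object_name):
    """(group, rule) pairs, in this group and every subgroup, using the object."""
    return [(g.name, rule) for g in (group, *group.descendants())
            for rule, refs in g.rules.items() if object_name in refs]


def remove_object(group, object_name):
    """Refused while any rule at or below this group still uses the object;
    the error names the subgroup and rule, as the help text describes."""
    if object_name not in group.objects:
        raise KeyError(f"{group.name} does not own {object_name!r}")
    uses = object_uses(group, object_name)
    if uses:
        where = ", ".join(f"{g}/{rule}" for g, rule in uses)
        raise ValueError(f"cannot remove {object_name!r}: used by {where}")
    del group.objects[object_name]


def apply_setting(group, name, value):
    """Settings are configured on the topmost group only."""
    if group.parent is not None:
        raise PermissionError(f"{group.name}: configure settings on the topmost group")
    group.settings[name] = value


def effective_settings(group):
    """A subgroup's settings are whatever the topmost ancestor applied."""
    root = group
    while root.parent is not None:
        root = root.parent
    return dict(root.settings)


def build_example():
    """Constructed tree matching the Acme / Boston / London example."""
    acme = PolicyGroup("Acme Corporation")
    boston = PolicyGroup("Boston", parent=acme)
    london = PolicyGroup("London", parent=acme)
    add_object(acme, "updates-host", {"fqdn": "updates.example.com"})  # constructed
    add_rule(boston, "Allow-updates", ["updates-host"])               # uses inherited object
    add_object(boston, "boston-printer", {"ip": "10.1.0.20"})          # constructed, Boston-only
    apply_setting(acme, "advanced_threat_protection", True)
    return acme, boston, london


if __name__ == "__main__":
    acme, boston, london = build_example()
    print("Boston sees:", visible_objects(boston))
    print("London sees:", visible_objects(london))
    try:
        remove_object(acme, "updates-host")
    except ValueError as err:
        print(err)
```

Running it prints the read-only inherited object in both subgroups, the Boston-only object invisible to London, and the refused removal naming Boston/Allow-updates; deleting that rule first lets the removal go through and the object disappears from Boston's view as well.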

Upgrade firmware for firewalls

You can upgrade firmware for Sophos XG Firewall. If an upgrade is available, you'll see a download button next to every firewall that is eligible for it.

To upgrade a firewall, do as follows:

  1. Click the download button.
  2. Click Schedule Upgrades.
  3. If more than one firmware version is available, select the version you want.
  4. Choose the date and time of the upgrade.

    You can also upgrade the firmware immediately.

  5. Click Schedule Upgrades.

    Firewalls are updated based on the timezone of the firewall. The upgrade starts at the scheduled time on the firewall. When the upgrade is in progress, you'll see a spinning icon next to the firewall.

    When the upgrade is complete, the spinning icon disappears.

You can upgrade multiple firewalls at the same time. You can edit or cancel scheduled upgrades.