Firewalls
You can view and configure any Sophos XG Firewall that can connect to Sophos Central.
Introduction
When you add a firewall to Sophos Central, you can monitor it in Sophos Central and manage it from the firewall's web admin console.
You can manage firewalls individually or as a group. Firewalls that you manage individually are placed in a group called Ungrouped. To manage firewalls, go to .
Firewall information
The information displayed for each firewall includes the following:
- Alerts: Alerts in the last 24 hours.

| Icon | Description |
|---|---|
| CPU usage alert | To see a graph of CPU usage in the last two hours, click the icon. |
| Management and reporting alert | For more information, click the icon. |
- Sync & Management

| Status | Description |
|---|---|
| Synchronized | The firewall is online and sending regular heartbeats. The firewall's configuration matches the group policy. |
| Connected | If the firewall is ungrouped, this status indicates that the firewall is online and sending regular heartbeats. If the firewall is in a group and this status remains unchanged for more than about a minute, the firewall is online and sending regular heartbeats, but it's not starting to synchronize with the group policy. This may be because the synchronization tasks haven't been created, or the tasks have been created but the firewall isn't pulling them. In this case, look in the tasks queue to find out which transactions are pending. |
| Error needs attention | The firewall's configuration doesn't match the group policy. The admin needs to look in the tasks queue to find out which policy can't be applied. |
| Synchronizing | The firewall has just been added to the group. Sophos Central is applying the group policy to the firewall. |
| Last seen x hours ago (for Sophos XG Firewall 18 or later) or Disconnected | The firewall is offline. |
| Approval Pending | The firewall has been registered with Sophos Central by a local admin from the firewall's web admin console. It's waiting for approval by a Sophos Central admin. When approved, the firewall is ready for group and individual device management. |
| Management Disabled | The firewall is registered with Sophos Central. However, Sophos Central management hasn't been turned on from the firewall's web admin console. |
If you click a status, more information is displayed:

| Additional information | Description |
|---|---|
| Missing since x hours | The firewall sends a heartbeat message every minute. If five heartbeat messages are missed, Sophos Central considers the firewall to be offline. |
| Failed to apply a policy x days ago | A policy couldn't be applied to the firewall. The tasks queue may have more details about the reason for the failure. |
| Firewall is suspended | The firewall has been offline or out of sync with the group policy for more than 30 days. This means that Sophos Central can't discover its current status. To resolve this issue, remove the firewall from the group and re-add it. |
| Central Reporting is Disabled | You can turn on firewall reporting from the firewall's web admin console. |
- Synchronized Security: the icons show the following:
  - The number of apps discovered by the firewall.
  - Reporting is turned off.
  - Reporting is turned on.
- Version: The firewall OS version.
Click a firewall to open the firewall’s web admin console. This lets you configure the firewall.
Add a new firewall
To add a new firewall, do as follows:
Add an existing firewall
- Log in to your firewall.
- On the Central Synchronization page, turn on Manage from Sophos Central.
- In Sophos Central, on the Firewalls page, expand the Ungrouped group, find the firewall, and click Accept services.
Create group
If your firewalls are on firmware version 18.0 or later, you can add them to a group and configure them all simultaneously using a group policy.
Edit group policy
You can edit the policy that will apply to all firewalls in a group. To do this, do as follows:
In Sophos Central, go to . You can see whether the policy has been applied to the firewalls.
Create subgroup
You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup.
For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.
To create a subgroup, do as follows:
Inheritance of objects and settings by subgroup policies
Objects are pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts.
A subgroup policy can't change objects you create for a parent group. For example, if you create a custom FQDN Host object for the Acme Corporation policy, the Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in those policies. However, a subgroup policy can use the parent object as a template to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.
If you try to remove an object from a parent group policy, it's automatically removed from subgroup policies if it is not used by any of them. However, if it's used, removal is prevented, and you're informed of the subgroup and rule where the object is used.
Settings are pages in the group policy editor that typically have an Apply button. You can't delete a setting, only configure it and turn it on or off. Examples of settings are Advanced Threat settings.
You can only configure settings in the topmost parent group policy. You can't configure settings in any of the subgroup policies. When you apply a setting to the top parent group policy, it's applied automatically to all the subgroup policies.
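The inheritance rules above, as an added Python model that is not Sophos Central code: it keeps the page's group names (Acme Corporation, Boston, London, Hyderabad), while the object and rule names used with it are constructed examples.

```python
# Added illustrative model of the inherited-object rules above; not Sophos code.
# Group, object and rule names used with it are constructed examples.
class PolicyGroup:
    """A firewall group whose policy is inherited by its subgroups."""
    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent
        self.children = []
        self.objects = {}  # objects created in this policy: name -> definition
        self.rules = {}    # rules in this policy: rule name -> object it uses
        if parent is not None:
            parent.children.append(self)

    def descendants(self):
        for child in self.children:
            yield child
            yield from child.descendants()

    def visible_objects(self):
        """Own objects (editable) plus read-only copies of every ancestor's objects."""
        visible = {name: (defn, True) for name, defn in self.objects.items()}
        group = self.parent
        while group is not None:  # walk up the tree, e.g. Boston -> Acme Corporation
            for name, defn in group.objects.items():
                visible.setdefault(name, (defn, False))
            group = group.parent
        return visible

    def add_object(self, name, definition):
        self.objects[name] = definition

    def add_rule(self, rule, object_name):
        """A subgroup may use an inherited object, but only in a rule of its own."""
        if object_name not in self.visible_objects():
            raise KeyError(f"{object_name!r} is not visible to {self.name}")
        self.rules[rule] = object_name

    def remove_object(self, name):
        """Blocked while any subgroup rule uses the object; returns
        (removed, [(subgroup, rule), ...]) so the caller sees where it is used."""
        users = [(g.name, r) for g in self.descendants()
                 for r, obj in g.rules.items() if obj == name]
        if users:
            return False, users
        del self.objects[name]
        return True, []

    def can_configure_settings(self):
        """Settings such as Advanced Threat are configurable only in the topmost parent."""
        return self.parent is None
```

Objects created in Boston never appear in London, Hyderabad, or the parent policy, and a parent object in use by a subgroup rule reports the subgroup and rule that block its removal.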
Upgrade firmware for firewalls
You can upgrade firmware for Sophos XG Firewall. If an upgrade is available, you'll see a download button next to all firewalls eligible for it.
To upgrade a firewall, do as follows:
You can upgrade multiple firewalls at the same time. You can edit or cancel scheduled upgrades.