Firewalls

You can view and configure any Sophos XG Firewall that can connect to Sophos Central.

Introduction

When you add a firewall to Sophos Central, you can monitor it in Sophos Central and manage it from the firewall's web admin console.

You can manage firewalls individually or as a group. Firewalls that you manage individually are placed in a group called Ungrouped. To manage firewalls, go to Firewall Management > Firewalls.

Firewall information

The information displayed for each firewall includes the following:

  • Alerts: Alerts in the last 24 hours. The alert icons are as follows:

    CPU usage alert: to see a graph of CPU usage in the last two hours, click the icon.

    Management and reporting alert: for more information, click the icon.

  • Sync & Management: The possible statuses are as follows:

    Synchronized: The firewall is online and sending regular heartbeats. The firewall’s configuration matches the group policy.

    Connected: If the firewall is ungrouped, this status indicates that the firewall is online and sending regular heartbeats.

      If the firewall is in a group and this status remains unchanged for more than about a minute, the firewall is online and sending regular heartbeats, but it's not starting to synchronize with the group policy. This may be because the synchronization tasks haven't been created or the tasks have been created, but the firewall isn't pulling them. In this case, look in the tasks queue to find out which transactions are pending.

    Error needs attention: The firewall's configuration doesn't match the group policy. The admin needs to look in the tasks queue to find out which policy can't be applied.

    Synchronizing: The firewall has just been added to the group. Sophos Central is applying the group policy to the firewall.

    Last seen x hours ago (for Sophos XG Firewall 18 or later) or Disconnected: The firewall is offline.

    Approval Pending: The firewall has been registered with Sophos Central by a local admin from the firewall’s web admin console. It's waiting for approval by a Sophos Central admin. When approved, the firewall is ready for group and individual device management.

    Management Disabled: The firewall is registered with Sophos Central. However, Sophos Central management hasn't been turned on from the firewall’s web admin console.

    If you click a status, more information is displayed:

    Missing since x hours: The firewall sends a heartbeat message every minute. If five heartbeat messages are missed, Sophos Central considers the firewall to be offline.

    Failed to apply a policy x days ago: A policy couldn't be applied to the firewall. The tasks queue may have more details about the reason for the failure.

    Firewall is suspended: The firewall has been offline or out of sync with the group policy for more than 30 days. This means that Sophos Central can't discover its current status. To resolve this issue, remove the firewall from the group and re-add it.

    Central Reporting is Disabled: You can turn on firewall reporting from the firewall’s web admin console.

  • Synchronized Security: The icons are as follows:

    Apps icon: The number of apps discovered by the firewall.

    Gray graph icon: Reporting is turned off.

    Blue graph icon: Reporting is turned on.

  • Version: The firewall OS version.
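The status rules above (a heartbeat every minute, offline after five missed heartbeats, suspended after more than 30 days offline or out of sync) are easy to get wrong when you build your own fleet dashboard or alerting on top of this data. The following is an added example, not Sophos code and not the Sophos Central data model: it derives the status a firewall would show from a constructed set of last-heartbeat times and sync flags. The field names (`last_heartbeat`, `in_group`, `config_matches_policy`, `out_of_sync_since`) are assumptions for the example.

```python
from datetime import datetime, timedelta, timezone

HEARTBEAT_INTERVAL = timedelta(minutes=1)  # the firewall sends a heartbeat every minute
MISSED_BEFORE_OFFLINE = 5                  # five missed heartbeats: treated as offline
SUSPEND_AFTER = timedelta(days=30)         # offline or out of sync for more than 30 days: suspended


def classify(now, last_heartbeat, in_group, config_matches_policy, out_of_sync_since=None):
    """Return (status, detail) for one firewall.

    Inputs are assumed for this example, not Sophos Central's data model:
    - last_heartbeat: when the last heartbeat was received
    - in_group: whether the firewall is assigned to a group (otherwise it is ungrouped)
    - config_matches_policy: whether the configuration matches the group policy
    - out_of_sync_since: when the configuration first stopped matching, or None
    """
    silence = now - last_heartbeat
    offline = silence >= MISSED_BEFORE_OFFLINE * HEARTBEAT_INTERVAL
    out_of_sync_for = (now - out_of_sync_since) if (in_group and out_of_sync_since) else timedelta(0)

    # Suspension wins over every other state: either condition exceeds 30 days.
    if (offline and silence > SUSPEND_AFTER) or out_of_sync_for > SUSPEND_AFTER:
        return "Firewall is suspended", "remove the firewall from the group and re-add it"
    if offline:
        hours = int(silence.total_seconds() // 3600)
        return "Disconnected", f"Missing since {hours} hours"
    if not in_group:
        return "Connected", "online and sending regular heartbeats (ungrouped)"
    if config_matches_policy:
        return "Synchronized", "configuration matches the group policy"
    return "Error needs attention", "check the tasks queue for the policy that can't be applied"


def summarize(fleet, now):
    """Map each firewall name to its status for a whole fleet."""
    return {
        fw["name"]: classify(now, fw["last_heartbeat"], fw["in_group"],
                             fw["config_matches_policy"], fw.get("out_of_sync_since"))[0]
        for fw in fleet
    }


# Constructed sample fleet (not real devices); times are relative to a fixed "now".
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_FLEET = [
    {"name": "fw-boston", "last_heartbeat": NOW - timedelta(seconds=40),
     "in_group": True, "config_matches_policy": True},
    {"name": "fw-london", "last_heartbeat": NOW - timedelta(minutes=3),
     "in_group": False, "config_matches_policy": True},
    {"name": "fw-hyderabad", "last_heartbeat": NOW - timedelta(hours=6),
     "in_group": True, "config_matches_policy": True},
    {"name": "fw-lab", "last_heartbeat": NOW - timedelta(days=31),
     "in_group": True, "config_matches_policy": True},
    {"name": "fw-branch", "last_heartbeat": NOW - timedelta(seconds=20),
     "in_group": True, "config_matches_policy": False,
     "out_of_sync_since": NOW - timedelta(days=2)},
    {"name": "fw-stale", "last_heartbeat": NOW - timedelta(seconds=30),
     "in_group": True, "config_matches_policy": False,
     "out_of_sync_since": NOW - timedelta(days=45)},
]

if __name__ == "__main__":
    for name, status in summarize(SAMPLE_FLEET, NOW).items():
        print(f"{name:14} {status}")
```

Note that `fw-stale` is online and still ends up suspended, because the 30-day limit applies to being out of sync as well as to being offline; a dashboard that only looks at heartbeat age would miss that case.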

Click a firewall to open the firewall’s web admin console. This lets you configure the firewall.

Note You must be an Admin or Super Admin in Sophos Central to open the web admin console. This gives you the same permissions as the firewall's local "admin" account. It also lets you change the password for an "admin" account, which is necessary when you deploy firewalls via Zero Touch.

Add a new firewall

To add a new firewall, do as follows:

  1. Click Add Firewall and select the option to add a new firewall.
  2. Register your serial number.

    You're guided through registration and deployment.

Add an existing firewall

To add a firewall that is already deployed, do as follows:

  1. Log in to your firewall.
  2. On the Central Synchronization page, turn on Manage from Sophos Central.
  3. In Sophos Central, on the Firewalls page, expand the Ungrouped group, find the firewall, and click Accept services.

Create group

If your firewalls are on firmware version 18.0 or later, you can add them to a group and configure them all simultaneously using a group policy.

Note You must be an Admin or Super Admin in Sophos Central to create a group.

  1. Click Create New Group.
  2. Enter a name for the group.
  3. Assign firewalls to the group.

    You don't have to assign firewalls when you create a group. You can create an empty group, edit its policy, and then assign firewalls to it. The group policy is applied to firewalls whenever you assign them to the group. From then on, the firewall configuration is in sync with the group policy.

  4. Click Save.

Edit group policy

You can edit the policy that will apply to all firewalls in a group.
  1. Click the ellipsis button (…) on the right-hand side of the group for which you want to edit the policy.
  2. Select Manage Policy.

    This takes you to your firewall web admin console, to Rules and Policies.

  3. You can now edit your policies.

    If a policy refers to firewall zones or interfaces, you may need to create dynamic zones or interfaces.

  4. To return to Sophos Central, you can click Dashboard or Back to Overview (on the left-hand menu).

In Sophos Central, go to Firewall Management > Tasks Queue. You can see whether the policy has been applied to the firewalls.

Caution When you add firewall or NAT rules, the Top and Bottom settings apply only to the ordering of rules within Sophos Central, not rules that may have been created locally on the firewall. All rules pushed from Sophos Central are inserted at the top of the rules list on the firewall. To avoid unexpected firewall behavior, when a firewall is managed from Sophos Central, we recommend that all rules are created and pushed from Sophos Central.
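The caution above matters because a locally created rule that sits below a broader rule pushed from Sophos Central can never match again: a local deny can be silently overridden by a Central allow, and vice versa. The following is an added example, not Sophos code: it models the insertion behaviour the caution describes (Central rules go to the top, in Central's order, above all local rules) and then reports which local rules are shadowed and which of those change the effective action. The rule fields and zone names are constructed for the example; real rules have many more match criteria, so treat this as a first-pass check rather than a complete policy analysis.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str   # "Any" or a zone name
    dst_zone: str   # "Any" or a zone name
    service: str    # "Any" or a service name
    action: str     # "allow" or "deny"
    origin: str     # "central" or "local"


def push_from_central(local_rules, central_rules):
    """Model the page's caution: every rule pushed from Sophos Central is inserted at the
    top of the firewall's list, above any locally created rule. Top/Bottom only orders the
    Central rules among themselves, which is why central_rules keeps its own order."""
    return list(central_rules) + list(local_rules)


def _covers(earlier_field, later_field):
    # A field covers another if it is the wildcard or an exact match.
    return earlier_field == "Any" or earlier_field == later_field


def shadowed_rules(rules):
    """Return (rule, shadowing_rule) pairs for rules that can never match because an
    earlier rule already matches everything they would match (first-match semantics)."""
    found = []
    for i, rule in enumerate(rules):
        for earlier in rules[:i]:
            if all(_covers(getattr(earlier, f), getattr(rule, f))
                   for f in ("src_zone", "dst_zone", "service")):
                found.append((rule, earlier))
                break
    return found


def effective_action_changes(rules):
    """Subset of shadowed pairs where the shadowing rule takes a different action,
    i.e. the traffic is now treated differently from what the shadowed rule intended."""
    return [(r, by) for r, by in shadowed_rules(rules) if r.action != by.action]


# Constructed sample rule sets (not from any real firewall).
LOCAL_RULES = [
    Rule("Block FTP from LAN", "LAN", "WAN", "FTP", "deny", "local"),
    Rule("Allow web from LAN", "LAN", "WAN", "HTTPS", "allow", "local"),
]
CENTRAL_RULES = [
    Rule("Block guest to WAN", "Guest", "WAN", "Any", "deny", "central"),
    Rule("Allow LAN to WAN", "LAN", "WAN", "Any", "allow", "central"),
]

if __name__ == "__main__":
    merged = push_from_central(LOCAL_RULES, CENTRAL_RULES)
    for rule in merged:
        print(f"{rule.origin:8} {rule.action:5} {rule.name}")
    for rule, by in effective_action_changes(merged):
        print(f"WARNING: '{rule.name}' ({rule.action}) is shadowed by '{by.name}' ({by.action})")
```

In the sample, the local "Block FTP from LAN" rule ends up below the Central "Allow LAN to WAN" rule and is reported as an action change: FTP from LAN is now allowed even though a local deny still exists. That is the kind of surprise the caution is warning about, and it is the reason the page recommends creating all rules in Sophos Central once a firewall is managed there.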

Create subgroup

You can create a subgroup within a group. This enables you to edit the group policy differently for each subgroup.

For example, if you have a group called “Acme Corporation” that contains subgroups called “Boston”, “London”, and “Hyderabad”, the policy created for Acme Corporation is automatically applied to all firewalls in all the subgroups. However, if you edit the policy for Boston, your changes are applied only to firewalls in the Boston subgroup, not firewalls in the London and Hyderabad subgroups.

  1. Click the ellipsis button (…) on the right-hand side of the group in which you want to create a subgroup.
  2. Select Add a Subgroup.
  3. Enter a name for the subgroup.
  4. Assign firewalls to the subgroup.

    You don't have to assign firewalls when you create a subgroup. You can create an empty subgroup, edit its policy, and then assign firewalls to it. The group policy is applied to firewalls whenever you assign them to the group. From then on, the firewall configuration is in sync with the subgroup policy.

  5. Click Save.

Inheritance of objects and settings by subgroup policies

Objects are pages in the group policy editor that typically have Add and Delete buttons. Examples are firewall rules, NAT rules, FQDN hosts, and IP hosts.

A subgroup policy can't change objects you create for a parent group. For example, you create a custom FQDN Host object for the Acme Corporation policy. The Boston, London, and Hyderabad policies inherit a read-only copy of the object, which appears dimmed in the Boston, London, and Hyderabad policies. However, a subgroup policy can use the parent object as a template to create its own rules. A subgroup policy is also free to create its own objects. Such objects are visible only to that subgroup policy and the policies of its subgroups.

If you try to remove an object from a parent group policy, it's automatically removed from subgroup policies if it is not used by any of them. However, if it's used, removal is prevented, and you're informed of the subgroup and rule where the object is used.

Settings are pages in the group policy editor that typically have an Apply button. You can't delete a setting, only configure it and turn it on or off. Examples of settings are Advanced Threat settings.

You can only configure settings in the topmost parent group policy. You can't configure settings in any of the subgroup policies. When you apply a setting to the top parent group policy, it's applied automatically to all the subgroup policies.

Upgrade firmware for firewalls

You can upgrade firmware for Sophos XG Firewall. If an upgrade is available, you'll see a download button next to all firewalls eligible for it.

To upgrade a firewall, do as follows:

  1. Click the download button.
  2. Click Schedule Upgrades.
  3. If more than one firmware version is available, select the version you want.
  4. Choose the date and time of the upgrade.

    You can also upgrade the firmware immediately.

  5. Click Schedule Upgrades.

    Firewalls are updated based on the timezone of the firewall. The upgrade starts at the scheduled time on the firewall. When the upgrade is in progress, you'll see a spinning icon next to the firewall.

    When the upgrade is complete, the spinning icon disappears.

You can upgrade multiple firewalls at the same time. You can edit or cancel scheduled upgrades.