Add a firewall with Zero Touch

With Zero Touch, you specify your firewall configuration settings in Sophos Central. Your firewall administrator then connects the firewall to the internet and turns it on. The firewall connects to Sophos Central, downloads and applies the configuration, and then registers with Sophos Central.

Note

You must add and configure the firewall in Sophos Central before turning it on and connecting it to the internet.

Requirements

If your firewalls are on version 20.0 MR1 or later, you can deploy them using Zero Touch configuration.

Zero Touch configuration is supported on most XGS firewall devices.

However, for the XGS models listed below, the first five numbers of the device's serial number must be the same as or higher than those shown in the table.

XGS model    Serial number prefix
XGS 87       X01123
XGS 87w      X01223
XGS 107      X10123
XGS 107w     X10223
XGS 116      X11303
XGS 116w     X11403
XGS 126      X12303
XGS 126w     X12403
XGS 136      X13303
XGS 136w     X13403
XGS 2100     X21016
XGS 2300     X23017
XGS 3100     X31018
XGS 3300     X33017
XGS 4300     X43014
XGS 4500     X45014
XGS 5500     X55013
XGS 6500     X65013
XGS 7500     X75006
XGS 8500     X85105

Note

Zero Touch configuration isn't available for XG, SG, and UTM hardware.

The firewall must have DHCP enabled on the WAN port your firewall administrator uses to connect to the internet. New Sophos firewalls have DHCP enabled on WAN Port2 by default.

If you add multiple firewalls, a cache issue may arise, and the process may not work. To prevent this, use a separate private browsing tab to connect each firewall.
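
The hardware, firmware and serial number requirements above can be checked against an inventory before you claim devices in Sophos Central. The following is an added example, not Sophos code. It assumes firmware is written as on this page ("20.0 MR1", with "GA" counted as MR0) and that serial numbers start with X followed by five digits, as the table prefixes do. The inventory rows are constructed.

```python
import re

# Minimum serial prefixes copied from the table on this page.
MIN_PREFIX = {
    "XGS 87": "X01123", "XGS 87w": "X01223", "XGS 107": "X10123",
    "XGS 107w": "X10223", "XGS 116": "X11303", "XGS 116w": "X11403",
    "XGS 126": "X12303", "XGS 126w": "X12403", "XGS 136": "X13303",
    "XGS 136w": "X13403", "XGS 2100": "X21016", "XGS 2300": "X23017",
    "XGS 3100": "X31018", "XGS 3300": "X33017", "XGS 4300": "X43014",
    "XGS 4500": "X45014", "XGS 5500": "X55013", "XGS 6500": "X65013",
    "XGS 7500": "X75006", "XGS 8500": "X85105",
}
MIN_FIRMWARE = (20, 0, 1)  # 20.0 MR1, the minimum version stated on this page

def parse_firmware(text):
    """Assumed notation: '20.0 MR1' or '20.0 GA' (GA is treated as MR0)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\s+(?:GA|MR(\d+))", text.strip())
    if not m:
        raise ValueError(f"unrecognised firmware string: {text!r}")
    return int(m.group(1)), int(m.group(2)), int(m.group(3) or 0)

def zero_touch_check(model, serial, firmware):
    """Return (eligible, reason) for one inventory row."""
    family = model.split()[0].upper()
    if family in ("XG", "SG", "UTM"):
        return False, f"{family} hardware is not supported"
    if parse_firmware(firmware) < MIN_FIRMWARE:
        return False, "firmware older than 20.0 MR1"
    required = MIN_PREFIX.get(model)
    if required is None:
        return True, "model has no serial prefix restriction"
    m = re.match(r"X(\d{5})", serial.strip().upper())
    if not m:
        return False, "serial does not start with X and five digits"
    if int(m.group(1)) < int(required[1:]):
        return False, f"serial prefix below {required}"
    return True, f"serial prefix meets {required}"

# Constructed inventory rows (serial numbers are made up for illustration).
INVENTORY = [
    ("XGS 126", "X12305EXAMPLE01", "20.0 MR1"),
    ("XGS 126", "X12301EXAMPLE02", "21.0 GA"),
    ("XGS 2100", "X21016EXAMPLE03", "20.0 GA"),
    ("XG 135", "C1A0EXAMPLE04", "20.0 MR2"),
]

if __name__ == "__main__":
    for row in INVENTORY:
        print(row[0], row[1], *zero_touch_check(*row))
```

Rows that fail the check need to be set up through the firewall's setup assistant instead.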

What to do in Sophos Central

To add a firewall with Zero Touch, do as follows:

  1. Go to My Products > Firewall Management > Firewalls.
  2. Click Add Firewall.

  3. Under Add firewalls to Sophos Central, click Start Setup.

  4. Under Add Firewall, enter the serial number of your Sophos Firewall, and click Next.

    Claim firewall appears. You see your firewall's serial number and model.

  5. Click Next.

  6. Accept the license agreement and click Continue.

  7. Select the name and time zone of the firewall and click Continue.
  8. Check the licensed features, opt into the customer experience improvement program if you want to, and click Continue.
  9. Configure your LAN settings and enable DHCP if you want to. If you enable DHCP, you must enter a DHCP lease range.
  10. Optional: Click Edit Internet Connection to configure your WAN settings, and click Apply. You can cancel or reset these settings if needed.
  11. Click Continue.
  12. Select your Network protection settings, then click Continue.

  13. Check your Configuration summary, then click Finish.

    You see the Zero Touch configuration options.

  14. Under Zero Touch configuration, select Firewall downloads configuration from Sophos Central.

  15. Optional: Under Central Management auto-approval, select Auto approve for Central management, and click Continue.

    If you don't select this option, you can accept your firewall later in Sophos Central.

  16. You see information about the firewall deployment steps. Click Finish.

    You see your firewall under Firewall Management - Firewalls. Its status will be Waiting for deployment.

What to do on Sophos Firewall

Your firewall administrator must do as follows:

  1. Connect the firewall to the internet on a DHCP-enabled port at the site where you want to deploy the firewall, then turn the firewall on.

    The firewall connects to Sophos Central, downloads and applies the configuration, and registers with Sophos Central.

  2. Optional: Type the web admin console address into your browser, followed by port 4444, to see the setup progress in the Sophos Firewall wizard. Example: 172.16.16.16:4444. The Zero Touch setup window will show.

    Note

    If the firewall can't connect to Sophos Central, the firewall administrator can troubleshoot the issue. See Zero Touch FAQ.

    When the Zero Touch setup is complete, the firewall administrator will see the firewall's web admin console sign-in page.

    You can now add the firewall to a group and manage it through Sophos Central.

Accept the firewall if you didn't select auto approve

Note

If you selected Auto approve for Central management, you can skip this section.

  1. In Sophos Central, go to My Products > Firewall Management > Firewalls.
  2. Search for your firewall's serial number.
  3. Click Accept services.

    Once you accept the firewall, the remaining settings are applied. You can now add the firewall to a group and manage it through Sophos Central.

Set your admin password

Note

If you don't set an admin password, administrators may have trouble accessing the firewall if it loses its internet connection or is disconnected from Sophos Central.

  1. In Sophos Central, go to My Products > Firewall Management > Firewalls.

    You see your firewall is now connected.

  2. Click your firewall's name.

    You're connected to your firewall's web admin console.

    Set firewall admin password appears.

  3. Click Set password.

  4. You're redirected to Administration. Scroll down to Default admin's password settings.
  5. Enter and confirm your password, click Apply, then click OK to confirm.
  6. At the top left of the screen, click Back to FW Management.

    You're redirected back to Sophos Central firewall management.

Sign in to your firewall

Your firewall administrator must do as follows:

  1. Type the web admin console address into your browser, followed by port 4444. Example: 172.16.16.16:4444.
  2. Sign in to the web admin console using the password you set.
  3. Under the System section, go to Sophos Central.

    Under Sophos Central registration, the Device status is Registered.

    Under Sophos Central services, the status is Managed.

Skip Zero Touch

You can prevent a firewall from joining a Sophos Central account with the Zero Touch process.

To do this, do as follows:

  1. Create a file named skip_tzt on your computer, and copy the file to a USB stick.
  2. Plug the USB stick into the firewall, connect the firewall to the internet, and turn the firewall on.

    The firewall will skip the Zero Touch process, and you can set the firewall up through the web console with the firewall's setup assistant.